git.ipfire.org Git - thirdparty/qemu.git/log
3 months ago target/hppa: Update SeaBIOS-hppa to version 23
Helge Deller [Tue, 17 Mar 2026 19:38:54 +0000 (20:38 +0100)] 
target/hppa: Update SeaBIOS-hppa to version 23

New SeaBIOS-hppa v23 release with various fixes for qemu-v11:
- Various fixes to support CPUs with 40 and 44 bits physical address
- Fix PAT_CPU call when asking for current CPU
- Add function to stop CPU in PDC_PROC
- Prevent execution of some functions when running as PAT firmware
- Tune cache parameters to speed up cache flushes in operating systems
- Revert resetting LSI SCSI with ODE on HP3000

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Anton Johansson <anjo@rev.ng>
3 months ago hw/hppa: Fix crash of 64-bit HP-UX 11 while flushing caches
Helge Deller [Sun, 15 Mar 2026 18:16:02 +0000 (19:16 +0100)] 
hw/hppa: Fix crash of 64-bit HP-UX 11 while flushing caches

HP-UX 11 64-bit reads at bootup a word from address CPU_HPA + 0x500
while flushing the cache of a T600.
Add a memory handler to avoid crashing while reading this word.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Anton Johansson <anjo@rev.ng>
3 months ago hw/pci-host/astro: Use proper region names
Helge Deller [Sun, 15 Mar 2026 18:00:00 +0000 (19:00 +0100)] 
hw/pci-host/astro: Use proper region names

All 64-bit hppa machines have at least 4 Elroy PCI busses in the system.
Make sure to use proper names in the qemu device tree, e.g. "elroy0" or
"elroy2-pci-mmio", to be able to distinguish between the various chips.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months ago target/hppa: Always map 64-bit firmware at 0xfffffff0f0000000
Helge Deller [Fri, 13 Mar 2026 18:43:09 +0000 (19:43 +0100)] 
target/hppa: Always map 64-bit firmware at 0xfffffff0f0000000

I checked on a physical A500, C3700 and C8000 machine and all load their
64-bit PDC (Firmware) at 0xfffffff0f0000000, independent of whether the CPU uses
40 or 44 physical address bits.
For qemu we will do the same and load the 64-bit SeaBIOS-hppa at the
same address for our emulated machines.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Anton Johansson <anjo@rev.ng>
3 months ago hw/hppa: Adjust physical addresses of Astro and Elroy
Helge Deller [Fri, 13 Mar 2026 18:38:39 +0000 (19:38 +0100)] 
hw/hppa: Adjust physical addresses of Astro and Elroy

Adjust the addresses of the Astro and Elroy PCI chips to a
44-bit physical address space when running a PA8700 CPU.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Anton Johansson <anjo@rev.ng>
3 months ago hw/hppa: Fix description of the HP A400-44 server
Helge Deller [Fri, 13 Mar 2026 18:34:37 +0000 (19:34 +0100)] 
hw/hppa: Fix description of the HP A400-44 server

The HP A400-44 machine has a height of 2U and is a noisy server machine
which was usually running in the datacenter.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Anton Johansson <anjo@rev.ng>
3 months ago hw/display/tcx: Init memory regions in realize
BALATON Zoltan [Mon, 16 Mar 2026 13:06:51 +0000 (14:06 +0100)] 
hw/display/tcx: Init memory regions in realize

Thomas reported test failure:

  $ export QTEST_QEMU_BINARY=./qemu-system-sparc
  $ tests/qtest/device-introspect-test -m thorough
  ...
  # Testing device 'sun-tcx'
  RAMBlock "tcx.prom" already registered, abort!
  Broken pipe
  ../../devel/qemu/tests/qtest/libqtest.c:210: kill_qemu() detected QEMU
  death from signal 6 (Aborted) (core dumped)
  Aborted (core dumped)

The issue is that the qom introspect test will create yet another sun-tcx
device, causing double registration of the memory region.

Fix it by removing the init method and moving memory region creation into
realize.

Reported-by: Thomas Huth <thuth@redhat.com>
Link: https://lore.kernel.org/r/3b87e6d9-a027-4dcd-a995-857e16c8b2e6@redhat.com
Fixes: 653c4fa5b0 hw/display/{cg3.tcx}: Do not use memory_region_init_rom_nomigrate
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Link: https://lore.kernel.org/r/20260316130651.5C8735968DE@zero.eik.bme.hu
[peterx: amend commit message, fix tag, add link]
Signed-off-by: Peter Xu <peterx@redhat.com>
3 months ago memory: Set mr->ram before RAM Block allocation
Xiaoyao Li [Thu, 12 Mar 2026 06:34:20 +0000 (14:34 +0800)] 
memory: Set mr->ram before RAM Block allocation

Commit 2fb627ef2f48 ("memory: Factor out common ram region initialization")
introduced a helper function memory_region_set_ram_block(), which causes
mr->ram to be set to true after the RAM Block allocation by
qemu_ram_alloc_*().

It leads to the assertion

  g_assert(memory_region_is_ram(mr));

in memory_region_set_ram_discard_manager() being triggered when creating
RAM Block with the RAM_GUEST_MEMFD flag.

Fix this by restoring the original behavior of setting mr->ram before
RAM Block allocation.

Closes: https://gitlab.com/qemu-project/qemu/-/work_items/3330
Reported-by: Farrah Chen <farrah.chen@intel.com>
Link: https://lore.kernel.org/r/df63fdf0-05ea-4de0-8009-c52703e4b052@amd.com
Reported-by: Kim Phillips <kim.phillips@amd.com>
Fixes: 2fb627ef2f48 ("memory: Factor out common ram region initialization")
Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Tested-by: Kim Phillips <kim.phillips@amd.com>
Link: https://lore.kernel.org/r/20260312063420.973637-1-xiaoyao.li@intel.com
Signed-off-by: Peter Xu <peterx@redhat.com>
3 months ago target/riscv: Support Smpmpmt extension
Jay Chang [Thu, 5 Mar 2026 03:44:29 +0000 (11:44 +0800)] 
target/riscv: Support Smpmpmt extension

The Smpmpmt extension provides a mechanism to control memory attributes
at the granularity of PMP (Physical Memory Protection) registers, similar
to how Svpbmt controls memory attributes at the page level.

Version 0.6
https://github.com/riscv/riscv-isa-manual/blob/smpmpmt/src/smpmpmt.adoc#svpbmt

Signed-off-by: Jay Chang <jay.chang@sifive.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260305034429.74739-1-jay.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
3 months ago hw/riscv/riscv-iommu: Free instance_init allocations in instance_finalize
Peter Maydell [Sat, 7 Mar 2026 12:52:22 +0000 (12:52 +0000)] 
hw/riscv/riscv-iommu: Free instance_init allocations in instance_finalize

The riscv-iommu device makes various allocations in its
instance_init method. These will leak when QMP inits an
object of this type to introspect it, as can be seen if you
run 'make check' with the address sanitizer enabled:

Direct leak of 4096 byte(s) in 1 object(s) allocated from:
    #0 0x5d8415b6ed9d in calloc (/home/pm215/qemu/build/san/qemu-system-riscv32+0x1832d9d) (BuildId: fedcc313e48ba803d63837329c37fd609dd50849)
    #1 0x75c0502f1771 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x63771) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
    #2 0x5d8416d09391 in riscv_iommu_instance_init /home/pm215/qemu/build/san/../../hw/riscv/riscv-iommu.c:2463:18
    #3 0x5d841710483f in object_initialize_with_type /home/pm215/qemu/build/san/../../qom/object.c:570:5
    #4 0x5d8417104ee9 in object_initialize /home/pm215/qemu/build/san/../../qom/object.c:578:5
    #5 0x5d8417104ee9 in object_initialize_child_with_propsv /home/pm215/qemu/build/san/../../qom/object.c:608:5
    #6 0x5d8417104db1 in object_initialize_child_with_props /home/pm215/qemu/build/san/../../qom/object.c:591:10
    #7 0x5d8417106506 in object_initialize_child_internal /home/pm215/qemu/build/san/../../qom/object.c:645:5
    #8 0x5d8416d16a12 in riscv_iommu_sys_init /home/pm215/qemu/build/san/../../hw/riscv/riscv-iommu-sys.c:199:5
    #9 0x5d841710483f in object_initialize_with_type /home/pm215/qemu/build/san/../../qom/object.c:570:5
    #10 0x5d841710661f in object_new_with_type /home/pm215/qemu/build/san/../../qom/object.c:774:5
    #11 0x5d841755d956 in qmp_device_list_properties /home/pm215/qemu/build/san/../../qom/qom-qmp-cmds.c:206:11

(and other similar backtraces).

Fix these by freeing the resources we allocate in instance_init in
instance_finalize.  In some cases we were freeing these in unrealize,
and in some cases not at all.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260307125222.3656140-1-peter.maydell@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
3 months ago fpu: Fix unexpected exception flags when converting infinity to OCP E4M3
Max Chou [Thu, 26 Feb 2026 07:18:15 +0000 (15:18 +0800)] 
fpu: Fix unexpected exception flags when converting infinity to OCP E4M3

Infinity is a special case distinct from numeric overflow:
- Numeric overflow: finite value exceeds format's max normal
  -> overflow|inexact
- Infinity conversion: input is already infinite
  -> no flags

This commit fixes the unexpected exception flags by relocating the float
exception flag update flow to be outside the uncanon_e4m3_overflow,
and raising the overflow|inexact for numeric overflow in uncanon_normal.

Fixes: 27e989f99c ("fpu: Add conversion routines for OCP FP8 E4M3")
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260226071817.1417875-3-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
3 months ago fpu: Fix repacking issues in the uncanonical step for E4M3 overflow
Max Chou [Thu, 26 Feb 2026 07:18:14 +0000 (15:18 +0800)] 
fpu: Fix repacking issues in the uncanonical step for E4M3 overflow

In the uncanonical step, the input FloatParts will be repacked to the
target FloatFmt. This commit fixes the following issues after calling
uncanon_e4m3_overflow in the uncanon/uncanon_normal functions.

- Add the local exp update after calling uncanon_e4m3_overflow in the
  parts_uncanon_normal function.
- Add the fraction shift after calling uncanon_e4m3_overflow in the
  parts_uncanon function.

Fixes: 27e989f99c ("fpu: Add conversion routines for OCP FP8 E4M3")
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260226071817.1417875-2-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
3 months ago hw/riscv: Remove deprecated 'riscv, delegate' device-tree property
Philippe Mathieu-Daudé [Fri, 27 Feb 2026 23:28:37 +0000 (00:28 +0100)] 
hw/riscv: Remove deprecated 'riscv, delegate' device-tree property

The "riscv,delegate" DT property was added in QEMU 7.0 as part of
the AIA APLIC support.  The property changed name during the
review process in Linux and the correct name ended up being
"riscv,delegation". The incorrect name was added as alias, and
deprecated in v9.1 (commit 38facfa8432), so can be removed for
v11.0.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Message-ID: <20260227232838.23392-1-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
3 months ago hw/dma: sifive_pdma: Set done bit upon completion
Jay Chang [Wed, 4 Mar 2026 03:08:16 +0000 (11:08 +0800)] 
hw/dma: sifive_pdma: Set done bit upon completion

Ensure that the 'done' bit is set upon transfer completion, even if
an error occurs, since all transfers are considered completed regardless
of success or failure.

Signed-off-by: Jay Chang <jay.chang@sifive.com>
Reviewed-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260304030816.33209-1-jay.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
3 months ago MAINTAINERS: Add myself as a reviewer for RISC-V TCG CPUs
Chao Liu [Thu, 26 Feb 2026 10:20:08 +0000 (18:20 +0800)] 
MAINTAINERS: Add myself as a reviewer for RISC-V TCG CPUs

Add myself as a reviewer for RISC-V TCG CPU related code to better
participate in patch review.

Signed-off-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com>
Message-ID: <20260226102008.146928-1-chao.liu.zevorn@gmail.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
3 months ago MAINTAINERS: update my email
Daniel Henrique Barboza [Wed, 17 Dec 2025 19:17:26 +0000 (16:17 -0300)] 
MAINTAINERS: update my email

Also add myself as a "RISC-V TCG target" reviewer.

Signed-off-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20251217191726.194767-1-daniel.barboza@oss.qualcomm.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
3 months ago target/riscv: Fix null pointer dereference in cpu_set_exception_base
Djordje Todorovic [Thu, 15 Jan 2026 13:01:17 +0000 (13:01 +0000)] 
target/riscv: Fix null pointer dereference in cpu_set_exception_base

Add missing return statement after logging the error when cs is NULL.
Without this, the function continues to dereference the null pointer.

Resolves: Coverity CID 1644077

Signed-off-by: Djordje Todorovic <djordje.todorovic@htecgroup.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260115130110.2825796-3-djordje.todorovic@htecgroup.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
3 months ago hw/riscv: Fix integer overflow in cm_base calculation
Djordje Todorovic [Thu, 15 Jan 2026 13:01:16 +0000 (13:01 +0000)] 
hw/riscv: Fix integer overflow in cm_base calculation

Ensure 64-bit arithmetic is used when computing cm_base,
avoiding potential integer overflow.

Resolves: Coverity CID 1644076

Signed-off-by: Djordje Todorovic <djordje.todorovic@htecgroup.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260115130110.2825796-2-djordje.todorovic@htecgroup.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
3 months ago Update version for v11.0.0-rc0 release v11.0.0-rc0
Peter Maydell [Wed, 18 Mar 2026 15:56:51 +0000 (15:56 +0000)] 
Update version for v11.0.0-rc0 release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago Merge tag 'pr-plugins-20260317' of https://gitlab.com/pbo-linaro/qemu into staging
Peter Maydell [Wed, 18 Mar 2026 10:12:59 +0000 (10:12 +0000)] 
Merge tag 'pr-plugins-20260317' of https://gitlab.com/pbo-linaro/qemu into staging

Changes:
- [PATCH v2 v2] plugins/api-system: Handle migrate_add_blocker() failure (Trieu Huynh <vikingtc4@gmail.com>)
Link: https://lore.kernel.org/qemu-devel/20260317134733.126584-1-vikingtc4@gmail.com
# gpg: Signature made Tue Mar 17 19:13:51 2026 GMT
# gpg:                using RSA key 66B994ECA14F7F2E5ABA081F7F90540D0A1CD00F
# gpg: Good signature from "Pierrick Bouvier <pierrick.bouvier@linaro.org>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 66B9 94EC A14F 7F2E 5ABA  081F 7F90 540D 0A1C D00F

* tag 'pr-plugins-20260317' of https://gitlab.com/pbo-linaro/qemu:
  plugins/api-system: Handle migrate_add_blocker() failure

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago Merge tag 'single-binary-20260317' of https://github.com/philmd/qemu into staging
Peter Maydell [Wed, 18 Mar 2026 10:12:50 +0000 (10:12 +0000)] 
Merge tag 'single-binary-20260317' of https://github.com/philmd/qemu into staging

A few patches related to the single binary effort:

- Build some stub files once
- Replace TARGET_PAGE_BITS by qemu_target_page_bits()

# gpg: Signature made Wed Mar 18 05:54:36 2026 GMT
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* tag 'single-binary-20260317' of https://github.com/philmd/qemu:
  target/ppc: Replace TARGET_PAGE_BITS -> qemu_target_page_bits()
  hw/s390x/vfio: Replace TARGET_PAGE_BITS -> qemu_target_page_bits()
  hw/misc: Build 'mac_via' as common unit file
  hw/display: Build stubs once
  fsdev: Build stubs once

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago Merge tag 'migration-20260317-pull-request' of https://gitlab.com/farosas/qemu into...
Peter Maydell [Wed, 18 Mar 2026 10:12:39 +0000 (10:12 +0000)] 
Merge tag 'migration-20260317-pull-request' of https://gitlab.com/farosas/qemu into staging

Migration/Qtest pull request

Various fixes

# gpg: Signature made Tue Mar 17 18:18:10 2026 GMT
# gpg:                using RSA key AA1B48B0A22326A5A4C364CFC798DC741BEC319D
# gpg:                issuer "farosas@suse.de"
# gpg: Good signature from "Fabiano Rosas <farosas@suse.de>" [unknown]
# gpg:                 aka "Fabiano Almeida Rosas <fabiano.rosas@suse.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: AA1B 48B0 A223 26A5 A4C3  64CF C798 DC74 1BEC 319D

* tag 'migration-20260317-pull-request' of https://gitlab.com/farosas/qemu:
  tests/qtest/test-hmp: Free machine options
  tests/qtest: Don't dup machine name in qtest_cb_for_every_machine callbacks
  migration: fix implicit integer division in migration_update_counters
  migration/options: Fix leaks in StrOrNull qdev accessors
  migration: assert that the same migration handler is not being added twice
  tests/qtest/migration: Force exit-on-error=false
  migration/multifd: Fix leaks of TLS error objects
  tests/qtest/migration: Fix leak in CPR exec test
  io: Fix TLS bye task leak
  tests/qtest/migration: Fix leak of migration tests data

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago Merge tag 'for-11.0-pull-request' of https://gitlab.com/marcandre.lureau/qemu into...
Peter Maydell [Wed, 18 Mar 2026 09:17:07 +0000 (09:17 +0000)] 
Merge tag 'for-11.0-pull-request' of https://gitlab.com/marcandre.lureau/qemu into staging

Gather various audio/ui/dump patches for 11.0-rc

# gpg: Signature made Tue Mar 17 17:18:46 2026 GMT
# gpg:                using RSA key 87A9BD933F87C606D276F62DDAE8E10975969CE5
# gpg: Good signature from "Marc-André Lureau <marcandre.lureau@redhat.com>" [full]
# gpg:                 aka "Marc-André Lureau <marcandre.lureau@gmail.com>" [full]
# Primary key fingerprint: 87A9 BD93 3F87 C606 D276  F62D DAE8 E109 7596 9CE5

* tag 'for-11.0-pull-request' of https://gitlab.com/marcandre.lureau/qemu:
  coreaudio: Initialize the buffer for device change
  audio: Add functions to initialize buffers
  coreaudio: Commit the result of init in the end
  coreaudio: Improve naming
  ui/surface: Avoid including epoxy/gl.h in header files
  ui/console: Remove DisplaySurface::mem_obj
  ui/console: Unify pixman-OpenGL format mapping
  dump: enhance dump_state_prepare fd initialization
  ui/gtk-egl: Ensure EGL surface is available before drawing
  ui/dbus-listener: remove dbus_filter on connection close
  ui/dbus-listener: Fix FBO leak in dbus_cursor_dmabuf
  virtio-gpu: use computed rowstride instead of deriving it from hostmem
  virtio-gpu: fix overflow check when allocating 2d image
  ui/vdagent: add migration blocker when machine version < 10.1
  rutabaga: improve error handling, fix potential crash during init
  audio/mixeng: drop some needless checks

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago Merge tag 'pull-ppc-for-11.0-hardfreeze-20260317' of https://gitlab.com/harshpb/qemu...
Peter Maydell [Wed, 18 Mar 2026 09:16:58 +0000 (09:16 +0000)] 
Merge tag 'pull-ppc-for-11.0-hardfreeze-20260317' of https://gitlab.com/harshpb/qemu into staging

ppc queue for 11.0

# gpg: Signature made Tue Mar 17 15:05:02 2026 GMT
# gpg:                using RSA key 6B810CD6D2BE10F3883D21424544E994F9D68FBB
# gpg: Good signature from "Harsh Prateek Bora <harsh.prateek.bora@gmail.com>" [full]
# gpg:                 aka "Harsh Prateek Bora <harshpb@linux.ibm.com>" [full]
# Primary key fingerprint: 6B81 0CD6 D2BE 10F3 883D  2142 4544 E994 F9D6 8FBB

* tag 'pull-ppc-for-11.0-hardfreeze-20260317' of https://gitlab.com/harshpb/qemu:
  ppc/pnv: fix dumpdtb option

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago Merge tag 'pull-block-2026-03-17' of https://gitlab.com/hreitz/qemu into staging
Peter Maydell [Wed, 18 Mar 2026 09:16:48 +0000 (09:16 +0000)] 
Merge tag 'pull-block-2026-03-17' of https://gitlab.com/hreitz/qemu into staging

Block layer patches for rc0

- Fix race condition in throttle-group code triggering an assertion
  failure
- Fix assertion failure in mirror job when issuing job-complete twice

# gpg: Signature made Tue Mar 17 12:26:23 2026 GMT
# gpg:                using RSA key CB62D7A0EE3829E45F004D34A1FA40D098019CDF
# gpg:                issuer "hreitz@redhat.com"
# gpg: Good signature from "Hanna Reitz <hreitz@redhat.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: CB62 D7A0 EE38 29E4 5F00  4D34 A1FA 40D0 9801 9CDF

* tag 'pull-block-2026-03-17' of https://gitlab.com/hreitz/qemu:
  block/mirror: fix assertion failure upon duplicate complete for job using 'replaces'
  throttle-group: Fix race condition in throttle_group_restart_queue()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging
Peter Maydell [Wed, 18 Mar 2026 09:16:26 +0000 (09:16 +0000)] 
Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* runstate: handle return code of EOPNOTSUPP properly from rebuild_guest()
* meson: do not hardcode paths to generated files
* rust: fix build when --disable-rust and meson < 1.9
* rust: suggest passing --locked to "cargo install"

# gpg: Signature made Wed Mar 18 08:21:20 2026 GMT
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
  rust: suggest passing --locked to "cargo install"
  rust: fix build when --disable-rust and meson < 1.9
  build-sys: use the "run" variable
  runstate: handle return code of EOPNOTSUPP properly from rebuild_guest()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago rust: suggest passing --locked to "cargo install"
Paolo Bonzini [Wed, 18 Mar 2026 07:35:21 +0000 (08:35 +0100)] 
rust: suggest passing --locked to "cargo install"

Without the option, cargo will try using the latest version of the
dependencies of bindgen-cli. While it will obviously respect the
constraints in Cargo.toml, old versions of Cargo do not have
version-constrained resolution and will choke on dependencies
that need Rust 2024.

Cc: Daniel P. Berrangé <berrange@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 months ago target/ppc: Replace TARGET_PAGE_BITS -> qemu_target_page_bits()
Philippe Mathieu-Daudé [Fri, 13 Mar 2026 04:09:52 +0000 (05:09 +0100)] 
target/ppc: Replace TARGET_PAGE_BITS -> qemu_target_page_bits()

Get the target page bits at runtime.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-Id: <20260313062055.2188-3-philmd@linaro.org>

3 months ago hw/s390x/vfio: Replace TARGET_PAGE_BITS -> qemu_target_page_bits()
Philippe Mathieu-Daudé [Fri, 13 Mar 2026 05:34:33 +0000 (06:34 +0100)] 
hw/s390x/vfio: Replace TARGET_PAGE_BITS -> qemu_target_page_bits()

Get the target page bits at runtime.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-Id: <20260313062055.2188-4-philmd@linaro.org>

3 months ago hw/misc: Build 'mac_via' as common unit file
Philippe Mathieu-Daudé [Fri, 13 Mar 2026 04:52:08 +0000 (05:52 +0100)] 
hw/misc: Build 'mac_via' as common unit file

Nothing there is target-specific anymore.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-Id: <20260313062055.2188-39-philmd@linaro.org>

3 months ago hw/display: Build stubs once
Philippe Mathieu-Daudé [Tue, 24 Feb 2026 18:14:34 +0000 (19:14 +0100)] 
hw/display: Build stubs once

Move stubs to the global stub_ss[] source set. These files
are now built once for all binaries, instead of one time
per system binary.

Add pixman to qemuutil library dependencies since pixman is
transitively included, which is needed to be able to include
prototypes for stubs we declared:

  In file included from include/ui/console.h:4,
  include/ui/qemu-pixman.h:10:10: fatal error: pixman.h: No such file or directory
     10 | #include <pixman.h>
        |          ^~~~~~~~~~

On OpenBSD, opengl headers are not available in default
include path, and thus we need to add opengl to list of
qemuutil dependencies, otherwise we get:

  In file included from ../hw/display/acpi-vga-stub.c:4:
  In file included from ../hw/display/vga_int.h:28:
  In file included from include/ui/console.h:9:
  include/ui/surface.h:11:11: fatal error: 'epoxy/gl.h' file not found
  # include <epoxy/gl.h>
            ^~~~~~~~~~~~
  1 error generated.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260225035739.42848-8-philmd@linaro.org>
Co-developed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-Id: <20260315070834.198331-4-pierrick.bouvier@linaro.org>

3 months ago plugins/api-system: Handle migrate_add_blocker() failure
Trieu Huynh [Tue, 17 Mar 2026 13:47:33 +0000 (22:47 +0900)] 
plugins/api-system: Handle migrate_add_blocker() failure

migrate_add_blocker() can fail (e.g. if migration is already in
progress), in which case it returns a negative value and populates
its errp argument with the reason.

The previous code ignored the return value. Pass &error_fatal so
that on failure QEMU exits cleanly with an informative error message
rather than continuing in an inconsistent state.

Resolves: CID 1645470
Signed-off-by: Trieu Huynh <vikingtc4@gmail.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Tested-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260317134733.126584-1-vikingtc4@gmail.com
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>

3 months ago fsdev: Build stubs once
Philippe Mathieu-Daudé [Tue, 24 Feb 2026 16:25:35 +0000 (17:25 +0100)] 
fsdev: Build stubs once

Move stubs to the global stub_ss[] source set. These files
are now built once for all binaries, instead of one time
per system binary.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260225035739.42848-11-philmd@linaro.org>

3 months ago tests/qtest/test-hmp: Free machine options
Fabiano Rosas [Fri, 13 Mar 2026 18:29:54 +0000 (15:29 -0300)] 
tests/qtest/test-hmp: Free machine options

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260313182957.28432-3-farosas@suse.de
Signed-off-by: Fabiano Rosas <farosas@suse.de>

3 months ago tests/qtest: Don't dup machine name in qtest_cb_for_every_machine callbacks
Fabiano Rosas [Fri, 13 Mar 2026 18:29:53 +0000 (15:29 -0300)] 
tests/qtest: Don't dup machine name in qtest_cb_for_every_machine callbacks

The qtest_get_machines function caches the list of machines in a
static variable. Dup'ing the machine->name string only serves to leak
that memory when a single test is executed.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260313182957.28432-2-farosas@suse.de
Signed-off-by: Fabiano Rosas <farosas@suse.de>

3 months ago migration: fix implicit integer division in migration_update_counters
Aadeshveer Singh [Mon, 16 Mar 2026 13:45:09 +0000 (19:15 +0530)] 
migration: fix implicit integer division in migration_update_counters

switchover_bw is a uint64_t, so switchover_bw / 1000 results in an
integer division. This value is then assigned to expected_bw_per_ms
which is of type double. This results in losing precision and is type
unsafe. Adding explicit cast ensures floating-point division.

Signed-off-by: Aadeshveer Singh <aadeshveer07@gmail.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260316134509.157964-1-aadeshveer07@gmail.com
Signed-off-by: Fabiano Rosas <farosas@suse.de>

3 months ago coreaudio: Initialize the buffer for device change
Akihiko Odaki [Wed, 4 Mar 2026 06:16:59 +0000 (15:16 +0900)] 
coreaudio: Initialize the buffer for device change

Reallocate buffers when the active device changes as the required buffer
size may differ.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Phil Dennis-Jordan <phil@philjordan.eu>
Acked-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20260304-coreaudio-v8-6-bf1d40731e73@rsg.ci.i.u-tokyo.ac.jp>

3 months ago audio: Add functions to initialize buffers
Akihiko Odaki [Wed, 4 Mar 2026 06:16:58 +0000 (15:16 +0900)] 
audio: Add functions to initialize buffers

These functions can be used to re-initialize buffers when hardware
parameters change due to device hotplug, for example.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Phil Dennis-Jordan <phil@philjordan.eu>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20260304-coreaudio-v8-5-bf1d40731e73@rsg.ci.i.u-tokyo.ac.jp>

3 months ago coreaudio: Commit the result of init in the end
Akihiko Odaki [Wed, 4 Mar 2026 06:16:57 +0000 (15:16 +0900)] 
coreaudio: Commit the result of init in the end

init_out_device may only commit some part of the result and leave the
state inconsistent when it encounters a fatal error or the device gets
unplugged during the operation, which is expressed by
kAudioHardwareBadObjectError or kAudioHardwareBadDeviceError. Commit the
result in the end of the function so that it commits the result iff it
sees no fatal error and the device remains plugged.

With this change, handle_voice_change can rely on core->outputDeviceID
to know whether the output device is initialized after calling
init_out_device.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20260304-coreaudio-v8-4-bf1d40731e73@rsg.ci.i.u-tokyo.ac.jp>

3 months ago coreaudio: Improve naming
Akihiko Odaki [Wed, 4 Mar 2026 06:16:56 +0000 (15:16 +0900)] 
coreaudio: Improve naming

coreaudio had names that are not conforming to QEMU coding style.
coreaudioVoiceOut also had some members that are prefixed with redundant
words like "output" or "audio".
Global names included "out" to tell they are specific to output devices,
but this rule was not completely enforced.
The frame size had three different names "frameSize", "bufferFrameSize",
and "frameCount".

Replace identifiers to fix these problems.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20260304-coreaudio-v8-3-bf1d40731e73@rsg.ci.i.u-tokyo.ac.jp>

3 months ago ui/surface: Avoid including epoxy/gl.h in header files
Akihiko Odaki [Tue, 3 Mar 2026 13:08:56 +0000 (22:08 +0900)] 
ui/surface: Avoid including epoxy/gl.h in header files

include/ui/shader.h and include/ui/surface.h are included by files that
do not depend on Epoxy so they shouldn't include epoxy/gl.h. Otherwise,
compilations of these files can fail because the path to the directory
containing epoxy/gl.h may not be passed to the compiler.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20260303-gl-v1-3-d90f0a237a52@rsg.ci.i.u-tokyo.ac.jp>

3 months ago ui/console: Remove DisplaySurface::mem_obj
Akihiko Odaki [Tue, 3 Mar 2026 13:08:55 +0000 (22:08 +0900)] 
ui/console: Remove DisplaySurface::mem_obj

Only spice uses it so move it to spice.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20260303-gl-v1-2-d90f0a237a52@rsg.ci.i.u-tokyo.ac.jp>

3 months ago ui/console: Unify pixman-OpenGL format mapping
Akihiko Odaki [Tue, 3 Mar 2026 13:08:54 +0000 (22:08 +0900)] 
ui/console: Unify pixman-OpenGL format mapping

console_gl_check_format() was supposed to check if the pixman format is
supported by surface_gl_create_texture(), but it missed
PIXMAN_BE_x8r8g8b8 and PIXMAN_BE_a8r8g8b8, which are properly mapped to
OpenGL formats by surface_gl_create_texture().

Fix the discrepancy of the two functions by sharing the code to map
pixman formats to OpenGL ones.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20260303-gl-v1-1-d90f0a237a52@rsg.ci.i.u-tokyo.ac.jp>

3 months ago dump: enhance dump_state_prepare fd initialization
Nikolai Barybin [Thu, 11 Sep 2025 12:36:55 +0000 (15:36 +0300)] 
dump: enhance dump_state_prepare fd initialization

Initializing descriptor with zero is unsafe: during cleanup we risk an
unconditional close of fd == 0 in case dump state wasn't fully
initialized. Thus, let's init fd with -1 value and check its value
before closing it.

Signed-off-by: Nikolai Barybin <nikolai.barybin@virtuozzo.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20250911123656.413160-2-nikolai.barybin@virtuozzo.com>

3 months ago ui/gtk-egl: Ensure EGL surface is available before drawing
Dongwon Kim [Tue, 3 Mar 2026 01:11:51 +0000 (17:11 -0800)] 
ui/gtk-egl: Ensure EGL surface is available before drawing

The EGL surface and context are destroyed when a new GTK window is
created. We must ensure these are recreated and initialized before
any rendering happens in gd_egl_refresh.

Currently, the check for a pending draw is performed before the
surface initialization block. This can result in an attempt to
draw when the EGL surface (vc->gfx.esurface) is not yet available.

This patch moves the drawing check after the surface initialization
to ensure a valid surface exists before rendering in gd_egl_refresh.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Signed-off-by: Dongwon Kim <dongwon.kim@intel.com>
Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20260303011151.1925827-1-dongwon.kim@intel.com>

3 months ago ui/dbus-listener: remove dbus_filter on connection close
Marc-André Lureau [Tue, 3 Mar 2026 16:41:12 +0000 (17:41 +0100)] 
ui/dbus-listener: remove dbus_filter on connection close

The dbus filter holds a strong reference to the DBusDisplayListener
(via GDestroyNotify) to ensure the listener remains alive while the
filter may still be running in another thread. This creates a
reference cycle (ddl -> conn -> filter -> ddl) that prevents the
listener from being freed.

Break the cycle by connecting to the connection's "closed" signal
and removing the filter when the connection closes.

Fixes: commit fa88b85dea96 ("ui/dbus: filter out pending messages when scanout")
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

3 months ago ui/dbus-listener: Fix FBO leak in dbus_cursor_dmabuf
Marc-André Lureau [Tue, 3 Mar 2026 16:36:06 +0000 (17:36 +0100)] 
ui/dbus-listener: Fix FBO leak in dbus_cursor_dmabuf

cursor_fb is a local egl_fb that gets an FBO allocated via
egl_fb_setup_for_tex but is never destroyed, leaking the
framebuffer object on every cursor update.

Add egl_fb_destroy() after the cursor data has been read.

Fixes: commit 142ca628a7 ("ui: add a D-Bus display backend")
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

3 months ago virtio-gpu: use computed rowstride instead of deriving it from hostmem
Marc-André Lureau [Tue, 10 Mar 2026 21:26:54 +0000 (01:26 +0400)] 
virtio-gpu: use computed rowstride instead of deriving it from hostmem

Since calc_image_hostmem() already computes the stride, return it and
use it directly. This is both simpler and more correct.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-Id: <20260311-cve-v1-2-f72b4c7c1ab2@redhat.com>

3 months ago virtio-gpu: fix overflow check when allocating 2d image
Marc-André Lureau [Tue, 10 Mar 2026 21:26:53 +0000 (01:26 +0400)] 
virtio-gpu: fix overflow check when allocating 2d image

The calc_image_hostmem() comment says pixman_image_create_bits() checks
for overflow. However, this relied on the facts that "bits" was NULL and
it performed it when it was introduced. Since commit 9462ff4695aa, the
"bits" argument can be provided and the check is no longer applied.

Promotes the computation to uint64_t and adds an explicit overflow check
to avoid potential later OOB read/write on the image data.

Fixes: CVE-2026-3886
Fixes: ZDI-CAN-27578
Fixes: 9462ff4695aa ("virtio-gpu/win32: allocate shareable 2d resources/images")
Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-Id: <20260311-cve-v1-1-f72b4c7c1ab2@redhat.com>

3 months ago ui/vdagent: add migration blocker when machine version < 10.1
Fiona Ebner [Tue, 10 Mar 2026 14:25:39 +0000 (15:25 +0100)] 
ui/vdagent: add migration blocker when machine version < 10.1

In QEMU 10.1, commit 5d56bff11e ("ui/vdagent: add migration support")
added migration support for the vdagent chardev and commit 42000e0013
("ui/vdagent: remove migration blocker") removed the migration
blocker. No compat for older machine versions was added, so migration
with pre-10.1 machine version, from a 10.1 binary to a pre-10.1 binary
will result in a failure when loading the VM state in the target
instance:

> Unknown savevm section or instance 'vdagent' 0. Make sure that your
> current VM setup matches your saved VM setup, including any
> hotplugged devices

Add a compat flag to block migration when the machine version is less
than 10.1 to avoid this.

Cc: qemu-stable@nongnu.org
Fixes: 42000e0013 ("ui/vdagent: remove migration blocker")
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20260310142552.240877-1-f.ebner@proxmox.com>

3 months ago rutabaga: improve error handling, fix potential crash during init
Marc-André Lureau [Tue, 27 Jan 2026 12:09:34 +0000 (16:09 +0400)] 
rutabaga: improve error handling, fix potential crash during init

When virtio_gpu_rutabaga_get_num_capsets() returns 0, virtio_init()
isn't called and the device later crashes during realize.

==72545==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x556ad6f7ba9e bp 0x7ffe6958f810 sp 0x7ffe6958f7e0 T0)
==72545==The signal is caused by a READ memory access.
==72545==Hint: address points to the zero page.
#0 0x556ad6f7ba9e in virtio_memory_listener_commit ../hw/virtio/virtio.c:4034
#1 0x556ad6a24c96 in listener_add_address_space ../system/memory.c:3128
#2 0x556ad6a25d15 in memory_listener_register ../system/memory.c:3216
#3 0x556ad6f7bf11 in virtio_device_realize ../hw/virtio/virtio.c:4075

Rework error handling of the function to set Error appropriately. 0
capset may be ok now.

Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

3 months ago audio/mixeng: drop some needless checks
Marc-André Lureau [Tue, 24 Feb 2026 16:32:29 +0000 (17:32 +0100)] 
audio/mixeng: drop some needless checks

The NULL checks for be, name, callback_fn, and as in
audio_mixeng_backend_open_{in,out} are redundant: the callers
audio_be_open_{in,out} already assert that name, callback_fn, and as
are non-NULL, and dereference be unconditionally via
AUDIO_BACKEND_GET_CLASS(be) before the call.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260224163229.2918858-1-marcandre.lureau@redhat.com>

3 months ago migration/options: Fix leaks in StrOrNull qdev accessors
Fabiano Rosas [Thu, 12 Mar 2026 20:46:19 +0000 (17:46 -0300)] 
migration/options: Fix leaks in StrOrNull qdev accessors

Fix a couple of possible leaks detected by Coverity. Both are
currently harmless. This code is only used for the very specific
purpose of maintaining compatibility of a few migration options which
can be set via QEMU command line (-global migration.tls-*). The
command line interface is not supported and only used during
development and testing.

1) The setter function set_StrOrNull() is invoked whenever the -global
migration.tls-* command line options are set. The way it could leak is
that the temporary "StrOrNull *str_or_null" object is allocated before
calling the visitor, which could fail and cause an early return of the
function, leaving *ptr unset and str_or_null leaking.

2) The getter function get_StrOrNull() is unreachable code. It's only
there to provide a complete implementation of the property. Still, the
way it could leak is that the temporary "StrOrNull *str_or_null" might
be allocated and is simply never returned to the caller nor freed.

Fix the possible leaks:

1) at set_StrOrNull(): change the allocation of str_or_null to happen
only after the visit call has returned successfully.

2) at get_StrOrNull(): assert that the object is non-NULL, there is no
need for a temporary object.

The reason it should be non-NULL is that the property is initialized
by the default setter of the qdev property. The initialization is
unlikely to fail because the call to the setter is set up by qdev,
which has boilerplate ensuring the to-be-set object is allocated and
of the correct type. Moreover, passing NULL via command line to
-global migration.tls-* is not possible.

A programming error could result in an invalid call to the setter,
which would leave the object NULL and cause a crash in the getter, but
that's not a worthwhile scenario to protect against given the low
probability of this code being even reached.

While here, update the comment about why there's no QNULL in this
StrOrNull property to be more clear.

Fixes: CID 1643919
Fixes: CID 1643920
Cc: Markus Armbruster <armbru@redhat.com>
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Prasad Pandit <pjp@fedoraproject.org>
Link: https://lore.kernel.org/qemu-devel/20260312204619.1969-1-farosas@suse.de
Signed-off-by: Fabiano Rosas <farosas@suse.de>

3 months ago migration: assert that the same migration handler is not being added twice
Ani Sinha [Wed, 11 Mar 2026 07:01:14 +0000 (12:31 +0530)] 
migration: assert that the same migration handler is not being added twice

Currently the code that adds a migration blocker does not check if the same
blocker already exists. Assert that the migration handler being added has
not been added already.

CC: Markus Armbruster <armbru@redhat.com>
CC: Peter Xu <peterx@redhat.com>
CC: Prasad Pandit <pjp@fedoraproject.org>
Reviewed-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Ani Sinha <anisinha@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260311070114.164434-1-anisinha@redhat.com
Signed-off-by: Fabiano Rosas <farosas@suse.de>

3 months ago tests/qtest/migration: Force exit-on-error=false
Fabiano Rosas [Wed, 11 Mar 2026 21:34:18 +0000 (18:34 -0300)] 
tests/qtest/migration: Force exit-on-error=false

Some tests can cause QEMU to exit(1) too early while the incoming
coroutine has not yielded for a first time yet. This trips ASAN
because resources related to dispatching the incoming process will
still be allocated in the io/channel.c layer without a
straight-forward way for the migration code to clean them up.

As an example of one such issue, the UUID validation happens early
enough that the temporary socket from qio_net_listener_channel_func()
still has an elevated refcount. If it fails, the listener dispatch
code never gets to free the resource:

Direct leak of 400 byte(s) in 1 object(s) allocated from:
    #0 0x55e668890a07 in malloc asan_malloc_linux.cpp:68:3
    #1 0x7f3c7e2b6648 in g_malloc ../glib/gmem.c:130
    #2 0x55e66a8ef05f in object_new_with_type ../qom/object.c:767:15
    #3 0x55e66a8ef178 in object_new ../qom/object.c:789:12
    #4 0x55e66a93bcc6 in qio_channel_socket_new ../io/channel-socket.c:70:31
    #5 0x55e66a93f34f in qio_channel_socket_accept ../io/channel-socket.c:401:12
    #6 0x55e66a96752a in qio_net_listener_channel_func ../io/net-listener.c:64:12
    #7 0x55e66a94bdac in qio_channel_fd_source_dispatch ../io/channel-watch.c:84:12
    #8 0x7f3c7e2adf4b in g_main_dispatch ../glib/gmain.c:3476
    #9 0x7f3c7e2adf4b in g_main_context_dispatch_unlocked ../glib/gmain.c:4284
    #10 0x7f3c7e2b00c8 in g_main_context_dispatch ../glib/gmain.c:4272

The exit(1) also requires some tests to set up qtest to expect a return
code of 1 from the QEMU process. Although we can check migration
status changes to be fairly certain where the failure happened, there
is always the possibility of QEMU exiting for another reason and the
test passing. This happens frequently with sanitizers enabled, but
also risks masking issues in the regular build.

Stop allowing the incoming migration to exit and instead require the
tests to wait for the FAILED state and end QEMU gracefully with
qtest_quit.

In practice this means setting exit-on-error=false for every incoming
migration, changing MIG_TEST_FAIL_DEST_QUIT_ERR to MIG_TEST_FAIL and
waiting for a change of state where necessary.

With this, the MIG_TEST_FAIL_DEST_QUIT_ERR error result is now unused,
remove it.

The affected tests are:
validate_uuid_error
multifd_tcp_cancel
dirty_limit
precopy_unix_tls_x509_default_host
precopy_tcp_tls_no_hostname
tcp_tls_x509_mismatch_host
dbus_vmstate_missing_src
dbus_vmstate_missing_dst

Also add a comment to QEMU source explaining that the incoming
coroutine might block for a while until it yields as this is the
actual root cause of the issue.

Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Prasad Pandit <pjp@fedoraproject.org>
Link: https://lore.kernel.org/qemu-devel/20260311213418.16951-6-farosas@suse.de
[assert that key doesn't already exist]
Signed-off-by: Fabiano Rosas <farosas@suse.de>

3 months ago migration/multifd: Fix leaks of TLS error objects
Fabiano Rosas [Wed, 11 Mar 2026 21:34:17 +0000 (18:34 -0300)] 
migration/multifd: Fix leaks of TLS error objects

The code currently ignores errors from multifd threads that happen
after a first error has already been propagated. Make sure the
subsequent errors are freed appropriately.

This fixes a leak of the TLS session->werr when the certificate
validation fails after multifd threads are already running. The first
writes on the threads will fail deep into the gnutls stack.

No need to check if(err) because the callers are all under a similar
check.

Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Prasad Pandit <pjp@fedoraproject.org>
Link: https://lore.kernel.org/qemu-devel/20260311213418.16951-5-farosas@suse.de
Signed-off-by: Fabiano Rosas <farosas@suse.de>

3 months ago tests/qtest/migration: Fix leak in CPR exec test
Fabiano Rosas [Wed, 11 Mar 2026 21:34:16 +0000 (18:34 -0300)] 
tests/qtest/migration: Fix leak in CPR exec test

The string was being dup'ed only to get around the const of the
qdict_get_str() return value.

Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Prasad Pandit <pjp@fedoraproject.org>
Link: https://lore.kernel.org/qemu-devel/20260311213418.16951-4-farosas@suse.de
Signed-off-by: Fabiano Rosas <farosas@suse.de>

3 months ago io: Fix TLS bye task leak
Fabiano Rosas [Wed, 11 Mar 2026 21:34:15 +0000 (18:34 -0300)] 
io: Fix TLS bye task leak

Recent fixes to TLS tasks memory handling have left the TLS bye task
uncovered. Fix by freeing the task in the same way the handshake task
is freed.

Direct leak of 704 byte(s) in 4 object(s) allocated from:
    #1 0x7f5909b1d6a0 in g_malloc0 ../glib/gmem.c:163
    #2 0x557650496d61 in qio_task_new ../io/task.c:58:12
    #3 0x557650475d7f in qio_channel_tls_bye ../io/channel-tls.c:352:12
    #4 0x55764f7a1bb4 in migration_tls_channel_end ../migration/tls.c:159:5
    #5 0x55764f709750 in migration_ioc_shutdown_gracefully ../migration/multifd.c:462:9
    #6 0x55764f6fcf53 in multifd_send_terminate_threads ../migration/multifd.c:493:13
    #7 0x55764f6fcafb in multifd_send_shutdown ../migration/multifd.c:580:5
    #8 0x55764f6e1b14 in migration_cleanup ../migration/migration.c:1323:9
    #9 0x55764f6f5bac in migration_cleanup_bh ../migration/migration.c:1350:5

Fixes: d39d0f3acd ("io: fix cleanup for TLS I/O source data on cancellation")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Acked-by: Daniel P. Berrangé <berrange@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260311213418.16951-3-farosas@suse.de
Signed-off-by: Fabiano Rosas <farosas@suse.de>

3 months ago tests/qtest/migration: Fix leak of migration tests data
Fabiano Rosas [Wed, 11 Mar 2026 21:34:14 +0000 (18:34 -0300)] 
tests/qtest/migration: Fix leak of migration tests data

When the migration-test is invoked with the '-p' flag (to run a single
test), the glib code won't call the destroy function for the
not-executed tests, causing the MigrationTest wrapper data to leak.

This doesn't affect make check, but affects debugging use-cases where
having a leak pop up in ASAN output is extra annoying.

Fix by adding the tests data to a list and freeing them all at the end
of migration-test execution. Any tests actually dispatched by glib
will have the destroy function called as usual.

Note that migration_test_add_suffix() is altered to call
migration_test_add() so that there's only one place adding the data to
the list.

Performance is not an issue at the moment, we have < 100 tests.

Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Prasad Pandit <pjp@fedoraproject.org>
Link: https://lore.kernel.org/qemu-devel/20260311213418.16951-2-farosas@suse.de
Signed-off-by: Fabiano Rosas <farosas@suse.de>

3 months ago ppc/pnv: fix dumpdtb option
Shivang Upadhyay [Wed, 11 Mar 2026 14:35:49 +0000 (20:05 +0530)] 
ppc/pnv: fix dumpdtb option

The '-machine dumpdtb' command line option stopped working on
PowerPC/pnv systems after recent design change [1].

Fixing this by generating fdt blob in `pnv_init`.

[1] https://lore.kernel.org/qemu-devel/20250206151214.2947842-1-peter.maydell@linaro.org/

Cc: Aditya Gupta <adityag@linux.ibm.com>
Cc: Harsh Prateek Bora <harshpb@linux.ibm.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: BALATON Zoltan <balaton@eik.bme.hu>
Cc: qemu-stable@nongnu.org
Fixes: 8fd2518ef2f8d34 ("hw: Centralize handling of -machine dumpdtb option")
Signed-off-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20260311143549.118720-1-shivangu@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>

3 months ago block/mirror: fix assertion failure upon duplicate complete for job using 'replaces'
Fiona Ebner [Wed, 11 Mar 2026 14:54:25 +0000 (15:54 +0100)] 
block/mirror: fix assertion failure upon duplicate complete for job using 'replaces'

If s->replace_blocker was already set by an earlier invocation of
mirror_complete(), then there will be an assertion failure when
error_setg() is called for it a second time. The bdrv_op_block_all()
and bdrv_ref() operations should only be done a single time too.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Message-Id: <20260311145717.668492-2-f.ebner@proxmox.com>
Reviewed-by: Hanna Czenczek <hreitz@redhat.com>
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>

3 months ago rust: fix build when --disable-rust and meson < 1.9
Paolo Bonzini [Sat, 14 Mar 2026 07:50:51 +0000 (08:50 +0100)] 
rust: fix build when --disable-rust and meson < 1.9

Commit e65030ed50ee moved rust_std and build.rust_std from per-target
override_options into the project's default_options, in order to avoid
repetition.  However, default_options are validated unconditionally at
project initialization, even when Rust is disabled.  This breaks builds
with meson < 1.9.0 which does not know about "build.rust_std":

  meson.build:1:0: ERROR: Unknown option: "build.rust_std".

Make the options conditional on the meson version, since Rust only
supports new versions of Meson anyway.

Fixes: e65030ed50ee ("rust: remove unnecessary repetitive options")
Reported-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

3 months ago build-sys: use the "run" variable
Marc-André Lureau [Wed, 11 Feb 2026 10:33:05 +0000 (14:33 +0400)] 
build-sys: use the "run" variable

Avoid unused variables and hand-written path, this should also help meson
to figure out the relation between the commands.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Link: https://lore.kernel.org/r/20260211103305.3112657-1-marcandre.lureau@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

3 months ago Merge tag 'pr-plugins-20260316' of https://gitlab.com/pbo-linaro/qemu into staging
Peter Maydell [Tue, 17 Mar 2026 10:20:30 +0000 (10:20 +0000)] 
Merge tag 'pr-plugins-20260316' of https://gitlab.com/pbo-linaro/qemu into staging

Changes:
- [PATCH] contrib/plugins/uftrace.c: fix depth for exit events (Pierrick Bouvier <pierrick.bouvier@linaro.org>)
Link: https://lore.kernel.org/qemu-devel/20260313063441.2048882-1-pierrick.bouvier@linaro.org
# gpg: Signature made Mon Mar 16 23:20:11 2026 GMT
# gpg:                using RSA key 66B994ECA14F7F2E5ABA081F7F90540D0A1CD00F
# gpg: Good signature from "Pierrick Bouvier <pierrick.bouvier@linaro.org>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 66B9 94EC A14F 7F2E 5ABA  081F 7F90 540D 0A1C D00F

* tag 'pr-plugins-20260316' of https://gitlab.com/pbo-linaro/qemu:
  contrib/plugins/uftrace.c: fix depth for exit events

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

3 months ago contrib/plugins/uftrace.c: fix depth for exit events
Pierrick Bouvier [Fri, 13 Mar 2026 06:34:41 +0000 (23:34 -0700)] 
contrib/plugins/uftrace.c: fix depth for exit events

Uftrace plugin was recording wrong depth for exit events, resulting in
incoherent traces, especially for partial ones.

Thanks to Honggyu Kim, one of the original authors of uftrace, who
spotted the issue.
https://github.com/namhyung/uftrace/pull/2031#issuecomment-4051762627

Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260313063441.2048882-1-pierrick.bouvier@linaro.org
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>

3 months ago throttle-group: Fix race condition in throttle_group_restart_queue()
Alberto Garcia [Thu, 12 Mar 2026 12:12:00 +0000 (13:12 +0100)] 
throttle-group: Fix race condition in throttle_group_restart_queue()

When a timer is fired a pending I/O request is restarted and
tg->any_timer_armed is reset so other requests can be scheduled.

However we're resetting any_timer_armed first in timer_cb() before
the request is actually restarted, and there's a window between both
moments in which another thread can arm the same timer, hitting an
assertion in throttle_group_restart_queue().

This can be solved by deferring the reset of tg->any_timer_armed to
the moment when the queue is actually restarted, which is protected by
tg->lock, preventing other threads from arming the timer before that.

In addition to that, throttle_group_restart_tgm() is also updated to
hold tg->lock while the timer is being inspected. Here we consider
three different scenarios:

- If the tgm has a timer set, fire it immediately
- If another tgm has a timer set, restart the queue anyway
- If there is no timer set in this group then simulate a timer that
  fires immediately, by setting tg->any_timer_armed in order to
  prevent other threads from arming a timer in the meantime.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3194
Signed-off-by: Alberto Garcia <berto@igalia.com>
Message-Id: <825598ef34ad384d936da19d634eda75598508f7.1773316842.git.berto@igalia.com>
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
3 months ago Merge tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu into staging
Peter Maydell [Mon, 16 Mar 2026 13:07:33 +0000 (13:07 +0000)] 
Merge tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu into staging

trivial patches for 2026-03-16

# gpg: Signature made Mon Mar 16 10:50:26 2026 GMT
# gpg:                using RSA key 64AA2AB531D56903366BFEF982AA4A243B1E9478
# gpg: Good signature from "Michael Tokarev <mjt@debian.org>" [full]
# gpg:                 aka "Michael Tokarev <mjt@corpit.ru>" [full]
# gpg:                 aka "Michael Tokarev <mjt@tls.msk.ru>" [full]
# Primary key fingerprint: 9D8B E14E 3F2A 9DD7 9199  28F1 61AD 3D98 ECDF 2C8E
#      Subkey fingerprint: 64AA 2AB5 31D5 6903 366B  FEF9 82AA 4A24 3B1E 9478

* tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu:
  rename CONFIG_EPOLL_CREATE1 to CONFIG_EPOLL, and stop checking for epoll in meson.build
  meson.build: do not check for epoll.h (CONFIG_EPOLL)
  linux-user: assume epoll is always present
  meson.build: stop checking for inotify_init()
  linux-user: assume inotify syscalls are always present
  meson.build: stop checking for splice()
  linux-user/syscall.c: assume splice is always present
  docs: Move xbzrle.txt into the migration folder and convert to rst
  target/i386: fix NULL pointer dereference in legacy-cache=off handling
  hw/usb/core.c: reorder usage and assertion of p->ep
  system/physmem.c: remove useless assertion of block
  dump/dump.c: reorder usage and assertion of block
  migration/savevm.c: reorder usage and assertion of mis->from_src_file

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago Merge tag 'pull-target-arm-20260316' of https://gitlab.com/pm215/qemu into staging
Peter Maydell [Mon, 16 Mar 2026 13:07:17 +0000 (13:07 +0000)] 
Merge tag 'pull-target-arm-20260316' of https://gitlab.com/pm215/qemu into staging

target-arm queue:
 * hw/net/rtl8319: Work around GCC sanitizer / -Wstringop-overflow bug
 * semihosting: Correctly byteswap data when CPU is in big-endian mode
 * hw/dma/pl080: Fix various minor bugs
 * MAINTAINERS: Remove some no-longer active maintainers
 * tests/qtest: Use g_strdup_printf() in various arm tests

# gpg: Signature made Mon Mar 16 10:41:35 2026 GMT
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# gpg:                 aka "Peter Maydell <peter@archaic.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20260316' of https://gitlab.com/pm215/qemu:
  tests/qtest/aspeed_gpio-test: Use g_strdup_printf() instead of char arrays
  tests/qtest/ast2700-gpio-test: Use g_strdup_printf() instead of char arrays
  tests/qtest/arm-cpu-features: Use g_strdup_printf() instead of char arrays
  tests/qtest/ast2700-sgpio-test: Use g_strdup_printf() instead of char arrays
  MAINTAINERS: Remove Chris Browy
  MAINTAINERS: Remove Andrey Smirnov
  MAINTAINERS: Remove Radoslaw Biernacki
  MAINTAINERS: Remove Eduardo Habkost
  MAINTAINERS: Remove Cameron Esfahani
  MAINTAINERS: Remove Hannes Reinecke
  hw/dma/pl080: Ignore bottom 2 bits of LLI register
  hw/dma/pl080: Update interrupts after pl080_run()
  hw/dma/pl080: Handle bogus swidth and dwidth in transfers
  semihosting/uaccess: Use the cpu_internal_tswap() functions
  include/exec: Provide the cpu_internal_tswap() functions
  include/hw/core: Rename virtio_is_big_endian to internal_is_big_endian
  hw/net/rtl8319: Work around GCC sanitizer / -Wstringop-overflow bug

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago rename CONFIG_EPOLL_CREATE1 to CONFIG_EPOLL, and stop checking for epoll in meson...
Michael Tokarev [Fri, 9 Jan 2026 21:22:25 +0000 (00:22 +0300)] 
rename CONFIG_EPOLL_CREATE1 to CONFIG_EPOLL, and stop checking for epoll in meson.build

Since CONFIG_EPOLL is now unused, it's okay to
perform this rename, to make it less ugly.

Since epoll is linux-specific and is always present on linux,
define CONFIG_EPOLL to 1 on linux, without compile-time test.

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
3 months ago meson.build: do not check for epoll.h (CONFIG_EPOLL)
Michael Tokarev [Fri, 9 Jan 2026 21:19:38 +0000 (00:19 +0300)] 
meson.build: do not check for epoll.h (CONFIG_EPOLL)

The only place where we used CONFIG_EPOLL was linux-user,
which now enables it unconditionally.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
3 months ago linux-user: assume epoll is always present
Michael Tokarev [Fri, 9 Jan 2026 21:14:57 +0000 (00:14 +0300)] 
linux-user: assume epoll is always present

epoll is in linux since 2.6 (glibc 2.3.2).
epoll_init1 has been added in 2.6.27 (glibc 2.9).
There's no need to check for its presence, including all other
epoll-related syscalls.

Modern architectures don't have epoll_create(), only
epoll_create1(), so keep conditional around the former.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
3 months ago meson.build: stop checking for inotify_init()
Michael Tokarev [Fri, 9 Jan 2026 20:48:09 +0000 (23:48 +0300)] 
meson.build: stop checking for inotify_init()

The only place in qemu which used the check for inotify_init()
was linux-user, which now assumes inotify_init() is always
present.  There's no need to check for this function anymore.

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
3 months ago linux-user: assume inotify syscalls are always present
Michael Tokarev [Fri, 9 Jan 2026 20:46:02 +0000 (23:46 +0300)]
linux-user: assume inotify syscalls are always present

inotify_init() and other syscalls appeared in linux 2.6.13,
inotify_init1() - in linux 2.6.27.

There's no need to check their presence on linux anymore.

Keep condition on TARGET_NR_inotify_init because modern
architectures have only more generic inotify_init1().

Other, not linux-specific, places of the code check for
inotify_init1() syscall only.

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
3 months ago meson.build: stop checking for splice()
Michael Tokarev [Fri, 9 Jan 2026 20:28:09 +0000 (23:28 +0300)] 
meson.build: stop checking for splice()

CONFIG_SPLICE was only needed for linux-user/, where it is not
used anymore (assuming splice & Co. is always present).

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
3 months ago linux-user/syscall.c: assume splice is always present
Michael Tokarev [Fri, 9 Jan 2026 20:27:05 +0000 (23:27 +0300)] 
linux-user/syscall.c: assume splice is always present

splice() & Co. are defined since linux 2.6.17 (glibc 2.5).
Assume it is always present.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
3 months ago docs: Move xbzrle.txt into the migration folder and convert to rst
Thomas Huth [Tue, 10 Mar 2026 09:28:22 +0000 (10:28 +0100)] 
docs: Move xbzrle.txt into the migration folder and convert to rst

xbzrle is a feature of migration and thus this file should go
into the docs/devel/migration/ folder. While we're at it, turn
it into proper .rst format, too.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
3 months ago target/i386: fix NULL pointer dereference in legacy-cache=off handling
Sergei Heifetz [Thu, 5 Mar 2026 06:04:31 +0000 (11:04 +0500)] 
target/i386: fix NULL pointer dereference in legacy-cache=off handling

The check that xcc->model is not NULL occurs after it is dereferenced
inside x86_cpu_get_versioned_cache_info(), so something like
`-cpu host,legacy-cache=off` leads to a segfault rather than an error.
This patch fixes that.

Fixes: cca0a000d06f897411a8a ("target/i386: allow versioned CPUs to specify new cache_info")
Signed-off-by: Sergei Heifetz <heifetz@yandex-team.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
[Mjt: simplify the following condition too]
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
3 months ago hw/usb/core.c: reorder usage and assertion of p->ep
Sergei Heifetz [Sun, 8 Feb 2026 10:39:58 +0000 (15:39 +0500)] 
hw/usb/core.c: reorder usage and assertion of p->ep

Reorder the code so the assertion of p->ep occurs before it is
used in the subsequent lines.

Signed-off-by: Sergei Heifetz <heifetz@yandex-team.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
3 months ago system/physmem.c: remove useless assertion of block
Sergei Heifetz [Sun, 8 Feb 2026 10:39:57 +0000 (15:39 +0500)] 
system/physmem.c: remove useless assertion of block

It is useless to assert that block is not NULL because it is
already dereferenced in the first line of the function.

The assertion is also unnecessary because the function is called
in only two places, and `block` can't be NULL in either of them:
- In `migration/ram.c`, we have already dereferenced `block` in
  the code just before the call.
- In `system/memory.c`, we assert `mr->ram_block` before passing
  it to the function.

(We could split the declaration and initialization of oldsize,
but then we would need to remove the const qualifier. As the
assertion is useless anyway, removing the const qualifier seems
worse.)

Signed-off-by: Sergei Heifetz <heifetz@yandex-team.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
3 months ago dump/dump.c: reorder usage and assertion of block
Sergei Heifetz [Sun, 8 Feb 2026 10:39:56 +0000 (15:39 +0500)] 
dump/dump.c: reorder usage and assertion of block

Reorder the code so the assertion of block occurs before it is
used in the subsequent lines.

Signed-off-by: Sergei Heifetz <heifetz@yandex-team.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
3 months ago migration/savevm.c: reorder usage and assertion of mis->from_src_file
Sergei Heifetz [Sun, 8 Feb 2026 10:39:55 +0000 (15:39 +0500)] 
migration/savevm.c: reorder usage and assertion of mis->from_src_file

Reorder the code so the assertion of mis->from_src_file occurs before
the call to migration_ioc_unregister_yank_from_file, which dereferences
it in qemu_file_get_ioc.

Fixes: 39675ffffb3394 ("migration: Move the yank unregister of channel_close out")
Signed-off-by: Sergei Heifetz <heifetz@yandex-team.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
3 months ago Merge tag 'pull-request-2026-03-16' of https://gitlab.com/thuth/qemu into staging
Peter Maydell [Mon, 16 Mar 2026 10:43:15 +0000 (10:43 +0000)] 
Merge tag 'pull-request-2026-03-16' of https://gitlab.com/thuth/qemu into staging

* Fix various crashes that can occur when starting QEMU with -device xyz,help
* Update various sections in the MAINTAINERS file

# gpg: Signature made Mon Mar 16 10:39:28 2026 GMT
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [undefined]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* tag 'pull-request-2026-03-16' of https://gitlab.com/thuth/qemu:
  MAINTAINERS: Add another reviewer to s390x boot
  MAINTAINERS: Downgrade the functional testing section to "Odd Fixes"
  MAINTAINERS: Remove myself from various sections
  MAINTAINERS: Update the s390x maintainers
  MAINTAINERS: Update S390-ccw boot maintainers/reviewers
  hw/acpi: generic_event_device: Don't call qdev_get_machine in initfn
  hw/arm: fsl-imx6: Don't call qdev_get_machine in soc init
  hw/arm: fsl-imx8mp: Don't call qdev_get_machine in soc init
  hw/arm: fsl-imx7: Don't call qdev_get_machine in soc init
  hw/arm: xlnx-zynqmp: Don't call qdev_get_machine in soc init
  hw/riscv: microchip_pfsoc: Don't call qdev_get_machine in soc init
  hw/riscv: sifive_e: Don't call qdev_get_machine in soc init
  target/mips/cpu: Move initialization of memory region to realize function
  target/xtensa/cpu: Move initialization of memory region to realize function

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago Merge tag 'linux-user-for-v11-pull-request' of https://github.com/hdeller/qemu-hppa...
Peter Maydell [Mon, 16 Mar 2026 10:42:41 +0000 (10:42 +0000)] 
Merge tag 'linux-user-for-v11-pull-request' of https://github.com/hdeller/qemu-hppa into staging

Two linux-user patches

Two linux-user patches from Razvan Ghiorghe.

# gpg: Signature made Fri Mar 13 18:29:39 2026 GMT
# gpg:                using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F
# gpg: Good signature from "Helge Deller <deller@gmx.de>" [unknown]
# gpg:                 aka "Helge Deller <deller@kernel.org>" [unknown]
# gpg:                 aka "Helge Deller <deller@debian.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4544 8228 2CD9 10DB EF3D  25F8 3E5F 3D04 A7A2 4603
#      Subkey fingerprint: BCE9 123E 1AD2 9F07 C049  BBDE F712 B510 A23A 0F5F

* tag 'linux-user-for-v11-pull-request' of https://github.com/hdeller/qemu-hppa:
  linux-user: fix mremap with old_size=0 for shared mappings
  linux-user: Fix zero_bss for RX PT_LOAD segments

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months ago MAINTAINERS: Add another reviewer to s390x boot
Eric Farman [Fri, 13 Mar 2026 19:48:10 +0000 (20:48 +0100)] 
MAINTAINERS: Add another reviewer to s390x boot

Jason offered to help review this area of code;
let's make sure he's notified of changes.

Signed-off-by: Eric Farman <farman@linux.ibm.com>
Message-ID: <20260313194810.1844241-2-farman@linux.ibm.com>
Acked-by: Jason J. Herne <jjherne@linux.ibm.com>
Acked-by: Matthew Rosato <mjrosato@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago MAINTAINERS: Downgrade the functional testing section to "Odd Fixes"
Thomas Huth [Fri, 13 Mar 2026 11:34:22 +0000 (12:34 +0100)] 
MAINTAINERS: Downgrade the functional testing section to "Odd Fixes"

I won't have that much time for QEMU anymore in the future, so downgrade
the status of the "functional testing framework" section to "Odd Fixes"
to avoid wrong expectations. While we're at it, also switch to my other
e-mail address here that I'm already using for the other sections where
I am still listed as maintainer / reviewer.

Message-ID: <20260313113424.15583-5-thuth@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago MAINTAINERS: Remove myself from various sections
Thomas Huth [Fri, 13 Mar 2026 11:34:21 +0000 (12:34 +0100)] 
MAINTAINERS: Remove myself from various sections

I likely won't have much time in the future for QEMU anymore, so
remove myself from various sections that have already enough other
maintainers / reviewers.

Message-ID: <20260313113424.15583-4-thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago MAINTAINERS: Update the s390x maintainers
Thomas Huth [Fri, 13 Mar 2026 11:34:20 +0000 (12:34 +0100)] 
MAINTAINERS: Update the s390x maintainers

I'm going to move to another project next month, so I will not have
enough time to take care of s390x patches anymore. Fortunately,
Cornelia volunteered to take over the job of collecting s390x patches,
and Eric and Matthew offered help to back her up, so we can keep
the "S390 general architecture support" section in the "supported"
state. Thanks for your help, Cornelia, Eric and Matthew!

Message-ID: <20260313113424.15583-3-thuth@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Acked-by: Eric Farman <farman@linux.ibm.com>
Acked-by: Matthew Rosato <mjrosato@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago MAINTAINERS: Update S390-ccw boot maintainers/reviewers
Jared Rossi [Fri, 13 Mar 2026 11:34:19 +0000 (12:34 +0100)] 
MAINTAINERS: Update S390-ccw boot maintainers/reviewers

Christian Borntraeger is no longer active in this space.  Promote myself to
maintainer and demote Christian to reviewer.

Signed-off-by: Jared Rossi <jrossi@linux.ibm.com>
Acked-by: Eric Farman <farman@linux.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260310142118.1120291-1-jrossi@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260313113424.15583-2-thuth@redhat.com>

3 months ago hw/acpi: generic_event_device: Don't call qdev_get_machine in initfn
Alistair Francis [Thu, 12 Mar 2026 04:31:58 +0000 (14:31 +1000)] 
hw/acpi: generic_event_device: Don't call qdev_get_machine in initfn

Calling qdev_get_machine() in the acpi_ged_initfn function would result
in the following assert

    ../hw/core/qdev.c:858: qdev_get_machine: Assertion `dev' failed.

when trying to run

    ./qemu-system-aarch64 -S -display none -M virt -device acpi-ged,help

as the machine wasn't created yet. We call qdev_get_machine() to obtain
the ram slots of the machine. So instead of initialising the GED in
the init let's instead do it in the realise where the machine
will exist.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260312043158.4191378-8-alistair.francis@wdc.com>
[thuth: Replaced soc_init with acpi_ged_initfn in the patch description]
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago hw/arm: fsl-imx6: Don't call qdev_get_machine in soc init
Alistair Francis [Thu, 12 Mar 2026 04:31:57 +0000 (14:31 +1000)] 
hw/arm: fsl-imx6: Don't call qdev_get_machine in soc init

Calling qdev_get_machine() in the soc_init function would result in
the following assert

    ../hw/core/qdev.c:858: qdev_get_machine: Assertion `dev' failed.

when trying to run

    ./qemu-system-aarch64 -S -display none -M virt -device fsl-imx6,help

as the machine wasn't created yet. We call qdev_get_machine() to obtain
the number of CPUs in the machine. So instead of initialising the CPUs in
the SoC init let's instead do it in the realise where the machine
will exist.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260312043158.4191378-7-alistair.francis@wdc.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago hw/arm: fsl-imx8mp: Don't call qdev_get_machine in soc init
Alistair Francis [Thu, 12 Mar 2026 04:31:56 +0000 (14:31 +1000)] 
hw/arm: fsl-imx8mp: Don't call qdev_get_machine in soc init

Calling qdev_get_machine() in the soc_init function would result in
the following assert

    ../hw/core/qdev.c:858: qdev_get_machine: Assertion `dev' failed.

when trying to run

    ./qemu-system-aarch64 -S -display none -M virt -device fsl-imx8mp,help

as the machine wasn't created yet. We call qdev_get_machine() to obtain
the number of CPUs in the machine. So instead of initialising the CPUs in
the SoC init let's instead do it in the realise where the machine
will exist.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260312043158.4191378-6-alistair.francis@wdc.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago hw/arm: fsl-imx7: Don't call qdev_get_machine in soc init
Alistair Francis [Thu, 12 Mar 2026 04:31:55 +0000 (14:31 +1000)] 
hw/arm: fsl-imx7: Don't call qdev_get_machine in soc init

Calling qdev_get_machine() in the soc_init function would result in
the following assert

    ../hw/core/qdev.c:858: qdev_get_machine: Assertion `dev' failed.

when trying to run

    ./qemu-system-aarch64 -S -display none -M virt -device fsl-imx7,help

as the machine wasn't created yet. We call qdev_get_machine() to obtain
the number of CPUs in the machine. So instead of initialising the CPUs in
the SoC init let's instead do it in the realise where the machine
will exist.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260312043158.4191378-5-alistair.francis@wdc.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago hw/arm: xlnx-zynqmp: Don't call qdev_get_machine in soc init
Alistair Francis [Thu, 12 Mar 2026 04:31:54 +0000 (14:31 +1000)] 
hw/arm: xlnx-zynqmp: Don't call qdev_get_machine in soc init

Calling qdev_get_machine() in the soc_init function would result in
the following assert

    ../hw/core/qdev.c:858: qdev_get_machine: Assertion `dev' failed.

when trying to run

    ./qemu-system-aarch64 -S -display none -M virt -device xlnx-zynqmp,help

as the machine wasn't created yet. We call qdev_get_machine() to obtain
the number of CPUs in the machine. So instead of initialising the CPUs in
the SoC init let's instead do it in the realise where the machine
will exist.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260312043158.4191378-4-alistair.francis@wdc.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago hw/riscv: microchip_pfsoc: Don't call qdev_get_machine in soc init
Alistair Francis [Thu, 12 Mar 2026 04:31:53 +0000 (14:31 +1000)] 
hw/riscv: microchip_pfsoc: Don't call qdev_get_machine in soc init

Calling qdev_get_machine() in the soc_init function would result in
the following assert

    ../hw/core/qdev.c:858: qdev_get_machine: Assertion `dev' failed.

when trying to run

    ./qemu-system-riscv64 -S -display none -M virt -device microchip.pfsoc,help

as the machine wasn't created yet. We call qdev_get_machine() to obtain
the number of CPUs in the machine. So instead of setting the CPU
num-harts in the init function let's set it in realise where the machine
will exist.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260312043158.4191378-3-alistair.francis@wdc.com>
[thuth: Fix a complaint from checkpatch.pl with regards to multi-line comment]
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago hw/riscv: sifive_e: Don't call qdev_get_machine in soc init
Alistair Francis [Thu, 12 Mar 2026 04:31:52 +0000 (14:31 +1000)] 
hw/riscv: sifive_e: Don't call qdev_get_machine in soc init

Calling qdev_get_machine() in the soc_init function would result in
the following assert

    ../hw/core/qdev.c:858: qdev_get_machine: Assertion `dev' failed.

when trying to run

    ./qemu-system-riscv64 -S -display none -M virt -device riscv.sifive.e.soc,help

as the machine wasn't created yet. We call qdev_get_machine() to obtain
the number of CPUs in the machine. So instead of setting the CPU
num-harts in the init function let's set it in realise where the machine
will exist.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260312043158.4191378-2-alistair.francis@wdc.com>
[thuth: Fix a complaint from checkpatch.pl with regards to multi-line comment]
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months ago target/mips/cpu: Move initialization of memory region to realize function
Thomas Huth [Wed, 11 Mar 2026 21:16:29 +0000 (22:16 +0100)] 
target/mips/cpu: Move initialization of memory region to realize function

When introspecting the Loongson-3A4000 CPUs from the command line, QEMU
currently crashes:

 $ ./qemu-system-mips64el -device Loongson-3A4000-mips64-cpu,help
 qemu-system-mips64el: ../../devel/qemu/system/physmem.c:1401:
  register_multipage: Assertion `num_pages' failed.
 Aborted (core dumped)

Move the initialization of the memory regions to the realize function
to fix this problem.

Reported-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <87y0jxzdrk.fsf@pond.sub.org>
Tested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260311211629.118608-1-thuth@redhat.com>

3 months ago target/xtensa/cpu: Move initialization of memory region to realize function
Thomas Huth [Wed, 11 Mar 2026 20:25:03 +0000 (21:25 +0100)] 
target/xtensa/cpu: Move initialization of memory region to realize function

When introspecting the xtensa CPUs from the command line, QEMU currently
crashes:

 $ ./qemu-system-xtensa -device dc233c-xtensa-cpu,help
 qemu-system-xtensa: ../../devel/qemu/system/physmem.c:1401:
  register_multipage: Assertion `num_pages' failed.
 Aborted (core dumped)

Move the initialization of the memory regions to the realize function
to fix this problem.

Reported-by: Markus Armbruster <armbru@redhat.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260311202503.107026-1-thuth@redhat.com>

3 months ago runstate: handle return code of EOPNOTSUPP properly from rebuild_guest()
Ani Sinha [Tue, 10 Mar 2026 09:44:48 +0000 (15:14 +0530)] 
runstate: handle return code of EOPNOTSUPP properly from rebuild_guest()

If rebuild_guest() accelerator callback returns EOPNOTSUPP, this means that the
accelerator does not support rebuilding the guest state. Handle this case
properly and separately from other error return codes.

Fixes: 4003e5e65fe0("hw/accel: add a per-accelerator callback to change VM accelerator handle")
Reported-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Signed-off-by: Ani Sinha <anisinha@redhat.com>
Link: https://lore.kernel.org/r/20260310094450.35861-2-anisinha@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 months ago tests/qtest/aspeed_gpio-test: Use g_strdup_printf() instead of char arrays
Peter Maydell [Tue, 10 Mar 2026 15:33:34 +0000 (15:33 +0000)] 
tests/qtest/aspeed_gpio-test: Use g_strdup_printf() instead of char arrays

Older versions of gcc with -Wformat-overflow=2 don't like the usage of
fixed size char arrays in this test; gcc 7.5.0 (SUSE Linux) says:

../tests/qtest/aspeed_gpio-test.c: In function ‘test_set_input_pins’:
../tests/qtest/aspeed_gpio-test.c:149:36: error: ‘sprintf’ may write a terminating nul past the end of the destination [-Werror=format-overflow=]
             sprintf(name, "gpio%c%d", c, i);
                                    ^
../tests/qtest/aspeed_gpio-test.c:149:13: note: ‘sprintf’ output between 7 and 17 bytes into a destination of size 16
             sprintf(name, "gpio%c%d", c, i);
             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This can't actually happen because of the limited size of the values
being substituted in.  However rather than require readers to check
whether the arrays really have been declared large enough, we prefer
to use g_strdup_printf() for this kind of string work.

Reported-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260310153334.3063224-3-peter.maydell@linaro.org

3 months ago tests/qtest/ast2700-gpio-test: Use g_strdup_printf() instead of char arrays
Peter Maydell [Tue, 10 Mar 2026 15:33:33 +0000 (15:33 +0000)] 
tests/qtest/ast2700-gpio-test: Use g_strdup_printf() instead of char arrays

Older versions of gcc with -Wformat-overflow=2 don't like the usage of
fixed size char arrays in this test; gcc 7.5.0 (SUSE Linux) says:

../tests/qtest/ast2700-gpio-test.c: In function ‘test_input_pins’:
../tests/qtest/ast2700-gpio-test.c:54:36: error: ‘sprintf’ may write a terminating nul past the end of the destination [-Werror=format-overflow=]
             sprintf(name, "gpio%c%d", c, i);
                                    ^
../tests/qtest/ast2700-gpio-test.c:54:13: note: ‘sprintf’ output between 7 and 17 bytes into a destination of size 16
             sprintf(name, "gpio%c%d", c, i);
             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This can't actually happen because of the limited size of the values
being substituted in.  However rather than require readers to check
whether the arrays really have been declared large enough, we prefer
to use g_strdup_printf() for this kind of string work.

Reported-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260310153334.3063224-2-peter.maydell@linaro.org