The HPPA target is a 64-bit one, so tcg_global_mem_new()
expands to tcg_global_mem_new_i64(). Use the latter which
is more explicit.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260205212914.10382-1-philmd@linaro.org>
tcg/optimize: possibly expand deposit into zero with shifts
Use tcg_op_imm_match to choose between expanding with AND+SHL vs SHL+SHR.
Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260303010833.1115741-8-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Paolo Bonzini [Tue, 3 Feb 2026 08:18:16 +0000 (09:18 +0100)]
tcg: target-dependent lowering of extract to shr/and
Instead of assuming only small immediates are available for AND,
consult the backend in order to decide between SHL/SHR and SHR/AND.
Reviewed-by: Jim MacArthur <jim.macarthur@linaro.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[rth: Split from a larger patch] Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260303010833.1115741-7-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Paolo Bonzini [Tue, 3 Feb 2026 07:53:53 +0000 (08:53 +0100)]
tcg: Add tcg_op_imm_match
Create a function to test whether the second operand of a
binary operation allows a given immediate.
Reviewed-by: Jim MacArthur <jim.macarthur@linaro.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[rth: Split out from a larger patch; keep the declaration internal.] Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260303010833.1115741-6-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Use extract2 to implement rotri. To make this easier,
redefine rotli in terms of rotri, rather than the reverse.
Reviewed-by: Jim MacArthur <jim.macarthur@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260303010833.1115741-5-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
tcg/optimize: Lower unsupported extract2 during optimize
The expansions that we chose in tcg-op.c may be less than optimal.
Delay lowering until optimize, so that we have propagated constants
and have computed known zero/one masks.
Reviewed-by: Jim MacArthur <jim.macarthur@linaro.org> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260303010833.1115741-4-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
tcg/optimize: Lower unsupported deposit during optimize
The expansions that we chose in tcg-op.c may be less than optimal.
Delay lowering until optimize, so that we have propagated constants
and have computed known zero/one masks.
Reviewed-by: Jim MacArthur <jim.macarthur@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260303010833.1115741-3-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
tcg: Drop extract+shl expansions in tcg_gen_deposit_z_*
The extract+shl expansion is handled in tcg_gen_andi_*
by preferring supported extract.
The shl+extract expansion is simply removed for now; it was
only present for slightly smaller code generation on x86.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260303010833.1115741-2-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
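The deposit-into-zero and extract lowerings discussed in the tcg commits above, worked as an added stand-alone C example (not QEMU code, and not TCG's real API): each field operation is written in both expansion forms so their equivalence can be checked, and a hypothetical `imm_ok` backend predicate stands in for the tcg_op_imm_match decision between the AND-based and the pure-shift form. The rotri-via-extract2 rewrite and rotli-in-terms-of-rotri are included too.

```c
#include <assert.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Low `len` bits set; len is in 1..64 so the shift stays defined. */
static uint64_t low_mask(unsigned len)
{
    return len == 64 ? ~0ULL : ((1ULL << len) - 1);
}

/* deposit_z(x, ofs, len): low `len` bits of x placed at bit `ofs` of a zero word.
 * Form 1: AND with a mask, then SHL.  Needs the mask as an immediate. */
static uint64_t deposit_z_and_shl(uint64_t x, unsigned ofs, unsigned len)
{
    assert(len >= 1 && ofs + len <= 64);
    return (x & low_mask(len)) << ofs;
}

/* Form 2: SHL so the field's top bit lands at bit 63, then SHR down to ofs.
 * Uses only shift immediates, which every backend accepts. */
static uint64_t deposit_z_shl_shr(uint64_t x, unsigned ofs, unsigned len)
{
    assert(len >= 1 && ofs + len <= 64);
    return (x << (64 - len)) >> (64 - len - ofs);
}

/* extract(x, ofs, len): the `len`-bit field at `ofs`, moved to bit 0.
 * Form 1: SHR then AND (mask immediate).  Form 2: SHL then SHR (shifts only). */
static uint64_t extract_shr_and(uint64_t x, unsigned ofs, unsigned len)
{
    assert(len >= 1 && ofs + len <= 64);
    return (x >> ofs) & low_mask(len);
}

static uint64_t extract_shl_shr(uint64_t x, unsigned ofs, unsigned len)
{
    assert(len >= 1 && ofs + len <= 64);
    return (x << (64 - len - ofs)) >> (64 - len);
}

/* extract2(ah, al, ofs): low 64 bits of the 128-bit value ah:al shifted right by ofs. */
static uint64_t extract2(uint64_t ah, uint64_t al, unsigned ofs)
{
    assert(ofs < 64);
    return ofs == 0 ? al : (al >> ofs) | (ah << (64 - ofs));
}

/* rotri implemented with extract2 by feeding the same word as both halves;
 * rotli is then defined in terms of rotri rather than the reverse. */
static uint64_t rotri(uint64_t x, unsigned r) { return extract2(x, x, r & 63); }
static uint64_t rotli(uint64_t x, unsigned r) { return rotri(x, (64 - (r & 63)) & 63); }

/* Hypothetical backend predicate: does the AND instruction accept `imm` directly?
 * This models an ISA whose AND takes a sign-extended 32-bit immediate (constructed
 * for the example; a real backend answers this through its own constraint tables). */
static bool imm_ok_and(uint64_t imm)
{
    return (int64_t)(int32_t)imm == (int64_t)imm;
}

/* Pick the expansion the way the commits describe: prefer AND+SHL when the
 * backend can encode the mask, otherwise fall back to SHL+SHR. Returns the
 * value and reports which form was chosen through *used_and. */
static uint64_t lower_deposit_z(uint64_t x, unsigned ofs, unsigned len,
                                bool (*imm_ok)(uint64_t), bool *used_and)
{
    uint64_t mask = low_mask(len);
    *used_and = imm_ok(mask);
    return *used_and ? deposit_z_and_shl(x, ofs, len)
                     : deposit_z_shl_shr(x, ofs, len);
}

/* Exhaustively confirm the two forms agree for every valid (ofs, len) pair. */
static bool forms_agree(uint64_t x)
{
    for (unsigned len = 1; len <= 64; len++) {
        for (unsigned ofs = 0; ofs + len <= 64; ofs++) {
            if (deposit_z_and_shl(x, ofs, len) != deposit_z_shl_shr(x, ofs, len) ||
                extract_shr_and(x, ofs, len) != extract_shl_shr(x, ofs, len)) {
                return false;
            }
        }
    }
    return true;
}

int main(void)
{
    bool used_and;
    uint64_t v = lower_deposit_z(0xFFFFULL, 8, 8, imm_ok_and, &used_and);
    printf("deposit_z(0xFFFF, 8, 8) = 0x%llX via %s\n",
           (unsigned long long)v, used_and ? "AND+SHL" : "SHL+SHR");
    printf("forms agree: %s\n", forms_agree(0x123456789ABCDEF0ULL) ? "yes" : "no");
    return 0;
}
```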
* tag 'python-pull-request' of https://gitlab.com/jsnow/qemu:
python: add formal python3.14 support and testing
python: drop avocado
python: replace avocado tests with pytest
python: pin 'wheel' version in minreqs test
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
whpx: i386: remove SIPI trapping
whpx: arm64: enable enlightenments if asked for
whpx: make Hyper-V enlightenments configurable
whpx: i386: enable some more enlightenments
target/i386: emulate: LA57 fix
whpx: i386: do not enable nested virt when kernel-irqchip=off
hvf: arm: unbreak the x86 build
target/i386/hvf/hvf.c: fix compilation
qemu-coroutine-lock: fix has_waiters()
xen-block: remove NULL pointer dereference
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Luigi Leonardi [Mon, 9 Mar 2026 08:55:52 +0000 (09:55 +0100)]
igvm: fix build when igvm is not installed in a well known path
`stubs/igvm.c` includes `igvm-internal.h`, that in turn includes the igvm library.
This is required just for the QIgvm declaration and creates an
unnecessary dependency on the library.
Since igvm is not listed as a dependency of stubs, this results in build
failing when the library is not installed in a "well known" path of the
system.
Add a forward declaration for QIgvm and move the definition of
`qigvm_directive_madt` to `igvm.h` so that we can drop `igvm-internal.h` from
`stubs/igvm.c`.
Fixes: dea1f68a5c ("igvm: Fill MADT IGVM parameter field on x86_64") Suggested-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
Message-ID: <20260309-master-v2-1-7e02f07a1096@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Thomas Huth [Fri, 6 Mar 2026 20:36:45 +0000 (21:36 +0100)]
pc-bios/s390-ccw: Fix compiler warning when compiling with DEBUG enabled
When compiling with DEBUG=1, there is currently a compiler warning:
pc-bios/s390-ccw: Compiling main.o
In file included from /home/thuth/devel/qemu/pc-bios/s390-ccw/main.c:14:
In file included from /home/thuth/devel/qemu/pc-bios/s390-ccw/helper.h:16:
/home/thuth/devel/qemu/pc-bios/s390-ccw/s390-ccw.h:122:31: warning: format specifies type
'unsigned int' but the argument has type 'u64' (aka 'unsigned long long') [-Wformat]
122 | printf("%s 0x%X\n", desc, addr);
| ~~ ^~~~
| %llX
1 warning generated.
Fix it by using the right format string here.
Message-ID: <20260306203645.28232-1-thuth@redhat.com> Reviewed-by: Farhan Ali <alifm@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Jared Rossi [Mon, 9 Mar 2026 00:36:01 +0000 (20:36 -0400)]
tests/qtest: Add s390x PCI boot test to cdrom-test.c
Add a rudimentary test for s390x IPL to verify that a guest may boot using
virtio-blk-pci device.
Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Jared Rossi <jrossi@linux.ibm.com>
Message-ID: <20260309003601.242634-16-jrossi@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Jared Rossi [Mon, 9 Mar 2026 00:36:00 +0000 (20:36 -0400)]
hw: Add "loadparm" property to virtio block PCI devices booting on s390x
The loadparm is required on s390x to pass the information to the boot loader
such as which kernel should be started or whether the boot menu should be shown.
Because PCI devices do not naturally allocate space for this, the property is
added on an architecture specific basis for supported device types.
Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Jared Rossi <jrossi@linux.ibm.com>
Message-ID: <20260309003601.242634-15-jrossi@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Jared Rossi [Mon, 9 Mar 2026 00:35:59 +0000 (20:35 -0400)]
s390x: Build IPLB for virtio-pci devices
Search for a corresponding S390PCIBusDevice and build an IPLB if a device has
been indexed for boot but does not identify as a CCW device.
PCI devices are not yet included in boot probing (they must have a boot index).
Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Eric Farman <farman@linux.ibm.com> Signed-off-by: Jared Rossi <jrossi@linux.ibm.com>
Message-ID: <20260309003601.242634-14-jrossi@linux.ibm.com>
[thuth: Fix endianness issue when running on a little endian host] Signed-off-by: Thomas Huth <thuth@redhat.com>
Jared Rossi [Mon, 9 Mar 2026 00:35:57 +0000 (20:35 -0400)]
pc-bios/s390-ccw: Introduce virtio-pci functions
Define common functionality for interacting with virtio-pci devices.
Signed-off-by: Jared Rossi <jrossi@linux.ibm.com> Acked-by: Matthew Rosato <mjrosato@linux.ibm.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Eric Farman <farman@linux.ibm.com>
Message-ID: <20260309003601.242634-12-jrossi@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Jared Rossi [Mon, 9 Mar 2026 00:35:56 +0000 (20:35 -0400)]
pc-bios/s390-ccw: Introduce PCI device
Define selected s390x PCI instructions.
Signed-off-by: Jared Rossi <jrossi@linux.ibm.com> Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com> Acked-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260309003601.242634-11-jrossi@linux.ibm.com> Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
[thuth: Remove unused defines as suggested by Farhan] Signed-off-by: Thomas Huth <thuth@redhat.com>
Jared Rossi [Mon, 9 Mar 2026 00:35:55 +0000 (20:35 -0400)]
s390x: Add definitions for PCI IPL type
Define a new PBT code and IPLB layout in preparation for supporting PCI device
IPL on s390x.
Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Eric Farman <farman@linux.ibm.com> Signed-off-by: Jared Rossi <jrossi@linux.ibm.com>
Message-ID: <20260309003601.242634-10-jrossi@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Jared Rossi [Mon, 9 Mar 2026 00:35:54 +0000 (20:35 -0400)]
pc-bios/s390-ccw: Introduce CLP Architecture
Call Logical Processor (CLP) Architecture is used for managing PCI functions on
s390x. Define and include the structures and routines needed to interact with
PCI devices during IPL.
Reviewed-by: Eric Farman <farman@linux.ibm.com> Signed-off-by: Jared Rossi <jrossi@linux.ibm.com> Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com> Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
Message-ID: <20260309003601.242634-9-jrossi@linux.ibm.com>
[thuth: fix a typo in one of the comments] Signed-off-by: Thomas Huth <thuth@redhat.com>
Jared Rossi [Mon, 9 Mar 2026 00:35:53 +0000 (20:35 -0400)]
include/hw/s390x: Move CLP definitions for easier BIOS access
Move the s390-pci-clp definitions into the "ipl" sub-directory, which is visible
to the s390-bios. This allows the bios to reuse the architected definitions and
prevents code duplication.
Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Eric Farman <farman@linux.ibm.com> Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com> Signed-off-by: Jared Rossi <jrossi@linux.ibm.com>
Message-ID: <20260309003601.242634-8-jrossi@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Jared Rossi [Mon, 9 Mar 2026 00:35:52 +0000 (20:35 -0400)]
pc-bios/s390-ccw: Split virtio-ccw and generic virtio
Separate the CCW specific virtio routines and create generic wrappers for easier
reuse of existing virtio functions with non-CCW devices.
Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Eric Farman <farman@linux.ibm.com> Signed-off-by: Jared Rossi <jrossi@linux.ibm.com>
Message-ID: <20260309003601.242634-7-jrossi@linux.ibm.com>
[thuth: Use SPDX license identifier in virtio-ccw.c] Signed-off-by: Thomas Huth <thuth@redhat.com>
Jared Rossi [Mon, 9 Mar 2026 00:35:51 +0000 (20:35 -0400)]
pc-bios/s390-ccw: Store device type independent of sense data
Store the device type (e.g. block) directly as an attribute of the VDev rather
than assume all devices can be identified by accessing CCW specific sense data.
Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Farhan Ali <alifm@linux.ibm.com> Signed-off-by: Jared Rossi <jrossi@linux.ibm.com>
Message-ID: <20260309003601.242634-6-jrossi@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Jared Rossi [Mon, 9 Mar 2026 00:35:50 +0000 (20:35 -0400)]
s390x: Remove duplicate definitions of IPL types
Remove the duplicate definitions from hw/s390x/ipl.h and pc-bios/s390-ccw/iplb.h
and add a shared definition. The new definition is an enum to enforce default
handling in switches.
Because the IPL type is determined by the IPLB, and because an IPLB is not
strictly necessary, the IPL type is set to a default value if not otherwise
specified. A default IPL type is required so future functionality may add
new IPL bus and/or device types that dictate specific behavior during IPL.
Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Jared Rossi <jrossi@linux.ibm.com>
Message-ID: <20260309003601.242634-5-jrossi@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Jared Rossi [Mon, 9 Mar 2026 00:35:49 +0000 (20:35 -0400)]
pc-bios/s390-ccw: Always reset virtio device on failed boot attempt
The virtio spec necessitates that live virtqueues must not be altered. Reset
the failed device so that the queues are not live before we attempt to boot any
fallback devices.
Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Eric Farman <farman@linux.ibm.com> Signed-off-by: Jared Rossi <jrossi@linux.ibm.com>
Message-ID: <20260309003601.242634-4-jrossi@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
The schid is already stored as an attribute of the VDev itself and any other
instances are copies of this same value. To avoid CCW specific attributes in
the VRing let's just access the existing VDev schid attribute as needed.
Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Eric Farman <farman@linux.ibm.com> Reviewed-by: Farhan Ali <alifm@linux.ibm.com> Signed-off-by: Jared Rossi <jrossi@linux.ibm.com>
Message-ID: <20260309003601.242634-3-jrossi@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Jared Rossi [Mon, 9 Mar 2026 00:35:47 +0000 (20:35 -0400)]
pc-bios/s390-ccw: Fix misattributed function prototypes
The virtio-blkdev functions are incorrectly listed in s390-ccw.h as belonging to
virtio.c. Additionally, virtio_load_direct() has an unused subchan_id argument.
Remove the unused argument and move the prototypes to virtio.h so that they are
independent from the CCW bus.
Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Eric Farman <farman@linux.ibm.com> Reviewed-by: Farhan Ali <alifm@linux.ibm.com> Signed-off-by: Jared Rossi <jrossi@linux.ibm.com>
Message-ID: <20260309003601.242634-2-jrossi@linux.ibm.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Don't implement a custom migration routine at PpcMigrationTest and
instead reuse the generic one from MigrationTest.
This removes the dependency of PpcMigrationTest from
PseriesMachine. Having one test import another causes unittest code to
instantiate the imported test, resulting in the setup and teardown
methods being invoked for the imported test class, even if no test
from that class will be executed.
If run in parallel, the extra setup/teardown methods that result from
importing can race with the ones from the actual test being executed
and cause the following error:
File "<SRC_DIR>/tests/functional/qemu_test/testcase.py", line 238, in tearDown
shutil.rmtree(self.workdir)
...
FileNotFoundError: [Errno 2] No such file or directory:
'<SRC_DIR>/build/tests/functional/ppc64/.../test_migration_with_exec/scratch'
The PseriesMachine class is changed to inherit from MigrationTest so
both the migration routines and the class attributes of PseriesMachine
can be accessed without the need to instantiate another object.
Fixes: f4e34d0fd5 ("tests/functional: Add a OS level migration test for pseries") Reported-by: Aditya Gupta <adityag@linux.ibm.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Fabiano Rosas <farosas@suse.de> Reviewed-by: Peter Xu <peterx@redhat.com> Tested-by: Aditya Gupta <adityag@linux.ibm.com>
Message-ID: <20260303173320.10942-5-farosas@suse.de>
[thuth: Remove superfluous ";" as suggested by Aditya] Signed-off-by: Thomas Huth <thuth@redhat.com>
Fabiano Rosas [Tue, 3 Mar 2026 17:33:19 +0000 (14:33 -0300)]
tests/functional/migration: Use the migrate_vms helper
Change do_migrate() to call the migrate_vms() helper and provide it
with the two VMs already created. Rename do_migrate -> migrate and
adjust the callers.
While here, standardize on the "src" and "dst" names.
Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Peter Xu <peterx@redhat.com> Signed-off-by: Fabiano Rosas <farosas@suse.de>
Message-ID: <20260303173320.10942-4-farosas@suse.de> Signed-off-by: Thomas Huth <thuth@redhat.com>
Fabiano Rosas [Tue, 3 Mar 2026 17:33:18 +0000 (14:33 -0300)]
tests/functional/migration: Add migrate_vms
Add a migration helper to MigrationTest that uses the migrate-incoming
QMP command and takes the already instantiated VMs. The -incoming
'defer' command line option is the preferred way instead of the -incoming
URI syntax that's currently used.
Suggested-by: Peter Xu <peterx@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Peter Xu <peterx@redhat.com> Signed-off-by: Fabiano Rosas <farosas@suse.de>
Message-ID: <20260303173320.10942-3-farosas@suse.de> Signed-off-by: Thomas Huth <thuth@redhat.com>
Fabiano Rosas [Tue, 3 Mar 2026 17:33:17 +0000 (14:33 -0300)]
tests/functional/migration: Use socket_dir
Use QemuBaseTest.socket_dir instead of calling tempfile directly so
all tests have consistent directory prefixes.
Suggested-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Peter Xu <peterx@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Fabiano Rosas <farosas@suse.de>
Message-ID: <20260303173320.10942-2-farosas@suse.de> Signed-off-by: Thomas Huth <thuth@redhat.com>
Peter Maydell [Mon, 9 Mar 2026 10:45:45 +0000 (10:45 +0000)]
tests/functional/x86_64: Disable memlock test for asan builds
The address-sanitizer intercepts mlock() and makes it a no-op,
because it interacts badly with the sanitizer's own use of large
amounts of memory. This means that our 'memlock' test will always
fail, because it checks via /proc for whether the QEMU process really
locked some pages. Don't add the test when QEMU is built with asan.
Suggested-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20260309104545.1550888-1-peter.maydell@linaro.org> Signed-off-by: Thomas Huth <thuth@redhat.com>
Thomas Huth [Tue, 13 Jan 2026 14:17:44 +0000 (15:17 +0100)]
tests/qemu-iotests: Mark 182 as Linux-only
Running test 182 on FreeBSD fails with this error message in the output:
+warning: File lock requested but OFD locking syscall is unavailable, falling back to POSIX file locks
+Due to the implementation, locks can be lost unexpectedly.
OFD locks seem to be only available on Linux, so let's mark this
test as Linux-only to silence the failure.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260113141744.97469-1-thuth@redhat.com>
kvm: replace RamDiscardManager by the RamBlockAttribute
No need to cast through the RamDiscardManager interface, use the
RamBlock already retrieved. Makes it more direct and readable, and allows
further refactoring to make RamDiscardManager an aggregator object in
the following patches.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Chenyi Qiang <chenyi.qiang@intel.com> Reviewed-by: Peter Xu <peterx@redhat.com> Link: https://lore.kernel.org/r/20260226140001.3622334-6-marcandre.lureau@redhat.com Signed-off-by: Peter Xu <peterx@redhat.com>
BALATON Zoltan [Sat, 7 Mar 2026 23:06:06 +0000 (00:06 +0100)]
memory: Factor out common ram region initialization
Introduce internal helper function to remove duplicated code from
different memory_region_init_*ram functions. Remove local err and
error_propagate and pass errp and check return value instead.
Also shorten some function prototypes while at it.
BALATON Zoltan [Sat, 7 Mar 2026 23:06:05 +0000 (00:06 +0100)]
memory: Add internal memory_region_register_ram function
Factor out common operation from memory_region_init_{ram,rom}
functions to register the region for migration. This avoids
duplicating the long comment in several functions.
BALATON Zoltan [Sat, 7 Mar 2026 23:06:03 +0000 (00:06 +0100)]
memory: Remove memory_region_init_ram_nomigrate()
Convert the last remaining use outside of memory.c in vga to use
memory_region_init_ram_flags_nomigrate() instead and inline and remove
the memory_region_init_ram_nomigrate() variant. This leaves
memory_region_init_ram_flags_nomigrate() as the only nomigrate variant
that is still needed at a few places.
BALATON Zoltan [Sat, 7 Mar 2026 23:06:01 +0000 (00:06 +0100)]
sun4m,sun4u,tcx: Do not use memory_region_init_ram_nomigrate()
Convert to use memory_region_init_{ram,rom} instead. This breaks
migration but these machines have no migration compatibility guarantee
and this removes most remaining usages of this nomigrate variant.
BALATON Zoltan [Sat, 7 Mar 2026 23:05:59 +0000 (00:05 +0100)]
hw/display/{cg3,tcx}: Do not use memory_region_init_rom_nomigrate()
Use memory_region_init_rom() instead which is what other devices do.
This breaks migration but these devices are only used by sparc Sun
machines which have no migration compatibility guarantee.
John Snow [Thu, 26 Feb 2026 21:34:00 +0000 (16:34 -0500)]
python: add formal python3.14 support and testing
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260226213400.1254014-5-jsnow@redhat.com> Signed-off-by: John Snow <jsnow@redhat.com>
John Snow [Thu, 26 Feb 2026 21:33:59 +0000 (16:33 -0500)]
python: drop avocado
Avocado-framework is no longer used for anything, so it can be removed.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260226213400.1254014-4-jsnow@redhat.com> Signed-off-by: John Snow <jsnow@redhat.com>
John Snow [Thu, 26 Feb 2026 21:33:58 +0000 (16:33 -0500)]
python: replace avocado tests with pytest
Following suit with the rest of this repository, drop avocado and
replace it with the Python standard "pytest" package.
Our ultimate goal is to merge these python tests with the meson test
suite, so the use of 'pytest' here is only a stop-gap solution to get
the GitLab CI 'check-python-tox' passing again following recent Python
packaging ecosystem changes.
Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20260226213400.1254014-3-jsnow@redhat.com>
[ran black autoformatter. --js] Signed-off-by: John Snow <jsnow@redhat.com>
John Snow [Thu, 26 Feb 2026 21:33:57 +0000 (16:33 -0500)]
python: pin 'wheel' version in minreqs test
With recent python packaging ecosystem updates, the latest 'wheel' is no
longer compatible with older packages - and was somehow still compatible
with our Python 3.9 environment. Pin wheel to an older version (Version
based on Debian 11's available wheel package) to remove warnings during
the minreqs test.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20260226213400.1254014-2-jsnow@redhat.com> Signed-off-by: John Snow <jsnow@redhat.com>
Peter Maydell [Mon, 9 Mar 2026 17:19:26 +0000 (17:19 +0000)]
Merge tag 'hw-misc-20260309' of https://github.com/philmd/qemu into staging
Misc HW patches
- Remove versioned machines released in QEMU 3.1 and 4.0
- Enable X.Org text rendering on ATI VGA model
- Various memory leaks / overflows fixed
- Build using -Wformat-overflow=2 CPPFLAG
* tag 'hw-misc-20260309' of https://github.com/philmd/qemu: (49 commits)
hw/misc/riscv_cpc: Free CPU array in instance_finalize
hw/misc/sifive_e_aon: Don't leak timer
hw/i3c/dw-i3c: Fix memory leaks in error logging paths
ati-vga: Do not access pixel outside the screen
ati-vga: Simplify hw cursor drawing
ati-vga: Implement HOST_DATA flush to VRAM
ati-vga: Implement HOST_DATA register writes
ati-vga: Implement scissor rectangle clipping for 2D operations
ati-vga: Remove ATIVGAState param from ati_2d_do_blt
ati-vga: Split ati_2d_do_blt from ati_2d_blt
ati-vga: Extract setup_2d_blt_ctx from ati_2d_blt
ati-vga: Introduce ATI2DCtx struct for 2D blit context
ati-vga: Use local variables for register values in ati_2d_blt
ati-vga: Remove src and dst stride mutation in ati_2d_blt
hw: Make qdev_get_printable_name() consistently return freeable string
hw/qdev: Document qdev_get_dev_path()
hw/timer/slavio_timer: Free resources allocated in instance_init
hw/sparc/sun4m: Use qdev GPIOs rather than qemu_allocate_irqs()
hw/sparc/sun4m: Don't set up dummy cpu interrupts
hw/net/npcm_gmac: Catch accesses off the end of the register array
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Mon, 9 Mar 2026 09:53:28 +0000 (09:53 +0000)]
hw/misc/riscv_cpc: Free CPU array in instance_finalize
The TYPE_RISCV_CPC device allocates an array in its instance_init,
but does not free this, leading to leaks like this from QOM/QMP
introspection:
Direct leak of 512 byte in 1 object allocated from:
#0 in calloc
#1 in g_malloc0
#2 in riscv_cpc_init /home/pm215/qemu/build/san/../../hw/misc/riscv_cpc.c:175:15
#3 in object_initialize_with_type /home/pm215/qemu/build/san/../../qom/object.c:570:5
#4 in object_new_with_type /home/pm215/qemu/build/san/../../qom/object.c:774:5
#5 in qmp_device_list_properties /home/pm215/qemu/build/san/../../qom/qom-qmp-cmds.c:206:11
#6 in qdev_device_help /home/pm215/qemu/build/san/../../system/qdev-monitor.c:313:17
#7 in hmp_device_add /home/pm215/qemu/build/san/../../system/qdev-monitor.c:1005:9
Free the array in instance_finalize.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260309095328.1406779-1-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Mon, 9 Mar 2026 09:51:29 +0000 (09:51 +0000)]
hw/misc/sifive_e_aon: Don't leak timer
The sifive_e_aon watchdog creates a timer with timer_new_ns() in its
instance_init method, but does not free it in instance_finalize.
This means that QMP introspection of the device leaks it:
Direct leak of 48 byte in 1 object allocated from:
#0 in calloc
#1 in g_malloc0
#2 in timer_new_full /home/pm215/qemu/include/qemu/timer.h:520:21
#3 in timer_new /home/pm215/qemu/include/qemu/timer.h:543:12
#4 in timer_new_ns /home/pm215/qemu/include/qemu/timer.h:563:12
#5 in sifive_e_aon_init /home/pm215/qemu/build/san/../../hw/misc/sifive_e_aon.c:286:21
#6 in object_initialize_with_type /home/pm215/qemu/build/san/../../qom/object.c:570:5
#7 in object_initialize /home/pm215/qemu/build/san/../../qom/object.c:578:5
#8 in object_initialize_child_with_propsv /home/pm215/qemu/build/san/../../qom/object.c:608:5
#9 in object_initialize_child_with_props /home/pm215/qemu/build/san/../../qom/object.c:591:10
#10 in object_initialize_child_internal /home/pm215/qemu/build/san/../../qom/object.c:645:5
#11 in object_initialize_with_type /home/pm215/qemu/build/san/../../qom/object.c:570:5
#12 in object_new_with_type /home/pm215/qemu/build/san/../../qom/object.c:774:5
#13 in qmp_device_list_properties /home/pm215/qemu/build/san/../../qom/qom-qmp-cmds.c:206:11
Allocating a separate QEMUTimer with timer_new() is not the preferred
interface (per the comments in include/qemu/timer.h); switch to an
inline struct initialized with timer_init(), which we can clean up
with timer_del() in finalize.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260309095129.1406506-1-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
hw/i3c/dw-i3c: Fix memory leaks in error logging paths
object_get_canonical_path() returns an allocated string that must be
freed by the caller. Use g_autofree variables to ensure that memory is
not leaked.
Resolves: Coverity CID 1645550
Resolves: Coverity CID 1645553 Signed-off-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260309093838.364126-1-clg@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
BALATON Zoltan [Sun, 8 Mar 2026 22:49:17 +0000 (23:49 +0100)]
ati-vga: Do not access pixel outside the screen
We check the end of screen before writing the pixel, but before that the
complement color also accesses the screen pixel, so we have to check before
that. This fixes a segmentation fault with guest_hwcursor when the pointer
is partially out of screen at the lower right corner.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> Reviewed-by: Chad Jablonski <chad@jablonski.xyz>
Message-ID: <26db0715a6b9f6504f394010513facc9a37882ad.1773009887.git.balaton@eik.bme.hu> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Chad Jablonski [Mon, 9 Mar 2026 01:47:52 +0000 (02:47 +0100)]
ati-vga: Implement HOST_DATA flush to VRAM
Implement flushing the 128-bit HOST_DATA accumulator to VRAM to enable
text rendering in X. Supports all datatypes (monochrome frgd/bkgd,
monochrome frgd, and color), however monochrome frgd support is
partial and does not properly handle transparency/leave-alone.
The flush is broken up into two steps. First, if necessary, expansion of the
monochrome bits to the destination color depth. Then the expanded pixels
are sent to the ati_2d_do_blt one scanline at a time. ati_2d_do_blt then
clips and performs the blit.
Signed-off-by: Chad Jablonski <chad@jablonski.xyz> Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu>
[balaton: Fix build without pixman] Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <8d0d4b52a16f5564e37bbc88496d7ab8d41477ac.1773020351.git.balaton@eik.bme.hu> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Chad Jablonski [Mon, 9 Mar 2026 01:47:51 +0000 (02:47 +0100)]
ati-vga: Implement HOST_DATA register writes
Writing to any of the HOST_DATA0-7 registers pushes the written data
into a 128-bit accumulator. When the accumulator is full a flush is
triggered to copy it to the framebuffer. A final write to HOST_DATA_LAST
will also initiate a flush. The flush itself is left for the next patch.
Unaligned HOST_DATA* writes result in, from what I can tell, undefined
behavior on real hardware. A well-behaved driver shouldn't be doing this
anyway. For that reason they are not handled here at all.
Signed-off-by: Chad Jablonski <chad@jablonski.xyz> Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu> Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <235adb69787c818afd023e7f32286166cc70744c.1773020351.git.balaton@eik.bme.hu> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Chad Jablonski [Mon, 9 Mar 2026 01:47:50 +0000 (02:47 +0100)]
ati-vga: Implement scissor rectangle clipping for 2D operations
Use scissor registers to clip blit operations. This is required
for text rendering in X using the r128 driver. Without it overly-wide
glyphs are drawn and create all sorts of chaos.
The visible destination rectangle (vis_dst) is the intersection of the
scissor rectangle and the destination rectangle (dst).
The src also needs to be offset if clipped on the top and/or
left sides to ensure that src data is read correctly and appears
clipped when drawn rather than shifted.
Signed-off-by: Chad Jablonski <chad@jablonski.xyz> Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu>
[balaton: Fix build without pixman] Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <4752dfbe240102c2ffa1f2cdab4c9442d4f0dcfb.1773020351.git.balaton@eik.bme.hu> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Chad Jablonski [Mon, 9 Mar 2026 01:47:48 +0000 (02:47 +0100)]
ati-vga: Split ati_2d_do_blt from ati_2d_blt
ati_2d_blt remains the public interface to the blitter but the bulk of
the implementation is moved down into ati_2d_do_blt which is passed an
ATI2DCtx.
ati_2d_do_blt returns a bool that is true when the blit succeeded, which
means that a screen region will need to be set dirty. Otherwise false is
returned.
Signed-off-by: Chad Jablonski <chad@jablonski.xyz>
Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu>
[balaton: Fix build without pixman]
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <367949c50ca140a2d18ae66234dafbbc586b553c.1773020351.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Chad Jablonski [Mon, 9 Mar 2026 01:47:47 +0000 (02:47 +0100)]
ati-vga: Extract setup_2d_blt_ctx from ati_2d_blt
setup_2d_blt_ctx is responsible for knowing how to retrieve the state
needed by ati_2d_blt from the registers and assigning it to the ATI2DCtx.
This will be useful in a future patch when HOST_DATA needs to make small
modifications to the ctx.
Signed-off-by: Chad Jablonski <chad@jablonski.xyz>
Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu>
[balaton: Fix build without pixman]
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <6e2dccba65d9b369e0db633c0149a77351827222.1773020351.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Chad Jablonski [Mon, 9 Mar 2026 01:47:45 +0000 (02:47 +0100)]
ati-vga: Use local variables for register values in ati_2d_blt
ati_2d_blt uses a mixture of locals and direct register access of needed
state. This assigns all values derived from register state to local
variables. It prepares the function for a larger refactor that removes
the dependency on the full device and direct register access entirely.
Signed-off-by: Chad Jablonski <chad@jablonski.xyz>
Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu>
[balaton: Fix build without pixman]
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <2c7f8fdc527e8c5bad237933a1c8a7a8e5068a3d.1773020351.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Chad Jablonski [Mon, 9 Mar 2026 01:47:44 +0000 (02:47 +0100)]
ati-vga: Remove src and dst stride mutation in ati_2d_blt
Pixman requires stride in words. So over the course of the ati_2d_blt
function both src and dst stride were mutated before being passed to
pixman and then back afterwards.
This creates local variables holding src and dst stride in words
avoiding the potentially confusing mutation.
Signed-off-by: Chad Jablonski <chad@jablonski.xyz>
Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu>
[balaton: Fix build without pixman]
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <7ab2227b96b73a63cb4fc61d0e6921e01900a4ee.1773020351.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Sat, 7 Mar 2026 15:50:46 +0000 (15:50 +0000)]
hw: Make qdev_get_printable_name() consistently return freeable string
The current implementation of qdev_get_printable_name() sometimes
returns a string that must not be freed (vdev->id or the fixed
fallback string "<unknown device>" and sometimes returns a string
that must be freed (the return value of qdev_get_dev_path()). This
forces callers to leak the string in the "must be freed" case.
Make the function consistent so that it always returns a string that
the caller must free, and make the three callsites free it.
This fixes leaks like this that show up when running "make check"
with the address sanitizer enabled:
Direct leak of 13 byte(s) in 1 object(s) allocated from:
#0 0x5561de21f293 in malloc (/home/pm215/qemu/build/san/qemu-system-i386+0x1a2d293) (BuildId: 6d6fad7130fd5c8dbbc03401df554f68b8034936)
#1 0x767ad7a82ac9 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62ac9) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
#2 0x5561deaf34f2 in pcibus_get_dev_path /home/pm215/qemu/build/san/../../hw/pci/pci.c:2792:12
#3 0x5561df9d8830 in qdev_get_printable_name /home/pm215/qemu/build/san/../../hw/core/qdev.c:431:24
#4 0x5561deebdca2 in virtio_init_region_cache /home/pm215/qemu/build/san/../../hw/virtio/virtio.c:298:17
#5 0x5561df05f842 in memory_region_write_accessor /home/pm215/qemu/build/san/../../system/memory.c:491:5
#6 0x5561df05ed1b in access_with_adjusted_size /home/pm215/qemu/build/san/../../system/memory.c:567:18
#7 0x5561df05e3fa in memory_region_dispatch_write /home/pm215/qemu/build/san/../../system/memory.c
#8 0x5561df0aa805 in address_space_stm_internal /home/pm215/qemu/build/san/../../system/memory_ldst.c.inc:85:13
#9 0x5561df0bcad3 in qtest_process_command /home/pm215/qemu/build/san/../../system/qtest.c:480:13
Cc: qemu-stable@nongnu.org
Fixes: e209d4d7a31b9 ("virtio: improve virtqueue mapping error messages")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260307155046.3940197-3-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
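The ownership contract this commit establishes, shown as an added C example that is not QEMU's qdev code: the "mixed" form returns borrowed pointers from two branches and an owned pointer from the third, so no caller can free correctly; the "owned" form returns a heap string from every branch and the caller frees once. The `Device` struct, `dev_get_path()` stand-in for qdev_get_dev_path(), and the sample ids and paths are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical device for this example (not QEMU's DeviceState). */
typedef struct {
    const char *id;        /* user-assigned id, may be NULL */
    const char *bus_path;  /* path the bus can compute, may be NULL */
} Device;

/* Portable strdup so the example builds under strict -std=c99. */
static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy) {
        memcpy(copy, s, n);
    }
    return copy;
}

/* Stand-in for qdev_get_dev_path(): returns a heap string the caller
 * must free, or NULL when no path is available. */
static char *dev_get_path(const Device *dev)
{
    return dev->bus_path ? xstrdup(dev->bus_path) : NULL;
}

/* The inconsistent "before" the commit message describes: the result is
 * borrowed on two paths and owned on one, so callers either leak or
 * free something they do not own. */
static const char *printable_name_mixed(const Device *dev)
{
    if (dev->id) {
        return dev->id;                 /* borrowed, must not be freed */
    }
    char *path = dev_get_path(dev);
    if (path) {
        return path;                    /* owned, leaks unless freed */
    }
    return "<unknown device>";          /* static, must not be freed */
}

/* The consistent "after": every branch returns an owned heap string. */
static char *printable_name_owned(const Device *dev)
{
    if (dev->id) {
        return xstrdup(dev->id);
    }
    char *path = dev_get_path(dev);
    if (path) {
        return path;
    }
    return xstrdup("<unknown device>");
}

/* Caller pattern: fetch, use, free in one place, whichever branch ran. */
static bool name_equals(const Device *dev, const char *expected)
{
    char *name = printable_name_owned(dev);
    bool ok = name != NULL && strcmp(name, expected) == 0;
    free(name);
    return ok;
}

int main(void)
{
    Device with_id = { "net0", "/pci/00.0" };   /* constructed sample */
    Device no_id = { NULL, "/pci/00.0" };
    Device bare = { NULL, NULL };

    /* The mixed form cannot be freed safely here without knowing the branch. */
    printf("mixed: %s\n", printable_name_mixed(&with_id));
    printf("owned: %d %d %d\n",
           name_equals(&with_id, "net0"),
           name_equals(&no_id, "/pci/00.0"),
           name_equals(&bare, "<unknown device>"));
    return 0;
}
```

The extra allocation on the `id` path is the price of a single rule every caller can follow; a leak sanitizer run, as in the trace above, is the check that the rule is being followed.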
Peter Maydell [Sat, 7 Mar 2026 15:50:45 +0000 (15:50 +0000)]
hw/qdev: Document qdev_get_dev_path()
We don't document qdev_get_dev_path() at all; in particular
we do not mention that it returns a string that the caller
must free.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260307155046.3940197-2-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Sat, 7 Mar 2026 11:29:31 +0000 (11:29 +0000)]
hw/timer/slavio_timer: Free resources allocated in instance_init
The slavio_timer device's instance_init function allocates memory for
TimerContext structs and a ptimer, but it never frees this memory, so
we will leak it if the QMP interface does introspection of this
device type, as reported by the clang address sanitizer:
Indirect leak of 4896 byte(s) in 17 object(s) allocated from:
#0 0x5f2948d9b14d in calloc (/home/pm215/qemu/build/san/qemu-system-sparc+0xe0c14d) (BuildId: 7210711bdf6f7fbd0b863bd2dfcc7c42c7175db1)
#1 0x758584b11771 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x63771) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
#2 0x5f2949097b8a in slavio_timer_init /home/pm215/qemu/build/san/../../hw/timer/slavio_timer.c:403:14
#3 0x5f29495d790f in object_initialize_with_type /home/pm215/qemu/build/san/../../qom/object.c:570:5
#4 0x5f29495d96ef in object_new_with_type /home/pm215/qemu/build/san/../../qom/object.c:774:5
#5 0x5f2949a30a26 in qmp_device_list_properties /home/pm215/qemu/build/san/../../qom/qom-qmp-cmds.c:206:11
Indirect leak of 1632 byte(s) in 17 object(s) allocated from:
#0 0x5f2948d9b14d in calloc (/home/pm215/qemu/build/san/qemu-system-sparc+0xe0c14d) (BuildId: 7210711bdf6f7fbd0b863bd2dfcc7c42c7175db1)
#1 0x758584b11771 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x63771) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
#2 0x5f2948f7c65a in ptimer_init /home/pm215/qemu/build/san/../../hw/core/ptimer.c:464:9
#3 0x5f2949097c1f in slavio_timer_init /home/pm215/qemu/build/san/../../hw/timer/slavio_timer.c:407:32
#4 0x5f29495d790f in object_initialize_with_type /home/pm215/qemu/build/san/../../qom/object.c:570:5
#5 0x5f29495d96ef in object_new_with_type /home/pm215/qemu/build/san/../../qom/object.c:774:5
#6 0x5f2949a30a26 in qmp_device_list_properties /home/pm215/qemu/build/san/../../qom/qom-qmp-cmds.c:206:11
Avoid the TimerContext leaks by making them an array inside the
SLAVIO_TimerState struct instead of allocating a compile-time-fixed
number of them each individually with g_new0() and then throwing away
the pointer.
Avoid the ptimer() leak by calling ptimer_free in
instance_finalize().
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <20260307112931.3322532-4-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Sat, 7 Mar 2026 11:29:30 +0000 (11:29 +0000)]
hw/sparc/sun4m: Use qdev GPIOs rather than qemu_allocate_irqs()
In the sun4m machine creation code, we currently use qemu_allocate_irqs()
to set up the IRQ lines that act as the inbound IRQ lines to the CPUs.
This results in a memory leak:
Direct leak of 128 byte(s) in 1 object(s) allocated from:
#0 0x5a23c1281ec3 in malloc (/home/pm215/qemu/build/sparc-san/qemu-system-sparc+0xdf1ec3) (BuildId: e6aa10be01feb5524656dd083997bc82b85e3e93)
#1 0x79e8f78f0ac9 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62ac9) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
#2 0x5a23c1a94e54 in qemu_extend_irqs /home/pm215/qemu/build/sparc-san/../../hw/core/irq.c:77:51
#3 0x5a23c1a39e03 in cpu_devinit /home/pm215/qemu/build/sparc-san/../../hw/sparc/sun4m.c:802:17
#4 0x5a23c1a39e03 in sun4m_hw_init /home/pm215/qemu/build/sparc-san/../../hw/sparc/sun4m.c:838:9
The leak is unimportant as it is a "once at startup" leak, but
fixing it helps in getting a clean leak-sanitizer test run.
Switch the sun4m code to handle CPU interrupt lines in the same way
as the leon3 machine does: the machine init code uses
qdev_init_gpio_in to create GPIO lines on the CPU objects. This is a
little bit odd as ideally the CPU would do that itself, but for these
32-bit SPARC machines the machine and the CPU are very closely
coupled already (the functions handling the IRQ lines modify data
fields inside the CPU).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <20260307112931.3322532-3-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Sat, 7 Mar 2026 11:29:29 +0000 (11:29 +0000)]
hw/sparc/sun4m: Don't set up dummy cpu interrupts
In the sun4m machine init, we set up the cpu_irqs[] array
with the real inbound IRQs for each CPU, followed by some
dummy IRQs for the remaining slots from smp_cpus up to
MAX_CPUS. These dummy IRQs do nothing when set/cleared
because the dummy_cpu_set_irq() function does nothing.
Instead of creating these "do nothing" qemu_irqs, pass the
number of CPUs to slavio_intctl_init() so that it
can only wire up the interrupt controller's interrupts
for the CPUs that actually exist. Calling qemu_set_irq()
on an irq that isn't connected does nothing, so this is
a simpler way to achieve the same result.
This cleanup fixes an unimportant memory leak reported by
the address sanitizer that happens because we allocate these
dummy IRQs with qemu_allocate_irqs():
Direct leak of 1920 byte(s) in 15 object(s) allocated from:
#0 0x5cb7b120cf63 in malloc (/home/pm215/qemu/build/san/qemu-system-sparc+0xe0bf63) (BuildId: d27f9230a7cc82ebfaf0cf9e439dc215ddd7ac68)
#1 0x743cd6dc5ac9 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62ac9) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
#2 0x5cb7b1a42fb4 in qemu_extend_irqs /home/pm215/qemu/build/san/../../hw/core/irq.c:77:51
#3 0x5cb7b19e7e72 in sun4m_hw_init /home/pm215/qemu/build/san/../../hw/sparc/sun4m.c:845:23
#4 0x5cb7b141d3dd in machine_run_board_init /home/pm215/qemu/build/san/../../hw/core/machine.c:1709:5
#5 0x5cb7b1542895 in qemu_init_board /home/pm215/qemu/build/san/../../system/vl.c:2717:5
#6 0x5cb7b1542895 in qmp_x_exit_preconfig /home/pm215/qemu/build/san/../../system/vl.c:2811:5
#7 0x5cb7b15493ac in qemu_init /home/pm215/qemu/build/san/../../system/vl.c:3849:9
#8 0x5cb7b1f3f201 in main /home/pm215/qemu/build/san/../../system/main.c:71:5
#9 0x743cd4a2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#10 0x743cd4a2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#11 0x5cb7b1172114 in _start (/home/pm215/qemu/build/san/qemu-system-sparc+0xd71114) (BuildId: d27f9230a7cc82ebfaf0cf9e439dc215ddd7ac68)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <20260307112931.3322532-2-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Fri, 6 Mar 2026 15:40:16 +0000 (15:40 +0000)]
hw/net/npcm_gmac: Catch accesses off the end of the register array
In the npcm_gmac device, we create the iomem MemoryRegion with
a size of 8KB, but NPCM_GMAC_NR_REGS is only 0x1060 / 4. This
means there's a range of offsets that the guest can access
that don't have gmac->regs[] entries. We weren't catching this,
so the guest could get us to index off the end of the regs array.
Catch and log these invalid accesses.
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3316
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260306154016.2194091-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
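The class of bug this commit closes, as an added C example that is not QEMU's npcm_gmac code: an MMIO window larger than the register array behind it, where the guest-controlled offset must be checked against the array bound (not the window size) before it is used as an index, and rejected accesses are logged and counted. The `GmacState` struct, the handler names and the counter are this example's own assumptions; the two sizes, 8KB and 0x1060 / 4, are the ones the commit message quotes.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes quoted in the commit message: the MMIO window is 8KB but only
 * 0x1060 / 4 register slots back it.  Every offset in [0x1060, 0x2000)
 * is reachable by the guest yet has no regs[] entry. */
#define GMAC_REGION_SIZE  0x2000u
#define GMAC_NR_REGS      (0x1060u / 4)

/* Hypothetical device state for this example (not QEMU's NPCMGMACState). */
typedef struct {
    uint32_t regs[GMAC_NR_REGS];
    unsigned bad_accesses;   /* rejected guest accesses, useful for detection */
} GmacState;

/* Map a guest offset to a regs[] index, or return -1 when the offset is
 * past the end of the array or not a naturally aligned 32-bit access.
 * Checking against the array bound rather than the window size is the
 * whole fix: the unchecked form simply did regs[offset / 4]. */
static int gmac_reg_index(uint64_t offset, unsigned size)
{
    if (size != 4 || (offset & 3) != 0) {
        return -1;
    }
    if (offset >= (uint64_t)GMAC_NR_REGS * 4u) {   /* off the end of regs[] */
        return -1;
    }
    return (int)(offset / 4);
}

static uint64_t gmac_read(GmacState *s, uint64_t offset, unsigned size)
{
    int idx = gmac_reg_index(offset, size);
    if (idx < 0) {
        s->bad_accesses++;
        fprintf(stderr, "gmac: invalid guest read at offset 0x%" PRIx64 "\n", offset);
        return 0;   /* return a fixed value instead of reading past regs[] */
    }
    return s->regs[idx];
}

static void gmac_write(GmacState *s, uint64_t offset, uint64_t value, unsigned size)
{
    int idx = gmac_reg_index(offset, size);
    if (idx < 0) {
        s->bad_accesses++;
        fprintf(stderr, "gmac: invalid guest write at offset 0x%" PRIx64 "\n", offset);
        return;     /* drop the write instead of corrupting memory past regs[] */
    }
    s->regs[idx] = (uint32_t)value;
}

/* Touch the last backed slot, the first unbacked offset and the last
 * offset of the window; returns how many accesses were rejected. */
static unsigned gmac_demo(void)
{
    GmacState s;
    memset(&s, 0, sizeof(s));
    gmac_write(&s, (GMAC_NR_REGS - 1) * 4u, 0xdeadbeef, 4);  /* last valid slot */
    gmac_write(&s, GMAC_NR_REGS * 4u, 0x1, 4);                 /* first offset past regs[] */
    gmac_read(&s, GMAC_REGION_SIZE - 4, 4);                    /* end of the 8KB window */
    return s.bad_accesses;   /* 2 */
}

int main(void)
{
    printf("rejected accesses: %u\n", gmac_demo());
    return 0;
}
```

A counter like `bad_accesses` is cheap and worth keeping alongside the log line: a driver that repeatedly lands in the unbacked range is either broken or probing the device, and either way it is something the host side wants to see.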
Akihiko Odaki [Thu, 5 Mar 2026 06:16:47 +0000 (15:16 +0900)]
meson: Add -Wformat-overflow=2
https://gcc.gnu.org/onlinedocs/gcc-15.2.0/gcc/Warning-Options.html
> Level 2 warns also about calls that might overflow the destination
> buffer given an argument of sufficient length or magnitude. At level
> 2, unknown numeric arguments are assumed to have the minimum
> representable value for signed types with a precision greater than 1,
> and the maximum representable value otherwise. Unknown string
> arguments whose length cannot be assumed to be bounded either by the
> directive’s precision, or by a finite set of string literals they may
> evaluate to, or the character array they may point to, are assumed to
> be 1 character long.
Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-ID: <20260305-nvme-v4-4-b65b9de1839f@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Akihiko Odaki [Thu, 5 Mar 2026 06:16:46 +0000 (15:16 +0900)]
tests: Clean up double comparisons to avoid compiler warning
To enable -Wformat-overflow=2, we need to clean up a couple of false
positives:
[2/5] Compiling C object tests/unit/test-qobject-output-visitor.p/test-qobject-output-visitor.c.o
../tests/unit/test-qobject-output-visitor.c: In function ‘test_visitor_out_list_struct’:
../tests/unit/test-qobject-output-visitor.c:577:28: error: ‘%.6f’ directive writing between 3 and 317 bytes into a region of size 32 [-Werror=format-overflow=]
577 | sprintf(expected, "%.6f", (double)i / 3);
| ^~~~
../tests/unit/test-qobject-output-visitor.c:577:27: note: assuming directive output of 8 bytes
577 | sprintf(expected, "%.6f", (double)i / 3);
| ^~~~~~
In file included from /usr/include/stdio.h:970,
from /home/me/q/var/qemu/include/qemu/osdep.h:114,
from ../tests/unit/test-qobject-output-visitor.c:13:
In function ‘sprintf’,
inlined from ‘test_visitor_out_list_struct’ at ../tests/unit/test-qobject-output-visitor.c:577:9:
/usr/include/bits/stdio2.h:30:10: note: ‘__builtin___sprintf_chk’ output between 4 and 318 bytes into a destination of size 32
30 | return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
31 | __glibc_objsize (__s), __fmt,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
32 | __va_arg_pack ());
| ~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
FAILED: tests/unit/test-qobject-output-visitor.p/test-qobject-output-visitor.c.o
These buffers cannot actually overflow because the doubles are
between 0 and 31.0/3 inclusive.
However, formatting doubles just to compare them is silly. Compare
them directly instead. To avoid potential rounding trouble, change
the numbers tested to be representable exactly in double.
Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260305-nvme-v4-3-b65b9de1839f@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Akihiko Odaki [Thu, 5 Mar 2026 06:16:45 +0000 (15:16 +0900)]
vfio/pci: Grow buffer in vfio_pci_host_match()
Each field of PCIHostDeviceAddress is an unsigned int, therefore
while a valid address is limited to 13 characters, an invalid
address could exceed the specified format, up to:
Akihiko Odaki [Thu, 5 Mar 2026 06:16:44 +0000 (15:16 +0900)]
contrib/elf2dmp: Grow PDB URL buffer
The buffers used to construct a PDB URL overflow when the "age" property
is greater than 0xf, so grow it. This also simplifies the logic of the
URL construction to use one buffer instead of two to avoid the chore to
synchronize the sizes of two buffers.
Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-ID: <20260305-nvme-v4-1-b65b9de1839f@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Roman Kiryanov [Thu, 5 Mar 2026 04:25:23 +0000 (04:25 +0000)]
virtio-snd: remove redundant fields
VirtIOSoundPCM does not need a pointer to
VirtIOSound because each VirtIOSoundPCMStream
already carries a pointer to it.
Signed-off-by: Roman Kiryanov <rkir@google.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260305042523.335493-2-rkir@google.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Roman Kiryanov [Thu, 5 Mar 2026 04:25:22 +0000 (04:25 +0000)]
virtio-snd: remove a redundant memory allocation
This change also makes its lifetime explicit and
prevents NULL dereferences.
Signed-off-by: Roman Kiryanov <rkir@google.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260305042523.335493-1-rkir@google.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
hw/rtc/pl031: Remove PL031State::migrate_tick_offset field
The PL031State::migrate_tick_offset boolean was only set in
the hw_compat_4_0[] array, via the 'migrate-tick-offset=false'
property. We removed all machines using that array, so let's remove
that property, along with the pl031_properties[] array which is
now empty.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20260307154202.86309-7-philmd@linaro.org>
hw/virtio: Remove VirtIOBalloon::qemu_4_0_config_size field
The VirtIOBalloon::qemu_4_0_config_size boolean was only set in
the hw_compat_4_0[] array, via the 'qemu-4-0-config-size=true'
property. We removed all machines using that array, so let's remove
that property.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20260307154202.86309-6-philmd@linaro.org>
The hw_compat_4_0[] array was only used by the pc-q35-4.0
and pc-i440fx-4.0 machines, which got removed. Remove it.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20260307154202.86309-5-philmd@linaro.org>
The pc_compat_4_0[] array was only used by the pc-q35-4.0,
pc-q35-4.0.1 and pc-i440fx-4.0 machines, which got removed.
Remove it.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20260307154202.86309-4-philmd@linaro.org>
hw/i386/pc: Remove deprecated pc-q35-4.0[.1] and pc-i440fx-4.0 machines
These machines have been supported for a period of more than 6 years.
According to our versioned machine support policy (see commit
ce80c4fa6ff "docs: document special exception for machine type
deprecation & removal") they can now be removed.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20260307154202.86309-2-philmd@linaro.org>
hw/pci-bridge/pcie_rp: Remove PCIESlot::disable_acs field
The PCIESlot::disable_acs boolean was only set in the
hw_compat_3_1[] array, via the 'disable-acs=true' property.
We removed all machines using that array, so let's remove that
property and all the code around it.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20260307152635.83893-10-philmd@linaro.org>