Since we are going to convert audio_driver-based backends, we need to
properly handle reference counting to allow for a different order of
class finalization (for example, pulse class before base driver class).
audio: move object creation to audio_driver_init()
As we will allow other kind of AudioBackend objects to be instantiated,
move the object allocation to a audio_driver_init() and rename it
audio_be_new().
Introduce a sub-class for current "audio_driver" based implementations.
Future AudioBackend implementations can do without it.
Next cleanup will actually remove "audio_driver" struct altogether and
make the subclass proper QOM objects.
Public APIs still rely on backend being an AudioMixeng. They will
assert() if not. This will be addressed later to allow other backends.
Note that the initial naming proposed for this object was AudioDriver,
however the semantics for "driver" is already overloaded and leads to
confusion, in particular with the QAPI AudiodevDriver. The defining
characteristic is of using QEMU's software mixing engine, so
AudioMixengBackend.
Start a simple test program that will exercise the QEMU audio APIs.
It is meant to run manually for now, as it accesses the sound system and
produces sound by default, and also runs for a few seconds. We may want
to make it silent or use the "none" (noaudio) backend by default though,
so it can run as part of the automated test suite.
audio: replace vm_running with runstate_is_running()
AudioBackend had a vm_running field which was set in
audio_vm_change_state_handler().
The state change handler "bool running" argument is true when
vm_prepare_start() calls it, and the VM runstate is either SUSPENDED or
RUNNING.
Audio hw voices shouldn't be running when the VM is suspended, but only
when running. Thus replacing the vm_running field with a call to
runstate_is_running() is both simpler and more correct.
AUD_init_time_stamp_{in,out} and AUD_get_elapsed_usec_{in,out} are only
used by the adlib device. The result isn't actually being used since
ADLIB_KILL_TIMERS was set some 20y ago. Let's drop this dead code now.
Drop QEMUAudioTimeStamp as well as reported by Akihiko Odaki.
Peter Maydell [Mon, 23 Feb 2026 09:56:00 +0000 (09:56 +0000)]
Merge tag 'hw-misc-20260223' of https://github.com/philmd/qemu into staging
Misc HW & Net patches
- Fix trace event name in m68k system controller
- Constify and rename virtio_is_big_endian()
- Fix heap buffer overflow in virtio-serial-bus
- Set graphic display dimensions generically (removing system/globals-target.c)
- Mark eth_header, udp_header, tcp_header as packed structures
- Minor doc / header cleanups
* tag 'hw-misc-20260223' of https://github.com/philmd/qemu: (21 commits)
net: mark struct tcp_header as QEMU_PACKED
net: mark struct udp_header as QEMU_PACKED
net: mark struct eth_header as QEMU_PACKED
hw/net/rocker: Don't assume h_proto is aligned in eth_strip_vlan_ex()
hw/net/rocker: Don't keep pointer to h_proto as uint16_t* in OfDpaFlowPktFields
hw/net/rtl8139: Remove ineffective parameter
hw/core/cpu: expand cpu_reset function docs
hw/alpha: remove unused includes
hw/ppc/spapr: extract SPAPR_MAX_RAM_SLOTS in a new header
system/globals: Build as common code
hw/ppc: Set graphic display dimensions generically
hw/sparc: Set graphic display dimensions generically
hw/m68k: Set graphic display dimensions generically
hw/m68k/q800: Set MACFB_DISPLAY_APPLE_21_COLOR within MacFrameBuffer
hw/m68k/q800: Use MacFbMode fields in q800_machine_init()
hw/display/macfb: Constify macfb_mode_table[] array
hw/display/macfb: Constify macfb_sense_table[] array
hw/char/virtio-serial-bus: Fix Heap-buffer-overflow in set_config()
hw/virtio: rename virtio_is_big_endian to virtio_vdev_is_big_endian
hw/virtio: Constify virtio_is_big_endian() argument
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Thu, 12 Feb 2026 14:09:17 +0000 (14:09 +0000)]
net: mark struct tcp_header as QEMU_PACKED
The eth_header is not actually guaranteed to be aligned. We attempt
to deal with this in some places such as net_checksum_calculate() by
using lduw_be_p() and so on to access the fields, but this is not
sufficient to be correct, because even accessing a byte member within
a misaligned struct is undefined behaviour. The clang sanitizer will
emit an error like this if you run the sifive_u_mmc functional test
with sanitizers enabled:
../../net/checksum.c:144:24: runtime error: member access within misaligned address 0x619a74c32033 for type 'tcp_header' (aka 'struct tcp_header'), which requires 4 byte alignment
0x619a74c32033: note: pointer points here
0a 00 02 02 86 aa 00 16 52 c1 d3 70 00 00 00 00 a0 02 fa f0 00 00 00 00 02 04 05 b4 04 02 08 0a
^
#0 0x619a6ba84794 in net_checksum_calculate /home/pm215/qemu/build/clang/../../net/checksum.c:144:24
#1 0x619a6b5940da in gem_transmit /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1386:21
#2 0x619a6b592141 in gem_write /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1650:13
Fix this by marking the tcp_header struct as QEMU_PACKED.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-ID: <20260212140917.1443253-6-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 12 Feb 2026 14:09:16 +0000 (14:09 +0000)]
net: mark struct udp_header as QEMU_PACKED
The eth_header is not actually guaranteed to be aligned. We attempt
to deal with this in some places such as net_checksum_calculate() by
using lduw_be_p() and so on to access the fields, but this is not
sufficient to be correct, because even accessing a byte member within
a misaligned struct is undefined behaviour. The clang sanitizer will
emit an error like this if you run the sifive_u_mmc functional test
with sanitizers enabled:
../../net/checksum.c:168:24: runtime error: member access within misaligned address 0x5b7a7f829033 for type 'udp_header' (aka 'struct udp_header'), which requires 2 byte alignment
0x5b7a7f829033: note: pointer points here
ff ff ff ff 00 44 00 43 01 34 58 54 01 01 06 00 85 95 80 60 00 00 00 00 00 00 00 00 00 00 00 00
^
#0 0x5b7a71a5887e in net_checksum_calculate /home/pm215/qemu/build/clang/../../net/checksum.c:168:24
#1 0x5b7a7156819a in gem_transmit /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1386:21
#2 0x5b7a71566201 in gem_write /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1650:13
Fix this by marking the udp_header struct as QEMU_PACKED,
so that the compiler knows it might be unaligned and will
generate the right code for accessing fields.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-ID: <20260212140917.1443253-5-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 12 Feb 2026 14:09:15 +0000 (14:09 +0000)]
net: mark struct eth_header as QEMU_PACKED
The eth_header is not actually guaranteed to be aligned. We attempt
to deal with this in some places such as net_checksum_calculate() by
using lduw_be_p() and so on to access the fields, but this is not
sufficient to be correct, because even accessing a byte member within
a misaligned struct is undefined behaviour. The clang sanitizer will
emit an error like this if you run the sifive_u_mmc functional test
with sanitizers enabled:
../../net/checksum.c:78:47: runtime error: member access within misaligned address 0x561f52f35011 for type 'struct eth_header', which requires 2 byte alignment
0x561f52f35011: note: pointer points here
00 00 00 00 33 33 00 00 00 16 52 54 00 12 34 56 86 dd 60 00 00 00 00 24 00 01 00 00 00 00 00 00
^
#0 0x561f20608459 in net_checksum_calculate /home/pm215/qemu/build/clang/../../net/checksum.c:78:47
#1 0x561f20117bfa in gem_transmit /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1386:21
#2 0x561f20115c61 in gem_write /home/pm215/qemu/build/clang/../../hw/net/cadence_gem.c:1650:13
Fix this by marking the eth_header struct as QEMU_PACKED, so that the
compiler knows it might be unaligned and will generate the right code
for accessing fields.
This is similar to commit f8b94b4c520 ("net: mark struct ip_header as
QEMU_PACKED") where we fixed this for a different struct defined in
this file.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-ID: <20260212140917.1443253-4-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 12 Feb 2026 14:09:14 +0000 (14:09 +0000)]
hw/net/rocker: Don't assume h_proto is aligned in eth_strip_vlan_ex()
In eth_strip_vlan_ex() we take a pointer to the eth_header h_proto
field into a local uint16_t* variable, and then later in the function
we dereference that pointer. This isn't safe, because the eth_header
struct may not be aligned, and if we mark the struct as QEMU_PACKED
then gcc will complain about taking the address of a field in a
packed struct.
Instead, make the local variable be a void* and use the appropriate
functions for accessing 16 bits of possibly unaligned data through
it.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-ID: <20260212140917.1443253-3-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 12 Feb 2026 14:09:13 +0000 (14:09 +0000)]
hw/net/rocker: Don't keep pointer to h_proto as uint16_t* in OfDpaFlowPktFields
In rocker_of_dpa.c we assume that the h_proto field in an eth_header
struct is aligned, and we copy its address into a uint16_t* in the
OfDpaFlowPktFields struct which we then dereference later. This
isn't a safe assumption; it will also result in compilation failures
with gcc if we mark the eth_header struct as QEMU_PACKED because gcc
will not let you take the address of an unaligned struct field.
Make the h_proto field in OfDpaFlowPktFields a void*, and make all
the places where we previously read through that pointer instead use
a new accessor function which allows for the possible lack of
alignment.
(Compare commit 5814c084679
"hw/net/virtio-net.c: Don't assume IP length field is aligned"
which fixed a similar problem elsewhere for an ip_header field.)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-ID: <20260212140917.1443253-2-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
BALATON Zoltan [Tue, 27 Jan 2026 17:38:49 +0000 (18:38 +0100)]
hw/net/rtl8139: Remove ineffective parameter
The do_interrupt parameter for rtl8139_do_receive was originally added
in commit 6cadb320c7 to avoid generating interrupt when receiving in
loopback mode. Later commit 5311fb805a changed this so that this
parameter became ineffective and now this parameter is unused and
always 1. If this turns out to be a problem maybe there's a better way
to fix this so remove the do_interrupt parameter for now to simplify
code.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260127173849.588F25969F0@zero.eik.bme.hu> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Now that all targets have the graphic dimension variables
initialized the same way, we can move them to the common
file unit, having them built once. Remove the now empty
globals-target.c file. The command line '-g WxH[xD]' option
is not changed and behaves the same.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260216213121.47122-9-philmd@linaro.org>
hw/ppc: Set graphic display dimensions generically
If a dimension is not set, have the machine init code set
the default values.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260216213121.47122-8-philmd@linaro.org>
hw/m68k/q800: Use MacFbMode fields in q800_machine_init()
Once the Mac Frame Buffer device is realized on the NuBus,
its MacFbMode might be different of the global graphic_depth
and graphic_width globals. Prefer the device MacFbMode fields
to initialize the BootInfo structure.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20260216213121.47122-4-philmd@linaro.org>
hw/char/virtio-serial-bus: Fix Heap-buffer-overflow in set_config()
When removing the 'emergency-write' property in commit d0660e5b7fc
we neglected to remove the code reducing the virtio_console_config
structure size, allowing to access up to the unallocated 'emerg_wr'
field.
Can be reproduced running:
$ cat << EOF | qemu-system-i386 -nodefaults \
-machine q35 -m 512M \
-device virtio-serial \
-display none \
-machine accel=qtest -qtest stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xc000
outl 0xcf8 0x80000804
outw 0xcfc 0x01
outl 0xc014 0x00
EOF
==3210206==ERROR: AddressSanitizer: heap-buffer-overflow
on address 0x502000090858 at pc 0x5638f1300a9b bp 0x7fff6b525b80 sp 0x7fff6b525b70
READ of size 4 at 0x502000090858 thread T0
#0 0x5638f1300a9a in set_config hw/char/virtio-serial-bus.c:590
#1 0x5638f0bccdcf in virtio_config_writel hw/virtio/virtio-config-io.c:104
#2 0x5638f0bd0c89 in virtio_pci_config_write hw/virtio/virtio-pci.c:637
#3 0x5638f0cf90cf in memory_region_write_accessor system/memory.c:491
#4 0x5638f0cf975b in access_with_adjusted_size system/memory.c:567
#5 0x5638f0d01d3f in memory_region_dispatch_write system/memory.c:1547
#6 0x5638f0d2fa1e in address_space_stm_internal system/memory_ldst.c.inc:85
#7 0x5638f0d30013 in address_space_stl_le system/memory_ldst_endian.c.inc:53
#8 0x5638f0ceb568 in cpu_outl system/ioport.c:79
#9 0x5638f0d3c0f9 in qtest_process_command system/qtest.c:483
0x502000090858 is located 0 bytes to the right of 8-byte region [0x502000090850,0x502000090858)
allocated by thread T0 here:
#0 0x7f0dc32cba57 in __interceptor_calloc src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x7f0dc2382c50 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ec50)
#2 0x5638f1303c27 in virtio_serial_device_realize hw/char/virtio-serial-bus.c:1046
#3 0x5638f1396a9c in virtio_device_realize hw/virtio/virtio.c:4053
#4 0x5638f13ea370 in device_set_realized hw/core/qdev.c:523
#5 0x5638f13fdaf6 in property_set_bool qom/object.c:2376
#6 0x5638f13f9098 in object_property_set qom/object.c:1450
#7 0x5638f140283c in object_property_set_qobject qom/qom-qobject.c:28
#8 0x5638f13f9616 in object_property_set_bool qom/object.c:1520
#9 0x5638f13e91cc in qdev_realize hw/core/qdev.c:276
#10 0x5638f0c3d94b in virtio_serial_pci_realize hw/virtio/virtio-serial-pci.c:69
#11 0x5638f0bda886 in virtio_pci_realize hw/virtio/virtio-pci.c:2351
#12 0x5638f09bc2ae in pci_qdev_realize hw/pci/pci.c:2310
#13 0x5638f0bdb2f2 in virtio_pci_dc_realize hw/virtio/virtio-pci.c:2473
#14 0x5638f13ea370 in device_set_realized hw/core/qdev.c:523
SUMMARY: AddressSanitizer: heap-buffer-overflow hw/char/virtio-serial-bus.c:590 in set_config
Fixes: d0660e5b7fc ("hw/char/virtio-serial: Do not expose the 'emergency-write' property") Reported-by: Alexander Bulekov <alxndr@bu.edu>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3303 Buglink: https://issues.oss-fuzz.com/issues/484647006 Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20260216205527.45938-1-philmd@linaro.org>
Kuan-Wei Chiu [Sun, 11 Jan 2026 18:49:15 +0000 (18:49 +0000)]
hw/misc/virt_ctrl: Fix incorrect trace event in read operation
The virt_ctrl_read() function currently invokes trace_virt_ctrl_write()
instead of trace_virt_ctrl_read(). This results in read operations
appearing as write operations in the trace output, which is misleading
during debugging and analysis.
Replace the incorrect trace call with the proper read-specific trace
event to accurately reflect the hardware behavior.
Fixes: 0791bc02b8fb ("m68k: add a system controller") Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260111184915.1363318-1-visitorckw@gmail.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Sun, 22 Feb 2026 18:58:36 +0000 (18:58 +0000)]
Merge tag 'hppa-a400-pull-request' of https://github.com/hdeller/qemu-hppa into staging
hppa a400 machine support
Major enhancements to SeaBIOS-hppa to support an A400 server. This server
requires 64-bit PAT firmware, so SeaBIOS-hppa was extendend a lot. PAT firmware
is required as well to support 64-bit HP-UX 11i3 or MPE.
# -----BEGIN PGP SIGNATURE-----
#
# iHUEABYKAB0WIQS86RI+GtKfB8BJu973ErUQojoPXwUCaZcFewAKCRD3ErUQojoP
# X+DzAP92OFkgItNkG1Rv7z1Bk9J+6wzs2aYDyZud7Fc8/xB4IgD+Okm8B5LwXyQx
# BQIvYQiIo3e3Ix51tDQQXBvpLappTAw=
# =rCC8
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu Feb 19 12:43:39 2026 GMT
# gpg: using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F
# gpg: Good signature from "Helge Deller <deller@gmx.de>" [unknown]
# gpg: aka "Helge Deller <deller@kernel.org>" [unknown]
# gpg: aka "Helge Deller <deller@debian.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4544 8228 2CD9 10DB EF3D 25F8 3E5F 3D04 A7A2 4603
# Subkey fingerprint: BCE9 123E 1AD2 9F07 C049 BBDE F712 B510 A23A 0F5F
* tag 'hppa-a400-pull-request' of https://github.com/hdeller/qemu-hppa:
hw/hppa: Add emulation for the 64-bit A400 server
hw/hppa: Require SeaBIOS version 22 for A400 machine
target/hppa: Update SeaBIOS-hppa to version 22
hw/hppa: Add BMC on 64-bit machines only
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu: (33 commits)
vhost: fix vhost_inflight_buffer_pre_load
virtio-snd: tighten read amount in in_cb
virtio-snd: fix max_size bounds check in input cb
virtio-snd: handle 5.14.6.2 for PCM_INFO properly
virtio-snd: remove TODO comments
MAINTAINERS: add me as maintainer to virtio-snd
hw/cxl: Add Physical Port Control FMAPI Command (Opcode 5102h)
hw/cxl: Get Physical Port State - update for PCIe flit mode
hw/cxl: Physical Port Info FMAPI - update to current spec and add defines.
virtio-gpu-virgl: Add virtio-gpu-virgl-hostmem-region type
intel_iommu: Do not report recoverable faults to host
net/vhost-vdpa: Whitelist virtio-net GSO for shadow virtqueue
hw/cxl: Remove register special_ops->read()
hw/cxl: Support type3 HDM-DB
tests/acpi/cxl: Update CEDT.cxl to allow BI in CFWMS
hw/cxl: Update CXL Fixed Memory Window ACPI description to include Back Invalidate support.
tests/bios-tables-test: Excluded CEDT.cxl for BI restriction relaxation.
hw/cxl: Refactor component register initialization
hw/pcie: Support enabling flit mode
hw/cxl: Add emulation for memory sparing control feature
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Alexandr Moshkov [Fri, 20 Feb 2026 09:48:01 +0000 (14:48 +0500)]
vhost: fix vhost_inflight_buffer_pre_load
While I was rebasing my series about inflight migration, I missed a
small issue in vhost_inflight_buffer_preload:
* fix wrong return type in function
* fix error check
Signed-off-by: Alexandr Moshkov <dtalexundeer@yandex-team.ru> Fixes: tag pls? Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260220094800.276489-1-dtalexundeer@yandex-team.ru>
The amount of bytes to read passed to AUD_read() should never surpass
the maximum available buffer length. Tighten the current amount by
MIN(<amount>, max_size - <existing size>).
Cc: qemu-stable@nongnu.org Fixes: 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3 ("virtio-snd: add max size bounds check in input cb") Reported-by: DARKNAVY <vr@darknavy.com> Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260220-virtio-snd-series-v1-5-207c4f7200a2@linaro.org>
In 98e77e3d we calculated the max size and checked that each buffer is smaller than it.
We neglected to subtract the size of the virtio_snd_pcm_status header
from the max size, and max_size was thus larger than the correct value,
leading to potential OOB writes.
If the buffer cannot fit the header or can fit only the header, return
the buffer immediately.
Cc: qemu-stable@nongnu.org Fixes: 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3 ("virtio-snd: add max size bounds check in input cb") Reported-by: DARKNAVY <vr@darknavy.com> Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260220-virtio-snd-series-v1-4-207c4f7200a2@linaro.org>
5.14.6.2 Driver Requirements: Item Information Request
- The driver MUST NOT set start_id and count such that start_id +
count is greater than the total number of particular items that is
indicated in the device configuration space.
- The driver MUST provide a buffer of sizeof(struct virtio_snd_hdr) +
count * size bytes for the response.
While we performed some check for the second requirement, it failed to
check for integer overflow.
Add also a check for the first requirement, which should limit exposure
to any overflow, since realistically the number of streams will be low
enough in value such that overflow is improbable.
Cc: qemu-stable@nongnu.org Reported-by: 罗铭源 <myluo24@m.fudan.edu.cn> Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260220-virtio-snd-series-v1-3-207c4f7200a2@linaro.org>
Replying with a VIRTIO_SND_S_BAD_MSG error does not warrant a device
reset. Instead, a device reset happens when the driver requests it from the
transport.
Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260220-virtio-snd-series-v1-2-207c4f7200a2@linaro.org>
Cc: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260220-virtio-snd-series-v1-1-207c4f7200a2@linaro.org>
Arpit Kumar [Wed, 4 Feb 2026 17:32:23 +0000 (17:32 +0000)]
hw/cxl: Add Physical Port Control FMAPI Command (Opcode 5102h)
Added assert-deassert PERST implementation for physical ports (both USP
and DSP's).
Assert PERST involves bg operation for holding 100ms.
Reset PPB implementation for physical ports.
Signed-off-by: Arpit Kumar <arpit1.kumar@samsung.com> Co-developed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260204173223.44122-4-Jonathan.Cameron@huawei.com>
hw/cxl: Get Physical Port State - update for PCIe flit mode
Recent support for 256B flits, was not accounted for in this FMAPI command
that should be retrieving the current status of Physical Switch Ports.
Note x-flit-mode control is via the downstream devices, so for USPs the
property must be checked to establish support, but for DSPs this mode is
always supported (control is with the next port downstream, typically the
end point. All cases the linksta2 register may be queried to obtain
current status. Note the PCI spec is a little confusing as it refers to
this bit only being non 0 if Device Readiness Status (DRS) is in particular
states (basically link trained) but Flit mode is a separate feature and DRS
may not be present. It is not yet emulated in QEMU. So assume that we
should reflect what states DRS would be reporting if it were actually
present.
One small thing to note is that the current link width for a port with
nothing connected reports the same as the capability. This is odd but valid
because the value under these circumstances is undefined (PCIe r6.2 table
7-26 Link Status Register - field Current Link Speed.)
Signed-off-by: Jonathan Cameron <jonathan.cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260204173223.44122-3-Jonathan.Cameron@huawei.com>
Arpit Kumar [Wed, 4 Feb 2026 17:32:21 +0000 (17:32 +0000)]
hw/cxl: Physical Port Info FMAPI - update to current spec and add defines.
Add a new cxl/cxl_ports.h header for field definitions related only to port
commands. Bring field naming up to date with spec as 'version' bitmasks
have been replaced with bitmasks of the specific features.
Fix a small issue where a reserved value for USP was set to 2 rather
than 0.
Signed-off-by: Arpit Kumar <arpit1.kumar@samsung.com> Co-developed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Signed-off-by: Jonathan Cameron <jonathan.cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260204173223.44122-2-Jonathan.Cameron@huawei.com>
Akihiko Odaki [Sat, 14 Feb 2026 04:33:36 +0000 (13:33 +0900)]
virtio-gpu-virgl: Add virtio-gpu-virgl-hostmem-region type
Commit e27194e087ae ("virtio-gpu-virgl: correct parent for blob memory
region") made the name member of MemoryRegion unset, causing a NULL
pointer dereference[1]:
> Thread 2 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
> (gdb) bt
> #0 0x00007ffff56565e2 in __strcmp_evex () at /lib64/libc.so.6
> #1 0x0000555555841bdb in find_fd (head=0x5555572337d0 <cpr_state>,
> name=0x0, id=0) at ../migration/cpr.c:68
> #2 cpr_delete_fd (name=name@entry=0x0, id=id@entry=0) at
> ../migration/cpr.c:77
> #3 0x000055555582290a in qemu_ram_free (block=0x7ff7e93aa7f0) at
> ../system/physmem.c:2615
> #4 0x000055555581ae02 in memory_region_finalize (obj=<optimized out>)
> at ../system/memory.c:1816
> #5 0x0000555555a70ab9 in object_deinit (obj=<optimized out>,
> type=<optimized out>) at ../qom/object.c:715
> #6 object_finalize (data=0x7ff7e936eff0) at ../qom/object.c:729
> #7 object_unref (objptr=0x7ff7e936eff0) at ../qom/object.c:1232
> #8 0x0000555555814fae in memory_region_unref (mr=<optimized out>) at
> ../system/memory.c:1848
> #9 flatview_destroy (view=0x555559ed6c40) at ../system/memory.c:301
> #10 0x0000555555bfc122 in call_rcu_thread (opaque=<optimized out>) at
> ../util/rcu.c:324
> #11 0x0000555555bf17a7 in qemu_thread_start (args=0x555557b99520) at
> ../util/qemu-thread-posix.c:393
> #12 0x00007ffff556f464 in start_thread () at /lib64/libc.so.6
> #13 0x00007ffff55f25ac in __clone3 () at /lib64/libc.so.6
The intention of the aforementioned commit is to prevent a MemoryRegion
from parenting itself while its references is counted indendependently
of the device. To achieve the same goal, add a type of QOM objects that
count references and parent MemoryRegions.
intel_iommu: Do not report recoverable faults to host
Signed-off-by: Clement Mathieu--Drif <clement.mathieu--drif@eviden.com> Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260208082252.288-1-clement.mathieu--drif@eviden.com>
Eugenio Pérez [Fri, 6 Feb 2026 14:47:17 +0000 (15:47 +0100)]
net/vhost-vdpa: Whitelist virtio-net GSO for shadow virtqueue
Even if it is deprecated by the VirtIO standard it does not affect the
layout of the queue, or introduces new operations. So Shadow Virtqueue
can handle it just fine.
Tested with OVS DPDK and VDUSE.
Signed-off-by: Eugenio Pérez <eperezma@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260206144717.730799-1-eperezma@redhat.com>
Davidlohr Bueso [Wed, 4 Feb 2026 17:09:35 +0000 (17:09 +0000)]
hw/cxl: Remove register special_ops->read()
... this is unused, unlike its write counterpart.
Scope needs to be added to avoid _Static_assert() immediately
after a label. c23 makes this valid but before then it is compiler
dependent.
Suggested-by: Jonathan.Cameron@huawei.com Tested-by: Dongjoo Seo <dongjoo.seo1@samsung.com> Signed-off-by: Davidlohr Bueso <dave@stgolabs.net> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260204170936.43959-8-Jonathan.Cameron@huawei.com>
Davidlohr Bueso [Wed, 4 Feb 2026 17:09:34 +0000 (17:09 +0000)]
hw/cxl: Support type3 HDM-DB
Add basic plumbing for memory expander devices that support Back
Invalidation. This introduces a 'hdm-db=on|off' parameter and
exposes the relevant BI RT/Decoder component cachemem registers.
Some noteworthy properties:
- Devices require enabling Flit mode across the CXL topology.
- Explicit BI-ID commit is required.
- HDM decoder support both host and dev coherency models.
Tested-by: Dongjoo Seo <dongjoo.seo1@samsung.com> Signed-off-by: Davidlohr Bueso <dave@stgolabs.net> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260204170936.43959-7-Jonathan.Cameron@huawei.com>
tests/acpi/cxl: Update CEDT.cxl to allow BI in CFWMS
With the addition of back invalidate support in the CXL emulation relax
the restriction on the CXL Fixed Memory Window Structures so all
advertised ranges continue to support being used with all features that
QEMU emulates.
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260204170936.43959-6-Jonathan.Cameron@huawei.com>
hw/cxl: Update CXL Fixed Memory Window ACPI description to include Back Invalidate support.
Defaults for these windows has always been to enable anything QEMU supports.
With the addition of back invalidate support it is necessary to specify that
host windows support this.
CXL emulation is currently only suitable for software stack verification.
The relaxation of the restrictions on this window to include BI have no
affect on the OS until BI capable devices are added and until now these
have not existed. As such no backwards compatibility impacts are expected
from this change.
Reviewed-by: Davidlohr Bueso <dave@stgolabs.net> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260204170936.43959-5-Jonathan.Cameron@huawei.com>
tests/bios-tables-test: Excluded CEDT.cxl for BI restriction relaxation.
The next patch will relax restrictions on the fixed memory window
to allow use with back invalidate capable devices.
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260204170936.43959-4-Jonathan.Cameron@huawei.com>
CXL 3.2 8.2.4 Table 8-22 defines which capabilities are mandatory, not
permitted, or optional for each type of device.
cxl_component_register_init_common() uses a rather odd 'fall through'
mechanism to define each component register set. This assumes that any
device or capability being added builds on the previous devices
capabilities. This is not true as there are mutually exclusive
capabilities defined. For example, downstream ports can not have snoop
but it can have Back Invalidate capable decoders.
Refactor this code to make it easier to add individual capabilities as
defined by a device type. Any capability which is not specified by the
type is left NULL'ed out which complies with the packed nature of the
register array.
Update all spec references to 3.2.
No functional changes should be seen with this patch.
Signed-off-by: Ira Weiny <ira.weiny@intel.com> Tested-by: Dongjoo Seo <dongjoo.seo1@samsung.com>
[rebased, no RAS for HBs, r3.2 references] Signed-off-by: Davidlohr Bueso <dave@stgolabs.net> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260204170936.43959-3-Jonathan.Cameron@huawei.com>
Davidlohr Bueso [Wed, 4 Feb 2026 17:09:29 +0000 (17:09 +0000)]
hw/pcie: Support enabling flit mode
PCIe Flit Mode, introduced with the PCIe 6.0 specification, is a
fundamental change in how data is transmitted over the bus to
improve transfer rates. It shifts from variable-sized Transaction
Layer Packets (TLPs) to fixed 256-byte Flow Control Units (FLITs).
As with the link speed and width training, have ad-hoc property for
setting the flit mode and allow CXL components to make use of it.
For the CXL root port and dsp cases, always report flit mode but
the actual value after 'training' will depend on the downstream
device configuration.
Suggested-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Tested-by: Dongjoo Seo <dongjoo.seo1@samsung.com> Signed-off-by: Davidlohr Bueso <dave@stgolabs.net> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260204170936.43959-2-Jonathan.Cameron@huawei.com>
Shiju Jose [Wed, 17 Sep 2025 14:33:30 +0000 (15:33 +0100)]
hw/cxl: Add emulation for memory sparing control feature
Memory sparing is defined as a repair function that replaces a portion of
memory with a portion of functional memory at that same DPA. The
subclasses for this operation vary in terms of the scope of the sparing
being performed. The Cacheline sparing subclass refers to a sparing
action that can replace a full cacheline. Row sparing is provided as an
alternative to PPR sparing functions and its scope is that of a single
DDR row. Bank sparing allows an entire bank to be replaced. Rank sparing
is defined as an operation in which an entire DDR rank is replaced.
Memory sparing maintenance operations may be supported by CXL devices
that implement CXL.mem protocol. A sparing maintenance operation requests
the CXL device to perform a repair operation on its media.
For example, a CXL device with DRAM components that support memory sparing
features may implement sparing Maintenance operations.
The host may issue a query command by setting Query Resources flag in the
Input Payload (CXL Spec 3.2 Table 8-120) to determine availability of
sparing resources for a given address. In response to a query request,
the device shall report the resource availability by producing the Memory
Sparing Event Record (CXL Spec 3.2 Table 8-60) in which the Channel, Rank,
Nibble Mask, Bank Group, Bank, Row, Column, Sub-Channel fields are a copy
of the values specified in the request.
During the execution of a sparing maintenance operation, a CXL memory
device:
- May or may not retain data
- May or may not be able to process CXL.mem requests correctly.
These CXL memory device capabilities are specified by restriction flags
in the memory sparing feature readable attributes.
When a CXL device identifies error on a memory component, the device
may inform the host about the need for a memory sparing maintenance
operation by using DRAM event record, where the 'maintenance needed' flag
may set. The event record contains some of the DPA, Channel, Rank,
Nibble Mask, Bank Group, Bank, Row, Column, Sub-Channel fields that
should be repaired. The userspace tool requests for maintenance operation
if the 'maintenance needed' flag set in the CXL DRAM error record.
CXL spec 3.2 section 8.2.10.7.2.3 describes the memory sparing feature
discovery and configuration.
Add emulation for CXL memory device memory sparing control feature
and memory sparing maintenance operation command.
Signed-off-by: Shiju Jose <shiju.jose@huawei.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20250917143330.294698-4-Jonathan.Cameron@huawei.com>
hw/cxl: Add support for Maintenance command and Post Package Repair (PPR)
This adds initial support for the Maintenance command, specifically
the soft and hard PPR operations on a dpa. The implementation allows
to be executed at runtime, therefore semantically, data is retained
and CXL.mem requests are correctly processed.
Keep track of the requests upon a general media or DRAM event.
Post Package Repair (PPR) maintenance operations may be supported by CXL
devices that implement CXL.mem protocol. A PPR maintenance operation
requests the CXL device to perform a repair operation on its media.
For example, a CXL device with DRAM components that support PPR features
may implement PPR Maintenance operations. DRAM components may support two
types of PPR, hard PPR (hPPR), for a permanent row repair, and Soft PPR
(sPPR), for a temporary row repair. Soft PPR is much faster than hPPR,
but the repair is lost with a power cycle.
CXL spec 3.2 section 8.2.10.7.1.2 describes the device's sPPR (soft PPR)
maintenance operation and section 8.2.10.7.1.3 describes the device's
hPPR (hard PPR) maintenance operation feature.
CXL spec 3.2 section 8.2.10.7.2.1 describes the sPPR feature discovery and
configuration.
CXL spec 3.2 section 8.2.10.7.2.2 describes the hPPR feature discovery and
configuration.
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net> Co-developed-by: Shiju Jose <shiju.jose@huawei.com> Signed-off-by: Shiju Jose <shiju.jose@huawei.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20250917143330.294698-3-Jonathan.Cameron@huawei.com>
Shiju Jose [Wed, 17 Sep 2025 14:33:28 +0000 (15:33 +0100)]
hw/cxl/cxl-mailbox-utils: Move declaration of scrub and ECS feature attributes in cmd_features_set_feature()
Move the declaration of scrub and ECS feature attributes in
cmd_features_set_feature() to the local scope where they are used.
Signed-off-by: Shiju Jose <shiju.jose@huawei.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20250917143330.294698-2-Jonathan.Cameron@huawei.com>
Shiju Jose [Thu, 5 Feb 2026 11:23:50 +0000 (11:23 +0000)]
hw/cxl/events: Updates for rev3.2 memory module event record
CXL spec rev3.2 section 8.2.10.2.1.3 Table 8-59, memory module
event record has updated with following new fields.
1. Validity Flags
2. Component Identifier
3. Device Event Sub-Type
Add updates for the above spec changes in the CXL memory module
event reporting and QMP command to inject memory module event.
Updated all references for this command to the CXL r3.2
specification.
Signed-off-by: Shiju Jose <shiju.jose@huawei.com> Acked-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260205112350.60681-6-Jonathan.Cameron@huawei.com>
Shiju Jose [Thu, 5 Feb 2026 11:23:49 +0000 (11:23 +0000)]
hw/cxl/events: Updates for rev3.2 DRAM event record
CXL spec rev3.2 section 8.2.10.2.1.2 Table 8-58, DRAM event record
has updated with following new fields.
1. Component Identifier
2. Sub-channel of the memory event location
3. Advanced Programmable Corrected Memory Error Threshold Event Flags
4. Corrected Volatile Memory Error Count at Event
5. Memory Event Sub-Type
Add updates for the above spec changes in the CXL DRAM event
reporting and QMP command to inject DRAM event.
In order to ensure consistency update all specification references
for this command to CXL r3.2.
Signed-off-by: Shiju Jose <shiju.jose@huawei.com> Acked-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260205112350.60681-5-Jonathan.Cameron@huawei.com>
Shiju Jose [Thu, 5 Feb 2026 11:23:48 +0000 (11:23 +0000)]
hw/cxl/events: Updates for rev3.2 general media event record
CXL spec rev3.2 section 8.2.10.2.1.1 Table 8-57, general media event
table has updated with following new fields.
1. Advanced Programmable Corrected Memory Error Threshold Event Flags
2. Corrected Memory Error Count at Event
3. Memory Event Sub-Type
4. Support for component ID in the PLDM format.
Add updates for the above spec changes in the CXL general media event
reporting and QMP command to inject general media event.
In order to have one consistent source of references, update all to
references for this command to CXL r3.2.
Signed-off-by: Shiju Jose <shiju.jose@huawei.com> Acked-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260205112350.60681-4-Jonathan.Cameron@huawei.com>
Shiju Jose [Thu, 5 Feb 2026 11:23:47 +0000 (11:23 +0000)]
hw/cxl/events: Update for rev3.2 common event record format
CXL spec 3.2 section 8.2.9.2.1 Table 8-55, Common Event Record
format has updated with optional Maintenance Operation Subclass,
LD ID and ID of the device head information.
Add updates for the above optional parameters in the related
CXL events reporting and in the QMP commands to inject CXL events.
Update all related specification references to CXL r3.2 to ensure
one consistent source.
Signed-off-by: Shiju Jose <shiju.jose@huawei.com> Acked-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Ravi Jonnalagadda <ravis.opensrc@gmail.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260205112350.60681-3-Jonathan.Cameron@huawei.com>
Shiju Jose [Thu, 5 Feb 2026 11:23:46 +0000 (11:23 +0000)]
qapi: cxl: Refactor CXL event injection for common commands arguments
Refactor CXL event injection to use struct for common command
arguments.
Suggested-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Shiju Jose <shiju.jose@huawei.com> Acked-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Ravi Jonnalagadda <ravis.opensrc@gmail.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260205112350.60681-2-Jonathan.Cameron@huawei.com>
virtio_reset() expects a VirtIODevice pointer, which
is what the single caller - virtio_bus_reset - passes.
Promote the opaque argument to a plain VirtIODevice.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260201223929.78790-1-philmd@linaro.org>
Mohamed Mediouni [Tue, 10 Feb 2026 04:12:48 +0000 (05:12 +0100)]
tests/data/acpi: disassemble-aml: rename and change interpreter line
/usr/bin/bash isn't guaranteed to be present. Switch
to /usr/bin/env bash.
Specifically, on Darwin/macOS:
$ which bash
/opt/homebrew/bin/bash
Rename disassemle to disassemble in the same commit (typo fix).
Adapt the correponding message in rebuild-expected-aml.
Signed-off-by: Mohamed Mediouni <mohamed@unpredictable.fr> Reviewed-by: Ani Sinha <anisinha@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260210041248.14701-1-mohamed@unpredictable.fr>
Yanfeng Liu [Fri, 14 Nov 2025 09:34:46 +0000 (17:34 +0800)]
audio/virtio-snd: fix latency calc
Media players needs meaningful latency_bytes update but it is
zero now most of the time. This adds stream-wise latency_bytes
calculation so that to improve the situation.
Signed-off-by: Yanfeng Liu <p-liuyanfeng9@xiaomi.com> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <tencent_66E8C146EA79CD00E966DEDAEF8CACD97D05@qq.com>
vhost-user-bridge debug prints UDP TX hexdumps in its transmit handler,
but does not for receives, even though they are beneficial for testing.
Add an RX hexdump in the receive callback.
To delineate between transmits and receives, also add a debug print
indicating that the program is in the transmit handler.
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Yodel Eldar <yodel.eldar@yodel.dev> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260129133049.119829-4-yodel.eldar@yodel.dev>
Yodel Eldar [Thu, 29 Jan 2026 13:30:48 +0000 (07:30 -0600)]
tests/functional/x86_64: Add vhost-user-bridge test
Introduce a functional test of vhost-user-bridge and enter it into
MAINTAINERS under the vhost section.
The test runs vhost-user-bridge as a subprocess, then launches a guest
with four backends: a unix domain socket for vhost-user, a UDP socket, a
user-mode net, and a hubport to hub the UDP and user backends; only the
vhost-user backend is exposed, the rest are deviceless. This
configuration mimics the testing setup described in the initial commit
of vhost-user-bridge in 3595e2eb0a23.
The test creates a scratch file containing a hardcoded UUID on the host
and exposes it to the the guest via the tftp parameter of the user
netdev. After the guest invokes tftp to request the file, the test
verifies the transfer by hashsum.
Similarly, the test creates a file with another hardcoded UUID in the
guest. A call to check_http_download() serves the file to the host via
http, whereupon a check of the file hashsum occurs on the host.
Lastly, add the test to the thorough tests suite in meson.build.
Suggested-by: Cédric Le Goater <clg@redhat.com> Suggested-by: Marc-André Lureau <marcandre.lureau@gmail.com> Suggested-by: Michael S. Tsirkin <mst@redhat.com> Suggested-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Yodel Eldar <yodel.eldar@yodel.dev> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260129133049.119829-3-yodel.eldar@yodel.dev>
Yodel Eldar [Thu, 29 Jan 2026 13:30:47 +0000 (07:30 -0600)]
tests/vhost-user-bridge: Move to contrib/vhost-user-bridge/
After the introduction of vhost-user-bridge and libvhost-user, we
formed the convention of placing vhost-user daemons in eponymous subdirs
of contrib/. Follow this convention.
Create a contrib/vhost-user-bridge/ directory and move vhost-user-bridge
into it. Extract its build target definition from tests/meson.build into
the new directory, and include its subdir in the root-level meson.build.
Add a section about it in the "vhost-user daemons in contrib" document.
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Yodel Eldar <yodel.eldar@yodel.dev> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260129133049.119829-2-yodel.eldar@yodel.dev>
Pierrick Bouvier [Sat, 14 Feb 2026 06:10:24 +0000 (22:10 -0800)]
contrib/plugins/cpp: use __has_include
This make sure we can include all possible headers without breaking
build for environments missing them. It fixes compilation on openbsd.
We don't want to pollute configure script, as it's really a special case
here to make sure we don't have a compilation regression with
qemu-plugins header.
Helge Deller [Thu, 29 Jan 2026 17:14:09 +0000 (18:14 +0100)]
hw/hppa: Add emulation for the 64-bit A400 server
The A400 machine is the very first 64-bit-only machines which uses the 64-bit
PAT firmware and doesn't support 32-bit PDC any longer. Long-term goal is to
support the MPE and HP-UX 11iv3 operating systems, which both require a machine
with PAT firmware.
Signed-off-by: Helge Deller <deller@gmx.de> Reviewed-by: Anton Johansson <anjo@rev.ng>
Helge Deller [Fri, 13 Feb 2026 17:58:26 +0000 (18:58 +0100)]
hw/hppa: Require SeaBIOS version 22 for A400 machine
Require at least SeaBIOS version 22 before adding the A400 machine.
This is required, because version 22 adds the A400 machine definition
and provides the necessary 64-bit PAT firmware. All other machines up to
now used only the 32- or 64-bit PDC firmware without the PAT extensions.
Signed-off-by: Helge Deller <deller@gmx.de> Reviewed-by: Anton Johansson <anjo@rev.ng>
Helge Deller [Wed, 18 Feb 2026 20:01:55 +0000 (21:01 +0100)]
target/hppa: Update SeaBIOS-hppa to version 22
The new firmware includes support for an A400-44 machine
with initial functional 64-bit PAT PDC support:
- Linux 64-bit kernel runs nicely.
- ODE 2006 works nicely on 715, B160L, and A400, but has problems on C3700.
- MPE and 64-bit HP-UX11 need more work, although HP-UX11 boot up to a crash
where it reports where it had problems.
Signed-off-by: Helge Deller <deller@gmx.de> Reviewed-by: Anton Johansson <anjo@rev.ng>
Helge Deller [Wed, 18 Feb 2026 16:05:05 +0000 (17:05 +0100)]
hw/hppa: Add BMC on 64-bit machines only
Prevent adding the BMC with it's serial ports on 32-bit machines, even
if they have a PCI bus like the B160L. This fixes boot problems with
HP-UX on B160L.
Signed-off-by: Helge Deller <deller@gmx.de> Fixes: 557bc5260cfd ("hw/hppa: PCI devices depend on availability of PCI bus") Cc: qemu-stable@nongnu.org Reviewed-by: Anton Johansson <anjo@rev.ng>
Peter Maydell [Thu, 19 Feb 2026 10:36:06 +0000 (10:36 +0000)]
Merge tag 'pull-target-arm-20260219' of https://gitlab.com/pm215/qemu into staging
target-arm queue:
* Allow TCG to emulate CPUs with SME but not SVE
* Refactorings for single-binary
* whpx: minor fixes
* hw/usb/hcd-ohci: Implement frame number overflow event
* tag 'pull-target-arm-20260219' of https://gitlab.com/pm215/qemu: (32 commits)
include/tcg/tcg-op.h: eradicate TARGET_INSN_START_EXTRA_WORDS
target/arm/tcg/translate.h: replace target_long with int64_t
target/arm/tcg/translate.h: replace target_ulong with vaddr
target/arm/tcg/vec_helper.c: make compilation unit common
target/arm/tcg/cpu-v7m.c: make compilation unit common
target/arm/tcg/psci.c: make compilation unit common
target/arm: move exec/helper-* plumbery to helper.h
tcg: move tcg_use_softmmu to tcg/tcg-internal.h
target/arm: extract helper-sme.h from helper.h
target/arm: extract helper-sve.h from helper.h
target/arm: extract helper-a64.h from helper.h
target/arm: extract helper-mve.h from helper.h
target/arm: Don't require helper prototypes in helper.c
target/arm: Move TCG-specific code out of debug_helper.c
whpx: fix FP register loop
whpx: remove duplicate include
hw/usb/hcd-ohci: Implement frame number overflow event
target/arm: Permit configurations with SME but not SVE
target/arm: Squash FEAT_SME_FA64 if FEAT_SVE is not present
target/arm: Don't squash all ID_AA64ZFR0_EL1 fields for non-SVE
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit removes TARGET_INSN_START_EXTRA_WORDS and force all arch to
call the same version of tcg_gen_insn_start, with additional 0 arguments
if needed. Since all arch have a single call site (in translate.c), this
is as good documentation as having a single define.
The notable exception is target/arm, which has two different translate
files for 32/64 bits. Since it's the only one, we accept to have two
call sites for this.
As well, we update parameter type to use uint64_t instead of
target_ulong, so it can be called from common code.
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-id: 20260219040150.2098396-15-pierrick.bouvier@linaro.org Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
projects / thirdparty / qemu.git / log
