Pierrick Bouvier [Thu, 19 Feb 2026 04:01:47 +0000 (20:01 -0800)]
target/arm/tcg/vec_helper.c: make compilation unit common
We need to extract the 64-bit helpers into a new file (vec_helper64.c), and
also extract some macro definitions, since they will be used in both
files.
As well, DO_3OP_PAIR was defined twice, so rename the second variant
to DO_3OP_PAIR_NO_STATUS to reflect what it does.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-id: 20260219040150.2098396-12-pierrick.bouvier@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Pierrick Bouvier [Thu, 19 Feb 2026 04:01:44 +0000 (20:01 -0800)]
target/arm: move exec/helper-* plumbing to helper.h
Since we cleaned helper.h, we can continue further and remove
all exec/helper-* inclusion. This way, all helpers use the same pattern,
and helper include details are limited to those headers.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-id: 20260219040150.2098396-9-pierrick.bouvier@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Pierrick Bouvier [Thu, 19 Feb 2026 04:01:43 +0000 (20:01 -0800)]
tcg: move tcg_use_softmmu to tcg/tcg-internal.h
In the next commit, we'll apply the same helper pattern to the remaining
base helpers.
Our new helper pattern always includes helper-*-common.h, which ends up
including include/tcg/tcg.h, which contains one occurrence of
CONFIG_USER_ONLY.
Thus, common files not being duplicated between system and target
relying on helpers will fail to compile. Existing occurrences are:
- target/arm/tcg/arith_helper.c
- target/arm/tcg/crypto_helper.c
This occurrence of CONFIG_USER_ONLY is for defining variable
tcg_use_softmmu, and we rely on dead code elimination with it in various
tcg-target.c.inc.
Thus, move its definition to tcg/tcg-internal.h, so helpers can be
included by common files. Also, change it to a define, as it has fixed
values for now.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-id: 20260219040150.2098396-8-pierrick.bouvier@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Pierrick Bouvier [Thu, 19 Feb 2026 04:01:39 +0000 (20:01 -0800)]
target/arm: extract helper-mve.h from helper.h
A few points to mention:
- We mix helper prototypes and gen_helper definitions in a single header
for convenience and to avoid headers boilerplate.
- We rename existing tcg/helper-mve.h to helper-mve-defs.h to avoid
conflict when including helper-mve.h.
- We move mve helper_info definitions to tcg/mve_helper.c
We'll repeat the same for other helpers.
This allows us to get rid of TARGET_AARCH64 in target/arm/helper.h.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-id: 20260219040150.2098396-4-pierrick.bouvier@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Thu, 19 Feb 2026 04:01:38 +0000 (20:01 -0800)]
target/arm: Don't require helper prototypes in helper.c
In arm_cpu_do_interrupt_aarch64() we call the TCG helper function
helper_rebuild_hflags_a64(), which requires helper.c to include the
TCG helper function prototypes even when this file is being compiled
with TCG disabled.
We don't actually need to do this -- because we have already written
the new EL into pstate and updated env->aarch64, we can call
aarch64_rebuild_hflags() to achieve the same effect. This is the
function we use everywhere else in this file to update hflags.
Switch to aarch64_rebuild_hflags() and drop the include of the
TCG helper headers.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-id: 20260219040150.2098396-3-pierrick.bouvier@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Thu, 19 Feb 2026 04:01:37 +0000 (20:01 -0800)]
target/arm: Move TCG-specific code out of debug_helper.c
The target/arm/debug_helper.c file has some code which we need
for non-TCG accelerators, but quite a lot which is guarded by
a CONFIG_TCG ifdef. Move all this TCG-only code out to a
new file target/arm/tcg/debug.c.
In particular all the code requiring access to the TCG
helper function prototypes is in the moved code, so we can
drop the use of tcg/helper.h from debug_helper.c.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-id: 20260219040150.2098396-2-pierrick.bouvier@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Thu, 19 Feb 2026 09:37:09 +0000 (09:37 +0000)]
Merge tag 'pull-vfio-20260218' of https://github.com/legoater/qemu into staging
vfio queue:
* Improves VFIO region mmap alignment for hugepfnmap support on
Grace-based systems (GB200)
* Documents vfio_device_get_region_info() API
* Adds a new VFIO_MIGRATION event notifying PRE_COPY_P2P transition
* tag 'pull-vfio-20260218' of https://github.com/legoater/qemu:
vfio: Document vfio_device_get_region_info()
hw/vfio: align mmap to power-of-2 of region size for hugepfnmap
vfio: Add Error ** parameter to vfio_region_setup()
hw/vfio: sort and validate sparse mmap regions by offset
vfio/migration: Send VFIO_MIGRATION event before PRE_COPY_P2P transition
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Thu, 19 Feb 2026 09:13:49 +0000 (09:13 +0000)]
Merge tag 'qga-pull-2026-02-16-2' of https://github.com/kostyanf14/qemu into staging
qga-pull-2026-02-16-2
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCgAdFiEEwsLBCepDxjwUI+uE711egWG6hOcFAmmVjNEACgkQ711egWG6
# hOeDqQ/+L0jk9fXV8trbQ+J+b82AGrx+pMy9MWIppitO3xxqP0Z6RBh/F3iPLL0j
# 9vDzjL80R52gfH2o2n4jp0krBtUglieRr9Z+/Ttl6UiJvXHhCGYOf5ooifXsn1zH
# Le84BV9qtax9kHeYgqQ6FRUpZ+qThVGpbbnMwlRgeKF8mZBUiLFOOO8P9FZ9djBg
# Ysu8wpxr40YE7WhU9w1HCoegMLwdnb9TID9Oc6y0LHqdeW/5ap/RacbxKicXswQ3
# sJK8n+g0Z4Xo63NJye3ygHshLsQTQRcZOyVgdn9G9OZWjnBQ0Fzwcc9megTTcVAD
# Gd5avRvDj+iMSIb/dRzBcxSrKNwM/XC31awGgOna/UFsZlnz0oL3cFkdzCo3FHiM
# CV+z36tAJT5b2qepVMEnPuW1TtcYknzrqSRNK9TfTROdEmKqECRvweAbGfgDx6aK
# Fuiah2XoBCShy4SQF3Z4lEaAZyKMz90Mhmf9PrzG+QOZgPSJtuF4XQvV37BKr+8b
# 7V82DuIucdEoQvAedtiZueXH/8moN0L1MRrqxBjOk/g8AozOQD8Pykgg7cuRuA39
# dK/seTVIdP4YAPVGfcq/lwXuOAbx/0Hmwku5O59mSp6OC7UDWFeenbKzOq0U4cgr
# 1r4a4bGuSvusFGOfflKdWUMcDMlLWKOva9pDoywJsoRHdbfDrFU=
# =lIXl
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed Feb 18 09:56:33 2026 GMT
# gpg: using RSA key C2C2C109EA43C63C1423EB84EF5D5E8161BA84E7
# gpg: Good signature from "Kostiantyn Kostiuk (Upstream PR sign) <kkostiuk@redhat.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: C2C2 C109 EA43 C63C 1423 EB84 EF5D 5E81 61BA 84E7
* tag 'qga-pull-2026-02-16-2' of https://github.com/kostyanf14/qemu:
qga: Fix VSS provider GetSnapshotProperties return value
qga: Move CoInitialize/CoInitializeSecurity to main process thread
qga: implement guest-network-get-route for Windows
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* tag 'firmware-20260218-pull-request' of https://gitlab.com/kraxel/qemu:
docs/interop/firmware: Add 'uefi-vars' member for FirmwareMappingMemory
igvm: Add NULL checks for igvm_get_buffer()
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
BALATON Zoltan [Wed, 18 Feb 2026 18:40:14 +0000 (18:40 +0000)]
hw/usb/hcd-ohci: Implement frame number overflow event
According to the USB OHCI specification section 6.5.6
("FrameNumberOverflow Event"), when bit 15 of the frame count changes
(either from 1 to 0 or 0 to 1) a FrameNumberOverflow interrupt should
be generated.
This fixes usb-audio on mac99,via=pmu with MacOS 9.
Peter Maydell [Wed, 18 Feb 2026 18:40:14 +0000 (18:40 +0000)]
target/arm: Permit configurations with SME but not SVE
In commit f7767ca30179 ("target/arm: Disable SME if SVE is disabled")
we added code that forces SME to be disabled if SVE is disabled.
This was something we did in the run-up to a release to avoid an
assertion failure in smcr_write() if the user disabled SVE on the
'max' CPU without disabling SME also.
Now that we have corrected the code so that it doesn't assert
in an SME-without-SVE setup, we can let users select it.
Note that this now means that command lines like "-cpu max,sve=off"
which used to turn off SME and SVE will now give you a CPU with SME
but not SVE. This is permitted by our loose "max can always give you
extra stuff" rules, but may be unexpected to users. Mention this in
the CPU property documentation.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260202133353.2231685-16-peter.maydell@linaro.org
Peter Maydell [Wed, 18 Feb 2026 18:40:14 +0000 (18:40 +0000)]
target/arm: Squash FEAT_SME_FA64 if FEAT_SVE is not present
FEAT_SME_FA64 allows Streaming SVE code to access the whole
SVE instruction set; it requires FEAT_SVE to be present. If
we have a CPU with SME but not SVE, squash the FA64 bit in
arm_cpu_sme_finalize().
This doesn't have any effect at the moment because we don't
let the user create an SME-without-SVE CPU, but we are about
to lift that restriction.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260202133353.2231685-15-peter.maydell@linaro.org
Fields used for SVE and SME (in some cases there is also a
field for SME in ID_AA64SMFR0_EL1, but it is just a "present
or absent" single bit flag and the ZFR0 field then tells you
what level of support is present):
* I8MM, SHA3, BF16, BitPerm, EltPerm, AES
Currently we zero the whole ID_AA64ZFR0_EL1 register in
arm_cpu_sve_finalize() if SVE is not present, which wipes also the
fields we need for SME. Only clear the fields which are SVE-specific
here, and clear the rest in arm_cpu_sme_finalize() if we
have neither SME nor SVE.
This requires us to update our ID_AA64ZFR0 field definitions
to match the rev M.a.a Arm ARM, as the F16MM SVE-only field
is not one we had a definition for previously.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260202133353.2231685-14-peter.maydell@linaro.org
Peter Maydell [Wed, 18 Feb 2026 18:40:14 +0000 (18:40 +0000)]
target/arm/tcg: Correct SVE/SME BF16 checks
As with I8MM, the BF16 field of ID_AA64ZFR0_EL1 is set when the
CPU implements FEAT_BF16 and either FEAT_SVE or FEAT_SME, so
we need to have separate checks for "(SVE || SME) && BF16"
and "SVE && BF16". Follow the same pattern as with I8MM:
* aa64_sve_sme_bf16 means (SVE || SME) && BF16
* aa64_sve_bf16 means (SVE && BF16)
BFMMLA is the only SVE BF16 insn that isn't in SME.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260202133353.2231685-13-peter.maydell@linaro.org
Peter Maydell [Wed, 18 Feb 2026 18:40:14 +0000 (18:40 +0000)]
target/arm/tcg: Correct SVE/SME I8MM checks
The I8MM field of ID_AA64ZFR0_EL1 is set when the CPU implements
FEAT_I8MM and either FEAT_SVE or FEAT_SME. Currently we assume
that it is only set for FEAT_SVE. Update the feature checks:
* we rename the existing feature check function to sve_sme_i8mm
to indicate that it is true for either SVE or SME I8MM
* we add a new check function for FEAT_SVE && FEAT_I8MM (giving
it the sve_i8mm name that the old function used to have)
* the instructions which are (SVE || SME) && I8MM need their
checks updating to sve_sme_i8mm: these are SUDOT, USDOT
* instructions which are SVE && I8MM (i.e. really SVE-only) stay
unchanged with sve_i8mm: these are SMMLA, USMMLA, UMMLA
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260202133353.2231685-12-peter.maydell@linaro.org
Peter Maydell [Wed, 18 Feb 2026 18:40:14 +0000 (18:40 +0000)]
target/arm/tcg: Use "or SME" feature checks where needed
Many SVE instructions should be provided where the CPU implements
either SVE or SME. Currently we largely check only for features
aa64_sve or aa64_sve2. This happens to work because we forbid
creation of a CPU with SME but not SVE. To allow users to create
SME-only CPUs we need to update the conditions to use the "or SME"
versions of the feature tests instead.
This commit was created by going through translate-sve.c from
top to bottom looking for aa64_sve feature tests and cross
checking those against the instruction descriptions in the Arm ARM,
which will say "(FEAT_SVE || FEAT_SME)" for instructions that
are provided for both features, and "(FEAT_SME)" for the rarer
instructions that are SME only.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260202133353.2231685-11-peter.maydell@linaro.org
Peter Maydell [Wed, 18 Feb 2026 18:40:14 +0000 (18:40 +0000)]
target/arm/tcg: Drop unnecessary aa64_sve check from do_trans_pmull()
Part of the logic inside do_trans_pmull() applies the aa64_sve
feature check for the non-128-bit-element versions of these insns
(PMULLB and PMULLT). This is currently a redundant check because we
only invoke this function via the macro invocation
TRANS_FEAT(..., aa64_sve2, do_trans_pmull, ...)
and it's actively wrong for an SME-only CPU, because these insns
are also available via SME. Remove the unnecessary logic.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260202133353.2231685-10-peter.maydell@linaro.org
Peter Maydell [Wed, 18 Feb 2026 18:40:14 +0000 (18:40 +0000)]
target/arm: Add aa64_sme_or_sve, aa64_sme_or_sve2 features
With FEAT_SME, even a CPU which does not implement FEAT_SVE is
allowed to execute the subset of SVE instructions which are permitted
in streaming SVE mode. We correctly handle this when the emulated
CPU has both FEAT_SVE and FEAT_SME, because sve_access_check()
includes the logic for this, matching the pseudocode
CheckSVEEnabled(). However if the emulated CPU only implements
FEAT_SME, it will fail the initial dc_isar_feature(aa64_sve, s)
feature check, because this doesn't match the check in the
per-instruction decode pseudocode, which is typically:
Add a new aa64_sme_or_sve feature function that we can use
to update the relevant uses of aa64_sve, and similarly
aa64_sme_or_sve2 for where we need to check FEAT_SVE2 || FEAT_SME.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260202133353.2231685-9-peter.maydell@linaro.org
Peter Maydell [Wed, 18 Feb 2026 18:40:14 +0000 (18:40 +0000)]
target/arm: Handle SME-without-SVE on change of EL
aarch64_sve_change_el() currently assumes that SME implies
SVE, and will return without doing anything if SVE is not
implemented, skipping a possible requirement to change
the vector register state because the SME vector length
has changed. Update it to handle SME also.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260202133353.2231685-8-peter.maydell@linaro.org
Peter Maydell [Wed, 18 Feb 2026 18:40:14 +0000 (18:40 +0000)]
target/arm: Handle SME-only CPUs in sve_vqm1_for_el_sm()
In sve_vqm1_for_el_sm(), we implicitly assume that the CPU has SVE:
if called with sm == false for non-streaming mode, we try to return a
vector length from svq_vq. This hits the "assert(sm)" at the bottom
of the function in an SME-only CPU where sve_vq.map is zero.
Add code to handle the "SME-only CPU not in streaming mode" case: we
report an effective VL of 128 bits, which is what the architecture
rule R_KXKNK says should be used when SVE instructions are disabled
or trapped but floating point instructions are enabled.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260202133353.2231685-7-peter.maydell@linaro.org
Peter Maydell [Wed, 18 Feb 2026 18:40:13 +0000 (18:40 +0000)]
target/arm: Don't let 'sme=on' downgrade SME
In our handling of the boolean 'sme' CPU property, we write this 0/1
value directly to ID_AA64PFR1_EL1.SME. This worked when the only
valid values in that field were 0 (for no SME) and 1 (for SME1).
However, with the addition of SME2 the SME field can now also read 2.
This means that "-cpu max,sme=on" will result in an inconsistent set
of ID registers, where ID_AA64PFR1_EL1.SME claims SME1 but
ID_AA64SMFR0_EL1.SMEver claims SME2p1. This isn't a valid thing to
report, and confuses Linux into reporting SME2 to userspace but not
actually enabling userspace access for it.
Fix this bug by having arm_cpu_sme_finalize() fix up the
ID_AA64PFR1_EL1.SME field to match ID_AA64SMFR0.SMEver. This means
the "sme" property's semantics are "off" for "no SME" and "on" for
"enable at whatever the default SME version this CPU provides is".
Update the documentation to clarify what 'sve=on' and 'sme=on' do.
(We don't have the equivalent bug for 'sve=on' because
ID_AA64PFR0_EL1.SVE only has 0 and 1 as valid values, but the
semantics of the property are the same.)
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Message-id: 20260202133353.2231685-6-peter.maydell@linaro.org
Peter Maydell [Wed, 18 Feb 2026 18:40:13 +0000 (18:40 +0000)]
target/arm: Fix feature check in DO_SVE2_RRX, DO_SVE2_RRX_TB
In the macros DO_SVE2_RRX and DO_SVE2_RRX_TB we use the
feature check aa64_sve, thus exposing this set of instructions
in SVE as well as SVE2. Use aa64_sve2 instead, so they UNDEF
on an SVE1-only CPU as they should.
Strictly, the condition here should be "SVE2 or SME"; but we
will correct that in a following commit with all the other
missing "or SME" checks.
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Message-id: 20260202133353.2231685-4-peter.maydell@linaro.org
Peter Maydell [Wed, 18 Feb 2026 18:40:13 +0000 (18:40 +0000)]
target/arm: Report correct vector width in gdbstub when SME present
Our gdbstub implementation of the org.gnu.gdb.aarch64.sve feature
doesn't account for SME correctly. We always report the Zn vector
registers with a width based on the maximum SVE vector register size,
even though SME's maximum size could be larger.
This is particularly bad in the case of a CPU with SME but not SVE,
because there the SVE vector width will be zero. If we report the Zn
registers in the XML as having a zero width then gdb falls over with
an internal error:
(gdb) target remote :1234
Remote debugging using :1234
/build/gdb-1WjiBe/gdb-15.0.50.20240403/gdb/aarch64-tdep.c:3066: internal-error: aarch64_pseudo_register_type: bad register number 160
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Report the Zn registers with their correct size. This matches how we
already handle the 'vg' pseudoregister in org.gnu.gdb.aarch64.sve: we
call sve_vqm1_for_el(), which returns the vector size accounting for
SME, not the pure SVE vector size.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20260202133353.2231685-3-peter.maydell@linaro.org
Peter Maydell [Wed, 18 Feb 2026 18:40:13 +0000 (18:40 +0000)]
target/arm: Account for SME in aarch64_sve_narrow_vq() assertion
In aarch64_sve_narrow_vq() we assert that the new VQ is within
the maximum supported range for the CPU. We forgot to update
this to account for SME, which might have a different maximum.
Update the assert to permit any VQ which is valid for either
SVE or SME.
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260202133353.2231685-2-peter.maydell@linaro.org
Ankit Agrawal [Tue, 17 Feb 2026 15:30:10 +0000 (15:30 +0000)]
hw/vfio: align mmap to power-of-2 of region size for hugepfnmap
On Grace-based systems such as GB200, device memory is exposed as a
BAR but the actual mappable size is not power-of-2 aligned. The
previous algorithm aligned each sparse mmap area based on its
individual size using ctz64() which prevented efficient huge page
usage by the kernel.
Adjust VFIO region mapping alignment to use the next power-of-2 of
the total region size and place the sparse subregions at their
appropriate offset. This provides better opportunities to get huge
alignment allowing the kernel to use larger page sizes for the VMA.
This enables the use of PMD-level huge pages which can significantly
improve memory access performance and reduce TLB pressure for large
device memory regions.
With this change:
- Create a single aligned base mapping for the entire region
- Change alignment to be based on pow2ceil(region->size), capped at 1GiB
- Unmap gaps between sparse regions
- Use MAP_FIXED to overlay sparse mmap areas at their offsets
Example VMA for device memory of size 0x2F00F00000 on GB200:
Ankit Agrawal [Tue, 17 Feb 2026 15:30:09 +0000 (15:30 +0000)]
vfio: Add Error ** parameter to vfio_region_setup()
Add an Error **errp parameter to vfio_region_setup() and
vfio_setup_region_sparse_mmaps() to allow proper error handling
instead of just returning error codes.
The function sets errors via error_setg() when a failure occurs.
Ankit Agrawal [Tue, 17 Feb 2026 15:30:08 +0000 (15:30 +0000)]
hw/vfio: sort and validate sparse mmap regions by offset
Sort sparse mmap regions by offset during region setup to ensure
predictable mapping order, avoid overlaps and a proper handling
of the gaps between sub-regions.
Add validation to detect overlapping sparse regions early during
setup before any mapping operations begin.
The sorting is performed on the subregions ranges during
vfio_setup_region_sparse_mmaps(). This also ensures that subsequent
mapping code can rely on subregions being in ascending offset order.
This is preparatory work for alignment adjustments needed to support
hugepfnmap on systems where device memory (e.g., Grace-based systems)
may have non-power-of-2 sizes.
cc: Alex Williamson <alex@shazbot.org>
Reviewed-by: Alex Williamson <alex@shazbot.org>
Reviewed-by: Shameer Kolothum <skolothumtho@nvidia.com>
Signed-off-by: Ankit Agrawal <ankita@nvidia.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260217153010.408739-2-ankita@nvidia.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
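The two VFIO commits above (aligning the base mapping to pow2ceil of the region size capped at 1GiB, and sorting/validating the sparse mmap areas so that gaps can be unmapped before the areas are overlaid with MAP_FIXED) are demonstrated by the following added example. It is not QEMU's hw/vfio code: the function names (region_mmap_align, sort_and_validate_areas, compute_gaps), the SparseArea type and the sample inputs are all constructed here; the region size 0x2F00F00000 is the one quoted in the commit message. The example stops at computing the alignment and the gap list, without performing any mmap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define GIB (1ULL << 30)

/* One sparse mmap sub-region: (offset, size) relative to the region start. */
typedef struct {
    uint64_t offset;
    uint64_t size;
} SparseArea;

static int cmp_area(const void *pa, const void *pb)
{
    const SparseArea *a = pa, *b = pb;
    return (a->offset > b->offset) - (a->offset < b->offset);
}

/* Smallest power of two >= v (1 for v <= 1); 0 if none fits in 64 bits. */
static uint64_t pow2ceil_u64(uint64_t v)
{
    uint64_t p = 1;
    while (p < v) {
        if (p > UINT64_MAX / 2) {
            return 0;
        }
        p <<= 1;
    }
    return p;
}

/* Alignment of the single base mapping: pow2ceil(region size), capped at 1 GiB. */
uint64_t region_mmap_align(uint64_t region_size)
{
    uint64_t align = pow2ceil_u64(region_size);
    return (align == 0 || align > GIB) ? GIB : align;
}

/* Sort areas by offset in place, then reject empty areas, areas whose end
 * wraps or runs past the region, and any pair of areas that overlap. */
bool sort_and_validate_areas(SparseArea *areas, size_t n, uint64_t region_size)
{
    uint64_t prev_end = 0;

    qsort(areas, n, sizeof(*areas), cmp_area);
    for (size_t i = 0; i < n; i++) {
        uint64_t end = areas[i].offset + areas[i].size;

        if (areas[i].size == 0 || end < areas[i].offset || end > region_size) {
            return false;               /* empty, wrapped, or outside the region */
        }
        if (areas[i].offset < prev_end) {
            return false;               /* overlaps the previous (sorted) area */
        }
        prev_end = end;
    }
    return true;
}

/* List the parts of the base mapping not covered by any area: these are the
 * gaps to unmap before the areas are overlaid. Input must be sorted and
 * validated. Returns the number of gaps; at most max_gaps are written out. */
size_t compute_gaps(const SparseArea *areas, size_t n, uint64_t region_size,
                    SparseArea *gaps, size_t max_gaps)
{
    size_t count = 0;
    uint64_t cursor = 0;

    for (size_t i = 0; i <= n; i++) {
        uint64_t next = (i < n) ? areas[i].offset : region_size;

        if (next > cursor) {
            if (count < max_gaps) {
                gaps[count].offset = cursor;
                gaps[count].size = next - cursor;
            }
            count++;
        }
        if (i < n) {
            cursor = areas[i].offset + areas[i].size;
        }
    }
    return count;
}

/* Constructed sample (not real device data): a 4 MiB region whose two sparse
 * areas arrive out of order. Returns the gap count, or -1 if validation fails. */
int run_sample(void)
{
    SparseArea areas[] = {
        { .offset = 0x200000, .size = 0x100000 },
        { .offset = 0x000000, .size = 0x100000 },
    };
    SparseArea gaps[4];
    const uint64_t region_size = 0x400000;

    if (!sort_and_validate_areas(areas, 2, region_size)) {
        return -1;
    }
    return (int)compute_gaps(areas, 2, region_size, gaps, 4);
}

/* Constructed overlapping input: validation must reject it. */
bool sample_overlap_rejected(void)
{
    SparseArea areas[] = {
        { .offset = 0x000000, .size = 0x200000 },
        { .offset = 0x100000, .size = 0x100000 },
    };
    return !sort_and_validate_areas(areas, 2, 0x400000);
}

int main(void)
{
    printf("align for 0x2F00F00000: 0x%llx\n",
           (unsigned long long)region_mmap_align(0x2F00F00000ULL));
    printf("sample gaps: %d\n", run_sample());
    printf("overlap rejected: %s\n", sample_overlap_rejected() ? "yes" : "no");
    return 0;
}
```

For the GB200-sized region the next power of two is 256 GiB, so the cap applies and the base mapping is aligned to 1 GiB; the sample's two areas leave two gaps (the middle 1 MiB and the trailing 1 MiB), and the overlapping input is rejected before any mapping would be attempted.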
Avihai Horon [Mon, 2 Feb 2026 17:34:06 +0000 (19:34 +0200)]
vfio/migration: Send VFIO_MIGRATION event before PRE_COPY_P2P transition
The VFIO_MIGRATION event notifies users when a VFIO device transitions
to a new state.
One use case for this event is to prevent timeouts for RDMA connections
to the migrated device. In this case, an external management application
(not libvirt) consumes the events and disables the RDMA timeout
mechanism when receiving the event for PRE_COPY_P2P state, which
indicates that the device is non-responsive.
This is essential because RDMA connections typically have very low
timeouts (tens of milliseconds), which can be far below migration
downtime.
However, under heavy resource utilization, the device transition to
PRE_COPY_P2P can take hundreds of milliseconds to complete. Since the
VFIO_MIGRATION event is currently sent only after the transition
completes, it arrives too late, after RDMA connections have already
timed out.
To address this, send an additional "prepare" event immediately before
initiating the PRE_COPY_P2P transition. This guarantees timely event
delivery regardless of how long the actual state transition takes.
qga: Move CoInitialize/CoInitializeSecurity to main process thread
Problem:
Two issues with COM initialization:
Issue #1: Incorrect call order
- requester_init() called CoInitializeSecurity first
- Per Microsoft documentation, CoInitialize() must be called BEFORE
CoInitializeSecurity()
Issue #2: Incorrect call location
- CoInitializeSecurity was called from dll instead of the main process
- Per Microsoft documentation, CoInitializeSecurity() must be called exactly once per process from
the main executable, not from a DLL
This caused incorrect COM initialization, preventing VSS Writers from
calling back via IVssWriterCallback (hr = 0x80070005, Access denied,
Event ID 8194).
Fix:
- Initialize COM in main.c for both service and CLI modes
- Call CoInitialize() followed by CoInitializeSecurity() in correct order
in the main thread before any VSS operations
- Add proper CoUninitialize() cleanup
Result:
VSS Writers can now successfully call back to the agent. Event ID 8194
error is resolved.
qga: implement guest-network-get-route for Windows
Add Windows implementation of guest-network-get-route command to provide
network routing information on Windows guests.
Features implemented:
- IPv4 and IPv6 route information retrieval using GetIpForwardTable2
- Human-readable interface names via GetAdaptersAddresses
- Proper route metrics combining route and interface metrics
- MTU information for network interfaces
- Support for destination, gateway, mask, and metric fields for IPv4
- Support for destination, nexthop, and desprefixlen fields for IPv6
Implementation uses modern Windows IP Helper API (GetIpForwardTable2,
GetIfEntry2).
# -----BEGIN PGP SIGNATURE-----
#
# iQJEBAABCAAuFiEEqhtIsKIjJqWkw2TPx5jcdBvsMZ0FAmmUkycQHGZhcm9zYXNA
# c3VzZS5kZQAKCRDHmNx0G+wxnRUQD/9tRGwSAmIY6T9X20eH+KFbPK+QquPGpyt7
# CPuTPAIx3fXCPZWq4syjJ1hKfoB3n8IHirTfKLmpW/0UKPZReOvsW7EDvZ5pati5
# Zsj/DtVYIEEwRDPRq2OL1kT//ofqhL8htjs2sTypEVgHTToIxYuT7kNGr1xVAKyB
# lUZWgQUJoihX4czNLkxKddxrG4BQx9hEYrq6kTgqmRdVUVo2xiQMSyHElE76L37g
# JZB2kOgf2Y6o8T4WTROiiEkn5CwWw181Nl/Iic1CNh44mFt/xSB7RQU91lU1Pu9b
# 4cqk6pf6WR35b0BS27b8jYfLGCf1GJJKMpoZLCEKbHPYs1rnGcD0gxoOx6NtscpR
# xNhaFm+iH4UtD2yX7Z3TlA7u/DfwsFpIMMtxc91bhYCnLX9AMm2MB+71T/v4HWvX
# f0dqXMSxlDpuzubuA+Ztw7h43+vidQCYXknFFtHVSv4SNAJbSqyzWiALpUibsT3I
# 2cQ+xm4mCT+7hYei59P2cnPOR9DW4/ONbvua2VAVeipgARwWnzn882B1zQrGYirJ
# gsQchT0/PTZEikkd3WWTUtSRO8r61AUnFgkTTIKkgZDF7rRAwm79gkM9yPFddIQQ
# GcssvGiuwdnWmSov0zW24285zRTOJendi1gMtd66jaEEWcvsONl285904RnrxQnm
# uypzwZgzaw==
# =5jYW
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue Feb 17 16:11:19 2026 GMT
# gpg: using RSA key AA1B48B0A22326A5A4C364CFC798DC741BEC319D
# gpg: issuer "farosas@suse.de"
# gpg: Good signature from "Fabiano Rosas <farosas@suse.de>" [unknown]
# gpg: aka "Fabiano Almeida Rosas <fabiano.rosas@suse.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: AA1B 48B0 A223 26A5 A4C3 64CF C798 DC74 1BEC 319D
* tag 'migration-20260217-pull-request' of https://gitlab.com/farosas/qemu: (32 commits)
tests/qtest/migration/tls-tests.c: Don't use tls_psk end hook for no_tls tests
migration/cpr: Include vfio-cpr.h instead of vfio-device.h
migration/colo/xen: Use generic helpers in qemu_save_device_state()
migration: Simplify qemu_save_device_state()
migration: Make qemu_savevm_state_non_iterable() take errp
migration/bg-snapshot: Cleanup error paths
migration: Introduce qemu_savevm_state_active()
migration: Refactor qemu_savevm_state_setup()
migration: Cleanup error propagates in qemu_savevm_state_setup()
migration: qemu_savevm_state_complete_precopy() take MigrationState*
migration: Split qemu_savevm_state_complete_precopy_non_iterable()
migration: Provide helper for save vm description
migration: Introduce qemu_savevm_state_end()
migration/postcopy: Send device states without copying buffer
migration/colo: Send device states without copying buffer
migration: Drop qemu_file_set_error() when save non-iterable fails
migration: Drop iterable_only in qemu_savevm_state_complete_precopy
migration/colo: Document qemu_fflush(fb)
migration/colo: Use the RAM iterable helper directly
colo: Forbid VM resume during checkpointing
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Andrea Bolognani [Tue, 17 Feb 2026 13:15:53 +0000 (14:15 +0100)]
docs/interop/firmware: Add 'uefi-vars' member for FirmwareMappingMemory
This allows describing firmwares that are loaded as ROMs but also
support a UEFI variable store. This is the case for edk2 builds
that are set up to use the uefi-vars QEMU device, and whose
descriptors would advertise the 'host-uefi-vars' feature.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Acked-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260217131553.313772-2-abologna@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Oliver Steffen [Thu, 12 Feb 2026 15:41:14 +0000 (16:41 +0100)]
igvm: Add NULL checks for igvm_get_buffer()
According to the documentation we are supposed to do a null-pointer
check on the buffers returned by igvm_get_buffer() (part of the IGVM C
library).
Add these checks in the IGVM backend.
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
Message-ID: <20260212154114.1119944-1-osteffen@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Peter Maydell [Thu, 12 Feb 2026 11:47:47 +0000 (11:47 +0000)]
tests/qtest/migration/tls-tests.c: Don't use tls_psk end hook for no_tls tests
If you run the TLS tests under a clang undefined-behaviour sanitizer build
it will fall over like this:
../../tests/unit/crypto-tls-psk-helpers.c:53:12: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/unistd.h:858:48: note: nonnull attribute specified here
#0 0x62bd810762ee in test_tls_psk_cleanup /home/pm215/qemu/build/clang/../../tests/unit/crypto-tls-psk-helpers.c:53:5
#1 0x62bd81073f89 in migrate_hook_end_tls_psk /home/pm215/qemu/build/clang/../../tests/qtest/migration/tls-tests.c:101:5
#2 0x62bd81062ef0 in test_precopy_common /home/pm215/qemu/build/clang/../../tests/qtest/migration/framework.c:947:9
This happens because test_precopy_tcp_no_tls() uses a custom start_hook
that only sets a couple of parameters, but reuses the tls_psk end_hook.
However, the end_hook runs cleanup that assumes that the data was set
up by migrate_hook_start_tls_psk_common(). In particular, it will
unconditionally call test_tls_psk_cleanup(data->pskfile), and
test_tls_psk_cleanup() will unconditionally unlink() the filename it
is passed, which is undefined behaviour if you pass it a NULL pointer.
Instead of creating a TestMigrateTLSPSKData struct which we never set
any fields in and requiring the migrate_hook_end_tls_psk() hook to
cope with that, don't allocate the struct in the start_hook. Then
there is nothing we need to clean up, and we can set the end_hook
to NULL (which the test framework will interpret as "don't call
any end_hook").
Peter Xu [Tue, 27 Jan 2026 18:52:54 +0000 (13:52 -0500)]
migration/colo/xen: Use generic helpers in qemu_save_device_state()
Use qemu_savevm_state_non_iterable*() helpers for saving device states,
rather than walking the vmstate handlers on its own.
Non-iterables can be either early_setup devices, or otherwise.
Note that QEMU only has one early_setup device currently, which is
virtio-mem, and I highly doubt it is used by either COLO or Xen users.
However, this step is still needed to provide full coverage of all
non-iterable vmstates.
While at it, allow it to report errors.
Cc: David Woodhouse <dwmw2@infradead.org> Cc: Paul Durrant <paul@xen.org> Signed-off-by: Peter Xu <peterx@redhat.com> Reviewed-by: Fabiano Rosas <farosas@suse.de> Tested-by: Lukas Straub <lukasstraub2@web.de> Link: https://lore.kernel.org/qemu-devel/20260127185254.3954634-25-peterx@redhat.com Signed-off-by: Fabiano Rosas <farosas@suse.de>
Peter Xu [Tue, 27 Jan 2026 18:52:53 +0000 (13:52 -0500)]
migration: Simplify qemu_save_device_state()
This function is used by both COLO and Xen. Simplify it with two changes:
- Remove checks on qemu_savevm_se_iterable(): this is not needed as
vmstate_save() also checks for "save_state() || vmsd" instead. Here,
save_setup() (or say, iterable states) should be mutually exclusive to
"save_state() || vmsd" [*].
- Remove migrate_error_propagate(): neither of the users uses the live
migration framework, only raw vmstate operations. Error propagation is
only needed for query-migrate persistence.
[*] One tricky user is VFIO, which provides _both_ save_state() and
save_setup(). However, VFIO mustn't have been used in these paths, or it
means both COLO and Xen have ignored VFIO data instead (that is,
qemu_savevm_se_iterable() will return true for VFIO). Hence, this change is
safe.
Peter Xu [Tue, 27 Jan 2026 18:52:52 +0000 (13:52 -0500)]
migration: Make qemu_savevm_state_non_iterable() take errp
Let the function report errors to upper layers. Out of three current
users, two of them already process the errors, except one outlier,
qemu_savevm_state_complete_precopy(), where we do it manually for now with
a comment for TODO.
Peter Xu [Tue, 27 Jan 2026 18:52:51 +0000 (13:52 -0500)]
migration/bg-snapshot: Cleanup error paths
Clean up error handling in the bg_migration_thread() function. First of all,
early_fail is almost only used to say whether the BQL is taken. Since we already
have separate jump labels, we don't really need it, hence it is removed.
Also, since local_err is around, make sure every failure path sets a
proper error string for the failure, then propagates it to MigrationState.error.
Peter Xu [Tue, 27 Jan 2026 18:52:50 +0000 (13:52 -0500)]
migration: Introduce qemu_savevm_state_active()
Introduce this helper to detect if a SaveStateEntry is active.
Note that this helper can actually also be used in loadvm paths, but let's
stick with this name for now because we still use SaveStateEntry for the
shared structure that both savevm and loadvm use, where this name still suits.
Peter Xu [Tue, 27 Jan 2026 18:52:49 +0000 (13:52 -0500)]
migration: Refactor qemu_savevm_state_setup()
Split it into two smaller chunks:
- Dump of early_setup VMSDs
- Dump of save_setup() sections
They're mutually exclusive, hence we can run two loops and do them
sequentially. This will cause the migration thread to loop one more time, but
it should be fine since migration has just started and only does it once. It's
needed because we will need to reuse the early_vmsd helper later to
deduplicate code elsewhere.
QEMU almost always sticks with qemu_savevm_state_XXX() to represent the dump of
the vmstate's section XXX. With that in mind, this patch renames the original
qemu_savevm_state_setup() to qemu_savevm_state_do_setup() instead.
So after this patch:
- qemu_savevm_state_non_iterable_early() dumps early_vmsds only,
- qemu_savevm_state_setup() dumps save_setup() sections only,
- qemu_savevm_state_do_setup() does all things needed during setup
phase (including migration SETUP notifies)
Split the function, making it the helper to dump all non-iterable
device states (early_vmsd excluded). Move the precopy end logic out to the
two callers that need it.
With it, we can remove the in_postcopy parameter. Meanwhile, rename the
function to qemu_savevm_state_non_iterable(): we don't need the keyword
"complete" because non-iterable doesn't iterate anyway, and we don't need
"precopy" because we moved the precopy specialties out.
NOTE: this patch introduces one new migrate_get_current() user; it will be
removed in a follow-up patch.
Peter Xu [Tue, 27 Jan 2026 18:52:43 +0000 (13:52 -0500)]
migration/postcopy: Send device states without copying buffer
Put buffer can be async as long as the flush happens before the buffer will
be recycled / reused. Do it for postcopy package data. A quick measurement
on a small VM shows the time to push / flush the package shrinks from 91us to
38us.
Peter Xu [Tue, 27 Jan 2026 18:52:41 +0000 (13:52 -0500)]
migration: Drop qemu_file_set_error() when save non-iterable fails
All users of qemu_savevm_state_complete_precopy_non_iterable() process
return values. There's no need to set an error on the qemufile (which we likely
should remove gradually across the tree). Remove it so that possible code
dedup can happen later.
Peter Xu [Tue, 27 Jan 2026 18:52:39 +0000 (13:52 -0500)]
migration/colo: Document qemu_fflush(fb)
COLO caches all device states in a buffer channel `fb'. Add some comments
explaining the flush, that (1) it's the `fb' not the main channel, (2) what
it updates.
Peter Xu [Mon, 26 Jan 2026 21:36:13 +0000 (16:36 -0500)]
migration: Drop explicit block activation in postcopy fail path
Postcopy (in the failure path) should share disk reactivation with precopy.
Explicit activation used to be fine even if called twice, but after 26f65c01ed ("migration: Do not try to start VM if disk activation fails")
we may want to avoid it and always capture failure when reactivation
happens (even if we do not expect the failure to happen). Remove this
redundant call.
Peter Xu [Mon, 26 Jan 2026 21:36:12 +0000 (16:36 -0500)]
migration: Notify migration FAILED before starting VM
Devices may opt in to migration FAILED notifiers to be invoked when migration
fails. Currently, the notifications happen in migration_cleanup(). It is
normally fine, but maybe not ideal if there's a dependency between the fallback
and VM start.
This patch moves the FAILED notification earlier, so that if the failure
happened during switchover, it'll notify before VM restart.
After walking over all existing FAILED notifier users, I came to the conclusion
that this should also be a cleaner approach, at least from a design POV.
We have these notifier users, where the first two do not need to trap
FAILED:
For cpr-exec, it tries to clean up some cpr-exec specific fds or env
variables. This should be fine either way, as long as it happens before
migration_cleanup().
For virtio-net, we need to re-plug the primary device back to guest in the
failover mode. Likely benign.
VFIO needs to re-start the device if FAILED. IIUC it should do it before
vm_start(): if the VFIO device can be put into a STOPped state due to
migration, we should logically make it running again before vCPUs run.
VDPA will disable SVQ when migration is FAILED. Likely benign too, but
looks better if we can do it before resuming vCPUs.
For spice, we should rely on "spice_server_migrate_end(false)" to retake
the ownership. Benign, but looks more reasonable if the spice client does
it before VM runs again.
Note that this change may introduce slightly more downtime, if the
migration failed exactly at the switchover phase. But that's very rare,
and even if it happens, none of the above expects a long delay but a short
one, which will likely be buried in the total downtime even if failed.
Cc: Cédric Le Goater <clg@redhat.com> Cc: Marc-André Lureau <marcandre.lureau@redhat.com> Acked-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Fabiano Rosas <farosas@suse.de> Signed-off-by: Peter Xu <peterx@redhat.com> Link: https://lore.kernel.org/qemu-devel/20260126213614.3815900-4-peterx@redhat.com Signed-off-by: Fabiano Rosas <farosas@suse.de>
Peter Xu [Mon, 26 Jan 2026 21:36:11 +0000 (16:36 -0500)]
migration: Fix double notification of DONE/FAIL for postcopy
Migration notifiers will notify at any of three places: (1) SETUP
phase, (2) migration completes, (3) migration fails.
There's actually a special case for spice: one can refer to b82fc321bf ("Postcopy+spice: Pass spice migration data earlier"). It
doesn't need another 4th event because in commit 9d9babf78d ("migration:
MigrationEvent for notifiers") we merged it together with the DONE event.
The merge makes some sense if we treat "switchover" of postcopy as "DONE",
however that also means for postcopy we'll notify DONE twice. The other
one is at the end of postcopy in migration_cleanup().
In reality, the current code base will also notify FAILED for postcopy
twice. It's because of a (maybe accidental) change in commit 4af667f87c ("migration: notifier error checking").
First of all, we still need that notification at switchover as stated in
Dave's commit, however that's only needed for spice. To fix it, introduce
a POSTCOPY_START event to differentiate it from DONE. Use that instead in
postcopy_start(). Then spice will need to capture this event too.
Then we remove the extra FAILED notification in postcopy_start().
If one wonders whether other DONE users should also monitor the POSTCOPY_START
event: we have two more DONE users:
- kvm_arm_gicv3_notifier
- cpr_exec_notifier
Both of them do not need a notification for POSTCOPY_START, but only when
migration completed. Actually, both of them are used in CPR, which doesn't
support postcopy.
While at it, update the notifier transition graph in the comment, and move
it from migration_add_notifier() to be closer to where the enum is defined.
I didn't attach Fixes: because I am not aware of any real bug on such
double reporting. I'm wildly guessing the 2nd notify might be silently
ignored in many cases. However this is still worth fixing.
Cc: Marc-André Lureau <marcandre.lureau@redhat.com> Cc: Dr. David Alan Gilbert <dave@treblig.org> Signed-off-by: Peter Xu <peterx@redhat.com> Reviewed-by: Fabiano Rosas <farosas@suse.de> Link: https://lore.kernel.org/qemu-devel/20260126213614.3815900-3-peterx@redhat.com Signed-off-by: Fabiano Rosas <farosas@suse.de>
Chao Liu [Tue, 3 Feb 2026 14:27:06 +0000 (22:27 +0800)]
tests/qtest: Add RISC-V IOMMU bare-metal test
Add a qtest suite for the RISC-V IOMMU PCI device on the virt machine.
The test exercises bare, S-stage, G-stage, and nested translation paths
using iommu-testdev and the qos-riscv-iommu helpers.
The test validates:
- Device context (DC) configuration
- SV39 page table walks for S-stage translation
- SV39x4 page table walks for G-stage translation
- Nested translation combining both stages
- FCTL register constraints
This provides regression coverage for the RISC-V IOMMU implementation
without requiring a full guest OS boot.
Introduce a libqos helper module for RISC-V IOMMU testing with
iommu-testdev. The helper provides routines to:
- Build device contexts (DC) and 3-level page tables for SV39/SV39x4
- Program command queue (CQ), fault queue (FQ), and DDTP registers
following the RISC-V IOMMU specification
- Execute DMA translations and verify results
The current implementation supports SV39 for S-stage and SV39x4 for
G-stage translation. Support for SV48/SV48x4/SV57/SV57x4 can be added
in future patches.
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu: (41 commits)
target/i386/mshv: remove unused optimization of gva=>gpa translation
accel/mshv: Remove remap overlapping mappings code
tests: add /qdev/free-properties test
qdev: make release_tpm() idempotent
qdev: make release_drive() idempotent
qdev: make release_string() idempotent
qdev: Free property array on release
target/i386/kvm: support perfmon-v2 for reset
target/i386/kvm: reset AMD PMU registers during VM reset
target/i386/kvm: rename architectural PMU variables
target/i386/kvm: extract unrelated code out of kvm_x86_build_cpuid()
target/i386/kvm: set KVM_PMU_CAP_DISABLE if "-pmu" is configured
i386/cpu: Fix incorrect initializer in Diamond Rapids definition
hw/char/virtio-serial: Do not expose the 'emergency-write' property
hw/virtio/virtio-pci: Remove VirtIOPCIProxy::ignore_backend_features field
hw/i386/intel_iommu: Remove IntelIOMMUState::buggy_eim field
hw/core/machine: Remove hw_compat_2_7[] array
hw/audio/pcspk: Remove PCSpkState::migrate field
target/i386/cpu: Remove CPUX86State::full_cpuid_auto_level field
hw/i386/pc: Remove pc_compat_2_7[] array
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* tag 'char-pull-request' of https://gitlab.com/marcandre.lureau/qemu:
baum: Add copy/paste bindings
chardev: add logtimestamp option
error-report: make real_time_iso8601() public
char: qemu_chr_write_log() use qemu_write_full()
chardev/char: qemu_char_open(): add return value
chardev: rework filename handling
chardev: introduce .chr_get_pty_name() handler
chardev/char-pty: store pty_name into PtyChardev state
chardev: .chr_open(): add boolean return value
chardev: .chr_open(): drop be_opened parameter
chardev: consistent naming for ChardevClass handlers implementations
chardev: ChardevClass: consistent naming for handlers
ui/spice: drop SPICE_HAS_ATTACHED_WORKER macro
ui/spice: Require spice-server >= 0.15.0
char-udp: Fix initial backend open status
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Magnus Kulke [Tue, 25 Nov 2025 12:08:52 +0000 (13:08 +0100)]
target/i386/mshv: remove unused optimization of gva=>gpa translation
The removed parameters are remnants of a prior attempt to optimize
gva=>gpa translation. Currently there is only one call site and it's
not using it. So we can remove it as dead code.
This change removes userland code that worked around a restriction
in the mshv driver in the 6.18 kernel: regions from userland
couldn't be mapped to multiple regions in the kernel. We maintained a
shadow mapping table in qemu and used a heuristic to swap in a requested
region in case of UNMAPPED_GPA exits.
However, this heuristic wasn't reliable in all cases, since HyperV
behaviour is not 100% reliable across versions. HyperV itself doesn't
prohibit mapping regions at multiple places into the guest, so the
restriction has been removed in the mshv driver.
Hence we can remove the remapping code. Effectively this will mandate a
6.19 kernel, if the workload attempts to map e.g. the BIOS to multiple
regions. I still think it's the right call to remove this logic:
- The workaround only seems to work reliably with a certain revision
of HyperV as a nested hypervisor.
- We expect Direct Virtualization (L1VH) to be the main platform for
the mshv accelerator, which also requires a 6.19 kernel
Chandan Somani [Thu, 8 Jan 2026 23:03:07 +0000 (15:03 -0800)]
qdev: Free property array on release
Before this patch, users of the property array would free the
array themselves in their cleanup functions. This causes
inconsistencies where some users leak the array and some free it.
This patch makes it so that the property array's release function
frees the property array (instead of just its elements). It fixes any
leaks and requires less code.
DEFINE_PROP_ARRAY leakers that are fixed in this patch:
ebpf-rss_fds in hw/net/virtio-net.c
rnmi_irqvec, rnmi_excpvec in hw/riscv/riscv_hart.c
common.display_modes in hw/display/apple-gfx-mmio.m
common.display_modes in hw/display/apple-gfx-pci.m
Dongli Zhang [Fri, 9 Jan 2026 07:54:00 +0000 (23:54 -0800)]
target/i386/kvm: support perfmon-v2 for reset
Since perfmon-v2, the AMD PMU supports additional registers. This update
includes get/put functionality for these extra registers.
Similar to the implementation in KVM:
- MSR_CORE_PERF_GLOBAL_STATUS and MSR_AMD64_PERF_CNTR_GLOBAL_STATUS both
use env->msr_global_status.
- MSR_CORE_PERF_GLOBAL_CTRL and MSR_AMD64_PERF_CNTR_GLOBAL_CTL both use
env->msr_global_ctrl.
- MSR_CORE_PERF_GLOBAL_OVF_CTRL and MSR_AMD64_PERF_CNTR_GLOBAL_STATUS_CLR
both use env->msr_global_ovf_ctrl.
No changes are needed for vmstate_msr_architectural_pmu or
pmu_enable_needed().
Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com> Reviewed-by: Zhao Liu <zhao1.liu@intel.com> Reviewed-by: Sandipan Das <sandipan.das@amd.com> Reviewed-by: Zide Chen <zide.chen@intel.com> Link: https://lore.kernel.org/r/20260109075508.113097-6-dongli.zhang@oracle.com Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Dongli Zhang [Fri, 9 Jan 2026 07:53:59 +0000 (23:53 -0800)]
target/i386/kvm: reset AMD PMU registers during VM reset
QEMU uses the kvm_get_msrs() function to save Intel PMU registers from KVM
and kvm_put_msrs() to restore them to KVM. However, there is no support for
AMD PMU registers. Currently, pmu_version and num_pmu_gp_counters are
initialized based on cpuid(0xa), which does not apply to AMD processors.
For AMD CPUs, prior to PerfMonV2, the number of general-purpose registers
is determined based on the CPU version.
To address this issue, we need to add support for AMD PMU registers.
Without this support, the following problems can arise:
1. If the VM is reset (e.g., via QEMU system_reset or VM kdump/kexec) while
running "perf top", the PMU registers are not disabled properly.
2. Despite x86_cpu_reset() resetting many registers to zero, kvm_put_msrs()
does not handle AMD PMU registers, causing some PMU events to remain
enabled in KVM.
3. The KVM kvm_pmc_speculative_in_use() function consistently returns true,
preventing the reclamation of these events. Consequently, the
kvm_pmc->perf_event remains active.
4. After a reboot, the VM kernel may report the following error:
[ 0.092011] Performance Events: Fam17h+ core perfctr, Broken BIOS detected, complain to your hardware vendor.
[ 0.092023] [Firmware Bug]: the BIOS has corrupted hw-PMU resources (MSR c0010200 is 530076)
5. In the worst case, the active kvm_pmc->perf_event may inject unknown
NMIs randomly into the VM kernel:
[...] Uhhuh. NMI received for unknown reason 30 on CPU 0.
To resolve these issues, we propose resetting AMD PMU registers during the
VM reset process.
AMD does not have what is commonly referred to as an architectural PMU.
Therefore, we need to rename the following variables to be applicable for
both Intel and AMD:
Dongli Zhang [Fri, 9 Jan 2026 07:53:57 +0000 (23:53 -0800)]
target/i386/kvm: extract unrelated code out of kvm_x86_build_cpuid()
The initialization of 'has_architectural_pmu_version',
'num_architectural_pmu_gp_counters', and
'num_architectural_pmu_fixed_counters' is unrelated to the process of
building the CPUID.
Extract them out of kvm_x86_build_cpuid().
In addition, use cpuid_find_entry() instead of cpu_x86_cpuid(), because
CPUID has already been filled at this stage.
Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com> Reviewed-by: Zhao Liu <zhao1.liu@intel.com> Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com> Reviewed-by: Zide Chen <zide.chen@intel.com> Link: https://lore.kernel.org/r/20260109075508.113097-3-dongli.zhang@oracle.com Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Dongli Zhang [Fri, 9 Jan 2026 07:53:56 +0000 (23:53 -0800)]
target/i386/kvm: set KVM_PMU_CAP_DISABLE if "-pmu" is configured
Although AMD PERFCORE and PerfMonV2 are removed when "-pmu" is configured,
there is no way to fully disable KVM AMD PMU virtualization. Neither
"-cpu host,-pmu" nor "-cpu EPYC" achieves this.
As a result, the following message still appears in the VM dmesg:
[ 0.263615] Performance Events: AMD PMU driver.
However, the expected output should be:
[ 0.596381] Performance Events: PMU not available due to virtualization, using software events only.
[ 0.600972] NMI watchdog: Perf NMI watchdog permanently disabled
This occurs because AMD does not use any CPUID bit to indicate PMU
availability.
To address this, KVM_CAP_PMU_CAPABILITY is used to set KVM_PMU_CAP_DISABLE
when "-pmu" is configured.
Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com> Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com> Reviewed-by: Zhao Liu <zhao1.liu@intel.com> Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com> Reviewed-by: Zide Chen <zide.chen@intel.com> Link: https://lore.kernel.org/r/20260109075508.113097-2-dongli.zhang@oracle.com Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Aidan Khoury [Sat, 7 Feb 2026 13:40:11 +0000 (14:40 +0100)]
i386/cpu: Fix incorrect initializer in Diamond Rapids definition
The new Diamond Rapids x86 cpu model definition that was added in 7a6dd8bde1
has an unexpected comma in the `.features[FEAT_VMX_EXIT_CTLS]` subobject
initializer, causing the prior initialization to be overridden. For this
reason `VMX_VM_EXIT_SAVE_DEBUG_CONTROLS | VMX_VM_EXIT_HOST_ADDR_SPACE_SIZE`
is not included.
Fix this by replacing the comma with the missing bitwise OR to properly
combine all the flags into a single bitmask value.
Fixes: 7a6dd8bde159 ("i386/cpu: Add CPU model for Diamond Rapids") Signed-off-by: Aidan Khoury <aidan@aktech.ai>
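The initializer pitfall described in this commit, as an added illustration (not QEMU's cpu.c): the feature-word indices, bit values and the extra ACK_INTR_ON_EXIT / ENTRY_LOAD_DEBUG_CONTROLS flags are constructed stand-ins, and which word loses its bits depends on where the stray comma sits and on the order of the designators.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed stand-ins for QEMU's FeatureWord indices and VMX control bits.
 * Names follow the commit message; the index order and bit values are
 * invented for this illustration and are not QEMU's. */
enum {
    FEAT_VMX_EXIT_CTLS,      /* word the initializer is meant to fill */
    FEAT_VMX_ENTRY_CTLS,     /* next word: where a stray comma's tail lands */
    FEATURE_WORDS
};

#define VMX_VM_EXIT_SAVE_DEBUG_CONTROLS   (1u << 2)
#define VMX_VM_EXIT_HOST_ADDR_SPACE_SIZE  (1u << 9)
#define VMX_VM_EXIT_ACK_INTR_ON_EXIT      (1u << 15)  /* hypothetical extra flag */
#define VMX_VM_ENTRY_LOAD_DEBUG_CONTROLS  (1u << 2)   /* hypothetical entry flag */

typedef struct {
    const char *name;
    uint32_t features[FEATURE_WORDS];
} X86CPUDefinition;

/* "Before": the comma after HOST_ADDR_SPACE_SIZE terminates the designated
 * initializer for features[FEAT_VMX_EXIT_CTLS]. The expression that follows
 * is then a positional initializer for features[FEAT_VMX_EXIT_CTLS + 1], so
 * it silently overrides the ENTRY_CTLS value designated above it, and the
 * EXIT_CTLS word keeps only the bits listed before the comma. GCC reports
 * this with -Woverride-init, clang with -Winitializer-overrides. */
const X86CPUDefinition buggy_def = {
    .name = "constructed-buggy",
    .features[FEAT_VMX_ENTRY_CTLS] = VMX_VM_ENTRY_LOAD_DEBUG_CONTROLS,
    .features[FEAT_VMX_EXIT_CTLS] =
        VMX_VM_EXIT_SAVE_DEBUG_CONTROLS | VMX_VM_EXIT_HOST_ADDR_SPACE_SIZE,
        VMX_VM_EXIT_ACK_INTR_ON_EXIT,
};

/* "After": a bitwise OR joins all terms into one mask for EXIT_CTLS and the
 * ENTRY_CTLS word keeps the value designated for it. */
const X86CPUDefinition fixed_def = {
    .name = "constructed-fixed",
    .features[FEAT_VMX_ENTRY_CTLS] = VMX_VM_ENTRY_LOAD_DEBUG_CONTROLS,
    .features[FEAT_VMX_EXIT_CTLS] =
        VMX_VM_EXIT_SAVE_DEBUG_CONTROLS | VMX_VM_EXIT_HOST_ADDR_SPACE_SIZE |
        VMX_VM_EXIT_ACK_INTR_ON_EXIT,
};

uint32_t cpu_feature_word(const X86CPUDefinition *def, int word)
{
    return def->features[word];
}

/* A cheap regression check a model definition can be run through: every
 * control bit the model is documented to carry must be present in the word
 * it was designated for. Returns false when any required bit is missing. */
bool cpu_def_has_bits(const X86CPUDefinition *def, int word, uint32_t required)
{
    return (def->features[word] & required) == required;
}
```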
Peter Maydell [Fri, 13 Feb 2026 09:33:49 +0000 (09:33 +0000)]
Merge tag 'pr-plugins-20260212' of https://gitlab.com/pbo-linaro/qemu into staging
Changes:
- contrib/plugins/uftrace: add riscv64 support (Pierrick Bouvier <pierrick.bouvier@linaro.org>)
# gpg: Signature made Fri Feb 13 00:42:40 2026 GMT
# gpg: using RSA key 66B994ECA14F7F2E5ABA081F7F90540D0A1CD00F
# gpg: Good signature from "Pierrick Bouvier <pierrick.bouvier@linaro.org>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 66B9 94EC A14F 7F2E 5ABA 081F 7F90 540D 0A1C D00F
* tag 'pr-plugins-20260212' of https://gitlab.com/pbo-linaro/qemu:
contrib/plugins/uftrace: add riscv64 support
docs/about/emulation/uftrace: add info about automatic tracing
contrib/plugins/uftrace: add ops for walking frame pointers chain
contrib/plugins/uftrace: fix infinite stack unwind detection
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Fri, 13 Feb 2026 09:33:35 +0000 (09:33 +0000)]
Merge tag 'pull-aspeed-20260212' of https://github.com/legoater/qemu into staging
aspeed-next queue:
* Adds support for the AST2700 A2 SoC, including a new machine and
a functional test
* Enhances AST2600 OTP functional test
* Restructures Aspeed ARM tests into separate files for better
parallelism.
* Includes new SDK tests with Linux 5.15.
* Fixes Aspeed I2C models
* tag 'pull-aspeed-20260212' of https://github.com/legoater/qemu:
tests/functional/aarch64/test_aspeed_ast2700fc: Use AST2700 A2 SDK image for FC tests
hw/arm/aspeed_ast27x0-fc: Increase BMC DRAM size to 2GB for AST2700 A2
hw/arm/aspeed_ast27x0-fc: Switch AST2700 FC machine to A2 SoC
tests/functional/aarch64/test_aspeed_ast2700a2: Add AST2700 A2 EVB functional tests
tests/functional/aarch64/test_aspeed_ast2700: Rename AST2700 A1 test to reduce test runtime
tests/qtest/ast2700-hace-test: Use ast2700-evb alias for AST2700 HACE tests
hw/arm/aspeed_ast27x0_evb: Move ast2700-evb alias to AST2700 A2 EVB
hw/arm/aspeed_ast27x0_evb: Add AST2700 A2 EVB machine
hw/arm/aspeed_ast27x0: Add AST2700 A2 SoC support
hw/misc/aspeed_scu: Add AST2700 A2 silicon revisions
hw/misc/aspeed_scu: Remove unused SoC silicon revision definitions
tests/functional/arm/aspeed_ast2600: Enhance OTP test with functional validation
hw/i2c/aspeed_i2c: Increase I2C device register size to 0xA0
hw/i2c/aspeed_i2c: Fix out-of-bounds read in I2C MMIO handlers
tests/functional: Add SDK tests with Linux 5.15
tests/functional: Split Aspeed ARM tests into separate files
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Fri, 13 Feb 2026 09:33:24 +0000 (09:33 +0000)]
Merge tag 'ipmi-add-fake-lan-config' of https://github.com/cminyard/qemu into staging
Add a fake LAN config operation for testing
Just add the commands, the proper data that can be set, and some tests.
Submitter ran migration test.
# gpg: Signature made Thu Feb 12 17:29:27 2026 GMT
# gpg: using RSA key FD0D5CE67CE0F59A6688268661F38C90919BFF81
# gpg: Good signature from "Corey Minyard <cminyard@mvista.com>" [unknown]
# gpg: aka "Corey Minyard <minyard@acm.org>" [unknown]
# gpg: aka "Corey Minyard <corey@minyard.net>" [unknown]
# gpg: aka "Corey Minyard <minyard@mvista.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FD0D 5CE6 7CE0 F59A 6688 2686 61F3 8C90 919B FF81
* tag 'ipmi-add-fake-lan-config' of https://github.com/cminyard/qemu:
hw/ipmi/ipmi_bmc_sim: Support setting fake LAN channel config
hw/ipmi/ipmi_bmc_sim: Support getting fake LAN channel config
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Add an option to inject timestamps into serial log file.
That simplifies debugging a lot, when you can simply compare
QEMU logs with guest console logs.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Acked-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20260201173633.413934-4-vsementsov@yandex-team.ru>