git.ipfire.org Git - thirdparty/qemu.git/log
4 months ago target/loongarch: Add am{swap/add}[_db].{b/h}
Jiajie Chen [Wed, 19 Nov 2025 12:24:47 +0000 (20:24 +0800)] 
target/loongarch: Add am{swap/add}[_db].{b/h}

The new instructions are introduced in LoongArch v1.1:

- amswap.b
- amswap.h
- amadd.b
- amadd.h
- amswap_db.b
- amswap_db.h
- amadd_db.b
- amadd_db.h

The instructions are gated by CPUCFG2.LAM_BH.

Signed-off-by: Jiajie Chen <c@jia.je>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
4 months ago target/loongarch: Require atomics to be aligned
Jiajie Chen [Wed, 19 Nov 2025 12:24:46 +0000 (20:24 +0800)] 
target/loongarch: Require atomics to be aligned

Currently, all atomic instructions in LoongArch require the address to
be aligned.

Signed-off-by: Jiajie Chen <c@jia.je>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
4 months ago target-info: Statically initialize target_arch
Richard Henderson [Thu, 5 Feb 2026 03:06:17 +0000 (13:06 +1000)] 
target-info: Statically initialize target_arch

Use TARGET_ARCH and token pasting to initialize
target_arch from SYS_EMU_TARGET_*.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260205030617.266625-4-richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
4 months ago meson: Add TARGET_ARCH to config_target_data
Richard Henderson [Thu, 5 Feb 2026 03:06:16 +0000 (13:06 +1000)] 
meson: Add TARGET_ARCH to config_target_data

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260205030617.266625-3-richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
4 months ago qapi: Add hexagon to SysEmuTarget
Richard Henderson [Thu, 5 Feb 2026 03:06:15 +0000 (13:06 +1000)] 
qapi: Add hexagon to SysEmuTarget

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Brian Cain <brian.cain@oss.qualcomm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20260205030617.266625-2-richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
4 months ago hw/or1k: Rename or1k-sim.c from openrisc_sim.c
Richard Henderson [Thu, 5 Feb 2026 03:02:44 +0000 (13:02 +1000)] 
hw/or1k: Rename or1k-sim.c from openrisc_sim.c

Match the filename to the machine type: or1k-sim.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Stafford Horne <shorne@gmail.com>
Message-ID: <20260205030244.266447-7-richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
4 months ago docs/system/or1k: Rename from openrisc
Richard Henderson [Thu, 5 Feb 2026 03:02:43 +0000 (13:02 +1000)] 
docs/system/or1k: Rename from openrisc

Also rename docs/system/target-or1k.rst from target-openrisc.rst,
and update all toctree entries to match.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Stafford Horne <shorne@gmail.com>
Message-ID: <20260205030244.266447-6-richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
4 months ago tests/tcg/or1k: Rename from openrisc
Richard Henderson [Thu, 5 Feb 2026 03:02:42 +0000 (13:02 +1000)] 
tests/tcg/or1k: Rename from openrisc

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Stafford Horne <shorne@gmail.com>
Message-ID: <20260205030244.266447-5-richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
4 months ago hw/or1k: Rename from openrisc
Richard Henderson [Thu, 5 Feb 2026 03:02:41 +0000 (13:02 +1000)] 
hw/or1k: Rename from openrisc

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260205030244.266447-4-richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
4 months ago include/hw/or1k: Rename from openrisc
Richard Henderson [Thu, 5 Feb 2026 03:02:40 +0000 (13:02 +1000)] 
include/hw/or1k: Rename from openrisc

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Stafford Horne <shorne@gmail.com>
Message-ID: <20260205030244.266447-3-richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
4 months ago target/or1k: Rename from openrisc
Richard Henderson [Thu, 5 Feb 2026 03:02:39 +0000 (13:02 +1000)] 
target/or1k: Rename from openrisc

This is the minimal change beginning with TARGET_ARCH in
configs/targets/or1k-* from openrisc to or1k, then adjust
TARGET_OR1K, QEMU_ARCH_OR1K, directory names,
and meson.build to match.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260205030244.266447-2-richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
4 months ago configs/targets: Restrict the legacy ldst_phys() API on x86 targets
Philippe Mathieu-Daudé [Tue, 3 Feb 2026 13:54:37 +0000 (14:54 +0100)] 
configs/targets: Restrict the legacy ldst_phys() API on x86 targets

The x86 targets don't use the legacy ldst_phys() API anymore.
Set the TARGET_NOT_USING_LEGACY_LDST_PHYS_API variable to hide
the legacy API from the x86 binaries, preventing further API uses
from creeping in.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260204204103.46343-5-philmd@linaro.org>

4 months ago hw/intc/ioapic: Replace legacy st_phys() -> address_space_st()
Philippe Mathieu-Daudé [Tue, 3 Feb 2026 13:54:05 +0000 (14:54 +0100)] 
hw/intc/ioapic: Replace legacy st_phys() -> address_space_st()

Prefer the address_space_ld/st API over the legacy ld_phys()
because it allows checking for bus access fault. However the
IOAPIC datasheet (82093AA Order Number: 290566-001) doesn't
mention any fault occurring when the system bus (ISA bus) is
accessed. Neither does the ISA bus offer a way to signal recoverable
access faults. Therefore just inline the stl_le_phys() call,
not specifying any memory transaction attribute nor expecting
a transaction result, per the definition in
"system/memory_ldst_phys_endian.h.inc":

  static inline void ST_PHYS(l)(ARG1_DECL, hwaddr addr, uint32_t val)
  {
      ADDRESS_SPACE_ST(l)(ARG1, addr, val, MEMTXATTRS_UNSPECIFIED, NULL);
  }

No logical change intended.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260204204103.46343-4-philmd@linaro.org>

4 months ago hw/intc: Mark x86-specific [IO]APIC peripherals as little-endian
Philippe Mathieu-Daudé [Wed, 10 Dec 2025 10:48:13 +0000 (11:48 +0100)] 
hw/intc: Mark x86-specific [IO]APIC peripherals as little-endian

These devices are only used by the x86 targets, which are
only built as little-endian. Therefore the DEVICE_NATIVE_ENDIAN
definition expands to DEVICE_LITTLE_ENDIAN (besides, the
DEVICE_BIG_ENDIAN case isn't tested). Simplify by directly
using DEVICE_LITTLE_ENDIAN.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260204204103.46343-3-philmd@linaro.org>

4 months ago target/i386: Use explicit little-endian LD/ST API
Philippe Mathieu-Daudé [Sat, 13 Dec 2025 17:58:11 +0000 (18:58 +0100)] 
target/i386: Use explicit little-endian LD/ST API

The x86 architecture uses little endianness. Directly use
the little-endian LD/ST API.

Mechanical change running:

  $ for a in uw w l q; do \
      sed -i -e "s/ld${a}_p(/ld${a}_le_p(/" \
        $(git grep -wlE '(ld|st)u?[wlq]_p' target/i386/);
    done

Coding style adapted manually.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260204204103.46343-2-philmd@linaro.org>

4 months ago configs/targets: Restrict legacy ldst_phys() API on 32-bit SPARC target
Philippe Mathieu-Daudé [Wed, 4 Feb 2026 21:44:46 +0000 (22:44 +0100)] 
configs/targets: Restrict legacy ldst_phys() API on 32-bit SPARC target

Since we removed the last legacy uses of the legacy ldst_phys()
API, set the TARGET_NOT_USING_LEGACY_LDST_PHYS_API variable to
hide the legacy API from the qemu-system-sparc binary, preventing
further API uses from creeping in.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260204215304.52757-3-philmd@linaro.org>

4 months ago target/sparc: Replace legacy st_phys() -> address_space_st()
Philippe Mathieu-Daudé [Wed, 4 Feb 2026 21:44:39 +0000 (22:44 +0100)] 
target/sparc: Replace legacy st_phys() -> address_space_st()

Prefer the address_space_ld/st API over the legacy ld_phys()
because it allows checking for bus access fault.

get_physical_address() already accessed the PTE stored at
%pde_ptr and is going to update it. Assume the address space
is also writeable there. The SPARC v8 manual only mentions
faults (with error condition bits updated) in the READ path
but not on the WRITE (update) one.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260204215304.52757-2-philmd@linaro.org>

4 months ago configs/targets: Forbid SPARC to use legacy native endianness APIs
Philippe Mathieu-Daudé [Thu, 18 Dec 2025 21:48:44 +0000 (22:48 +0100)] 
configs/targets: Forbid SPARC to use legacy native endianness APIs

All SPARC-related binaries are buildable without a single
use of the legacy "native endian" API. Set the transitional
TARGET_NOT_USING_LEGACY_NATIVE_ENDIAN_API definition to forbid
further uses of the legacy API.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260203230054.23667-6-philmd@linaro.org>

4 months ago target/sparc: Replace MO_TE -> MO_BE
Philippe Mathieu-Daudé [Mon, 17 Mar 2025 13:32:10 +0000 (14:32 +0100)] 
target/sparc: Replace MO_TE -> MO_BE

We only build the SPARC targets using big endianness order,
therefore the MO_TE definitions expand to the big endian
one. Use the latter which is more explicit.

Mechanical change running:

  $ sed -i -e s/MO_TE/MO_BE/ \
        $(git grep -wl MO_TE target/sparc/)

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260203230054.23667-5-philmd@linaro.org>

4 months ago target/sparc: Remove dubious swapping in LD_code() helper
Philippe Mathieu-Daudé [Tue, 3 Feb 2026 15:41:31 +0000 (16:41 +0100)] 
target/sparc: Remove dubious swapping in LD_code() helper

Since the endianness is contained in %oi, cpu_ld*_code_mmu() has
already honored it. Swapping again makes no sense. Remove the
bswap() calls.

Fixes: 2786a3f8d3a ("Use GET_ASI_CODE for ASI_KERNELTXT / ASI_USERTXT")
Reported-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260203230054.23667-4-philmd@linaro.org>

4 months ago target/arm/arm-qmp-cmds.c: make compilation unit common
Pierrick Bouvier [Fri, 9 Jan 2026 05:31:33 +0000 (21:31 -0800)] 
target/arm/arm-qmp-cmds.c: make compilation unit common

Move gic_cap_kvm_probe to target/arm/kvm.c to remove #ifdef CONFIG_KVM.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20260206042150.912578-2-pierrick.bouvier@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
4 months ago target/s390x: Expand tcg_global_mem_new() -> tcg_global_mem_new_i64()
Philippe Mathieu-Daudé [Thu, 5 Feb 2026 21:14:59 +0000 (22:14 +0100)] 
target/s390x: Expand tcg_global_mem_new() -> tcg_global_mem_new_i64()

The s390x target is a 64-bit one, so tcg_global_mem_new()
expands to tcg_global_mem_new_i64(). Use the latter which
is more explicit.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20260206181953.18683-11-philmd@linaro.org>

4 months ago target/s390x: Expand tcg_gen_qemu_ld/st_tl() as 64-bit target
Philippe Mathieu-Daudé [Wed, 4 Feb 2026 18:18:22 +0000 (19:18 +0100)] 
target/s390x: Expand tcg_gen_qemu_ld/st_tl() as 64-bit target

The s390x target is a 64-bit one, so we have these expansions
in the "tcg/tcg-op.h" header:

 . tcg_gen_qemu_ld_tl() -> tcg_gen_qemu_ld_i64()
 . tcg_gen_qemu_st_tl() -> tcg_gen_qemu_st_i64()

Use the expanded form which is more explicit when a target
isn't built for different word sizes.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20260206181953.18683-10-philmd@linaro.org>

4 months ago target/s390x: Expand TCGv type as 64-bit target
Philippe Mathieu-Daudé [Wed, 4 Feb 2026 18:16:16 +0000 (19:16 +0100)] 
target/s390x: Expand TCGv type as 64-bit target

The s390x target is a 64-bit one, so TCGv expands to TCGv_i64.
Use the latter which is already used about a hundred times in
this file, and is also more explicit.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20260206181953.18683-9-philmd@linaro.org>

4 months ago target/s390x: Build system units in common source set
Philippe Mathieu-Daudé [Wed, 7 Jan 2026 10:41:13 +0000 (11:41 +0100)] 
target/s390x: Build system units in common source set

Except for the ioinst.c file which uses the TARGET_PAGE_SIZE
definition in the ioinst_handle_chsc() method, all other
files in meson's s390x_system_ss[] source set don't use
any target-specific code. Moving them to the other
s390x_common_system_ss[] set to build as common objects
ensures these files won't use any target-specific API
such as target_ulong / TARGET_PAGE_SIZE, thus forcing the use of
the appropriate types instead (such as vaddr, hwaddr, uint64_t,
...).

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20260206181953.18683-8-philmd@linaro.org>

4 months ago target/s390x: Add more unreachable KVM stubs
Philippe Mathieu-Daudé [Wed, 7 Jan 2026 10:52:58 +0000 (11:52 +0100)] 
target/s390x: Add more unreachable KVM stubs

The next patch will move s390x system objects from the target
specific source set to the common one. Unfortunately the
kvm_enabled() macro won't be evaluable at build-time
anymore. Add stubs for KVM symbols unreachable at runtime.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Message-Id: <20260206181953.18683-7-philmd@linaro.org>

4 months ago target/s390x: Un-inline KVM Protected Virtualization stubs
Philippe Mathieu-Daudé [Wed, 7 Jan 2026 10:39:04 +0000 (11:39 +0100)] 
target/s390x: Un-inline KVM Protected Virtualization stubs

By removing the target-specific 'CONFIG_KVM' definition this
header can be used by files in meson common_ss[].

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Message-Id: <20260206181953.18683-6-philmd@linaro.org>

4 months ago target/s390x: Replace %target_ulong -> %hwaddr where appropriate
Philippe Mathieu-Daudé [Wed, 7 Jan 2026 09:01:55 +0000 (10:01 +0100)] 
target/s390x: Replace %target_ulong -> %hwaddr where appropriate

Use the %hwaddr type for physical addresses.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20260206181953.18683-5-philmd@linaro.org>

4 months ago target/s390x: Replace %target_ulong -> %vaddr where appropriate
Philippe Mathieu-Daudé [Wed, 7 Jan 2026 08:49:16 +0000 (09:49 +0100)] 
target/s390x: Replace %target_ulong -> %vaddr where appropriate

Use the %vaddr type for virtual addresses.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20260206181953.18683-4-philmd@linaro.org>

4 months ago target/s390x: Rename get_phys_page_debug() @vaddr argument as @v_addr
Philippe Mathieu-Daudé [Wed, 4 Feb 2026 17:46:11 +0000 (18:46 +0100)] 
target/s390x: Rename get_phys_page_debug() @vaddr argument as @v_addr

In order to use the %vaddr type in s390_cpu_get_phys_page_debug()
in the next commit, rename the argument @vaddr -> @v_addr.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20260206181953.18683-3-philmd@linaro.org>

4 months ago target/s390x: Use address_space_ldq_be() in read_table_entry()
Philippe Mathieu-Daudé [Wed, 7 Jan 2026 09:19:33 +0000 (10:19 +0100)] 
target/s390x: Use address_space_ldq_be() in read_table_entry()

address_space_read/write() is meant for accessing random
amount of memory blobs.  When the access size is known,
use the address_space_ld/st() API which can directly swap
endianness.

Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Message-Id: <20260206181953.18683-2-philmd@linaro.org>

4 months ago riscv64/test_boston.py: fix intermittent test timeout
Daniel Henrique Barboza [Mon, 26 Jan 2026 17:45:34 +0000 (14:45 -0300)]
riscv64/test_boston.py: fix intermittent test timeout

The recently added Boston MIPS board selftest times out consistently in a
machine running 'make check-functional' with -j 16:

18/18 func-thorough+func-riscv64-thorough+thorough - qemu:func-riscv64-boston
      TIMEOUT        120.09s   killed by signal 15 SIGTERM

The reason is quite boring: it is testing too much stuff.

Note that functional tests aren't supposed to be used as stress tests,
e.g. it doesn't have to test every single corner case that might hit the
board. It is supposed to catch most common user ooopsies. A timeout, in
this context, is most likely to be considered something abnormal slowing
down the emulation, not a lack of CPU horsepower to run all the tests
before timeout.

Some of the tests claim to test odd CPU SMP numbers to either "ensures
proper core distribution across clusters" or "validating proper handling
of larger asymmetric SMP configurations". But there's no SMP/NUMA check
made anywhere after boot, so in the end we're just testing whether the
board is able to boot with 7/35 CPUs. As far as these tests are concerned
we could have a completely broken, but bootable, SMP topology with 7/35
CPUS, and we're oblivious about it.

Remove the 7 and 35 SMP tests, keeping the minimal CPUs (2) and maximum
(64) tests. With these changes we're now able to run the test with a
good TIMEOUT margin:

17/18 func-thorough+func-riscv64-thorough+thorough - qemu:func-riscv64-boston
      OK              61.28s   3 subtests passed

Fixes: e71111e26b ("test/functional: Add test for boston-aia board")
Signed-off-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Djordje Todorovic <Djordje.Todorovic@htecgroup.com>
Message-ID: <20260126174534.9860-1-daniel.barboza@oss.qualcomm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
4 months ago Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging
Peter Maydell [Mon, 9 Feb 2026 14:50:44 +0000 (14:50 +0000)] 
Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging

Pull request

Andrey Drobyshev's qemugdb script improvements and my --device
scsi-block,migrate-pr=on|off live migration support for SCSI Persistent
Reservations.

# gpg: Signature made Mon Feb  9 14:44:45 2026 GMT
# gpg:                using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" [full]
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>" [full]
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35  775A 9CA4 ABB3 81AB 73C8

* tag 'block-pull-request' of https://gitlab.com/stefanha/qemu:
  docs: add SCSI migrate-pr documentation
  scsi: save/load SCSI reservation state
  scsi: track SCSI reservation state for live migration
  scsi: add error reporting to scsi_SG_IO()
  scsi: generalize scsi_SG_IO_FROM_DEV() to scsi_SG_IO()
  scripts/qemugdb: coroutine: Add option for obtaining detailed trace in coredump
  scripts/qemugdb: timers: Improve 'qemu timers' command readability
  scripts/qemugdb: timers: Fix KeyError in 'qemu timers' command
  scripts/qemugdb: mtree: Fix OverflowError in mtree with 128-bit addresses

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
4 months ago Merge tag 'pull-tcg-20260206' of https://gitlab.com/rth7680/qemu into staging
Peter Maydell [Mon, 9 Feb 2026 14:50:30 +0000 (14:50 +0000)] 
Merge tag 'pull-tcg-20260206' of https://gitlab.com/rth7680/qemu into staging

linux-user/syscall.c: Prevent acquiring clone_lock while fork()
accel/tcg: Remove a redundant argument attrs in io_prepare()
accel/tcg: Fix uninitialized hostp in get_page_addr_code_hostp
Revert "tcg/user: do not set exit_request gratuitously"

# gpg: Signature made Fri Feb  6 06:56:29 2026 GMT
# gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg:                issuer "richard.henderson@linaro.org"
# gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [full]
# Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A  05C0 64DF 38E8 AF7E 215F

* tag 'pull-tcg-20260206' of https://gitlab.com/rth7680/qemu:
  accel/tcg: Remove a redundant argument attrs in io_prepare()
  Revert "tcg/user: do not set exit_request gratuitously"
  linux-user/syscall.c: Prevent acquiring clone_lock while fork()
  accel/tcg: Fix uninitialized hostp in get_page_addr_code_hostp
  accel/tcg: Don't pass NULL to get_page_addr_code_hostp

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
4 months ago docs: add SCSI migrate-pr documentation
Stefan Hajnoczi [Thu, 29 Jan 2026 21:20:35 +0000 (16:20 -0500)] 
docs: add SCSI migrate-pr documentation

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20260129212035.219676-6-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
4 months ago scsi: save/load SCSI reservation state
Stefan Hajnoczi [Thu, 29 Jan 2026 21:20:34 +0000 (16:20 -0500)] 
scsi: save/load SCSI reservation state

Add a vmstate subsection to SCSIDiskState so that scsi-block devices can
transfer their reservation state during live migration. Upon loading the
subsection, the destination QEMU invokes the PERSISTENT RESERVE OUT
command's PREEMPT service action to atomically move the reservation from
the source I_T nexus to the destination I_T nexus. This results in
transparent live migration of SCSI reservations.

This approach is incomplete since SCSI reservations are cooperative and
other hosts could interfere. Neither the source QEMU nor the destination
QEMU are aware of changes made by other hosts. The assumption is that
reservation is not taken over by a third host without cooperation from
the source host.

I considered adding the vmstate subsection to SCSIDevice instead of
SCSIDiskState, since reservations are part of the SCSI Primary Commands
that other devices apart from disks could support. However, due to
fragility of migrating reservations, we will probably limit support to
scsi-block and maybe scsi-disk in the future. In the end, I think it
makes sense to place this within scsi-disk.c.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20260129212035.219676-5-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
4 months ago scsi: track SCSI reservation state for live migration
Stefan Hajnoczi [Thu, 29 Jan 2026 21:20:33 +0000 (16:20 -0500)] 
scsi: track SCSI reservation state for live migration

SCSI Persistent Reservations are stateful and external to the guest. In
order to transparently move reservations to the destination host during
live migration, it is necessary to track the state built up on the
source host before migration. Only then can the destination host ensure
an equivalent state is restored upon migration.

Snoop on successful PERSISTENT RESERVE OUT commands and save the
reservation key and reservation type. This will allow registered keys
and reservations to be migrated.

Also patch PERSISTENT RESERVE IN replies with the REPORT CAPABILITIES
service action since features that involve the physical SCSI bus target
ports must not be exposed to the guest (it sees a virtual SCSI bus).

Usually this plays out as follows:
1. The guest invokes the REGISTER service action to register a
   reservation key on its I_T nexus.
2. The guest invokes the RESERVE service action to create a reservation
   using the previously-registered key.

This commit implements the snooping and stores the reservation key and
type (if any) for each LUN. The snooped PR state and the migrate_pr flag
to enable PR migration will be used in later commits.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20260129212035.219676-4-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
4 months ago scsi: add error reporting to scsi_SG_IO()
Stefan Hajnoczi [Thu, 29 Jan 2026 21:20:32 +0000 (16:20 -0500)] 
scsi: add error reporting to scsi_SG_IO()

Report the details of the SG_IO ioctl failure if an Error pointer is
provided. This information aids troubleshooting and will be used by the
SCSI Persistent Reservations migration code.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20260129212035.219676-3-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
4 months ago scsi: generalize scsi_SG_IO_FROM_DEV() to scsi_SG_IO()
Stefan Hajnoczi [Thu, 29 Jan 2026 21:20:31 +0000 (16:20 -0500)] 
scsi: generalize scsi_SG_IO_FROM_DEV() to scsi_SG_IO()

Add a direction argument so that scsi_SG_IO() can be used for
SG_DXFER_FROM_DEV and SG_DXFER_TO_DEV transfers.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20260129212035.219676-2-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
4 months ago scripts/qemugdb: coroutine: Add option for obtaining detailed trace in coredump
Andrey Drobyshev [Thu, 4 Dec 2025 10:50:19 +0000 (12:50 +0200)] 
scripts/qemugdb: coroutine: Add option for obtaining detailed trace in coredump

Commit 772f86839f ("scripts/qemu-gdb: Support coroutine dumps in
coredumps") introduced coroutine traces in coredumps using raw stack
unwinding.  While this works, this approach does not allow viewing the
function arguments in the corresponding stack frames.

As an alternative, we can obtain saved registers from the coroutine's
jmpbuf, patch them into the coredump's struct elf_prstatus in place, and
execute another gdb subprocess to get backtrace from the patched temporary
coredump.

While providing more detailed info, this alternative approach, however, is
more invasive as it might potentially corrupt the coredump file. We do take
precautions by saving the original register values into a separate binary
blob /path/to/coredump.ptregs, so that it can be restored in the next
GDB session.  Still, instead of making it a new default, let's keep raw unwind
the default behaviour, but add the '--detailed' option for 'qemu bt' and
'qemu coroutine' commands which would enforce the new behaviour.

That's how this looks:

  (gdb) qemu coroutine 0x7fda9335a508
  #0  0x5602bdb41c26 in qemu_coroutine_switch<+214> () at ../util/coroutine-ucontext.c:321
  #1  0x5602bdb3e8fe in qemu_aio_coroutine_enter<+493> () at ../util/qemu-coroutine.c:293
  #2  0x5602bdb3c4eb in co_schedule_bh_cb<+538> () at ../util/async.c:547
  #3  0x5602bdb3b518 in aio_bh_call<+119> () at ../util/async.c:172
  #4  0x5602bdb3b79a in aio_bh_poll<+457> () at ../util/async.c:219
  #5  0x5602bdb10f22 in aio_poll<+1201> () at ../util/aio-posix.c:719
  #6  0x5602bd8fb1ac in iothread_run<+123> () at ../iothread.c:63
  #7  0x5602bdb18a24 in qemu_thread_start<+355> () at ../util/qemu-thread-posix.c:393

  (gdb) qemu coroutine 0x7fda9335a508 --detailed
  patching core file /tmp/tmpq4hmk2qc
  found "CORE" at 0x10c48
  assume pt_regs at 0x10cbc
  write r15 at 0x10cbc
  write r14 at 0x10cc4
  write r13 at 0x10ccc
  write r12 at 0x10cd4
  write rbp at 0x10cdc
  write rbx at 0x10ce4
  write rip at 0x10d3c
  write rsp at 0x10d54

  #0  0x00005602bdb41c26 in qemu_coroutine_switch (from_=0x7fda9335a508, to_=0x7fda8400c280, action=COROUTINE_ENTER) at ../util/coroutine-ucontext.c:321
  #1  0x00005602bdb3e8fe in qemu_aio_coroutine_enter (ctx=0x5602bf7147c0, co=0x7fda8400c280) at ../util/qemu-coroutine.c:293
  #2  0x00005602bdb3c4eb in co_schedule_bh_cb (opaque=0x5602bf7147c0) at ../util/async.c:547
  #3  0x00005602bdb3b518 in aio_bh_call (bh=0x5602bf714a40) at ../util/async.c:172
  #4  0x00005602bdb3b79a in aio_bh_poll (ctx=0x5602bf7147c0) at ../util/async.c:219
  #5  0x00005602bdb10f22 in aio_poll (ctx=0x5602bf7147c0, blocking=true) at ../util/aio-posix.c:719
  #6  0x00005602bd8fb1ac in iothread_run (opaque=0x5602bf42b100) at ../iothread.c:63
  #7  0x00005602bdb18a24 in qemu_thread_start (args=0x5602bf7164a0) at ../util/qemu-thread-posix.c:393
  #8  0x00007fda9e89f7f2 in start_thread (arg=<optimized out>) at pthread_create.c:443
  #9  0x00007fda9e83f450 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

CC: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
CC: Peter Xu <peterx@redhat.com>
Originally-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20251204105019.455060-5-andrey.drobyshev@virtuozzo.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
4 months agoscripts/qemugdb: timers: Improve 'qemu timers' command readability
Andrey Drobyshev [Thu, 4 Dec 2025 10:50:18 +0000 (12:50 +0200)] 
scripts/qemugdb: timers: Improve 'qemu timers' command readability

* Add the 'attributes' field from QEMUTimer;
* Stringify the field's value in accordance with macros from
  include/qemu/timer.h;
* Make timer expiration times human-readable by converting from nanoseconds
  to appropriate units (ms/s/min/hrs/days) and showing the scale factor
  (ns/us/ms/s).

Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20251204105019.455060-4-andrey.drobyshev@virtuozzo.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
4 months agoscripts/qemugdb: timers: Fix KeyError in 'qemu timers' command
Andrey Drobyshev [Thu, 4 Dec 2025 10:50:17 +0000 (12:50 +0200)] 
scripts/qemugdb: timers: Fix KeyError in 'qemu timers' command

Currently invoking 'qemu timers' command results in: "gdb.error: There
is no member named last".  Let's remove the legacy 'last' field from
QEMUClock, as it was removed in v4.2.0 by the commit 3c2d4c8aa6a
("timer: last, remove last bits of last").

Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20251204105019.455060-3-andrey.drobyshev@virtuozzo.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
4 months agoscripts/qemugdb: mtree: Fix OverflowError in mtree with 128-bit addresses
Andrey Drobyshev [Thu, 4 Dec 2025 10:50:16 +0000 (12:50 +0200)] 
scripts/qemugdb: mtree: Fix OverflowError in mtree with 128-bit addresses

The 'qemu mtree' command fails with "OverflowError: int too big to
convert" when memory regions have 128-bit addresses.

Fix by changing conversion base from 16 to 0 (automatic detection based
on string prefix).  This works more reliably in GDB's embedded
Python.

Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20251204105019.455060-2-andrey.drobyshev@virtuozzo.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
4 months agoMerge tag 'pull-9p-20260207' of https://github.com/cschoenebeck/qemu into staging
Peter Maydell [Sat, 7 Feb 2026 17:46:15 +0000 (17:46 +0000)] 
Merge tag 'pull-9p-20260207' of https://github.com/cschoenebeck/qemu into staging

9pfs changes:

* security-model=mapped: add fallback for reading native symlink
  (if no mapped symlink present).

# gpg: Signature made Sat Feb  7 13:16:43 2026 GMT
# gpg:                using RSA key 96D8D110CF7AF8084F88590134C2B58765A47395
# gpg:                issuer "qemu_oss@crudebyte.com"
# gpg: Good signature from "Christian Schoenebeck <qemu_oss@crudebyte.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: ECAB 1A45 4014 1413 BA38  4926 30DB 47C3 A012 D5F4
#      Subkey fingerprint: 96D8 D110 CF7A F808 4F88  5901 34C2 B587 65A4 7395

* tag 'pull-9p-20260207' of https://github.com/cschoenebeck/qemu:
  9pfs: local: read native symlinks when security-model=mapped

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
4 months agoMerge tag 'pull-11.0-gdbstub-updates-060226-1' of https://gitlab.com/stsquad/qemu...
Peter Maydell [Sat, 7 Feb 2026 17:46:07 +0000 (17:46 +0000)] 
Merge tag 'pull-11.0-gdbstub-updates-060226-1' of https://gitlab.com/stsquad/qemu into staging

gdbstub updates:

  - don't duplicate gdb help text in configure
  - re-build meson-buildoptions.sh if the python updated
  - re-factor stop packet handling
  - add EIO and ENOSYS errno defines
  - move host_to_gdb_errno into common gdbstub code
  - return GDB errno values for F packets
  - bool-ify user's running_state state

# gpg: Signature made Fri Feb  6 14:51:25 2026 GMT
# gpg:                using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [full]
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8  DF35 FBD0 DB09 5A9E 2A44

* tag 'pull-11.0-gdbstub-updates-060226-1' of https://gitlab.com/stsquad/qemu:
  gdbstub/user: rename and use bool for running_state
  include/gdbstub: tweak language
  gdbstub/user-target: Convert host errno to GDB File-I/O errno
  gdbstub: Export host_to_gdb_errno File-I/O helper function
  include/gdbstub/syscalls: Add EIO and ENOSYS GDB File-I/O errno values
  gdbstub/user: localise variables for reading gdb socket
  gdbstub: extract stop reply message construction
  gdbstub: remove the need for goto cleanup
  Makefile: add python script dependency for meson-buildoptions.sh
  meson-buildoptions: Remove duplicated entry of --gdb in the help text

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
4 months agohw/char/virtio-serial: Do not expose the 'emergency-write' property
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:51 +0000 (11:30 +0800)] 
hw/char/virtio-serial: Do not expose the 'emergency-write' property

The VIRTIO_CONSOLE_F_EMERG_WRITE feature bit was only set
in the hw_compat_2_7[] array, via the 'emergency-write=off'
property. We removed all machines using that array, let's remove
that property. All instances have this feature bit set and
it can not be disabled. VirtIOSerial::host_features mask is
now unused, remove it.

Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-28-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/virtio/virtio-pci: Remove VirtIOPCIProxy::ignore_backend_features field
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:50 +0000 (11:30 +0800)] 
hw/virtio/virtio-pci: Remove VirtIOPCIProxy::ignore_backend_features field

The VirtIOPCIProxy::ignore_backend_features boolean was only set
in the hw_compat_2_7[] array, via the 'x-ignore-backend-features=on'
property. We removed all machines using that array, let's remove
that property, simplify by only using the default version.

Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-27-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/i386/intel_iommu: Remove IntelIOMMUState::buggy_eim field
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:49 +0000 (11:30 +0800)] 
hw/i386/intel_iommu: Remove IntelIOMMUState::buggy_eim field

The IntelIOMMUState::buggy_eim boolean was only set in
the hw_compat_2_7[] array, via the 'x-buggy-eim=true'
property. We removed all machines using that array, let's
remove that property, simplifying vtd_decide_config().

Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-26-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/core/machine: Remove hw_compat_2_7[] array
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:48 +0000 (11:30 +0800)] 
hw/core/machine: Remove hw_compat_2_7[] array

The hw_compat_2_7[] array was only used by the pc-q35-2.7 and
pc-i440fx-2.7 machines, which got removed. Remove it.

Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-25-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/audio/pcspk: Remove PCSpkState::migrate field
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:47 +0000 (11:30 +0800)] 
hw/audio/pcspk: Remove PCSpkState::migrate field

The PCSpkState::migrate boolean was only set in the
pc_compat_2_7[] array, via the 'migrate=off' property.
We removed all machines using that array, let's remove
that property, simplifying vmstate_spk[].

Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-24-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agotarget/i386/cpu: Remove CPUX86State::full_cpuid_auto_level field
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:46 +0000 (11:30 +0800)] 
target/i386/cpu: Remove CPUX86State::full_cpuid_auto_level field

The CPUX86State::full_cpuid_auto_level boolean was only
disabled for the pc-q35-2.7 and pc-i440fx-2.7 machines,
which got removed. Being now always %true, we can remove
it and simplify x86_cpu_expand_features().

Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-23-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/i386/pc: Remove pc_compat_2_7[] array
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:45 +0000 (11:30 +0800)] 
hw/i386/pc: Remove pc_compat_2_7[] array

The pc_compat_2_7[] array was only used by the pc-q35-2.7
and pc-i440fx-2.7 machines, which got removed. Remove it.

Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-22-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/i386/pc: Remove deprecated pc-q35-2.7 and pc-i440fx-2.7 machines
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:44 +0000 (11:30 +0800)] 
hw/i386/pc: Remove deprecated pc-q35-2.7 and pc-i440fx-2.7 machines

These machines have been supported for a period of more than 6 years.
According to our versioned machine support policy (see commit
ce80c4fa6ff "docs: document special exception for machine type
deprecation & removal") they can now be removed.  Remove the qtest
in test-x86-cpuid-compat.c file.

Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-21-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/virtio/virtio-mmio: Remove VirtIOMMIOProxy::format_transport_address field
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:43 +0000 (11:30 +0800)] 
hw/virtio/virtio-mmio: Remove VirtIOMMIOProxy::format_transport_address field

The VirtIOMMIOProxy::format_transport_address boolean was only set
in the hw_compat_2_6[] array, via the 'format_transport_address=off'
property. We removed all machines using that array, let's remove
that property, simplifying virtio_mmio_bus_get_dev_path().

Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-20-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/core/machine: Remove hw_compat_2_6[] array
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:42 +0000 (11:30 +0800)] 
hw/core/machine: Remove hw_compat_2_6[] array

The hw_compat_2_6[] array was only used by the pc-q35-2.6 and
pc-i440fx-2.6 machines, which got removed. Remove it.

Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-19-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/intc/apic: Remove APICCommonState::legacy_instance_id field
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:41 +0000 (11:30 +0800)] 
hw/intc/apic: Remove APICCommonState::legacy_instance_id field

The APICCommonState::legacy_instance_id boolean was only set
in the pc_compat_2_6[] array, via the 'legacy-instance-id=on'
property. We removed all machines using that array, let's remove
that property, simplifying apic_common_realize().

Because instance_id is initialized as initial_apic_id, we can
not register vmstate_apic_common directly via dc->vmsd.

Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-18-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/i386/pc: Remove pc_compat_2_6[] array
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:40 +0000 (11:30 +0800)] 
hw/i386/pc: Remove pc_compat_2_6[] array

The pc_compat_2_6[] array was only used by the pc-q35-2.6
and pc-i440fx-2.6 machines, which got removed. Remove it.

Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-17-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/i386: Remove linuxboot.bin
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:39 +0000 (11:30 +0800)] 
hw/i386: Remove linuxboot.bin

All machines now use the linuxboot_dma.bin binary, so it's safe to
remove the non-DMA version (linuxboot.bin).

Suggested-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Link: https://lore.kernel.org/r/20260108033051.777361-16-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/i386: Assume fw_cfg DMA is always enabled
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:38 +0000 (11:30 +0800)] 
hw/i386: Assume fw_cfg DMA is always enabled

Now all calls of x86 machines to fw_cfg_init_io_dma() pass DMA
arguments, so the FWCfgState (FWCfgIoState) created by x86 machines
enables DMA by default.

Although other callers of fw_cfg_init_io_dma() besides x86 also pass
DMA arguments to create DMA-enabled FwCfgIoState, the "dma_enabled"
property of FwCfgIoState cannot yet be removed, because Sun4u and Sun4v
still create DMA-disabled FwCfgIoState (bypass fw_cfg_init_io_dma()) in
sun4uv_init() (hw/sparc64/sun4u.c).

Maybe reusing fw_cfg_init_io_dma() for them would be a better choice, or
adding fw_cfg_init_io_nodma(). However, before that, first simplify the
handling of FwCfgState in x86.

Considering that FwCfgIoState in x86 enables DMA by default, remove the
handling for DMA-disabled cases and replace DMA checks with assertions
to ensure that the default DMA-enabled setting is not broken.

Then 'linuxboot.bin' isn't used anymore, and it will be removed in the
next commit.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Acked-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Link: https://lore.kernel.org/r/20260108033051.777361-15-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/i386/pc: Remove multiboot.bin
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:37 +0000 (11:30 +0800)] 
hw/i386/pc: Remove multiboot.bin

All PC machines now use the multiboot_dma.bin binary,
we can remove the non-DMA version (multiboot.bin).

This doesn't change multiboot_dma binary file.

Suggested-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-14-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/i386/x86: Remove X86MachineClass::fwcfg_dma_enabled field
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:36 +0000 (11:30 +0800)] 
hw/i386/x86: Remove X86MachineClass::fwcfg_dma_enabled field

The X86MachineClass::fwcfg_dma_enabled boolean was only used
by the pc-q35-2.6 and pc-i440fx-2.6 machines, which got
removed. Remove it and simplify.

'multiboot.bin' isn't used anymore, we'll remove it in the
next commit.

Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-13-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/nvram/fw_cfg: Rename fw_cfg_init_mem_wide() -> fw_cfg_init_mem_dma()
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:35 +0000 (11:30 +0800)] 
hw/nvram/fw_cfg: Rename fw_cfg_init_mem_wide() -> fw_cfg_init_mem_dma()

"wide" in fw_cfg_init_mem_wide() means "DMA support".
Rename for clarity.

Suggested-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-12-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/nvram/fw_cfg: Factor fw_cfg_init_mem_internal() out
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:34 +0000 (11:30 +0800)] 
hw/nvram/fw_cfg: Factor fw_cfg_init_mem_internal() out

Factor fw_cfg_init_mem_internal() out of fw_cfg_init_mem_wide().
In fw_cfg_init_mem_wide(), assert DMA arguments are provided.
Callers without DMA have to use the fw_cfg_init_mem() helper.

Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-11-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/mips/loongson3_virt: Prefer using fw_cfg_init_mem_nodma()
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:33 +0000 (11:30 +0800)] 
hw/mips/loongson3_virt: Prefer using fw_cfg_init_mem_nodma()

fw_cfg_init_mem_wide() is preferred to initialize fw_cfg
with DMA support. Without DMA, use fw_cfg_init_mem_nodma().

Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-10-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/nvram/fw_cfg: Rename fw_cfg_init_mem() with '_nodma' suffix
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:32 +0000 (11:30 +0800)] 
hw/nvram/fw_cfg: Rename fw_cfg_init_mem() with '_nodma' suffix

Rename fw_cfg_init_mem() as fw_cfg_init_mem_nodma()
to distinguish it from the DMA version (currently named
fw_cfg_init_mem_wide).

Suggested-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-9-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agotests/acpi: Update DSDT tables for pc & q35 machines
Zhao Liu [Thu, 8 Jan 2026 03:30:31 +0000 (11:30 +0800)] 
tests/acpi: Update DSDT tables for pc & q35 machines

Now the legacy cpu hotplug way has gone away, and there's no _INIT
method in DSDT table for modern cpu hotplug support.

Update DSDT tables for pc machine, and _INIT methods are removed from
DSDT tables:

  -            Method (_INI, 0, Serialized)  // _INI: Initialize
  -            {
  -                CSEL = Zero
  -            }

Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Acked-by: Igor Mammedov <imammedo@redhat.com>
Link: https://lore.kernel.org/r/20260108033051.777361-8-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agodocs/specs/acpi_cpu_hotplug: Remove legacy cpu hotplug descriptions
Zhao Liu [Thu, 8 Jan 2026 03:30:30 +0000 (11:30 +0800)] 
docs/specs/acpi_cpu_hotplug: Remove legacy cpu hotplug descriptions

Legacy cpu hotplug has been removed totally and machines start with
modern cpu hotplug interface directly.

Therefore, update the documentation to describe current QEMU cpu hotplug
logic.

Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-7-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agoacpi: Remove legacy cpu hotplug utilities
Zhao Liu [Thu, 8 Jan 2026 03:30:29 +0000 (11:30 +0800)] 
acpi: Remove legacy cpu hotplug utilities

The cpu_hotplug.h and cpu_hotplug.c contain legacy cpu hotplug
utilities. Now there's no use case of legacy cpu hotplug, so it's safe
to drop legacy cpu hotplug support totally.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Acked-by: Igor Mammedov <imammedo@redhat.com>
Link: https://lore.kernel.org/r/20260108033051.777361-6-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/i386/pc: Remove PCMachineClass::legacy_cpu_hotplug field
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:28 +0000 (11:30 +0800)] 
hw/i386/pc: Remove PCMachineClass::legacy_cpu_hotplug field

Now all PC & Q35 machines are using modern hotplug from the beginning,
and all legacy_cpu_hotplug flags keep false during runtime.

So it's safe to remove legacy_cpu_hotplug flags and related properties,
with unused gpe_cpu field.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Acked-by: Igor Mammedov <imammedo@redhat.com>
Link: https://lore.kernel.org/r/20260108033051.777361-5-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agopc: Start with modern CPU hotplug interface by default
Zhao Liu [Thu, 8 Jan 2026 03:30:27 +0000 (11:30 +0800)] 
pc: Start with modern CPU hotplug interface by default

For compatibility reasons PC/Q35 will start with legacy CPU hotplug
interface by default but with new CPU hotplug AML code since 2.7
machine type (in commit 679dd1a957df ("pc: use new CPU hotplug interface
since 2.7 machine type")). In that way, legacy firmware that doesn't use
QEMU generated ACPI tables was able to continue using legacy CPU hotplug
interface.

While later machine types, with firmware supporting QEMU provided ACPI
tables, generate new CPU hotplug AML, which will switch to new CPU
hotplug interface when guest OS executes its _INI method on ACPI tables
loading.

Since 2.6 machine type is now gone, and considering that the legacy BIOS
(based on QEMU ACPI prior to v2.7) should be no longer in use, previous
compatibility requirements are no longer necessary. So initialize
'modern' hotplug directly from the very beginning for PC/Q35 machines
with cpu_hotplug_hw_init(), and drop _INIT method.

Additionally, remove the checks and settings around cpu_hotplug_legacy
in cpuhp VMState (for piix4 & ich9), to eliminate the risk of
segmentation faults, as gpe_cpu no longer has the opportunity to be
initialized. This is safe because all hotplug now starts with the modern
way, and it's impossible to switch to legacy way at runtime (even the
"cpu-hotplug-legacy" properties do not allow it either).

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Acked-by: Igor Mammedov <imammedo@redhat.com>
Link: https://lore.kernel.org/r/20260108033051.777361-4-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agotests/acpi: Allow DSDT table change for x86 machines
Igor Mammedov [Thu, 8 Jan 2026 03:30:26 +0000 (11:30 +0800)] 
tests/acpi: Allow DSDT table change for x86 machines

Before dropping legacy CPU hotplug code, mark and allow the affected
ACPI tables, to avoid breaking ACPI table testing.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-3-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agohw/i386/pc: Remove deprecated pc-q35-2.6 and pc-i440fx-2.6 machines
Philippe Mathieu-Daudé [Thu, 8 Jan 2026 03:30:25 +0000 (11:30 +0800)] 
hw/i386/pc: Remove deprecated pc-q35-2.6 and pc-i440fx-2.6 machines

These machines have been supported for a period of more than 6 years.
According to our versioned machine support policy (see commit
ce80c4fa6ff "docs: document special exception for machine type
deprecation & removal") they can now be removed.

Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260108033051.777361-2-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months agotarget/i386: convert SEV-ES termination requests to guest panic events
Paolo Bonzini [Wed, 26 Jun 2024 13:54:09 +0000 (15:54 +0200)] 
target/i386: convert SEV-ES termination requests to guest panic events

This produces a good error message instead of:

KVM: unknown exit reason 24
EAX=00000000 EBX=00000000 ECX=00000000 EDX=00a00f11
ESI=00000000 EDI=00000000 EBP=00000000 ESP=00000000
EIP=0000b004 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=1
ES =0000 00000000 0000ffff 00009300
CS =f000 00800000 0000ffff 00009b00
SS =0000 00000000 0000ffff 00009300
DS =0000 00000000 0000ffff 00009300
FS =0000 00000000 0000ffff 00009300
GS =0000 00000000 0000ffff 00009300
LDT=0000 00000000 0000ffff 00008200
TR =0000 00000000 0000ffff 00008b00
GDT=     00000000 0000ffff
IDT=     00000000 0000ffff
CR0=60000010 CR2=00000000 CR3=00000000 CR4=00000000
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000000
Code=00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Reported-by: Jin Liu <jinl@redhat.com>
Cc: Michael Roth <michael.roth@amd.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
4 months ago9pfs: local: read native symlinks when security-model=mapped
Andrey Erokhin [Sat, 22 Nov 2025 20:19:09 +0000 (01:19 +0500)] 
9pfs: local: read native symlinks when security-model=mapped

Directories attached using virtfs with security-model=mapped
may contain native symlinks

This can happen e.g. when booting from a rootfs directory tree
(usually with a writable overlay set up on the host side)

Currently, when security-model=mapped[-xattr|-file],
QEMU assumes that host-side "symlinks" are in the mapped format,
i.e. are regular files storing the linked path,
so it tries to open with O_NOFOLLOW
and fails with ELOOP on native symlinks

This patch introduces a fallback for such cases:
reuse security-model=[none|passthrough] else if branch logic
where readlink will be called for the path basename

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/173
Signed-off-by: Andrey Erokhin <language.lawyer@gmail.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Link: https://lore.kernel.org/qemu-devel/3c35955d-a57e-4203-81c5-395146e23f83@gmail.com
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
4 months agogdbstub/user: rename and use bool for running_state
Alex Bennée [Tue, 3 Feb 2026 11:52:01 +0000 (11:52 +0000)] 
gdbstub/user: rename and use bool for running_state

This is just a clean-up to document what we are using the running variable
for in user-mode.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260203115201.2387721-12-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
4 months agoinclude/gdbstub: tweak language
Alex Bennée [Tue, 3 Feb 2026 11:52:00 +0000 (11:52 +0000)] 
include/gdbstub: tweak language

While "iff" means "if and only if" it might look like a typo to those
not familiar with this mathematical abbreviation. A plain "if" is
clear enough.

Message-ID: <20260203115201.2387721-11-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
4 months agogdbstub/user-target: Convert host errno to GDB File-I/O errno
Yodel Eldar [Tue, 3 Feb 2026 11:51:59 +0000 (11:51 +0000)] 
gdbstub/user-target: Convert host errno to GDB File-I/O errno

Use host_to_gdb_errno to convert host-supplied errnos to their GDB
File-I/O remote protocol values, and use them in F reply packets.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2751
Reported-by: Dominik 'Disconnect3d' Czarnota <dominik.b.czarnota@gmail.com>
Signed-off-by: Yodel Eldar <yodel.eldar@yodel.dev>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260116014612.226183-4-yodel.eldar@yodel.dev>
Message-ID: <20260203115201.2387721-10-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
4 months ago gdbstub: Export host_to_gdb_errno File-I/O helper function
Yodel Eldar [Tue, 3 Feb 2026 11:51:58 +0000 (11:51 +0000)] 
gdbstub: Export host_to_gdb_errno File-I/O helper function

Move host_to_gdb_errno from target/m68k/m68k-semi.c to
gdbstub/syscalls.c. Declare it in include/gdbstub/syscalls.h.

Add both newly added GDB File-I/O supported errno values, EIO and
ENOSYS, to the mapping.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Yodel Eldar <yodel.eldar@yodel.dev>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260116014612.226183-3-yodel.eldar@yodel.dev>
Message-ID: <20260203115201.2387721-9-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
4 months ago include/gdbstub/syscalls: Add EIO and ENOSYS GDB File-I/O errno values
Yodel Eldar [Tue, 3 Feb 2026 11:51:57 +0000 (11:51 +0000)] 
include/gdbstub/syscalls: Add EIO and ENOSYS GDB File-I/O errno values

This patch adds the EIO and ENOSYS errno values that were missing from
the GDB Manual [1] when the other errno values were defined.

[1] https://sourceware.org/gdb/current/onlinedocs/gdb.html/Errno-Values.html

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Yodel Eldar <yodel.eldar@yodel.dev>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260116014612.226183-2-yodel.eldar@yodel.dev>
Message-ID: <20260203115201.2387721-8-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
4 months ago gdbstub/user: localise variables for reading gdb socket
Alex Bennée [Tue, 3 Feb 2026 11:51:55 +0000 (11:51 +0000)] 
gdbstub/user: localise variables for reading gdb socket

Keep things tidy by moving the declarations to the block where they
are used.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260203115201.2387721-6-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
4 months ago gdbstub: extract stop reply message construction
Alex Bennée [Tue, 3 Feb 2026 11:51:54 +0000 (11:51 +0000)] 
gdbstub: extract stop reply message construction

The stop reply message we send can include a lot of extra information
and a bunch is mode dependent. Extract the construction into a helper
and add specialised versions for system and user mode.

The correct response for system mode should be of the form:

  T05core:N;

Where N is the core ID. We pass GString to gdb_build_stop_packet as
other functions we are going to clean-up work variously with their own
dynamically allocated GStrings or with the common shared buffer.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260203115201.2387721-5-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
4 months ago gdbstub: remove the need for goto cleanup
Alex Bennée [Tue, 3 Feb 2026 11:51:53 +0000 (11:51 +0000)] 
gdbstub: remove the need for goto cleanup

We already set a default error reply which we can only overwrite if we
successfully follow the chain of checks. Initialise the variables as
NULL and use that to gate the construction of the filled out
stop/reply packet.

Message-ID: <20260203115201.2387721-4-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
4 months ago Makefile: add python script dependency for meson-buildoptions.sh
Alex Bennée [Tue, 3 Feb 2026 11:51:52 +0000 (11:51 +0000)] 
Makefile: add python script dependency for meson-buildoptions.sh

If we update the script we should also make sure we regenerate the
help text.

Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <20260203115201.2387721-3-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
4 months ago meson-buildoptions: Remove duplicated entry of --gdb in the help text
Alex Bennée [Tue, 3 Feb 2026 11:51:51 +0000 (11:51 +0000)] 
meson-buildoptions: Remove duplicated entry of --gdb in the help text

Since --gdb has recently been added to meson_options.txt, the help
text shows up twice in the output of "./configure --help":

 $ ./configure --help | grep gdb
   --gdb=GDB-path           gdb to use for gdbstub tests [/usr/bin/gdb]
   --gdb=VALUE              Path to GDB

As the probed value is of interest we want to keep the configure text
so make meson-buildoptions able to handle deferring to configure.

Fixes: b46b3818cf8 ("tests/functional: Provide GDB to the functional tests")
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Gustavo Romero <gustavo.romero@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Tested-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260203115201.2387721-2-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
4 months ago accel/tcg: Remove a redundant argument attrs in io_prepare()
Jim Shu [Tue, 3 Feb 2026 14:27:37 +0000 (22:27 +0800)] 
accel/tcg: Remove a redundant argument attrs in io_prepare()

attrs is already in CPUTLBEntryFull, so this argument is redundant.
Just remove it.

Clean up commit 94c6e9cf04409e38563080348d6136879f91ffee

Signed-off-by: Jim Shu <jim.shu@sifive.com>
Reviewed-by: Gustavo Romero <gustavo.romero@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260203142737.2164763-1-jim.shu@sifive.com>

4 months ago Revert "tcg/user: do not set exit_request gratuitously"
Paolo Bonzini [Mon, 2 Feb 2026 09:17:53 +0000 (10:17 +0100)] 
Revert "tcg/user: do not set exit_request gratuitously"

This reverts commit b422a7bff64eaf55b8250225533ca1df42c3777e.

The reporter says "The commit breaks go; if you run go build in a loop,
it eventually hangs uninterruptible (except -9) with a couple of zombie
children left over".

Reported-by: Andreas Schwab <schwab@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260202091753.28459-1-pbonzini@redhat.com>

4 months ago linux-user/syscall.c: Prevent acquiring clone_lock while fork()
Aleksandr Sergeev [Mon, 26 Jan 2026 15:16:12 +0000 (18:16 +0300)] 
linux-user/syscall.c: Prevent acquiring clone_lock while fork()

By the spec, fork() copies only the thread which executes it.
So it may happen that while one thread is doing a fork,
another thread is holding `clone_lock` mutex
(e.g. doing a `fork()` or `exit()`).
So the child process is born with the mutex being held,
and there is nobody to release it.

As the thread executing do_syscall() is not considered running,
start_exclusive() does not protect us from the case.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3226
Signed-off-by: Aleksandr Sergeev <sergeev0xef@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260126151612.2176451-1-sergeev0xef@gmail.com>

4 months ago accel/tcg: Fix uninitialized hostp in get_page_addr_code_hostp
Richard Henderson [Wed, 28 Jan 2026 01:04:30 +0000 (12:04 +1100)] 
accel/tcg: Fix uninitialized hostp in get_page_addr_code_hostp

This uninitialized value violates the contract in the
documentation comment, and may lead to a SEGV during
translation with -d in_asm.

Change the documentation to disallow hostp NULL.
Pass hostp to probe_access_internal directly.

Reported-by: Panda Jiang <3160104094@zju.edu.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
4 months ago accel/tcg: Don't pass NULL to get_page_addr_code_hostp
Richard Henderson [Wed, 28 Jan 2026 00:59:21 +0000 (11:59 +1100)] 
accel/tcg: Don't pass NULL to get_page_addr_code_hostp

Pass a dummy variable instead to let the value be discarded,
in preparation for making the argument mandatory.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
4 months ago Merge tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu into...
Peter Maydell [Thu, 5 Feb 2026 13:54:50 +0000 (13:54 +0000)] 
Merge tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu into staging

virtio,pci,pc: features, fixes

intel_iommu:
    SVM support
vhost:
    support for indirect descriptors in shadow virtqueue
vhost-user:
    vhost-user-spi support
    vhost-user-blk inflight migration support

misc fixes in pci, vhost, virtio, acpi, cxl
cleanups in acpi/ghes

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# gpg: Signature made Thu Feb  5 10:07:12 2026 GMT
# gpg:                using RSA key 5D09FD0871C8F85B94CA8A0D281F0DB8D28D5469
# gpg:                issuer "mst@redhat.com"
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" [full]
# gpg:                 aka "Michael S. Tsirkin <mst@redhat.com>" [full]
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
#      Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA  8A0D 281F 0DB8 D28D 5469

* tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu: (38 commits)
  hw/cxl: Take into account how many media operations are requested for param check
  hw/cxl: Check for overflow on santize media as both base and offset 64bit.
  vhost-user-blk: support inter-host inflight migration
  vhost: add vmstate for inflight region with inner buffer
  vmstate: introduce VMSTATE_VBUFFER_UINT64
  vhost-user: introduce protocol feature for skip drain on GET_VRING_BASE
  vhost-user.rst: specify vhost-user back-end action on GET_VRING_BASE
  virtio-gpu: use consistent error checking for virtio_gpu_create_mapping_iov
  virtio-gpu: fix error handling in virgl_cmd_resource_create_blob
  virtio-pmem: ignore empty queue notifications
  virtio-gpu-virgl: correct parent for blob memory region
  MAINTAINERS: Update VIOT maintainer
  cryptodev-builtin: Limit the maximum size
  hw/virtio/virtio-crypto: verify asym request size
  virtio-spi: Add vhost-user-spi device support
  standard-headers: Update virtio_spi.h from Linux v6.18-rc3
  q35: Fix migration of SMRAM state
  pcie_sriov: Fix PCI_SRIOV_* accesses in pcie_sriov_pf_exit()
  virtio: Fix crash when sriov-pf is set for non-PCI-Express device
  virtio-dmabuf: Ensure UUID persistence for hash table insertion
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
4 months ago hw/cxl: Take into account how many media operations are requested for param check
Jonathan Cameron [Fri, 2 Jan 2026 15:47:31 +0000 (15:47 +0000)] 
hw/cxl: Take into account how many media operations are requested for param check

Whilst the spec doesn't speak to it directly my assumption is that
a request for more operations than exist should result in an invalid
input error return.

Fixes: 77a8e9fe0ecb ("hw/cxl/cxl-mailbox-utils: Add support for Media operations discovery commands cxl r3.2 (8.2.10.9.5.3)")
Closes: https://lore.kernel.org/qemu-devel/CAFEAcA-p5wZkNxK7wNVq_3PAzEE-muOd1Def-0O-FSpck4DrBQ@mail.gmail.com/
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260102154731.474859-3-Jonathan.Cameron@huawei.com>

4 months ago hw/cxl: Check for overflow on santize media as both base and offset 64bit.
Jonathan Cameron [Fri, 2 Jan 2026 15:47:30 +0000 (15:47 +0000)] 
hw/cxl: Check for overflow on santize media as both base and offset 64bit.

Both the size and base of a media sanitize operation are provided
by the VM, so an overflow is possible which may result in checks on valid
range passing when they should not.  Close that by checking for overflow
on the addition.

Fixes: 40ab4ed10775 ("hw/cxl/cxl-mailbox-utils: Media operations Sanitize and Write Zeros commands CXL r3.2(8.2.10.9.5.3)")
Closes: https://lore.kernel.org/qemu-devel/CAFEAcA8Rqop+ju0fuxN+0T57NBG+bep80z45f6pY0ci2fz_G3A@mail.gmail.com/
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260102154731.474859-2-Jonathan.Cameron@huawei.com>
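
The wrap-around this commit message describes, shown as an added example that is not QEMU's code or part of the patch. `struct sanitize_req`, the capacity value and the function names are hypothetical, and the sample requests are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical request layout: both fields are supplied by the guest. */
struct sanitize_req {
    uint64_t base;   /* first byte to sanitize */
    uint64_t size;   /* number of bytes to sanitize */
};

typedef bool (*range_check_fn)(const struct sanitize_req *, uint64_t);

/* Weak form: base + size is computed modulo 2^64, so a very large
 * size wraps to a small end address and passes the comparison. */
static bool range_ok_unchecked(const struct sanitize_req *r, uint64_t capacity)
{
    return r->base + r->size <= capacity;
}

/* Hardened form: refuse the request when the addition would overflow,
 * then do the same comparison on a sum that is known not to wrap. */
static bool range_ok_checked(const struct sanitize_req *r, uint64_t capacity)
{
    if (r->size > UINT64_MAX - r->base) {
        return false;
    }
    return r->base + r->size <= capacity;
}

/* Constructed sample requests against an assumed 256 MiB device. */
static const uint64_t sample_capacity = 0x10000000ULL;
static const struct sanitize_req sample_reqs[] = {
    { 0x1000ULL,     0x2000ULL },             /* in range */
    { 0x0FFFF000ULL, 0x2000ULL },             /* past the end, no wrap */
    { 0x1000ULL,     0xFFFFFFFFFFFFF000ULL }, /* sum wraps to exactly 0 */
    { 0xFFFFFFFFFFFFFFF0ULL, 0x20ULL },       /* sum wraps to 0x10 */
};
#define SAMPLE_COUNT (sizeof(sample_reqs) / sizeof(sample_reqs[0]))

/* Count how many of the sample requests a given validator accepts. */
static int count_accepted(range_check_fn check)
{
    int accepted = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        if (check(&sample_reqs[i], sample_capacity)) {
            accepted++;
        }
    }
    return accepted;
}

int main(void)
{
    printf("unchecked accepts %d of %zu requests\n",
           count_accepted(range_ok_unchecked), SAMPLE_COUNT);
    printf("checked accepts   %d of %zu requests\n",
           count_accepted(range_ok_checked), SAMPLE_COUNT);
    return 0;
}
```
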

4 months ago vhost-user-blk: support inter-host inflight migration
Alexandr Moshkov [Thu, 15 Jan 2026 08:11:09 +0000 (13:11 +0500)] 
vhost-user-blk: support inter-host inflight migration

During inter-host migration, waiting for disk requests to be drained
in the vhost-user backend can incur significant downtime.

This can be avoided if QEMU migrates the inflight region in
vhost-user-blk.
Thus, during the qemu migration, with the feature flag the vhost-user
back-end can immediately stop vrings, so all in-flight requests will be
migrated to another host.

Signed-off-by: Alexandr Moshkov <dtalexundeer@yandex-team.ru>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Raphael Norwitz <raphael.s.norwitz@gmail.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260115081103.655749-6-dtalexundeer@yandex-team.ru>

4 months ago vhost: add vmstate for inflight region with inner buffer
Alexandr Moshkov [Thu, 15 Jan 2026 08:11:07 +0000 (13:11 +0500)] 
vhost: add vmstate for inflight region with inner buffer

Prepare for future inflight region migration for vhost-user-blk.
We need to migrate size, queue_size, and inner buffer.

So first it migrates the size and queue_size fields, then allocates memory
for the buffer with the migrated size, then migrates the inner buffer itself.

Signed-off-by: Alexandr Moshkov <dtalexundeer@yandex-team.ru>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260115081103.655749-5-dtalexundeer@yandex-team.ru>

4 months ago vmstate: introduce VMSTATE_VBUFFER_UINT64
Alexandr Moshkov [Thu, 15 Jan 2026 08:11:05 +0000 (13:11 +0500)] 
vmstate: introduce VMSTATE_VBUFFER_UINT64

This is an analog of VMSTATE_VBUFFER_UINT32 macro, but for uint64 type.

Signed-off-by: Alexandr Moshkov <dtalexundeer@yandex-team.ru>
Acked-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260115081103.655749-4-dtalexundeer@yandex-team.ru>

4 months ago vhost-user: introduce protocol feature for skip drain on GET_VRING_BASE
Alexandr Moshkov [Thu, 15 Jan 2026 08:11:03 +0000 (13:11 +0500)] 
vhost-user: introduce protocol feature for skip drain on GET_VRING_BASE

Add vhost-user protocol feature
VHOST_USER_PROTOCOL_F_GET_VRING_BASE_INFLIGHT

Now on GET_VRING_BASE this feature can control whether to wait for
in-flight requests to complete or not.
Also we have to validate that this feature will be enabled only when
qemu and back-end support in-flight buffer and in-flight migration

It will be helpful in future for in-flight requests migration in
vhost-user devices.

Update docs, add ref to label for inflight-io-tracking

Signed-off-by: Alexandr Moshkov <dtalexundeer@yandex-team.ru>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260115081103.655749-3-dtalexundeer@yandex-team.ru>

4 months ago vhost-user.rst: specify vhost-user back-end action on GET_VRING_BASE
Alexandr Moshkov [Thu, 15 Jan 2026 08:11:01 +0000 (13:11 +0500)] 
vhost-user.rst: specify vhost-user back-end action on GET_VRING_BASE

By default, we assume that the server needs to wait for all inflight IO on
GET_VRING_BASE. However, this fact is not recorded anywhere in the
documentation.
So, add this info in rst.

Signed-off-by: Alexandr Moshkov <dtalexundeer@yandex-team.ru>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260115081103.655749-2-dtalexundeer@yandex-team.ru>

4 months ago virtio-gpu: use consistent error checking for virtio_gpu_create_mapping_iov
Honglei Huang [Tue, 13 Jan 2026 01:52:03 +0000 (09:52 +0800)] 
virtio-gpu: use consistent error checking for virtio_gpu_create_mapping_iov

Unify error checking style for virtio_gpu_create_mapping_iov() across the
codebase to improve consistency and readability.

virtio_gpu_create_mapping_iov() returns 0 on success and negative values
on error. The original code used inconsistent patterns for checking errors:
- Some used 'if (ret != 0)' in virtio-gpu-virgl.c and virtio-gpu.c
- Some used 'CHECK(!ret, cmd)' in virtio-gpu-rutabaga.c

For if-statement checks, change to 'if (ret < 0)' which is the preferred
QEMU coding convention for functions that return 0 on success and negative
on error. This makes the return value convention immediately clear to code
readers.

For CHECK macro usage in virtio-gpu-rutabaga.c, keep the original
'CHECK(!ret, cmd)' pattern as it is more concise and consistent with other
error checks in the same file.

Updated locations:
- hw/display/virtio-gpu-virgl.c: virgl_resource_attach_backing()
- hw/display/virtio-gpu-virgl.c: virgl_cmd_resource_create_blob()
- hw/display/virtio-gpu.c: virtio_gpu_resource_create_blob()
- hw/display/virtio-gpu.c: virtio_gpu_resource_attach_backing()

Signed-off-by: Honglei Huang <honghuan@amd.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260113015203.3643608-3-honghuan@amd.com>

4 months ago virtio-gpu: fix error handling in virgl_cmd_resource_create_blob
Honglei Huang [Tue, 13 Jan 2026 01:52:02 +0000 (09:52 +0800)] 
virtio-gpu: fix error handling in virgl_cmd_resource_create_blob

Fix inverted error check in virgl_cmd_resource_create_blob() that causes
the function to return error when virtio_gpu_create_mapping_iov() succeeds.

virtio_gpu_create_mapping_iov() returns 0 on success and negative values
on error. The check 'if (!ret)' incorrectly treats success (ret=0) as an
error condition, causing the function to fail when it should succeed.

Change the condition to 'if (ret != 0)' to properly detect errors.

Fixes: 7c092f17ccee ("virtio-gpu: Handle resource blob commands")
Signed-off-by: Honglei Huang <honghuan@amd.com>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260113015203.3643608-2-honghuan@amd.com>

4 months ago virtio-pmem: ignore empty queue notifications
Li Chen [Tue, 6 Jan 2026 08:38:59 +0000 (16:38 +0800)] 
virtio-pmem: ignore empty queue notifications

virtio_pmem_flush() treats a NULL return from virtqueue_pop() as a fatal
error and calls virtio_error(), which puts the device into NEEDS_RESET.

However, virtqueue handlers can be invoked when no element is available,
so an empty queue should be handled as a benign no-op.

With a Linux guest this avoids spurious NEEDS_RESET and the resulting
-EIO propagation (e.g. EXT4 journal abort and remount-ro).

Signed-off-by: Li Chen <me@linux.beauty>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260106083859.380338-1-me@linux.beauty>