Gabriel Brookman [Fri, 29 May 2026 19:52:52 +0000 (12:52 -0700)]
target/arm: tag is not a part of PAuth with MTX
As described in the section on MTX, tag bits should not be used to store
or compute the PAC when MTX is set. See also Authenticate(),
InsertPAC(), and Strip().
Signed-off-by: Gabriel Brookman <brookmangabriel@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260529-feat-mte4-v7-12-ccbd3c14eb3c@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Gabriel Brookman [Fri, 29 May 2026 19:52:51 +0000 (12:52 -0700)]
target/arm: skip tag bit bounds check if MTX is on
Virtual address canonicity checks should ignore mismatch in tag bits
during translation step if MTX is set. This mismatch is checked during
the tag check instead, in that case.
Signed-off-by: Gabriel Brookman <brookmangabriel@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260529-feat-mte4-v7-11-ccbd3c14eb3c@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Gabriel Brookman [Fri, 29 May 2026 19:52:50 +0000 (12:52 -0700)]
target/arm: fault on tag store to canonical tag
According to ARM ARM, section "Memory region tagging types", tag-store
instructions targeting canonically tagged regions cause a stage 1
permission fault with MTX enabled.
Signed-off-by: Gabriel Brookman <brookmangabriel@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260529-feat-mte4-v7-10-ccbd3c14eb3c@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Gabriel Brookman [Fri, 29 May 2026 19:52:49 +0000 (12:52 -0700)]
target/arm: load on canonical tag loads ext bits
Loading tags from canonically tagged regions should use the canonical
tags (extension bits), not allocation tags. See AArch64_MemTagRead().
Signed-off-by: Gabriel Brookman <brookmangabriel@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260529-feat-mte4-v7-9-ccbd3c14eb3c@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Gabriel Brookman [Fri, 29 May 2026 19:52:48 +0000 (12:52 -0700)]
target/arm: add canonical MTE check logic
With MTX active, address tag bits are checked for canonicity if the
corresponding memory regions are not allocation tagged. See
AArch64_CheckTag.
Signed-off-by: Gabriel Brookman <brookmangabriel@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260529-feat-mte4-v7-8-ccbd3c14eb3c@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Gabriel Brookman [Fri, 29 May 2026 19:52:47 +0000 (12:52 -0700)]
target/arm: add canonical tag check helper
Add a helper that checks whether mtx is active from MTEDESC. Refactored
an existing function to use it.
Signed-off-by: Gabriel Brookman <brookmangabriel@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260529-feat-mte4-v7-7-ccbd3c14eb3c@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Gabriel Brookman [Fri, 29 May 2026 19:52:46 +0000 (12:52 -0700)]
target/arm: add MTX to MTEDESC and DisasContext
Add fields for MTX to DisasContext and MTEDESC. With MTE4, the fields
will be needed in future patches that alter tag check, tag load and tag
store behavior.
Signed-off-by: Gabriel Brookman <brookmangabriel@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260529-feat-mte4-v7-6-ccbd3c14eb3c@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Gabriel Brookman [Fri, 29 May 2026 19:52:45 +0000 (12:52 -0700)]
target/arm: emit tag check when MTX without TBI
Previously, the TBI bit was used to mediate whether tag checks happened.
With MTE4, if the MTX bits are enabled, then tag checking happens even
if TBI is disabled. See AccessIsTagChecked.
Signed-off-by: Gabriel Brookman <brookmangabriel@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260529-feat-mte4-v7-5-ccbd3c14eb3c@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Gabriel Brookman [Fri, 29 May 2026 19:52:44 +0000 (12:52 -0700)]
linux-user: add MTE_STORE_ONLY to prctl
Linux-user processes can now control whether MTE_STORE_ONLY is enabled
using the prctl syscall.
Signed-off-by: Gabriel Brookman <brookmangabriel@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260529-feat-mte4-v7-4-ccbd3c14eb3c@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Gabriel Brookman [Fri, 29 May 2026 19:52:43 +0000 (12:52 -0700)]
target/arm: mte_check unemitted on STORE_ONLY load
This feature disables generation of the mte check helper on loads when
STORE_ONLY tag checking mode is enabled.
Signed-off-by: Gabriel Brookman <brookmangabriel@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260529-feat-mte4-v7-3-ccbd3c14eb3c@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Gabriel Brookman [Fri, 29 May 2026 19:52:42 +0000 (12:52 -0700)]
target/arm: add TCSO bitmasks to SCTLR
These are the bitmasks used to control the FEAT_MTE_STORE_ONLY feature.
They are now named and setting these fields of SCTLR is ignored if MTE
or MTE4 is disabled, as per convention.
Signed-off-by: Gabriel Brookman <brookmangabriel@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260529-feat-mte4-v7-2-ccbd3c14eb3c@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Stefan Hajnoczi [Wed, 10 Jun 2026 14:57:17 +0000 (10:57 -0400)]
Merge tag 'for-upstream' of https://repo.or.cz/qemu/kevin into staging
Block layer patches
- qcow2: Fix data loss on zero write with detect-zeroes=unmap
- qemu-img bitmap: add sub-command --remove-all
- export/fuse: set FUSE_DIRECT_IO_ALLOW_MMAP flag to fix regression
- virtio-blk: add missing VIRTIO_BLK_T_SCSI_CMD size check (CVE-2026-48914)
- qed: Don't try to flush during incoming migration
- iotests/136: Test stats-intervals with -blockdev/-device
* tag 'for-upstream' of https://repo.or.cz/qemu/kevin:
qed: Don't try to flush during incoming migration
iotests: test shared mmap for fuse export
block/export/fuse: set FUSE_DIRECT_IO_ALLOW_MMAP flag to fix regression
block/export/fuse: use struct fuse_init_in
qcow2: Fix data loss on zero write with detect-zeroes=unmap
iotests/136: Test stats-intervals with -blockdev/-device
qemu-img: add sub-command --remove-all to 'qemu-img bitmap'
virtio-blk: add missing VIRTIO_BLK_T_SCSI_CMD size check (CVE-2026-48914)
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* tag 'pull-maintainers-2026-06-10' of https://repo.or.cz/qemu/armbru: (42 commits)
MAINTAINERS: Fix F: in "Rust build system integration"
MAINTAINERS: Drop stale F: from "Sphinx documentation configuration ..."
MAINTAINERS: Fix F: in "Build and test automation"
MAINTAINERS: Fix F: in "VFIO-USER"
MAINTAINERS: Drop stale F: from "Linux io_uring"
MAINTAINERS: Drop stale F: from "TCI TCG target"
MAINTAINERS: Drop stale F: from "EDK2 Firmware"
MAINTAINERS: Fix F: typo in "I3C"
MAINTAINERS: Fix F: in "QMP"
MAINTAINERS: Fix F: in "QDev"
MAINTAINERS: Drop stale F: from "Human Monitor (HMP)"
MAINTAINERS: Fix F: typo in "Dump"
MAINTAINERS: Drop stale F: from "Block I/O path"
MAINTAINERS: Fix F: typo in "pcf8574"
MAINTAINERS: Fix F: in "virtio-snd" and "virtio-gpu"
MAINTAINERS: Fix F: in "vhost-user-stubs"
MAINTAINERS: Fix bad / stale F: in "virtio-user-rng"
MAINTAINERS: Fix F: in "virtio-input"
MAINTAINERS: Fix F: in "vhost"
MAINTAINERS: Fix F: in "SSI"
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Gabriel Brookman [Fri, 29 May 2026 19:52:41 +0000 (12:52 -0700)]
target/arm: implement MTE_PERM
Introduces a new stage 2 memory attribute, NoTagAccess, that raises a
stage 2 data abort on a tag check, tag read, or tag write.
Signed-off-by: Gabriel Brookman <brookmangabriel@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260529-feat-mte4-v7-1-ccbd3c14eb3c@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
qdev_get_clocklist() function returns a pointer to the NamedClockList
struct. This function is called in qdev_alias_clock() and the returned
pointer is immediately dereferenced without a null check.
Passing a clock name that doesn't exist to qdev_get_clocklist() is a
programming error, and so this change is not fixing a bug, only making
the reporting of that programming error a bit more helpful and bringing
it into line with qdev_get_clock_in() and qdev_get_clock_out().
Cc: luc@lmichel.fr
Cc: peter.maydell@linaro.org
Cc: hemanshu_dev@proton.me
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2342
Signed-off-by: hemanshu.khilari.foss <hemanshu.khilari.foss@gmail.com>
Message-id: 20260531153354.88909-2-hemanshu.khilari.foss@gmail.com
Reviewed-by: Luc Michel <luc@lmichel.fr>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Fabiano Rosas [Wed, 3 Jun 2026 19:38:13 +0000 (16:38 -0300)]
qed: Don't try to flush during incoming migration
It's not possible to access the image file while there is an incoming
migration in progress, the QEMU process doesn't hold any locks to the
storage at this point so nodes are inactive. Attempting to flush leads
to an assert at bdrv_co_write_req_prepare():
assert(!(bs->open_flags & BDRV_O_INACTIVE))
The issue is reproducible by running iotest 181 on a host under cpu
load. The migration must coincide with the header already containing
the QED_F_NEED_CHECK flag.
The sequence of events is as follows, with the respective call stacks
referenced below:
During block device init, bdrv_qed_attach_aio_context() starts the
'need_check' timer. The timer will not fire during incoming migration
as it uses QEMU_CLOCK_VIRTUAL (to avoid this very issue, as the code
comment indicates). (0)
However, there's still bdrv_qed_drain_begin() which uses the fact that
the timer is live to decide whether to start the
qed_need_check_timer_entry() directly. (1)
The qed_need_check_timer_entry() eventually calls into
qed_write_header() -> bdrv_co_pwrite() leading to the assert. (2)
Skip creating the 'need_check' timer whenever the image is inactive.
The stacks:
(0) == issues timer_mod ==
#6 in qed_start_need_check_timer at ../block/qed.c:340
#7 in bdrv_qed_attach_aio_context at ../block/qed.c:373
#8 in bdrv_qed_do_open at ../block/qed.c:556
#9 in bdrv_qed_open_entry at ../block/qed.c:582
#10 in coroutine_trampoline at ../util/coroutine-ucontext.c:175
#0 in qemu_coroutine_switch<+120> at ../util/coroutine-ucontext.c:321
#1 in qemu_aio_coroutine_enter<+356> at ../util/qemu-coroutine.c:293
#2 in aio_co_enter<+179> at ../util/async.c:710
#3 in aio_co_wake<+53> at ../util/async.c:695
#4 in thread_pool_co_cb<+47> at ../util/thread-pool.c:283
#5 in thread_pool_completion_bh<+241> at ../util/thread-pool.c:202
#6 in aio_bh_call<+109> at ../util/async.c:173
#7 in aio_bh_poll<+299> at ../util/async.c:220
#8 in aio_poll<+690> at ../util/aio-posix.c:745
#9 in bdrv_qed_open<+392> at ../block/qed.c:607
#10 in bdrv_open_driver<+327> at ../block.c:1678
#11 in bdrv_open_common<+1619> at ../block.c:2008
#12 in bdrv_open_inherit<+2556> at ../block.c:4191
#13 in bdrv_open<+118> at ../block.c:4286
#14 in blk_new_open<+199> at ../block/block-backend.c:458
#15 in blockdev_init<+2011> at ../blockdev.c:612
#16 in drive_new<+3008> at ../blockdev.c:1008
#17 in drive_init_func<+51> at ../system/vl.c:662
#18 in qemu_opts_foreach<+227> at ../util/qemu-option.c:1148
#19 in configure_blockdev<+350> at ../system/vl.c:721
#20 in qemu_create_early_backends<+343> at ../system/vl.c:2076
#21 in qemu_init<+12483> at ../system/vl.c:3778
#22 in main<+46> at ../system/main.c:71
(1) == sees timer_pending ==
#6 in bdrv_qed_drain_begin at ../block/qed.c:391
#7 in bdrv_do_drained_begin at ../block/io.c:366
#8 in bdrv_do_drained_begin_quiesce at ../block/io.c:386
#9 in bdrv_child_cb_drained_begin at ../block.c:1207
#10 in bdrv_parent_drained_begin_single at ../block/io.c:133
#11 in bdrv_parent_drained_begin at ../block/io.c:64
#12 in bdrv_do_drained_begin at ../block/io.c:364
#13 in bdrv_drained_begin at ../block/io.c:393
#14 in blk_drain at ../block/block-backend.c:2101
#15 in blk_unref at ../block/block-backend.c:544
#16 in bdrv_open_inherit at ../block.c:4197
#17 in bdrv_open at ../block.c:4286
#18 in blk_new_open at ../block/block-backend.c:458
#19 in blockdev_init at ../blockdev.c:612
#20 in drive_new at ../blockdev.c:1008
#21 in drive_init_func at ../system/vl.c:662
#22 in qemu_opts_foreach at ../util/qemu-option.c:1148
#23 in configure_blockdev at ../system/vl.c:721
#24 in qemu_create_early_backends at ../system/vl.c:2076
#25 in qemu_init at ../system/vl.c:3778
#26 in main at ../system/main.c:71
(2) == crashes ==
#5 in __assert_fail (assertion="!(bs->open_flags & BDRV_O_INACTIVE)", file="../block/io.c", line=1977
#6 in bdrv_co_write_req_prepare at ../block/io.c:1977
#7 in bdrv_aligned_pwritev at ../block/io.c:2099
#8 in bdrv_co_pwritev_part at ../block/io.c:2316
#9 in bdrv_co_pwritev at ../block/io.c:2233
#10 in bdrv_co_pwrite at ../include/block/block_int-io.h:77
#11 in qed_write_header at ../block/qed.c:128
#12 in qed_need_check_timer at ../block/qed.c:305
#13 in qed_need_check_timer_entry at ../block/qed.c:319
Note that this issue is not exactly the same as what's been reported
in Gitlab, but given how easily this reproduces, I imagine it has to
be happening in that setup as well.
Link: https://gitlab.com/qemu-project/qemu/-/work_items/3515
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Message-ID: <20260603193813.2327596-1-farosas@suse.de>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Fiona Ebner [Wed, 6 May 2026 14:49:58 +0000 (16:49 +0200)]
iotests: test shared mmap for fuse export
This test would have worked before commit 8599559580 ("fuse: Set
direct_io and parallel_direct_writes") and is working again since
commit HEAD~1 ("block/export/fuse: set FUSE_DIRECT_IO_ALLOW_MMAP flag
to fix regression").
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Message-ID: <20260506145424.10249-4-f.ebner@proxmox.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
MAINTAINERS: Drop stale F: from "Sphinx documentation configuration ..."
We neglected to update MAINTAINERS when we fused the conf.py into one,
and when we deleted the kernel-doc script. Update it now.
Fixes: b93f4fbdc4 (docs: Build and install all the docs in a single manual, 2021-01-15)
Fixes: 619d5f0211 (scripts/kernel-doc: Delete the old Perl kernel-doc script, 2025-08-14)
Cc: John Snow <jsnow@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260603064032.3733394-38-armbru@redhat.com>
MAINTAINERS: Fix F: in "Build and test automation"
We neglected to update MAINTAINERS when we split off the testing docs.
Commit 97b091c88f (MAINTAINERS: Update the paths to the testing
documentation files, 2025-06-10) updated it belatedly, but missed one
line. Correct that now.
Fixes: ff41da5030 (docs/devel: Split testing docs from the build docs and move to separate folder, 2024-08-30)
Cc: Alex Bennée <alex.bennee@linaro.org>
Cc: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-ID: <20260603064032.3733394-37-armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
The commit adding the section added two bad F: lines:
include/hw/vfio-user/ never existed, and subprojects/libvfio-user had
long been replaced by subprojects/libvfio.wrap. Drop the former, and
correct the latter.
Fixes: 9fca2b7d70 (vfio-user: add vfio-user class and container, 2025-06-25)
Cc: John Levon <john.levon@nutanix.com>
Cc: Thanos Makatos <thanos.makatos@nutanix.com>
Cc: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: John Levon <john.levon@nutanix.com>
Message-ID: <20260603064032.3733394-36-armbru@redhat.com>
We neglected to update MAINTAINERS when we dropped disas/tci.c.
Update it now.
Fixes: 59964b4f98 (tcg/tci: Implement the disassembler properly, 2021-01-30)
Cc: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Message-ID: <20260603064032.3733394-34-armbru@redhat.com>
We neglected to update MAINTAINERS when we renamed
docs/devel/writing-monitor-commands.rst, and when we renamed
monitor/misc.c. The latter file no longer exists, so simply drop the
line. Update the other one.
Fixes: 0e33e3d2c4 (docs/devel: rename file for writing monitor commands, 2021-09-09)
Fixes: 864a3fa439 (monitor: Rename misc.c to hmp-target.c, 2023-01-24)
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260603064032.3733394-31-armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
MAINTAINERS: Drop stale F: from "Human Monitor (HMP)"
We neglected to update MAINTAINERS when we moved hmp.h to
include/monitor/. Commit 17dc3ae3e1 (monitor: Extract completion
declarations to 'monitor/hmp-completion.h', 2026-03-20) added the
missing entry without deleting the stale one. Do that now.
Fixes: 275307aaab (hmp: Move hmp.h to include/monitor/, 2019-06-19)
Cc: Dr. David Alan Gilbert <dave@treblig.org>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dave@treblig.org>
Message-ID: <20260603064032.3733394-29-armbru@redhat.com>
MAINTAINERS: Fix F: in "virtio-snd" and "virtio-gpu"
We neglected to update MAINTAINERS when we moved
docs/system/devices/virtio-snd.rst and
docs/system/devices/virtio-gpu.rst to docs/system/devices/virtio/.
Update it now.
We neglected to update MAINTAINERS when we renamed
hw/virtio/vhost-user-device-pci.c and hw/virtio/vhost-user-device.c to
hw/virtio/vhost-user-test-device-pci.c and
hw/virtio/vhost-user-test-device.c. Update it now.
Fixes: 722e9022a0 (hw/virtio: rename vhost-user-device and make user creatable, 2025-09-01)
Cc: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260603064032.3733394-24-armbru@redhat.com>
MAINTAINERS: Fix bad / stale F: in "virtio-user-rng"
tools/vhost-user-rng/* never existed. Drop the bad line.
We neglected to update MAINTAINERS when we moved
docs/system/devices/vhost-user-rng.rst to docs/system/devices/virtio/.
We later deleted the file. Drop the stale line.
Fixes: e3e01466bf (MAINTAINERS: Add maintainer for vhost-user RNG implementation, 2021-06-14)
Fixes: 487ce6ce99 (docs/system: split VirtIO devices from the rest, 2025-10-16)
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260603064032.3733394-23-armbru@redhat.com>
We neglected to update MAINTAINERS when we moved
docs/system/devices/vhost-user-input.rst to
docs/system/devices/virtio/. We later folded it into
docs/system/devices/virtio/vhost-user-contrib.rst, so cover that
instead.
Fixes: 487ce6ce99 (docs/system: split VirtIO devices from the rest, 2025-10-16)
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260603064032.3733394-22-armbru@redhat.com>
We neglected to update MAINTAINERS when we renamed
tests/qtest/m25p80-test.c to tests/qtest/aspeed_smc-test.c. Update it now.
Fixes: 5fde7f10c0 (tests/qtest: Rename m25p80 test in aspeed_smc test, 2021-05-01)
Cc: Alistair Francis <alistair@alistair23.me>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260603064032.3733394-20-armbru@redhat.com>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
We neglected to update MAINTAINERS when we deleted
include/hw/ppc/pef.h. Update it now.
Fixes: 00a238b1a8 (ppc/pef: switch to use confidential_guest_kvm_init/reset(), 2024-02-29)
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Harsh Prateek Bora <harshpb@linux.ibm.com>
Cc: qemu-ppc@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Reviewed-by: Amit Machhiwal <amachhiw@linux.ibm.com>
Message-ID: <20260603064032.3733394-17-armbru@redhat.com>
Fixes: 246f530cdb (adc: Move the zynq-xadc file to the adc directories, 2021-05-18)
Cc: Edgar E. Iglesias <edgar.iglesias@gmail.com>
Cc: Alistair Francis <alistair@alistair23.me>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-arm@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260603064032.3733394-15-armbru@redhat.com>
Reviewed-by: Alistair Francis <alistair@alistair23.me>
Cover hw/arm/raspi4b.c. Drop hw/arm/raspi_platform.h, it's in
include/hw/arm/, and covered there.
Fixes: 95a5db3ae5 (MAINTAINERS: Add entries for missing ARM boards, 2018-11-19)
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Philippe Mathieu-Daudé <philmd@mailo.com>
Cc: qemu-arm@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260603064032.3733394-14-armbru@redhat.com>
MAINTAINERS: Fix F: in "Overall CPUs other accelerators"
We neglected to update MAINTAINERS when we deleted makefiles. Update
it now.
Fixes: 1a82878a08 (meson: accel, 2019-08-18)
Cc: Richard Henderson <richard.henderson@linaro.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Philippe Mathieu-Daudé <philmd@mailo.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260603064032.3733394-7-armbru@redhat.com>
[Add the meson.build that replaces the makefiles, adjust commit message]
Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
MAINTAINERS: Drop stale F: from "Overall KVM CPUs"
We neglected to update MAINTAINERS when we moved the only file out of
include/hw/kvm/. Its new location is covered by "X86 TCG CPUs". Drop
the stale line.
Fixes: a09ef8ff0a (hw/i386: Rename 'hw/kvm/clock.h' -> 'hw/i386/kvm/clock.h', 2023-06-20)
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260603064032.3733394-6-armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
MAINTAINERS: Delete trailing colons in section headlines
These are harmless as far as I can tell, so this is just for
consistency.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20260603064032.3733394-3-armbru@redhat.com>
MAINTAINERS: Improve another "Overall" section headline
Having scripts/get_maintainer.pl report "Overall" like
$ scripts/get_maintainer.pl -f cpu-target.c
Richard Henderson <richard.henderson@linaro.org> (maintainer:Overall)
Paolo Bonzini <pbonzini@redhat.com> (reviewer:Overall)
"Philippe Mathieu-Daudé" <philmd@mailo.com> (reviewer:Overall)
qemu-devel@nongnu.org (open list:All patches CC here)
John Doe <jdoe@example.org> (maintainer:Overall)
is less than useful. Commit 6347e1f1cc (MAINTAINERS: Improve section
headlines, 2019-06-06) took care of the issue, but then commit 79ac391592 (MAINTAINERS: Add an 'overall' entry for accelerators,
2020-06-18) added another instance. Take care of that one.
Cc: Richard Henderson <richard.henderson@linaro.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Philippe Mathieu-Daudé <philmd@mailo.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260603064032.3733394-2-armbru@redhat.com>
Fixes: 812b31d3f91 ("configs: rename default-configs to configs and reorganise")
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260520123947.12711-1-philmd@linaro.org>
Host user-emulation headers were renamed in commits ba0e7333620
("configure: Merge riscv32 and riscv64 host architectures") and bbf15aaf7c7 ("common-user: Move safe-syscall.* from linux-user"),
then covered in commit 355cdac7d86 ("MAINTAINERS: Add
common-user/host/riscv to RISC-V section"). Remove the obsolete
entries.
test_riscv64_sifive_u.py was renamed in commit e1a8572a8d7
("tests/functional: Move riscv32/riscv64 tests into target-specific
folders").
Reported-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260519172621.98469-1-philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
# gpg: Signature made Tue 09 Jun 2026 08:38:42 EDT
# gpg: using RSA key CA473C44D6A09C189A193FCD452B96852B268216
# gpg: Good signature from "Song Gao <gaosong@loongson.cn>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: CA47 3C44 D6A0 9C18 9A19 3FCD 452B 9685 2B26 8216
* tag 'pull-loongarch-20260609' of https://github.com/gaosong715/qemu:
target/loongarch: Add new structure CPUSysState
target/loongarch: Add macro CSR_OFFSET and CPU_CSR_OFFSET
target/loongarch: Add wrapper function get_csr_offset()
target/loongarch: Add default CSRFL_BASIC info with flags field
linux-user/loongarch64: Use sys_state when accessing CSR registers
target/loongarch: Use sys_state in op_helper.c when accessing CSR registers
target/loongarch: Use sys_state in csr_helper.c when accessing CSR registers
target/loongarch: Use sys_state in tcg_cpu.c when accessing CSR registers
target/loongarch: Use sys_state in tlb_helper.c when accessing CSR registers
target/loongarch: Use sys_state in kvm.c when accessing CSR registers
target/loongarch: Use sys_state in file arch_dump.c when accessing CSR registers
target/loongarch: Use sys_state in cpu_helper.c when accessing CSR registers
target/loongarch: Use sys_state in cpu.c when accessing CSR registers
target/loongarch: Add new field curState in CPULoongArchState
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Bibo Mao [Fri, 5 Jun 2026 08:39:38 +0000 (16:39 +0800)]
target/loongarch: Add new structure CPUSysState
New structure CPUSysState is added here, now it only contains CSR
registers, in future TLB and timer can be moved to this structure also.
It is only code movement, no function change.
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Tested-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20260605083938.175658-1-maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Bibo Mao [Fri, 5 Jun 2026 08:39:10 +0000 (16:39 +0800)]
target/loongarch: Add macro CSR_OFFSET and CPU_CSR_OFFSET
Instruction rdtime is to read TSC timestamp and logic vCPU id,
it is also used by Linux user mode emulation. However function
get_csr_offset() cannot be called in user mode emulation, here
macro CSR_OFFSET and CPU_CSR_OFFSET are added. The added macro
can be called in both user emulation and system emulation.
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
Tested-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20260605083910.175647-1-maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Bibo Mao [Fri, 5 Jun 2026 08:39:04 +0000 (16:39 +0800)]
target/loongarch: Add wrapper function get_csr_offset()
Add wrapper function get_csr_offset(), it is to get offset from structure
CPULoongArchState. There is no function change, and it is used for future
LVZ feature.
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
Tested-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20260605083904.175636-1-maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Bibo Mao [Fri, 5 Jun 2026 08:38:54 +0000 (16:38 +0800)]
target/loongarch: Add default CSRFL_BASIC info with flags field
With CSR array structure, its validity is checked from offset field.
Now default CSRFL_BASIC information is added with flags field and its
validity can be checked with flags field.
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Tested-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20260605083854.175625-1-maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Bibo Mao [Fri, 5 Jun 2026 08:38:44 +0000 (16:38 +0800)]
linux-user/loongarch64: Use sys_state when accessing CSR registers
When accessing CSR registers in directory linux-user/loongarch64/, use
sys_state rather than env. There is no function change.
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
Tested-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20260605083844.175612-1-maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Bibo Mao [Fri, 5 Jun 2026 08:37:56 +0000 (16:37 +0800)]
target/loongarch: Use sys_state in op_helper.c when accessing CSR registers
When accessing CSR registers in file op_helper.c, use sys_state rather
than env. There is no function change.
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
Tested-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20260605083756.175598-1-maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Bibo Mao [Fri, 5 Jun 2026 08:25:46 +0000 (16:25 +0800)]
target/loongarch: Use sys_state in csr_helper.c when accessing CSR registers
When accessing CSR registers in file csr_helper.c, use sys_state rather
than env. There is no function change.
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
Tested-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20260605082552.175336-9-maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Bibo Mao [Fri, 5 Jun 2026 08:25:45 +0000 (16:25 +0800)]
target/loongarch: Use sys_state in tcg_cpu.c when accessing CSR registers
When accessing CSR registers in file tcg_cpu.c, use sys_state rather
than env. There is no function change.
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
Tested-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20260605082552.175336-8-maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Bibo Mao [Fri, 5 Jun 2026 08:25:44 +0000 (16:25 +0800)]
target/loongarch: Use sys_state in tlb_helper.c when accessing CSR registers
When accessing CSR registers in file tlb_helper.c, use sys_state rather
than env. There is no function change.
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
Tested-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20260605082552.175336-7-maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Bibo Mao [Fri, 5 Jun 2026 08:25:43 +0000 (16:25 +0800)]
target/loongarch: Use sys_state in kvm.c when accessing CSR registers
When accessing CSR registers in file kvm.c, use sys_state rather than
env.
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
Tested-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20260605082552.175336-6-maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Bibo Mao [Fri, 5 Jun 2026 08:25:42 +0000 (16:25 +0800)]
target/loongarch: Use sys_state in file arch_dump.c when accessing CSR registers
When accessing CSR registers in file arch_dump.c, use sys_state rather
than env.
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
Tested-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20260605082552.175336-5-maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Bibo Mao [Fri, 5 Jun 2026 08:25:41 +0000 (16:25 +0800)]
target/loongarch: Use sys_state in cpu_helper.c when accessing CSR registers
When accessing CSR register in file cpu_helper.c, use sys_state rather
than env.
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
Tested-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20260605082552.175336-4-maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Bibo Mao [Fri, 5 Jun 2026 08:25:40 +0000 (16:25 +0800)]
target/loongarch: Use sys_state in cpu.c when accessing CSR registers
When accessing CSR register in file cpu.c, use sys_state rather than
env.
Signed-off-by: Bibo Mao <maobibo@loongson.cn> Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com> Tested-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20260605082552.175336-3-maobibo@loongson.cn> Signed-off-by: Song Gao <gaosong@loongson.cn>
Bibo Mao [Fri, 5 Jun 2026 08:25:39 +0000 (16:25 +0800)]
target/loongarch: Add new field curState in CPULoongArchState
New field sys_state is added in structure CPULoongArchState, it points
to CPULoongArchState itself now.
Signed-off-by: Bibo Mao <maobibo@loongson.cn> Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com> Tested-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20260605082552.175336-2-maobibo@loongson.cn> Signed-off-by: Song Gao <gaosong@loongson.cn>
Fiona Ebner [Wed, 6 May 2026 14:49:57 +0000 (16:49 +0200)]
block/export/fuse: set FUSE_DIRECT_IO_ALLOW_MMAP flag to fix regression
Commit 8599559580 ("fuse: Set direct_io and parallel_direct_writes")
broke use cases that require mmap() with MAP_SHARED on the export. In
particular, swtpm_setup using its 'file://' protocol requires this.
From the kernel documentation [0]:
> To allow shared mmap, the FUSE_DIRECT_IO_ALLOW_MMAP flag may be
> enabled in the FUSE_INIT reply.
Set the FUSE_DIRECT_IO_ALLOW_MMAP flag to restore compatibility with
users requiring shared mmap. The FUSE_INIT_EXT flag needs to be set
for the flags2 member to have an effect.
Cc: qemu-stable@nongnu.org Fixes: 8599559580 ("fuse: Set direct_io and parallel_direct_writes") Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Message-ID: <20260506145424.10249-3-f.ebner@proxmox.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Fiona Ebner [Wed, 6 May 2026 14:49:56 +0000 (16:49 +0200)]
block/export/fuse: use struct fuse_init_in
The code is switched to use the current 'struct fuse_init_in' in
preparation to use the FUSE_DIRECT_IO_ALLOW_MMAP feature, which is
part of the flags2 member that got added in protocol version 5.36.
To not break compatibility with older kernels, the check for whether
the full header of an operation was read in co_read_from_fuse_fd()
needs to be adapted. In particular, for a FUSE_INIT operation, the
protocol version must be considered, because the length of the header
changed with protocol version 7.36. Always using the length of the
old, shorter struct was inaccurate, since for newer protocol versions
this might mean accepting a truncated read for FUSE_INIT.
Users of the init header that want to use parts of the extended
structure must check with the using_old_fuse_init_in() helper function
if they may do so.
Cc: qemu-stable@nongnu.org Fixes: a94a1d7699 ("fuse: Manually process requests (without libfuse)") Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Message-ID: <20260506145424.10249-2-f.ebner@proxmox.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
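The length check described in the commit message above, as an added illustration that is not QEMU's code. It assumes the Linux UAPI sizes (40-byte fuse_in_header, 16-byte fuse_init_in before protocol 7.36, 64 bytes from 7.36 on); all function names are hypothetical and the sample requests are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IN_HEADER_LEN   40u  /* sizeof(struct fuse_in_header) */
#define OLD_INIT_IN_LEN 16u  /* fuse_init_in before 7.36 */
#define NEW_INIT_IN_LEN 64u  /* fuse_init_in with flags2 and padding */
#define OPCODE_INIT     26u  /* FUSE_INIT */

/* FUSE messages use host byte order; memcpy avoids unaligned access. */
static uint32_t rd32(const uint8_t *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof(v));
    return v;
}

/* Hypothetical helper: does this protocol version use the short struct? */
bool init_in_is_old(uint32_t major, uint32_t minor)
{
    return major < 7 || (major == 7 && minor < 36);
}

/* True only if 'got' bytes hold the complete FUSE_INIT request for the
 * protocol version announced inside the request itself. */
bool init_request_complete(const uint8_t *buf, size_t got)
{
    /* major/minor sit in the part both layouts share, so the short
     * length is the minimum needed before the version can be read. */
    if (got < IN_HEADER_LEN + OLD_INIT_IN_LEN) {
        return false;
    }
    if (rd32(buf + 4) != OPCODE_INIT) {
        return false;  /* this sketch handles FUSE_INIT only */
    }
    uint32_t major = rd32(buf + IN_HEADER_LEN);
    uint32_t minor = rd32(buf + IN_HEADER_LEN + 4);
    size_t need = IN_HEADER_LEN +
        (init_in_is_old(major, minor) ? OLD_INIT_IN_LEN : NEW_INIT_IN_LEN);
    return got >= need;
}

/* Constructed sample: zeroed 104-byte buffer holding a FUSE_INIT request
 * of which only the first 'got' bytes were read. Returns 'got'. */
size_t build_init(uint8_t buf[104], uint32_t major, uint32_t minor, size_t got)
{
    uint32_t len = (uint32_t)got, opcode = OPCODE_INIT;
    memset(buf, 0, 104);
    memcpy(buf, &len, 4);
    memcpy(buf + 4, &opcode, 4);
    memcpy(buf + IN_HEADER_LEN, &major, 4);
    memcpy(buf + IN_HEADER_LEN + 4, &minor, 4);
    return got;
}

int main(void)
{
    uint8_t b[104];
    printf("7.31, 56 bytes:  %d\n", init_request_complete(b, build_init(b, 7, 31, 56)));
    printf("7.36, 56 bytes:  %d\n", init_request_complete(b, build_init(b, 7, 36, 56)));
    printf("7.36, 104 bytes: %d\n", init_request_complete(b, build_init(b, 7, 36, 104)));
    return 0;
}
```

A 56-byte read is complete for a 7.31 peer but truncated for a 7.36 peer, which is the case a fixed short-struct length check would wrongly accept.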
Thomas Lamprecht [Fri, 22 May 2026 15:13:06 +0000 (17:13 +0200)]
qcow2: Fix data loss on zero write with detect-zeroes=unmap
Commit b8bfb1478d ("qcow2: Fix corruption on discard during write with
COW") added a wait_for_dependencies() at the start of
qcow2_subcluster_zeroize(). That fixes the inconsistency it set out to
fix, but turns the lock-protected pre-check in the caller,
qcow2_co_pwrite_zeroes(), into a stale one: the wait yields s->lock,
so an in-flight allocating write whose QCowL2Meta is already on
s->cluster_allocs (but whose L2 entry is not yet linked) gets to link
its entry during the yield. When the zeroize wakes, the cluster is now
NORMAL, and with BDRV_REQ_MAY_UNMAP the free path in zero_in_l2_slice()
unmaps the just-written cluster, silently dropping the data write's
payload.
This is reachable with detect-zeroes=unmap (the default for VirtIO
disks with discard on in Proxmox VE), under which the block layer
auto-promotes all-zero buffers to BDRV_REQ_ZERO_WRITE |
BDRV_REQ_MAY_UNMAP. A memory-constrained Debian guest running 'apt
full-upgrade' on such a disk reproduces it as random SIGSEGVs:
swapped-out code pages come back as zero.
Wait for in-flight dependencies before the lock-protected check in
qcow2_co_pwrite_zeroes(). If a write linked its L2 entry during the
wait, the type check now fails and the block layer falls back to a
bounce-buffered zero write that only touches the requested subrange,
preserving the racing write's data. Promote wait_for_dependencies() to
qcow2_wait_for_dependencies() so qcow2.c can call it.
Fixes: b8bfb1478d ("qcow2: Fix corruption on discard during write with COW") Cc: qemu-stable@nongnu.org Tested-by: Fiona Ebner <f.ebner@proxmox.com> Reviewed-by: Fiona Ebner <f.ebner@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Message-ID: <20260522151318.238064-1-t.lamprecht@proxmox.com>
[kwolf: Reverted unnecessary change to 'nr' assignment] Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Kevin Wolf [Thu, 21 May 2026 10:18:54 +0000 (12:18 +0200)]
iotests/136: Test stats-intervals with -blockdev/-device
Commit 9f0c763e introduced the "stats-intervals" qdev property for
block devices, a setting that was previously only accessible with
-drive. Extend the corresponding test to include test cases that set the
property on -device instead, both with -drive and -blockdev.
We wouldn't really improve coverage with testing every combination of
account_invalid and account_failed with all modes to set up statistics,
so it seems good enough to test all combinations with the old way, and
only both True or both False with the additional ways.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20260521101854.31997-1-kwolf@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Denis V. Lunev [Wed, 20 May 2026 23:59:52 +0000 (01:59 +0200)]
qemu-img: add sub-command --remove-all to 'qemu-img bitmap'
From time to time it is needed to remove all bitmaps from the image.
Before this patch the process is not very convenient. One should
perform
    qemu-img info
and parse the output to obtain all names. After that one should
sequentially call
    qemu-img bitmap --remove
for each present bitmap.
The patch adds --remove-all sub-command to 'qemu-img bitmap'. The
new sub-command also composes with other bitmap actions in the same
invocation, so a common "wipe and recreate" workflow can be expressed
as
    qemu-img bitmap --remove-all --add NEW FILE
instead of enumerating existing bitmaps, removing them one by one,
and only then adding the fresh one.
Cc: Kevin Wolf <kwolf@redhat.com> Cc: Hanna Czenczek <hreitz@redhat.com> Signed-off-by: Denis V. Lunev <den@openvz.org>
Message-ID: <20260520235952.500250-1-den@openvz.org> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Check that the iovec containing struct virtio_scsi_inhdr is large enough
before storing an error value there.
Feifan Qian <bea1e@proton.me> pointed out that this can be used to
corrupt heap memory when the descriptor uses an MMIO address and a
length of 1, forcing QEMU to allocate a 1-byte heap bounce buffer.
virtio_stl_p() stores 4 bytes and therefore corrupts whatever is beyond
the bounce buffer.
Fixes: CVE-2026-48914 Fixes: f34e73cd69bd ("virtio-blk: report non-zero status when failing SG_IO requests") Reported-by: Feifan Qian <bea1e@proton.me> Cc: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20260526154957.1741622-1-stefanha@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
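The bounds check described in the commit message above, as an added sketch that is not QEMU's code. The header model follows the four 32-bit fields of struct virtio_scsi_inhdr in the Linux UAPI headers; the helper names, the little-endian store and the rule of requiring room for the whole header are assumptions, and the buffers are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

/* Model of the guest-visible header (assumption: errors is the first field). */
struct inhdr_model {
    uint32_t errors;
    uint32_t data_len;
    uint32_t sense_len;
    uint32_t residual;
};

/* Stand-in for a 4-byte store such as virtio_stl_p(): always writes 4 bytes. */
static void store_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) {
        p[i] = (uint8_t)(v >> (8 * i));
    }
}

/* Hypothetical helper: report an error value only if the guest-supplied
 * iovec can hold the header; otherwise write nothing and let the caller
 * fail the request. */
bool report_inhdr_errors(const struct iovec *iov, uint32_t errors)
{
    if (iov == NULL || iov->iov_base == NULL ||
        iov->iov_len < sizeof(struct inhdr_model)) {
        return false;
    }
    store_le32((uint8_t *)iov->iov_base +
               offsetof(struct inhdr_model, errors), errors);
    return true;
}

/* Constructed case: a descriptor of length 1. Only region[0] belongs to
 * the iovec; the remaining bytes model whatever follows a 1-byte bounce
 * buffer on the heap and must stay untouched. */
int undersized_iovec_is_rejected(void)
{
    uint8_t region[8];
    memset(region, 0xAA, sizeof(region));
    struct iovec iov = { .iov_base = region, .iov_len = 1 };
    if (report_inhdr_errors(&iov, 255)) {
        return 0;
    }
    for (size_t i = 0; i < sizeof(region); i++) {
        if (region[i] != 0xAA) {
            return 0;
        }
    }
    return 1;
}

/* Constructed case: a full-size header receives the value in its first 4 bytes. */
int full_header_is_written(void)
{
    struct inhdr_model hdr;
    memset(&hdr, 0, sizeof(hdr));
    struct iovec iov = { .iov_base = &hdr, .iov_len = sizeof(hdr) };
    const uint8_t *raw = (const uint8_t *)&hdr;
    return report_inhdr_errors(&iov, 255) &&
           raw[0] == 255 && raw[1] == 0 && raw[2] == 0 && raw[3] == 0;
}

int main(void)
{
    printf("undersized rejected: %d\n", undersized_iovec_is_rejected());
    printf("full header written: %d\n", full_header_is_written());
    return 0;
}
```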
* tag 'block-pull-request' of https://gitlab.com/stefanha/qemu:
MAINTAINERS: remove Julia Suvorova from Linux io_uring
block/io: fallback to bounce buffer if BLKZEROOUT is not supported because of alignment
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Mon, 8 Jun 2026 13:28:42 +0000 (09:28 -0400)]
Merge tag 'pull-aspeed-20260608' of https://github.com/legoater/qemu into staging
aspeed queue:
* Convert 14 Aspeed device models to DEFINE_TYPES().
* Improve Aspeed I2C: unify DMA address handling with a dma_addr_lo_mask
field and increase the AST2700 buffer mode size.
* Add ADC, PECI, GPIO, SGPIO, I2C and watchdog support to the AST1040
SoC model, and wire onboard I2C devices to the AST1040 EVB.
* Fix DW-I3C CMD/data FIFO reset values to match real silicon, rename
queue capacity properties from _bytes to _words, keeping the old
names as aliases for backward compatibility.
* tag 'pull-aspeed-20260608' of https://github.com/legoater/qemu: (37 commits)
hw/i3c: keep _bytes aliases for renamed queue-capacity properties
hw/i3c: rename DW-I3C queue capacity fields from _bytes to _words
hw/i3c: fix CMD/data FIFO depth reset values to match real silicon
hw/arm/aspeed_ast1040: Reuse AST2700 watchdog models
hw/arm/aspeed_ast1040_evb: Introduce onboard I2C device
hw/arm/aspeed_ast1040: Introduce I2C support
hw/i2c/aspeed_i2c: Introduce AST1040 I2C model
hw/arm/aspeed_ast1040: Add SGPIO controller support
hw/arm/aspeed_ast1040: Reuse AST2700 GPIO controller model
hw/arm/aspeed_ast1040: Introduce PECI support
hw/arm/aspeed_ast1040: Reuse AST2700 ADC model
hw/i2c/aspeed_i2c: Increase AST2700 buffer mode size and adjust offset
hw/i2c/aspeed_i2c: Introduce dma_addr_lo_mask to unify DMA address handling
hw/ssi/aspeed_smc: Convert to DEFINE_TYPES() with inlined TypeInfo
hw/net/ftgmac100: Convert to DEFINE_TYPES() with inlined TypeInfo
hw/i2c/aspeed_i2c: Convert to DEFINE_TYPES() with inlined TypeInfo
hw/pci-host/aspeed_pcie: Convert to DEFINE_TYPES() with inlined TypeInfo
hw/fsi/aspeed_apb2opb: Convert to DEFINE_TYPES() with inlined TypeInfo
hw/timer/aspeed_timer: Convert to DEFINE_TYPES() with inlined TypeInfo
hw/nvram/aspeed_otp: Convert to DEFINE_TYPES() with inlined TypeInfo
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Wed, 3 Jun 2026 19:47:32 +0000 (15:47 -0400)]
MAINTAINERS: remove Julia Suvorova from Linux io_uring
Julia's email is bouncing because she no longer works for Red Hat. She
has not responded when asked whether she wishes to update her email
address. Remove her old email address for now.
Cc: Markus Armbruster <armbru@redhat.com> Cc: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Message-id: 20260603194732.79041-1-stefanha@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Fiona Ebner [Mon, 5 Jan 2026 14:29:55 +0000 (15:29 +0100)]
block/io: fallback to bounce buffer if BLKZEROOUT is not supported because of alignment
Commit 5634622bcb ("file-posix: allow BLKZEROOUT with -t writeback")
enables the BLKZEROOUT ioctl when using 'writeback' cache, regressing
certain 'qemu-img convert' invocations, because of a pre-existing
issue. Namely, the BLKZEROOUT ioctl might fail with errno EINVAL when
the request is shorter than the block size of the block device.
Fallback to the bounce buffer, similar to when the ioctl is not
supported at all, rather than treating such an error as fatal.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3257
Resolves: https://bugzilla.proxmox.com/show_bug.cgi?id=7197 Cc: qemu-stable@nongnu.org Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Message-ID: <20260105143416.737482-1-f.ebner@proxmox.com>
[Added TODO comment describing a larger fix that could be implemented in
the future.
--Stefan] Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Jithu Joseph [Thu, 4 Jun 2026 14:22:06 +0000 (07:22 -0700)]
hw/i3c: keep _bytes aliases for renamed queue-capacity properties
The command-response/tx-rx/ibi queue-capacity properties were renamed
from "-bytes" to "-words". The "-bytes" names are user-visible and
shipped in v11.0.0 (reachable via e.g.
-global driver=dw.i3c,property=tx-rx-queue-capacity-bytes,...), so
register them as aliases of the new names to keep existing command
lines working.
object_property_add_alias() forwards both reads and writes to the
target property, so the old names behave exactly as before; introspection
and qom-get/qom-set continue to work under either name.
Jithu Joseph [Thu, 4 Jun 2026 14:22:05 +0000 (07:22 -0700)]
hw/i3c: rename DW-I3C queue capacity fields from _bytes to _words
The cmd/resp, tx/rx, and IBI queue capacity values are passed straight
to fifo32_create(), which interprets its capacity argument as a 32-bit
word count. The fields and device properties were therefore misnamed:
setting e.g. tx-rx-queue-capacity-bytes=N sized the backing FIFO to N
words, not N bytes.
Rename the three struct fields and matching device-property strings:
Defaults are unchanged (0x10 / 0x40 / 0x10) -- they were being
interpreted as word counts by fifo32_create() all along, just under a
misleading label. No behavioral change.
Jithu Joseph [Thu, 4 Jun 2026 14:22:04 +0000 (07:22 -0700)]
hw/i3c: fix CMD/data FIFO depth reset values to match real silicon
The Linux DW-I3C master driver infers controller queue depths at probe
by reading two status registers that report free queue slots, which at
probe (queues empty) equals the full depth. It then uses those values
to gate every I3C transfer -- any batch whose word count exceeds the
advertised depth is rejected with -EOPNOTSUPP.
Per the AST2600 datasheet the reset values are 0x10 and 0x40 (16 cmd
slots, 64 words = 256 B). QEMU was advertising 0x02 and 0x10, making
the kernel believe the controller can only do 64-byte transfers. The
visible symptom was -EOPNOTSUPP on any I3C transfer whose payload
exceeded 64 B (datafifodepth = 0x10 = 16 words = 64 B).
The underlying FIFOs in QEMU were already allocated at the right size
(fifo32_create takes word counts; the existing defaults give 16 cmd
slots and 64 data words). Only the advertised reset values were wrong.
Correct the reset values in dw_i3c_resets[], and additionally drive the
advertised depths from the queue-capacity configs in the reset handlers
(as is already done for the device/char table pointers), so a configured
override is reflected in what the guest reads instead of being silently
ignored. The advertised fields are 8-bit, so the depth saturates at 255
regardless of the wider capacity configs.
With this fix the guest sees datafifodepth=64 words and accepts
transfers up to 256 B.
Instantiate and realize the watchdog models for the AST1040 SoC.
The AST1040 watchdog controller is compatible with the AST2700 watchdog
controller, so reuse the existing AST2700 watchdog model.
Configure the AST1040 SoC with 8 watchdog instances and map them to
their corresponding MMIO regions. The first watchdog controller (WDT0) is
located at 0x74c37000, with subsequent watchdogs placed according to the
controller register space size.
Each watchdog is linked to the SCU device before realization to provide the
required reset and system control interactions.
Jamin Lin [Wed, 3 Jun 2026 04:00:36 +0000 (04:00 +0000)]
hw/i2c/aspeed_i2c: Introduce AST1040 I2C model
Introduce the AST1040 I2C controller model.
The AST1040 I2C controller is compatible with the AST2700 I2C controller,
including DMA support and the 64-bit DMA address registers. Set has_dma64 so
firmware can access the high address register and program it to zero, as the
CM4 CPU only supports 32-bit addressing.
AST1040 has 14 I2C buses and its HyperRAM is limited to 16 MiB,
so restrict the DMA low address mask to 0x00ffffff.
Jamin Lin [Wed, 3 Jun 2026 04:00:32 +0000 (04:00 +0000)]
hw/arm/aspeed_ast1040: Reuse AST2700 ADC model
Instead of introducing a dedicated TYPE_ASPEED_1040_ADC model,
initialize the existing AST2700 ADC device directly for AST1040.
This avoids unnecessary duplication and keeps the codebase simpler
and easier to maintain.
Add ADC device initialization and realization support to the
AST1040 SoC model using TYPE_ASPEED_2700_ADC.
Jamin Lin [Wed, 3 Jun 2026 04:00:30 +0000 (04:00 +0000)]
hw/i2c/aspeed_i2c: Increase AST2700 buffer mode size and adjust offset
Update the AST2700 I2C buffer mode configuration to match
the latest firmware definition:
- Increase buffer mode pool size from 0x20 to 0x40
- Adjust buffer mode base offset to 0x1c0
Since the buffer mode region size changes, the migration state
layout is also modified. Bump the VMState version numbers to
prevent incompatible migration between old and new machine states.
Jamin Lin [Wed, 3 Jun 2026 04:00:29 +0000 (04:00 +0000)]
hw/i2c/aspeed_i2c: Introduce dma_addr_lo_mask to unify DMA address handling
The Aspeed I2C controller has two register layouts.
The AST2500 uses the old mode with a single DMA address register (I2CD_DMA_ADDR)
where the address is 4-byte aligned and masked to 0x3ffffffc.
From AST2600 onwards, the new mode provides separate master TX/RX and slave RX DMA
address registers (I2CM_DMA_TX_ADDR, I2CM_DMA_RX_ADDR, I2CS_DMA_RX_ADDR)
with different address widths per SoC:
AST2600 (new mode): 0x7fffffff - bits[30:0]
AST1030 (new mode): 0x7fffffff - bits[30:0]
AST1060 (new mode): 0x7fffffff - bits[30:0]
AST2700 (new mode): 0xffffffff - bits[31:0]
Introduce dma_addr_lo_mask as a per-class attribute and apply it
uniformly when storing DMA address register writes and when loading
the address into dma_dram_offset for both master and slave paths.
This replaces the previous FIELD_EX32 extractions (which incorrectly
stripped bit 31 on AST2700) and the hardcoded 0x3ffffffc literal in
the old-mode path.
Jamin Lin [Mon, 1 Jun 2026 02:50:35 +0000 (02:50 +0000)]
hw/net/ftgmac100: Convert to DEFINE_TYPES() with inlined TypeInfo
Replace the legacy type_register_static()/type_init() registration
pattern with the modern DEFINE_TYPES() macro.
Inline 2 standalone TypeInfo variables (ftgmac100_info,
aspeed_mii_info) directly into the 'ftgmac100_types[]' array,
removing the need for separate declarations. Note that this file
covers both the Faraday FTGMAC100 Gigabit Ethernet controller and
the Aspeed MII controller, which share the same type registration.
Jamin Lin [Mon, 1 Jun 2026 02:50:33 +0000 (02:50 +0000)]
hw/i2c/aspeed_i2c: Convert to DEFINE_TYPES() with inlined TypeInfo
Replace the legacy type_register_static()/type_init() registration
pattern with the modern DEFINE_TYPES() macro.
Inline 9 standalone TypeInfo variables (aspeed_i2c_bus_info,
aspeed_i2c_bus_slave_info, aspeed_i2c_info as abstract base,
aspeed_2400_i2c_info, aspeed_2500_i2c_info, aspeed_2600_i2c_info,
aspeed_1030_i2c_info and aspeed_2700_i2c_info) directly into the
'aspeed_i2c_types[]' array, removing the need for
separate declarations.