Jamin Lin [Mon, 1 Jun 2026 02:50:32 +0000 (02:50 +0000)]
hw/pci-host/aspeed_pcie: Convert to DEFINE_TYPES() with inlined TypeInfo
Replace the legacy type_register_static()/type_init() registration
pattern with the modern DEFINE_TYPES() macro.
Inline 6 standalone TypeInfo variables (aspeed_pcie_phy_info, aspeed_2700_pcie_phy_info,
aspeed_pcie_root_port_info, aspeed_pcie_rc_info, aspeed_pcie_cfg_info and
aspeed_2700_pcie_cfg_info) directly into the 'aspeed_pcie_types[]'
array, removing the need for separate declarations.
Jamin Lin [Mon, 1 Jun 2026 02:50:31 +0000 (02:50 +0000)]
hw/fsi/aspeed_apb2opb: Convert to DEFINE_TYPES() with inlined TypeInfo
Replace the legacy type_register_static()/type_init() registration
pattern with the modern DEFINE_TYPES() macro.
This file contains two independent subsystems (aspeed_apb2opb and
fsi_opb), each with its own type_init() call. Both are converted to
separate DEFINE_TYPES() blocks to preserve the original registration
boundary.
Inline the standalone 'aspeed_apb2opb_info' and 'fsi_opb_info'
TypeInfo variables directly into their respective types arrays,
removing the need for separate declarations.
Jamin Lin [Mon, 1 Jun 2026 02:50:29 +0000 (02:50 +0000)]
hw/timer/aspeed_timer: Convert to DEFINE_TYPES() with inlined TypeInfo
Replace the legacy type_register_static()/type_init() registration
pattern with the modern DEFINE_TYPES() macro.
Inline 6 standalone TypeInfo variables (aspeed_timer_info as abstract
base, aspeed_2400_timer_info, aspeed_2500_timer_info,
aspeed_2600_timer_info, aspeed_1030_timer_info, aspeed_2700_timer_info)
directly into the 'aspeed_timer_types[]' array, removing the need for
separate declarations.
Jamin Lin [Mon, 1 Jun 2026 02:50:26 +0000 (02:50 +0000)]
hw/watchdog/wdt_aspeed: Convert to DEFINE_TYPES() with inlined TypeInfo
Replace the legacy type_register_static()/type_init() registration
pattern with the modern DEFINE_TYPES() macro.
Inline 6 standalone TypeInfo variables (aspeed_wdt_info as abstract
base, aspeed_2400_wdt_info, aspeed_2500_wdt_info, aspeed_2600_wdt_info,
aspeed_1030_wdt_info, aspeed_2700_wdt_info) directly into the
'aspeed_wdt_types[]' array, removing the need for separate declarations.
Jamin Lin [Mon, 1 Jun 2026 02:50:22 +0000 (02:50 +0000)]
hw/intc/aspeed_intc: convert to DEFINE_TYPES() with inlined TypeInfo
Replace the legacy type_register_static()/type_init() registration
pattern with the modern DEFINE_TYPES() macro.
Inline 9 standalone TypeInfo variables (aspeed_intc_info as abstract
base, aspeed_2700_intc_info, aspeed_2700_intcio_info,
aspeed_2700_intcioexp1_info, aspeed_2700_intcioexp2_info,
aspeed_2700ssp_intc_info, aspeed_2700ssp_intcio_info,
aspeed_2700tsp_intc_info, aspeed_2700tsp_intcio_info) directly into
the 'aspeed_intc_types[]' array, removing the need for separate
declarations.
Jamin Lin [Mon, 1 Jun 2026 02:50:20 +0000 (02:50 +0000)]
hw/gpio/aspeed_sgpio: Convert to DEFINE_TYPES() with inlined TypeInfo
Replace the legacy type_register_static()/type_init() registration
pattern with the modern DEFINE_TYPES() macro.
Inline 2 standalone TypeInfo variables (aspeed_sgpio_info and
aspeed_sgpio_ast2700_info) directly into the 'aspeed_sgpio_types[]'
array, removing the need for separate declarations.
Jamin Lin [Mon, 1 Jun 2026 02:50:19 +0000 (02:50 +0000)]
hw/gpio/aspeed_gpio: Convert to DEFINE_TYPES() with inlined TypeInfo
Replace the legacy type_register_static()/type_init() registration
pattern with the modern DEFINE_TYPES() macro.
Inline 7 standalone TypeInfo variables (aspeed_gpio_info as abstract
base, aspeed_2400_gpio_info, aspeed_2500_gpio_info,
aspeed_2600_1_8v_gpio_info, aspeed_2600_3_3v_gpio_info,
aspeed_1030_gpio_info, aspeed_2700_gpio_info)
directly into the 'aspeed_gpio_types[]'
array, removing the need for separate declarations.
Jamin Lin [Mon, 1 Jun 2026 02:50:16 +0000 (02:50 +0000)]
hw/adc/aspeed_adc: Convert to DEFINE_TYPES() with inlined TypeInfo
Replace the legacy type_register_static()/type_init() registration
pattern with the modern DEFINE_TYPES() macro.
Inline 7 standalone TypeInfo variables (aspeed_adc_engine_info,
aspeed_adc_info as abstract base, aspeed_2400_adc_info,
aspeed_2500_adc_info, aspeed_2600_adc_info, aspeed_1030_adc_info,
aspeed_2700_adc_info) directly into the 'aspeed_adc_types[]' array,
removing the need for separate declarations. Note that aspeed_2400 and
aspeed_2500 variants carry only .name and .parent with no class_init.
Jamin Lin [Mon, 1 Jun 2026 02:50:14 +0000 (02:50 +0000)]
hw/misc/aspeed_xdma: Convert to DEFINE_TYPES() with inlined TypeInfo
Replace the legacy type_register_static()/type_init() registration
pattern with the modern DEFINE_TYPES() macro.
Inline 4 standalone TypeInfo variables (aspeed_xdma_info as abstract
base, aspeed_2400_xdma_info, aspeed_2500_xdma_info,
aspeed_2600_xdma_info) directly into the 'aspeed_xdma_types[]'
array, removing the need for separate declarations.
Jamin Lin [Mon, 1 Jun 2026 02:50:13 +0000 (02:50 +0000)]
hw/misc:aspeed_sli: Convert to DEFINE_TYPES() with inlined TypeInfo
Replace the legacy type_register_static()/type_init() registration
pattern with the modern DEFINE_TYPES() macro.
Inline 3 standalone TypeInfo variables (aspeed_sli_info as abstract
base, aspeed_2700_sli_info, aspeed_2700_sliio_info) directly into the
'aspeed_sli_types[]' array, removing the need for separate
declarations.
Jamin Lin [Mon, 1 Jun 2026 02:50:11 +0000 (02:50 +0000)]
hw/misc/aspeed_sdmc: Convert to DEFINE_TYPES() with inlined TypeInfo
Replace the legacy type_register_static()/type_init() registration
pattern with the modern DEFINE_TYPES() macro.
Inline 5 standalone TypeInfo variables (aspeed_sdmc_info as abstract
base, aspeed_2400_sdmc_info, aspeed_2500_sdmc_info,
aspeed_2600_sdmc_info, aspeed_2700_sdmc_info) directly into the
'aspeed_sdmc_types[]' array, removing the need for separate
declarations.
Jamin Lin [Mon, 1 Jun 2026 02:50:10 +0000 (02:50 +0000)]
hw/misc/aspeed_scu: Convert to DEFINE_TYPES() with inlined TypeInfo
Replace the legacy type_register_static()/type_init() registration
pattern with the modern DEFINE_TYPES() macro.
Inline 7 standalone TypeInfo variables (aspeed_scu_info as abstract
base, aspeed_2400_scu_info, aspeed_2500_scu_info, aspeed_2600_scu_info,
aspeed_1030_scu_info, aspeed_2700_scu_info, aspeed_2700_scuio_info)
directly into the 'aspeed_scu_types[]' array, removing the need for
separate declarations.
Jamin Lin [Mon, 1 Jun 2026 02:50:08 +0000 (02:50 +0000)]
hw/misc/aspeed_sbc: Convert to DEFINE_TYPES() with inlined TypeInfo
Replace the legacy type_register_static()/type_init() registration
pattern with the modern DEFINE_TYPES() macro.
Inline 3 standalone TypeInfo variables (aspeed_2600_sbc_info,
aspeed_ast10x0_sbc_info, aspeed_sbc_info) directly into the
'aspeed_sbc_types[]' array, removing the need for separate
declarations.
Jamin Lin [Mon, 1 Jun 2026 02:50:05 +0000 (02:50 +0000)]
hw/misc/aspeed_ltpi: Convert to DEFINE_TYPES() with inlined TypeInfo
Replace the legacy type_register_static()/type_init() registration
pattern with the modern DEFINE_TYPES() macro.
Inline the standalone 'aspeed_ltpi_info' TypeInfo variable directly
into the 'aspeed_ltpi_types[]' array, removing the need for a separate
declaration.
Jamin Lin [Mon, 1 Jun 2026 02:50:02 +0000 (02:50 +0000)]
hw/misc/aspeed_hace: Convert to DEFINE_TYPES() with inlined TypeInfo
Replace the legacy type_register_static()/type_init() registration
pattern with the modern DEFINE_TYPES() macro.
Inline 6 standalone TypeInfo variables (aspeed_hace_info as abstract
base, aspeed_2400_hace_info, aspeed_2500_hace_info,
aspeed_2600_hace_info, aspeed_1030_hace_info, aspeed_2700_hace_info)
directly into the 'aspeed_hace_types[]' array, removing the need for
separate declarations.
Stefan Hajnoczi [Sat, 6 Jun 2026 18:47:04 +0000 (14:47 -0400)]
Merge tag 'qom-tests-pr-v2' of https://gitlab.com/marcandre.lureau/qemu into staging
Fix various QOM object life-cycle issues
This series adds a new "qom-tests" qtest command that exercises basic QOM
object life-cycle: it instantiates all non-abstract object types, gets/sets
their properties, and unrefs them. This quickly surfaces leaks and crashes
that could otherwise be triggered at runtime via QMP qom commands.
* tag 'qom-tests-pr-v2' of https://gitlab.com/marcandre.lureau/qemu: (23 commits)
qtest: add "qom-tests" command
hw/i2c/pmbus: fix undefined behavior in pmbus_direct_mode2data
target/riscv: use hash table as set for user_options
target/riscv: fix general_user_opts hash table leak
hw/ppc/spapr: free host_model and host_serial on finalization
hw/loongarch/virt: free flash devices and OEM strings on finalization
hw/tpm: free PPI buffer on finalization
hw/i386/pc: free pcspk on finalization
hw/i386/nitro_enclave: add instance finalize
target/i386/kvm/tdx: free strings in tdx_guest_finalize
target/i386/sev: add finalize functions and fix leaking setters
net/filter: free old values in property setters
hw/core/machine: free shim_filename on finalization
system/ioport: minor code simplification
backends/cryptodev-lkcf: skip cleanup when not initialized
hw/intc/apic: move checks to realize()
hw/xlnx_dp: reject NULL 'dpdma' property rather than crash
hw/ipmi: reject NULL 'bmc' property rather than crash
hw/pci-host/q35: handle NULL bus in pci-hole64 getters
hw/pci-host/i440fx: handle NULL bus in pci-hole64 getters
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Sat, 6 Jun 2026 18:46:04 +0000 (14:46 -0400)]
Merge tag 's390x-20260605' of https://gitlab.com/cohuck/qemu into staging
s390x updates:
- several fixes, mostly pci related, also in the STSI implementation
- fix up some file patterns in MAINTAINERS
- stop looking for ESA/390 (pre-64 bit zArch) hosts
# -----BEGIN PGP SIGNATURE-----
#
# iIgEABYKADAWIQRpo7U29cv8ZSCAJsHeiLtWQd5mwQUCaiLhyBIcY29odWNrQHJl
# ZGhhdC5jb20ACgkQ3oi7VkHeZsGWiwD9FBIWXkKmaiGHf9ZExaUQIOJQhwz6E3rY
# mePjnFxbxXcBALq/ODbmy38XDHLzXTzPFIiSXA6Y5xM02IA2zqd0GOQO
# =okD7
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 05 Jun 2026 10:48:40 EDT
# gpg: using EDDSA key 69A3B536F5CBFC65208026C1DE88BB5641DE66C1
# gpg: issuer "cohuck@redhat.com"
# gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>" [unknown]
# gpg: aka "Cornelia Huck <cohuck@kernel.org>" [unknown]
# gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>" [full]
# gpg: aka "Cornelia Huck <huckc@linux.vnet.ibm.com>" [full]
# gpg: aka "Cornelia Huck <cohuck@redhat.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0 18CE DECF 6B93 C6F0 2FAF
# Subkey fingerprint: 69A3 B536 F5CB FC65 2080 26C1 DE88 BB56 41DE 66C1
* tag 's390x-20260605' of https://gitlab.com/cohuck/qemu:
buildsys: Stop checking for ESA/390 host
MAINTAINERS: Fix tcg/s390x/ path
MAINTAINERS: Fix s390x storage key/attribute device paths
s390x/pci: Fix interrupt forwarding disable for interpreted devices
hw/s390x/ccw: Mark virtio-pci disable-legacy property as optional
target/s390x: Make container ids in SysIB_15x 1-based
hw/s390x: Fix memory leaks after removing elements with QTAILQ_REMOVE
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
hw/i2c/pmbus: fix undefined behavior in pmbus_direct_mode2data
The intermediate result of (Y * 10^-R - b) / m can be negative when
the bias (b) is large and the raw register value is small (e.g. zero
on an uninitialized device). Assigning that negative double to uint32_t
is undefined behavior, caught by UBSan/clang.
Use a double intermediate and clamp negative results to zero (suggested
by Daniel Berrangé).
Fixes: 3746d5c15e70 ("hw/i2c: add support for PMBus")
Reviewed-by: Titus Rwantare <titusr@google.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
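The undefined conversion described above, as an added example that is not QEMU's hw/i2c/pmbus code: a constructed DIRECT-format decoder for X = (Y * 10^-R - b) / m, with the negative intermediate kept visible as a double, a helper that reports when narrowing it to uint32_t would be out of range, and the clamped variant. The DirectCoeffs type and all function names are assumptions for this example; the upper-end saturation goes beyond the commit's change, which only clamps negatives to zero.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU's hw/i2c/pmbus code: a constructed decoder for
 * the PMBus DIRECT format quoted in the commit, X = (Y * 10^-R - b) / m.
 * The struct and function names are assumptions for this example. */
typedef struct {
    int32_t m;   /* slope */
    int64_t b;   /* offset (bias) */
    int32_t R;   /* decimal exponent */
} DirectCoeffs;

/* 10^-R without libm: R > 0 scales the raw value down, R < 0 scales it up. */
static double pow10_neg(int32_t R)
{
    double p = 1.0;
    int32_t n = R < 0 ? -R : R;

    for (int32_t i = 0; i < n; i++) {
        p *= 10.0;
    }
    return R > 0 ? 1.0 / p : p;
}

/* The intermediate value kept as a double, sign preserved. */
static double direct_mode2data_raw(DirectCoeffs c, uint16_t y)
{
    return (y * pow10_neg(c.R) - (double)c.b) / (double)c.m;
}

/* Before the fix the intermediate was assigned straight to uint32_t.
 * C leaves that conversion undefined when the value is negative or
 * at least 2^32, which is what UBSan reported. This helper only reports
 * whether the narrowing would be out of range; it never performs it. */
static int direct_mode2data_is_ub(DirectCoeffs c, uint16_t y)
{
    double x = direct_mode2data_raw(c, y);
    return x < 0.0 || x >= 4294967296.0;
}

/* After the fix: clamp in the double domain, then narrow. The commit clamps
 * negatives to zero; this example also saturates the upper end, which goes
 * beyond the page's change. */
static uint32_t direct_mode2data_clamped(DirectCoeffs c, uint16_t y)
{
    double x = direct_mode2data_raw(c, y);

    if (x < 0.0) {
        return 0;
    }
    if (x >= 4294967296.0) {
        return UINT32_MAX;
    }
    return (uint32_t)x;
}

int main(void)
{
    /* Constructed coefficients with a large bias; the register reads 0,
     * as on an uninitialized device. */
    DirectCoeffs c = { .m = 1, .b = 100, .R = 0 };

    printf("raw=%g would_be_ub=%d clamped=%u\n",
           direct_mode2data_raw(c, 0), direct_mode2data_is_ub(c, 0),
           direct_mode2data_clamped(c, 0));
    return 0;
}
```

With m = 1, b = 100, R = 0 and a raw register value of 0 the intermediate is -100; the unclamped narrowing is exactly the case UBSan flags, while the clamped decoder returns 0.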
target/riscv: use hash table as set for user_options
The values stored in user_options are never retrieved, only key
presence is checked. Use g_hash_table_add() instead of
g_hash_table_insert() and drop the unused value parameter.
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
hw/loongarch/virt: free flash devices and OEM strings on finalization
Flash devices created in virt_initfn() via qdev_new() hold an extra
reference that is only dropped on sysbus_realize_and_unref(). When the
machine is destroyed before realization, the flash objects leak. Also,
the oem_id and oem_table_id strings from g_strndup() are never freed.
Fixes: 445c9c645 ("hw/loongarch/virt: Allow user to customize OEM ID and OEM table ID")
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
The PPI buffer is allocated with qemu_memalign() in instance_init but
never freed when the device is destroyed.
Fixes: 46cd2c1050f0 ("hw/tpm: add PPI support to tpm-tis-device for ARM64 virt")
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Property setter strings (vsock, id, parent_role, parent_id) were
never freed because nitro_enclave_machine_info had no
instance_finalize.
Fixes: f1826463d2e8 ("machine/nitro-enclave: New machine type for AWS Nitro Enclaves")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
target/i386/kvm/tdx: free strings in tdx_guest_finalize
tdx_guest_finalize was empty, so mrconfigid, mrowner, and
mrownerconfig set by property setters were never freed.
Fixes: d05a0858cf87 ("i386/tdx: Support user configurable mrconfigid/mrowner/mrownerconfig")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
target/i386/sev: add finalize functions and fix leaking setters
None of the three SEV types (sev-common, sev-guest, sev-snp-guest)
had instance_finalize functions, so all string fields allocated
during init or by property setters were leaked on object destruction.
Add sev_common_finalize, sev_guest_finalize, and
sev_snp_guest_finalize to free the allocated fields.
Also fix sev_common_set_sev_device, sev_guest_set_dh_cert_file,
and sev_guest_set_session_file to free the old value before
replacing it.
netfilter_set_position and netfilter_set_netdev_id overwrote their
respective fields with g_strdup without freeing the previous value,
leaking memory on each property write.
Fixes: fdccce459621 ("init/cleanup of netfilter object")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
backends/cryptodev-lkcf: skip cleanup when not initialized
cryptodev_lkcf_cleanup() locks a mutex that is only initialized
during the init vfunc (called at realize time). When the backend
is destroyed without ever being realized, the mutex is uninitialized
and the lock aborts.
Return early from cleanup when the backend was never started.
Note: it looks like cryptodev init/cleanup callbacks should rather be
regular complete/finalize overrides (calling the parent method).
Fixes: 39fff6f3e8b3 ("cryptodev: Add a lkcf-backend for cryptodev")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
apic_common_set_id() dereferences s->cpu to check for x2APIC support
when the APIC ID is >= 255. On a standalone APIC object that has not
been attached to a CPU, s->cpu is NULL, causing a segfault.
To solve this, move validation during realize().
Fixes: b5ee0468e9d2 ("apic: add support for x2APIC mode")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
hw/pci-host/q35: handle NULL bus in pci-hole64 getters
When called on an unrealized Q35 host bridge (e.g. from
qmp_qom_list_properties), h->bus is NULL since the root bus is only
created during realize. Guard against this in both the
pci_hole64_start and pci_hole64_end getters.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
hw/pci-host/i440fx: handle NULL bus in pci-hole64 getters
When called on an unrealized i440FX host bridge (e.g. from
qmp_qom_list_properties), h->bus is NULL since the root bus is only
created during realize. Guard against this in both
pci_hole64_start and pci_hole64_end getters, reporting an error.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
hw/pci-bridge: handle missing parent in prop_pxb_uid_get
When called on an unrealized pxb bus (e.g. from
qmp_qom_list_properties), bus->parent_dev is NULL. The pxb_bus_num()
callback dereferences it unconditionally. Check for this to avoid a
NULL dereference.
Fixes: 97b9cb066e5f ("hw/pci-bridge: Add acpi_uid property to TYPE_PXB_BUS")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
When called on an unrealized device (e.g. from
qmp_qom_list_properties), pci_get_bus() returns NULL since the device
has no parent bus. Check for this to avoid a NULL dereference in
pci_bus_num().
Fixes: df9ac7254fd9 ("hw/pci: Add a busnr property to pci_props and use for acpi/gi")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
We still build QEMU tools on 32-bit hosts (see commit cf634dfcd8f);
however, no OS supported by QEMU still runs on ESA/390 (Linux dropped
support in release 4.1 in 2015).
Remove the configure check, directly checking for the 64-bit
z/Architecture.
Farhan Ali [Thu, 21 May 2026 18:29:46 +0000 (11:29 -0700)]
s390x/pci: Fix interrupt forwarding disable for interpreted devices
Remove the FH_MASK_ENABLE check when disabling interrupt forwarding
during device reset. This check was broken for the default case in
the switch statement above, preventing proper cleanup of interrupt
forwarding.
The pbdev->aif check in s390_pci_kvm_aif_disable() already guards
against double-disabling of interrupt forwarding.
Jaehoon Kim [Wed, 20 May 2026 18:33:58 +0000 (13:33 -0500)]
hw/s390x/ccw: Mark virtio-pci disable-legacy property as optional
The s390-ccw-virtio-11.0 compatibility property for TYPE_VIRTIO_PCI
"disable-legacy" causes QEMU to abort when instantiating
vhost-user-fs-pci devices:
Unexpected error in object_property_find_err() at
../qom/object.c:1284:
qemu-system-s390x: -device vhost-user-fs-pci: can't apply
global virtio-pci.disable-legacy=off: Property
'vhost-user-fs-pci.disable-legacy' not found
The issue occurs because some vhost-user devices like
vhost-user-fs-pci only implement the non-transitional variant
and do not define a generic device type. Non-transitional
devices have disable-legacy hardcoded to "on" and do not
expose it as a property, while only generic device types have
the "disable-legacy" property. This affects users running
older machine versions (11.0 and earlier) even when using the
latest QEMU version.
Mark the global property as optional so it only applies to
devices that actually have the property, allowing vhost-user
devices without a generic variant to be instantiated
successfully on older machine versions.
Fixes: 26103c13cff0 ("hw/s390x/ccw: Disable legacy virtio-pci by default (v11.1+)")
Signed-off-by: Jaehoon Kim <jhkim@linux.ibm.com>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-ID: <20260520183403.223983-1-jhkim@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Alexandra Winter [Mon, 11 May 2026 13:49:09 +0000 (15:49 +0200)]
target/s390x: Make container ids in SysIB_15x 1-based
The Container Id in a container-type TLE of SysIB_15x is defined as 8-bit
unsigned nonzero integer. Make stsi fc 15 emulation architecture compliant,
by starting the container ids at 1 for the lowest numbered container.
The qemu misbehaviour without this patch becomes obvious due to a recently
proposed kernel fix. Older linux kernels pass the container ids from stsi
fc15 unchanged to sysfs, i.e. starting at 1 on s390 hardware. This resulted
in off-by-one values when compared to the values from HMC. A Linux kernel
fix is being proposed to correct the sysfs topology ids by -1, so they
start at 0, e.g. when displayed by 'lscpu -ye'. In case a KVM guest with a
fixed kernel runs on a host with a qemu without this fix, this can result
in container ids erroneously being shown as 255.
Example (Fixed guest on unfixed qemu):
$ lscpu -ye
CPU NODE DRAWER BOOK SOCKET CORE L1d:L1i:L2 ONLINE CONFIGURED POLARIZATION ADDRESS
0 0 255 255 255 0 0:0:0 yes yes vert-medium 0
1 0 255 255 0 1 1:1:1 yes yes vert-medium 1
After this fix:
$ lscpu -ye
CPU NODE DRAWER BOOK SOCKET CORE L1d:L1i:L2 ONLINE CONFIGURED POLARIZATION ADDRESS
0 0 0 0 0 0 0:0:0 yes yes vert-medium 0
1 0 0 0 1 1 1:1:1 yes yes vert-medium 1
Fixes: f4f54b582f ("target/s390x/cpu topology: handle STSI(15) and build the SYSIB")
Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
Acked-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Reviewed-by: Gautam Gala <ggala@linux.ibm.com>
Message-ID: <20260511134909.43802-1-wintera@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Stefan Hajnoczi [Tue, 2 Jun 2026 16:24:54 +0000 (12:24 -0400)]
gitlab: remove x64-freebsd-14-build Cirrus job
Cirrus has shut down and the x64-freebsd-14-build is failing:
https://gitlab.com/qemu-project/qemu/-/jobs/14656732122
Remove the x64-freebsd-14-build job to get the CI pipeline passing
again. The next commit will be to remove Cirrus integration from the
GitLab YAML and lcitool since it is no longer used.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Reviewed-by: Warner Losh <imp@bsdimp.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
Message-id: 20260602162457.828969-2-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Denis V. Lunev [Wed, 20 May 2026 21:26:28 +0000 (23:26 +0200)]
tests/unit: add test-envlist covering setenv/unsetenv name matching
util/envlist had no test coverage. Add tests/unit/test-envlist
exercising the public envlist API and pinning down the prefix-match
hazard fixed in the previous commit:
- envlist_unsetenv("FOO") must not remove an entry named "FOOBAR";
- envlist_setenv("FOO=...") must not replace an existing "FOOBAR=..."
entry placed earlier in the list (envlist_setenv() inserts at the
head, so the first prefix match wins under the old strncmp rule).
Also cover the rest of the contract: head-insertion order observed
through envlist_to_environ(), replacement of an existing variable,
the count argument of envlist_to_environ(), and the documented EINVAL
paths (NULL inputs, setenv without '=', unsetenv with '=').
Signed-off-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20260520212628.479772-3-den@openvz.org
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Denis V. Lunev [Wed, 20 May 2026 21:26:27 +0000 (23:26 +0200)]
util/envlist: fix prefix-match in envlist_unsetenv() name lookup
envlist_unsetenv() looked up the entry to remove with
strncmp(entry->ev_var, env, strlen(env)). The comparison length is
the requested name's length, so any stored entry whose name *starts*
with that name compares equal. envlist_setenv() inserts at the head
of the list, so the first hit wins: with FOO=... stored first and
FOOBAR=... stored afterward, envlist_unsetenv("FOO") iterates from
the head, matches FOOBAR=... on the prefix, and drops it instead of
FOO=...
linux-user and bsd-user reach this code via the -U command-line
switch, so the bug is reachable from a normal qemu-user invocation.
envlist_setenv() used the same strncmp pattern but with
envname_len = (eq_sign - env + 1), so the '=' byte sat inside the
compared window and acted as an implicit boundary. setenv was
therefore not buggy -- but the safety lived in the byte layout of
ev_var rather than in the entry, so a future edit could easily
drift the two sites apart again.
Store the name length on each entry at insertion time and compare
with explicit length equality plus memcmp via a small helper. Use
the helper at both lookup sites so the boundary becomes a
structural property of the entry: envlist_unsetenv() stops
prefix-matching, and envlist_setenv()'s self-search no longer
depends on the '=' byte serving as a sentinel.
Fixes: 04a6dfebb6b5 ("linux-user: Add generic env variable handling")
Signed-off-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20260520212628.479772-2-den@openvz.org
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
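The prefix-match hazard and the fix described in the two envlist commits above, as an added example that is not QEMU's util/envlist.c: a minimal head-inserting list with the old strncmp lookup rule and the fixed length-equality-plus-memcmp rule side by side, so the "unset FOO drops FOOBAR" case from the commit message can be reproduced. Every type and function name here is constructed; entries keep the caller's string pointer rather than copying it, which is sufficient for string-literal input.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not QEMU's util/envlist.c: a minimal head-inserting
 * environment list reproducing the prefix-match hazard described above.
 * All names are constructed; entries keep the caller's string pointer
 * instead of copying it, which is enough for string-literal input. */
typedef struct EnvEntry {
    struct EnvEntry *next;
    const char *var;  /* "NAME=value" */
    size_t name_len;  /* length of NAME, recorded at insertion (the fix) */
} EnvEntry;

typedef struct { EnvEntry *head; } EnvList;

/* Fixed rule: exact length equality plus memcmp, so no prefix can match. */
static int exact_match(const EnvEntry *e, const char *name, size_t len)
{
    return e->name_len == len && memcmp(e->var, name, len) == 0;
}

/* Old rule: strncmp bounded by strlen(name) also accepts longer names. */
static int prefix_match(const EnvEntry *e, const char *name, size_t len)
{
    return strncmp(e->var, name, len) == 0;
}

/* Replace an existing NAME in place, else insert "NAME=value" at the head. */
static int envlist_setenv(EnvList *l, const char *env)
{
    const char *eq = strchr(env, '=');
    size_t len = eq ? (size_t)(eq - env) : 0;
    EnvEntry *e;
    if (len == 0) {
        return -1;                       /* EINVAL: no name or no '=' */
    }
    for (e = l->head; e; e = e->next) {
        if (exact_match(e, env, len)) {
            e->var = env;
            return 0;
        }
    }
    e = calloc(1, sizeof(*e));
    e->var = env;
    e->name_len = len;
    e->next = l->head;
    l->head = e;
    return 0;
}

/* Unlink and free the first entry accepted by match(); the old and the
 * fixed envlist_unsetenv() differ only in which rule is passed here. */
static int envlist_unsetenv_with(EnvList *l, const char *name,
                                 int (*match)(const EnvEntry *, const char *, size_t))
{
    for (EnvEntry **pp = &l->head; *pp; pp = &(*pp)->next) {
        if (match(*pp, name, strlen(name))) {
            EnvEntry *victim = *pp;
            *pp = victim->next;
            free(victim);
            return 0;
        }
    }
    return -1;                           /* not present */
}

static const char *envlist_get(const EnvList *l, const char *name)
{
    for (const EnvEntry *e = l->head; e; e = e->next) {
        if (exact_match(e, name, strlen(name))) {
            return e->var + e->name_len + 1;
        }
    }
    return NULL;
}

static void envlist_free(EnvList *l)
{
    for (EnvEntry *e; (e = l->head) != NULL; ) {
        l->head = e->next;
        free(e);
    }
}

/* Scenario from the commit: FOO stored first, FOOBAR afterward (so FOOBAR
 * sits at the head), then unset "FOO". Returns 1 when FOO is gone and
 * FOOBAR survives, 0 when the wrong entry was dropped. */
static int unset_foo_keeps_foobar(int use_fixed_rule)
{
    EnvList l = { NULL };
    int ok;
    envlist_setenv(&l, "FOO=1");
    envlist_setenv(&l, "FOOBAR=2");
    envlist_unsetenv_with(&l, "FOO", use_fixed_rule ? exact_match : prefix_match);
    ok = envlist_get(&l, "FOO") == NULL && envlist_get(&l, "FOOBAR") != NULL;
    envlist_free(&l);
    return ok;
}
```

With the old rule the walk from the head hits FOOBAR=2 first, strncmp compares only three bytes, and FOOBAR is the entry that disappears; with the stored name length the boundary is a property of the entry, so both the unset and the replacement search in envlist_setenv() compare whole names.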
Shiju Jose [Fri, 6 Mar 2026 10:14:22 +0000 (10:14 +0000)]
hw/cxl/events: Fix handling of component ID in event records generation to not assume it is a string
Fix handling of component ID in event records generation to not assume it
is a string. Component ID in CXL events is 16 bytes of data, but event record
generation copied only 15 bytes from the qmp "component-id" field using
strncpy. Replace strncpy with memcpy and copy the entire component ID
data.
Fixes: ea9b6d647f2f ("hw/cxl/events: Add injection of General Media Events")
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Signed-off-by: Shiju Jose <shiju.jose@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260306101423.986-4-shiju.jose@huawei.com>
Shiju Jose [Fri, 6 Mar 2026 10:14:21 +0000 (10:14 +0000)]
hw/cxl: Add fixes in Post Package Repair (PPR)
Add the following fixes to the commit "hw/cxl: Add support for Maintenance
command and Post Package Repair (PPR)".
In cxl_perform_ppr(), remove and free the maintenance entry from QLIST
if match is found and PPR operation is performed.
Fixes: 5e5a86bab830 ("hw/cxl: Add support for Maintenance command and Post Package Repair (PPR)")
Signed-off-by: Shiju Jose <shiju.jose@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260306101423.986-3-shiju.jose@huawei.com>
Shiju Jose [Fri, 6 Mar 2026 10:14:20 +0000 (10:14 +0000)]
hw/cxl: Fix handling of component ID to not assume it is a string
Add the following fixes:
1. Coverity reports a warning (CID 1645325) for use of strncpy() in
handling of component ID. In cxl_create_mem_sparing_event_records(),
fix handling of component ID to not assume it is a string by replacing
strncpy with memcpy to solve this warning and copy the entire component
ID data, which is 16 bytes.
2. In cxl_maintenance_insert(),
- replace strncpy with memcpy to copy the full component ID, which is
16 bytes of data.
- remove the memset, which is not required.
Fixes: 5e5a86bab830 ("hw/cxl: Add support for Maintenance command and Post Package Repair (PPR)")
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Shiju Jose <shiju.jose@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260306101423.986-2-shiju.jose@huawei.com>
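The strncpy-versus-memcpy point made in the two CXL component-ID commits above, as an added example that is not QEMU's hw/cxl code: a 16-byte binary component ID copied with a 15-byte strncpy loses everything after an embedded 0x00 byte and never writes the last byte, while memcpy preserves all 16. The COMPONENT_ID_LEN macro, the two copy routines and the sample IDs are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not QEMU's hw/cxl code: a CXL event-record component ID is
 * 16 bytes of binary data, so a 0x00 byte inside it is payload, not a
 * terminator. Macro, function and sample names are constructed here. */
#define COMPONENT_ID_LEN 16

/* Before the fix: a string copy bounded to 15 bytes. It stops at the
 * first NUL, zero-pads the rest, and never writes the 16th byte. */
static void copy_component_id_strncpy(uint8_t dst[COMPONENT_ID_LEN],
                                      const uint8_t src[COMPONENT_ID_LEN])
{
    memset(dst, 0, COMPONENT_ID_LEN);
    strncpy((char *)dst, (const char *)src, COMPONENT_ID_LEN - 1);
}

/* After the fix: copy every byte regardless of content. */
static void copy_component_id_memcpy(uint8_t dst[COMPONENT_ID_LEN],
                                     const uint8_t src[COMPONENT_ID_LEN])
{
    memcpy(dst, src, COMPONENT_ID_LEN);
}

/* Constructed sample IDs: one with a NUL byte at offset 3, one without. */
static const uint8_t id_with_nul[COMPONENT_ID_LEN] = {
    0x01, 0x02, 0x03, 0x00, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10
};
static const uint8_t id_no_nul[COMPONENT_ID_LEN] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10
};

/* Count how many of the 16 bytes survive the chosen copy routine. */
static int bytes_preserved(const uint8_t src[COMPONENT_ID_LEN], int use_memcpy)
{
    uint8_t dst[COMPONENT_ID_LEN];
    int n = 0;

    if (use_memcpy) {
        copy_component_id_memcpy(dst, src);
    } else {
        copy_component_id_strncpy(dst, src);
    }
    for (int i = 0; i < COMPONENT_ID_LEN; i++) {
        n += dst[i] == src[i];
    }
    return n;
}

int main(void)
{
    printf("strncpy, NUL inside: %d/16 bytes\n", bytes_preserved(id_with_nul, 0));
    printf("strncpy, no NUL:     %d/16 bytes\n", bytes_preserved(id_no_nul, 0));
    printf("memcpy:              %d/16 bytes\n", bytes_preserved(id_with_nul, 1));
    return 0;
}
```

The four surviving bytes in the embedded-NUL case are the three leading non-zero bytes plus the NUL itself; even an ID with no NUL at all loses its final byte to the 15-byte bound, which is the second defect the commits describe.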
Albert Esteve [Wed, 4 Mar 2026 16:52:23 +0000 (17:52 +0100)]
vhost-user-device: Add shared memory BAR
Add shared memory BAR support to vhost-user-device-pci
to enable direct file mapping for VIRTIO Shared
Memory Regions.
The implementation creates a consolidated shared
memory BAR that contains all VIRTIO Shared
Memory Regions as subregions. Each region is
configured with its proper shmid, size, and
offset within the BAR. The number and size of
regions are retrieved via VHOST_USER_GET_SHMEM_CONFIG
message sent by vhost-user-base during realization
after virtio_init().
Specifically, it uses BAR 4 to avoid conflicts, as
it is currently unused.
The shared memory BAR is only created when the
backend supports VHOST_USER_PROTOCOL_F_SHMEM and
has configured shared memory regions. This maintains
backward compatibility with backends that do not
support shared memory functionality.
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Albert Esteve <aesteve@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260304165223.2166175-8-aesteve@redhat.com>
Albert Esteve [Wed, 4 Mar 2026 16:52:22 +0000 (17:52 +0100)]
qmp: add shmem feature map
Add new vhost-user protocol
VHOST_USER_PROTOCOL_F_SHMEM feature to
feature map.
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Albert Esteve <aesteve@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260304165223.2166175-7-aesteve@redhat.com>
Albert Esteve [Wed, 4 Mar 2026 16:52:21 +0000 (17:52 +0100)]
vhost_user.rst: Add GET_SHMEM_CONFIG message
Add GET_SHMEM_CONFIG vhost-user frontend
message to the spec documentation.
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Alyssa Ross <hi@alyssa.is>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Albert Esteve <aesteve@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260304165223.2166175-6-aesteve@redhat.com>
Albert Esteve [Wed, 4 Mar 2026 16:52:20 +0000 (17:52 +0100)]
vhost_user: Add frontend get_shmem_config command
The frontend can use this command to retrieve
VirtIO Shared Memory Regions configuration from
the backend. The response contains the number of
shared memory regions, their size, and shmid.
This is useful when the frontend is unaware of
specific backend type and configuration,
for example, in the `vhost-user-device` case.
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Albert Esteve <aesteve@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260304165223.2166175-5-aesteve@redhat.com>
Albert Esteve [Wed, 4 Mar 2026 16:52:19 +0000 (17:52 +0100)]
vhost_user.rst: Add SHMEM_MAP/_UNMAP to spec
Add SHMEM_MAP/_UNMAP request to the vhost-user
spec documentation.
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Alyssa Ross <hi@alyssa.is>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Signed-off-by: Albert Esteve <aesteve@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260304165223.2166175-4-aesteve@redhat.com>
Albert Esteve [Wed, 4 Mar 2026 16:52:18 +0000 (17:52 +0100)]
vhost_user.rst: Align VhostUserMsg excerpt members
Add missing members to the VhostUserMsg excerpt in
the vhost-user spec documentation.
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Albert Esteve <aesteve@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260304165223.2166175-3-aesteve@redhat.com>
Albert Esteve [Wed, 4 Mar 2026 16:52:17 +0000 (17:52 +0100)]
vhost-user: Add VirtIO Shared Memory map request
Add SHMEM_MAP/UNMAP requests to vhost-user for dynamic management of
VIRTIO Shared Memory mappings.
This implementation introduces VirtioSharedMemoryMapping as a unified
QOM object that manages both the mapping metadata and MemoryRegion
lifecycle. This object provides reference-counted lifecycle management
with automatic cleanup of file descriptors and memory regions
through QOM finalization.
This request allows backends to dynamically map file descriptors into a
VIRTIO Shared Memory Region identified by their shmid. Maps are created
using memory_region_init_ram_from_fd() with configurable read/write
permissions, and the resulting MemoryRegions are added as subregions to
the shmem container region. The mapped memory is then advertised to the
guest VIRTIO drivers as a base address plus offset for reading and
writing according to the requested mmap flags.
The backend can unmap memory ranges within a given VIRTIO Shared Memory
Region to free resources. Upon receiving this message, the frontend
removes the MemoryRegion as a subregion and automatically unreferences
the VirtioSharedMemoryMapping object, triggering cleanup if no other
references exist.
Error handling has been improved to ensure consistent behavior across
handlers that manage their own vhost_user_send_resp() calls. Since
these handlers clear the VHOST_USER_NEED_REPLY_MASK flag, explicit
error checking ensures proper connection closure on failures,
maintaining the expected error flow.
Note the memory region commit for these operations needs to be delayed
until after we reply to the backend to avoid deadlocks. Otherwise,
the MemoryListener would send a VHOST_USER_SET_MEM_TABLE message
before the reply.
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Albert Esteve <aesteve@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260304165223.2166175-2-aesteve@redhat.com>
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Acked-by: Ani Sinha <anisinha@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260303092532.2410177-7-imammedo@redhat.com>
Igor Mammedov [Tue, 3 Mar 2026 09:25:16 +0000 (10:25 +0100)]
tests: acpi: x86/q35: add WDAT table test case
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Ani Sinha <anisinha@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260303092532.2410177-6-imammedo@redhat.com>
Igor Mammedov [Tue, 3 Mar 2026 09:25:15 +0000 (10:25 +0100)]
tests: acpi: x86/q35: whitelist new WDAT table
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Acked-by: Ani Sinha <anisinha@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260303092532.2410177-5-imammedo@redhat.com>
Igor Mammedov [Tue, 3 Mar 2026 09:25:14 +0000 (10:25 +0100)]
x86: q35: generate WDAT ACPI table
It will generate WDAT table [1] customized for TCO watchdog.
This allows Windows guests (Windows Server 2008/Vista+) to
use TCO watchdog using built-in generic driver, which
alleviates the need to install vendor specific drivers.
Given that enabling it might change guest behaviour
(both Windows/Linux) the feature is disabled by default.
Users that need it can enable the feature with
the following CLI option.
-machine wdat=on
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Ani Sinha <anisinha@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260303092532.2410177-4-imammedo@redhat.com>
Igor Mammedov [Tue, 3 Mar 2026 09:25:13 +0000 (10:25 +0100)]
x86: q35: add 'wdat' property
Used for enabling WDAT based watchdog for builtin iTCO watchdog.
Usage:
-M q35,wdat={on|off}
By default it is disabled.
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Ani Sinha <anisinha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260303092532.2410177-3-imammedo@redhat.com>
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Ani Sinha <anisinha@redhat.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260303092532.2410177-2-imammedo@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Thomas Huth [Tue, 17 Feb 2026 14:18:27 +0000 (15:18 +0100)]
hw/i386/pc: Add a proper owner for the ioport memory regions
Without a proper owner, the memory regions show up in /machine/unattached
in the QOM tree, which is something that should be avoided.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260217141827.534426-1-thuth@redhat.com>
Kuan-Wei Chiu [Sat, 28 Feb 2026 18:22:46 +0000 (18:22 +0000)]
virtio-rtc: Add basic virtio-rtc support
Introduce the core device and PCI bindings for the virtio-rtc device
(VIRTIO_ID_CLOCK).
This implementation provides a read-only clock that returns the host's
time (QEMU_CLOCK_HOST) to the guest. It handles fundamental control
requests, reporting a single supported clock of type
VIRTIO_RTC_CLOCK_UTC, and responds to standard read requests.
Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260228182246.700714-3-visitorckw@gmail.com>
Kuan-Wei Chiu [Sat, 28 Feb 2026 18:22:45 +0000 (18:22 +0000)]
standard-headers: Add virtio_rtc.h from Linux 7.0-rc1
Add virtio_rtc.h from the upstream Linux kernel using
scripts/update-linux-headers.sh.
Source:
- Linux commit 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f (v7.0-rc1)
- Author: Linus Torvalds <torvalds@linux-foundation.org>
- Date: Sun Feb 22 13:18:59 2026 -0800
Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260228182246.700714-2-visitorckw@gmail.com>
Sairaj Kodilkar [Mon, 2 Mar 2026 11:51:30 +0000 (17:21 +0530)]
amd_iommu: Generate XT interrupts when xt support is enabled
When MMIO 0x18[IntCapXTEn]=1, interrupts originating from the IOMMU itself are
sent based on the programming in XT IOMMU Interrupt Control Registers in MMIO
0x170-0x180 instead of the programming in the IOMMU's MSI capability registers.
The guest programs these registers with appropriate vector and destination
ID instead of writing to PCI MSI capability.
Current AMD vIOMMU is capable of generating interrupts only through PCI
MSI capability and does not care about xt mode. Because of this AMD
vIOMMU cannot generate event log interrupts when the guest has enabled
xt mode.
Introduce a new flag "intcapxten" which is set when guest writes control
register [IntCapXTEn] (bit 51) and use vector and destination field in
the XT MMIO register (0x170) to support XT mode.
Signed-off-by: Sairaj Kodilkar <sarunkod@amd.com>
Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
Reviewed-by: Alejandro Jimenez <alejandro.j.jimenez@oracle.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260302115130.5903-4-sarunkod@amd.com>
Sairaj Kodilkar [Mon, 2 Mar 2026 11:51:29 +0000 (17:21 +0530)]
amd_iommu: Turn on XT support only when guest has enabled it
Current code uses 32 bit destination ID irrespective of the fact that
guest has enabled x2APIC support through control register[XTEn] and
completely depends on command line parameter xtsup=on. This is not a
correct hardware behaviour and can cause problems in the guest which has
not enabled XT mode.
Introduce new flag "xten", which is enabled when guest writes 1 to the
control register bit 50 (XTEn). Also, add a new subsection in
`VMStateDescription` for backward compatibility during vm migration.
Signed-off-by: Sairaj Kodilkar <sarunkod@amd.com>
Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
Reviewed-by: Alejandro Jimenez <alejandro.j.jimenez@oracle.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260302115130.5903-3-sarunkod@amd.com>
Eugenio Pérez [Wed, 4 Mar 2026 17:35:35 +0000 (18:35 +0100)]
vhost: accept in order feature flag
Let's accept the feature flag with all the infrastructure to process it
in place.
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260304173535.2702587-8-eperezma@redhat.com>
Eugenio Pérez [Wed, 4 Mar 2026 17:35:34 +0000 (18:35 +0100)]
vhost: add in_order feature to shadow virtqueue
Some vdpa devices benefit from the in order feature. Add support to SVQ
so QEMU can migrate these.
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260304173535.2702587-7-eperezma@redhat.com>
Eugenio Pérez [Wed, 4 Mar 2026 17:35:33 +0000 (18:35 +0100)]
vhost: factor out the detach buf logic in SVQ
This code path is modified to handle in order devices. Abstract here so
we can generalize on the caller.
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260304173535.2702587-6-eperezma@redhat.com>
Eugenio Pérez [Wed, 4 Mar 2026 17:35:32 +0000 (18:35 +0100)]
vhost: factor out the get of last used desc in SVQ
This code path is modified to handle in order devices. Abstract here so
we can generalize on the caller.
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260304173535.2702587-5-eperezma@redhat.com>
Eugenio Pérez [Wed, 4 Mar 2026 17:35:31 +0000 (18:35 +0100)]
vhost: factor out the descriptor next fetching
The next field will not be used if IN_ORDER is enabled.
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260304173535.2702587-4-eperezma@redhat.com>
Eugenio Pérez [Wed, 4 Mar 2026 17:35:30 +0000 (18:35 +0100)]
vhost: move svq next desc array to descs state struct
It's the right place for it as it is part of the descriptor state. We
save the memory management of the array, and make the code changes of
the next patches easier.
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260304173535.2702587-3-eperezma@redhat.com>
Eugenio Pérez [Wed, 4 Mar 2026 17:35:29 +0000 (18:35 +0100)]
virtio: Allow to fill a whole virtqueue in order
As the while steps < max_steps is already one less than the vq size, the
right maximum max_steps variable is queue length, not the maximum
possible remainder of % vq->vring.num.
Fixes: b44135daa37 ("virtio: virtqueue_ordered_fill - VIRTIO_F_IN_ORDER support")
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260304173535.2702587-2-eperezma@redhat.com>
Eugenio Pérez [Wed, 4 Mar 2026 17:38:57 +0000 (18:38 +0100)]
net/vhost-vdpa: enable vqs before DRIVER_OK if no cvq
VDUSE does not forward the enable message to the userland device at the
moment, leaving the dataplane disabled. As there is no functional
difference if the device has no CVQ, enable them before DRIVER_OK in
that case.
For devices with a control vq, keep the enabling of the dataplane after
CVQ so QEMU can restore the device configuration.
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
Fixes: 6c4825476a43 ("vdpa: move vhost_vdpa_set_vring_ready to the caller")
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260304173857.2705296-1-eperezma@redhat.com>
There are two small issues in PCIEXBAR address mask handling:
- wrong bit positions for address mask bits (see PCIEXBAR description
in Q35 datasheet)
- incorrect usage of 64ADR_MASK
Due to this, attempting to write a valid PCIEXBAR address may cause it
to shift to another address, causing memory layout corruption where
emulated MMIO regions may overlap real (passed through) MMIO ranges. Fix
this by providing correct values.
Fixes: df2d8b3ed4 ("q35: Introduce q35 pc based chipset emulator")
Signed-off-by: Alexey Gerasimenko <x1917x@gmail.com>
Signed-off-by: Thierry Escande <thierry.escande@vates.tech>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260313164649.794591-4-thierry.escande@vates.tech>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Kuan-Wei Chiu [Sun, 15 Mar 2026 23:10:47 +0000 (23:10 +0000)]
vhost-user: Fix stale error logs and return values in teardown paths
Commit bc85aae42045 ("vhost-user: return failure if backend crash when
live migration") refactored the set_guest_notifiers error handling but
introduced two regressions across multiple vhost devices.
By moving the function call directly into the if condition, the
subsequent error_report prints the stale ret variable instead of the
actual error code. Additionally, the refactoring hardcoded a return
value of -1 rather than propagating the true error status to the
caller.
Fix these issues by storing the set_guest_notifiers result in a local
err variable.
Fixes: bc85aae42045 ("vhost-user: return failure if backend crash when live migration")
Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260315231047.310029-1-visitorckw@gmail.com>
Aditya Gupta [Thu, 26 Mar 2026 19:04:38 +0000 (00:34 +0530)]
hw/pci: Replace assert with bounds check and return
As reported in https://gitlab.com/qemu-project/qemu/-/work_items/3334,
callers of 'pci_host_config_{read,write}_common' can pass length as 8,
causing an assert failure.
The original issue with pnv_phb3 triggering the assert was fixed in a
previous commit.
Instead of asserting on invalid length, check if the length is valid
(<=4), otherwise return (with the failure error code in read).
Reported-by: Zexiang Zhang <chan9yan9@gmail.com>
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260326190438.734239-3-adityag@linux.ibm.com>
Max Makarov [Tue, 31 Mar 2026 13:47:21 +0000 (16:47 +0300)]
vhost-user-blk: do not force VIRTIO_BLK_F_SIZE_MAX
vhost_user_blk_get_features() unconditionally advertises
VIRTIO_BLK_F_SIZE_MAX regardless of what the backend reports in
its config. The built-in QSD vhost-user-blk backend sets
size_max=0, creating a contradictory state where the feature bit
tells the guest that size_max is valid but the value is zero.
The in-process virtio-blk device does not advertise
VIRTIO_BLK_F_SIZE_MAX (it also sets size_max=0 in config), so
guests never see this contradiction with native virtio-blk.
Linux tolerates size_max=0 because blk_validate_limits() silently
corrects max_segment_size=0 to BLK_MAX_SEGMENT_SIZE (65536).
Windows viostor, however, trusts the feature bit and uses the raw
size_max=0 in its scatter-gather calculations, producing
zero-length segments that hang I/O. The disk appears empty to
Windows (no GPT, no partitions), causing INACCESSIBLE_BOOT_DEVICE.
Stop force-adding VIRTIO_BLK_F_SIZE_MAX in the frontend. The
feature remains in user_feature_bits[], so backends that properly
advertise it with a valid config value will still work.
Signed-off-by: Max Makarov <maxpain@linux.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260331134721.96047-1-maxpain@linux.com>
Max Makarov [Tue, 31 Mar 2026 15:28:56 +0000 (18:28 +0300)]
vhost-user-blk-server: do not advertise VIRTIO_BLK_F_SIZE_MAX with size_max=0
The QSD vhost-user-blk backend advertises VIRTIO_BLK_F_SIZE_MAX but
sets size_max=0 in config, creating a contradictory state. The feature
bit tells the guest that size_max is valid, but the value is zero.
Windows viostor trusts the feature bit, reads size_max=0, and uses it
in scatter-gather calculations producing zero-length segments that hang
I/O. The disk appears empty (no GPT, no partitions), causing
INACCESSIBLE_BOOT_DEVICE BSOD. Linux tolerates this because
blk_validate_limits() silently corrects max_segment_size=0 to
BLK_MAX_SEGMENT_SIZE (65536).
This affects any VMM using QSD as a vhost-user-blk backend (QEMU,
Cloud Hypervisor, etc.), since both pass through SIZE_MAX from the
backend to the guest via feature intersection.
Remove VIRTIO_BLK_F_SIZE_MAX from the backend feature bits. The
size_max config field remains zero but is now ignored by guests since
the feature is not negotiated.
Signed-off-by: Max Makarov <maxpain@linux.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260331152856.1802-1-maxpain@linux.com>
amd_iommu: Reject non-decreasing NextLevel in fetch_pte()
The AMD-Vi specification requires that the NextLevel field for a page table
entry must not be greater or equal to the current page table entry level.
Enforce this to avoid infinite page walk loops on corrupted or buggy guest
page tables.
The initial implementation of fetch_pte() did not implement this check, but
was not vulnerable since the page walk code explicitly decremented the level
instead of retrieving it from the page table entry.
Cc: qemu-stable@nongnu.org
Reviewed-by: Sairaj Kodilkar <sarunkod@amd.com>
Signed-off-by: Alejandro Jimenez <alejandro.j.jimenez@oracle.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260330212817.992673-3-alejandro.j.jimenez@oracle.com>
amd_iommu: Follow root pointer before page walk and use 1-based levels
DTE[Mode] and PTE NextLevel encode page table levels as 1-based values, but
fetch_pte() currently uses a 0-based level counter, making the logic
harder to follow and requiring conversions between DTE mode and level.
Switch the page table walk logic to use 1-based level accounting in
fetch_pte() and the relevant macro helpers. To further simplify the page
walking loop, split the root page table access from the walk, i.e. rework
fetch_pte() to follow the DTE Page Table Root Pointer and retrieve the top
level pagetable entry before entering the loop, then iterate only over the
PDE/PTE entries.
The reworked algorithm fixes a page walk bug where the page size was
calculated for the next level before checking if the current PTE was already
a leaf/hugepage. That caused hugepage mappings to be reported as 4K pages,
leading to performance degradation and failures in some setups.
Fixes: a74bb3110a5b ("amd_iommu: Add helpers to walk AMD v1 Page Table format")
Cc: qemu-stable@nongnu.org
Reported-by: David Hoppenbrouwers <qemu@demindiro.com>
Reviewed-By: David Hoppenbrouwers <qemu@demindiro.com>
Reviewed-by: Sairaj Kodilkar <sarunkod@amd.com>
Signed-off-by: Alejandro Jimenez <alejandro.j.jimenez@oracle.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260330212817.992673-2-alejandro.j.jimenez@oracle.com>
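The NextLevel check and the root-first, 1-based walk described in the two amd_iommu entries above, as an added example in C that is not QEMU's fetch_pte(): a simplified page-table walk over a constructed three-level table, returning the page size of the level at which the leaf is found and refusing any entry whose NextLevel does not strictly decrease. The PTE layout used (present bit 0, NextLevel bits 11:9, address bits 51:12) is a simplified assumption of the AMD-Vi v1 format; permission bits and the NextLevel=7 default-page-size encoding are omitted.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified AMD-Vi v1 PTE layout (assumption for this example): bit 0 = present,
 * bits 11:9 = NextLevel, bits 51:12 = address of the next table or of the page.
 * Permission bits and the NextLevel=7 default-page-size encoding are omitted. */
#define PTE_PR            (1ULL << 0)
#define PTE_NEXT_LEVEL(p) (((p) >> 9) & 0x7)
#define PTE_ADDR(p)       ((p) & 0x000FFFFFFFFFF000ULL)
#define PAGE_SHIFT        12

/* Constructed guest memory holding the page tables at 4K-aligned offsets. */
static uint64_t guest_mem[2 * 4096 / 8];

/* Index the table at paddr with the 9 iova bits that belong to a 1-based level. */
static uint64_t read_pte(uint64_t paddr, uint64_t iova, unsigned level) {
    unsigned idx = (iova >> (PAGE_SHIFT + 9 * (level - 1))) & 0x1FF;
    return guest_mem[paddr / 8 + idx];
}

/* Walk from the DTE root pointer with mode = 1-based top level. Returns 0 and
 * the size of the page covering iova on success; -1 for a non-present entry or
 * a NextLevel that does not strictly decrease (which would otherwise loop). */
static int walk(uint64_t root, unsigned mode, uint64_t iova,
                uint64_t *page_size, unsigned *steps) {
    unsigned level = mode;
    uint64_t pte = read_pte(root, iova, level);   /* top-level entry, before the loop */
    *steps = 1;
    for (;;) {
        if (!(pte & PTE_PR)) return -1;
        unsigned next = PTE_NEXT_LEVEL(pte);
        if (next == 0) {                           /* leaf: size of *this* level */
            *page_size = 1ULL << (PAGE_SHIFT + 9 * (level - 1));
            return 0;
        }
        if (next >= level) return -1;              /* reject non-decreasing NextLevel */
        level = next;
        pte = read_pte(PTE_ADDR(pte), iova, level);
        (*steps)++;
    }
}

static uint64_t make_pte(uint64_t addr, unsigned next_level) {
    return PTE_ADDR(addr) | ((uint64_t)(next_level & 7) << 9) | PTE_PR;
}

/* Three-level table: root at 0x0000 -> level-2 table at 0x1000, whose entry 1
 * (iova 0x200000) is a 2M leaf and whose entry 2 (iova 0x400000) is a corrupt
 * entry pointing back at the same table with NextLevel == 2. */
static void build_tables(void) {
    guest_mem[0x0000 / 8 + 0] = make_pte(0x1000, 2);
    guest_mem[0x1000 / 8 + 1] = make_pte(0x200000, 0);
    guest_mem[0x1000 / 8 + 2] = make_pte(0x1000, 2);
}

/* Page size covering iova, or 0 if the walk fails. */
static uint64_t page_size_for(uint64_t iova) {
    uint64_t sz = 0; unsigned steps;
    build_tables();
    return walk(0, 3, iova, &sz, &steps) == 0 ? sz : 0;
}

/* Number of entries the walk touched before returning, for any outcome. */
static unsigned walk_steps(uint64_t iova) {
    uint64_t sz; unsigned steps;
    build_tables();
    walk(0, 3, iova, &sz, &steps);
    return steps;
}

int main(void) {
    printf("0x200000 -> page size 0x%llx\n", (unsigned long long)page_size_for(0x200000));
    printf("0x400000 -> page size 0x%llx after %u steps\n",
           (unsigned long long)page_size_for(0x400000), walk_steps(0x400000));
    return 0;
}
```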
vhost-user.rst: Explicitly allow front-end to write to kick FDs
Migration of back-end state happens while the device is suspended (i.e.
all vrings are stopped). To resume normal operation on the destination,
the vrings need to be started again with a kick (either a write on the
FD or the VHOST_USER_VRING_KICK in-band message if negotiated). While
these notifications are typically sent by the driver, it has no reason
to send them in the destination if it already sent them in the source as
the driver is unaware that a migration took place. Therefore it should
be the responsibility of the vhost-user front-end to ensure these vrings
are started. This is particularly necessary for queues where data only
flows from device to driver, such as those used by the vsock and input
devices.
This behavior is already used by some qemu vhost-user front-ends (e.g.
vhost-user-blk) and by front-ends implemented on other VMMs (e.g. CrosVm).
Adding it to the vhost-user documentation makes it explicit that this
strategy is permitted and suggests it to vhost-user front-end authors.
Explicitly documenting it is necessary because vring kicks appear
designed to originate in the driver, so having some originate in the
front-end can be counterintuitive and cause developers to waste time
looking for other alternatives or face pushback during code review.
Signed-off-by: Jorge E. Moreira <jemoreira@google.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260411021205.3592118-1-jemoreira@google.com>
Jonathan Cameron [Wed, 15 Apr 2026 14:30:39 +0000 (15:30 +0100)]
MAINTAINERS: Update CXL maintainers entry including adding linux-cxl list
The CXL maintainers entry needs an update.
For a while convention has been to +CC linux-cxl@vger.kernel.org to get
better coverage for CXL aspects so formalize that with an L entry.
Drop Fan as he has not been at Samsung for a while now.
Switch my email address over to my kernel.org one.
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260415143040.22223-1-Jonathan.Cameron@huawei.com>
libvduse: fix buffer overflow in vduse_queue_read_indirect_desc()
vduse_queue_read_indirect_desc() copies an indirect descriptor table
into a buffer in chunks when the table crosses a memory region
boundary. The destination is a struct vring_desc pointer but is
advanced by a byte count, so each increment moves the pointer by
read_len elements instead of read_len bytes, writing beyond the
buffer.
Use a char pointer for the destination so that the arithmetic
advances correctly.
While at it, change the source from a struct vring_desc pointer
to a void pointer: when the table is split across regions,
iova_to_va() can return a pointer into the middle of a descriptor,
so casting it to a struct vring_desc pointer is wrong. The pointer is
only used as a memcpy() source, so a void pointer is fine.
Fixes: CVE-2026-6425
Fixes: a6caeee811 ("libvduse: Add VDUSE (vDPA Device in Userspace) library")
Cc: qemu-stable@nongnu.org
Reported-by: DARKNAVY <vr@darknavy.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260417132645.121192-3-sgarzare@redhat.com>
libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc()
virtqueue_read_indirect_desc() copies an indirect descriptor table
into a buffer in chunks when the table crosses a memory region
boundary. The destination is a struct vring_desc pointer but is
advanced by a byte count, so each increment moves the pointer by
read_len elements instead of read_len bytes, writing beyond the
buffer.
Use a char pointer for the destination so that the arithmetic
advances correctly.
While at it, change the source from a struct vring_desc pointer
to a void pointer: when the table is split across regions,
vu_gpa_to_va() can return a pointer into the middle of a descriptor,
so casting it to a struct vring_desc pointer is wrong. The pointer is
only used as a memcpy() source, so a void pointer is fine.
Fixes: CVE-2026-6425
Fixes: 293084a719 ("libvhost-user: Support across-memory-boundary access")
Cc: qemu-stable@nongnu.org
Reported-by: DARKNAVY <vr@darknavy.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260417132645.121192-2-sgarzare@redhat.com>
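The pointer-arithmetic defect behind the libvduse and libvhost-user entries above, as an added example in C that is not QEMU's code: a chunked copy of an indirect descriptor table across a constructed two-region memory model, with the corrected char * destination and void * source, plus an integer-only calculation of where the original struct vring_desc * increment would have placed each chunk. The region layout, the gpa_to_va() stand-in for vu_gpa_to_va()/iova_to_va(), and the table contents are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the virtio split-ring descriptor: 16 bytes, no padding. */
struct vring_desc { uint64_t addr; uint32_t len; uint16_t flags; uint16_t next; };

/* Constructed guest memory: two regions. REGION_SIZE is not a multiple of 16,
 * so a table placed at TABLE_GPA is split in the middle of a descriptor. */
#define REGION_SIZE 40
#define NUM_DESC    4
#define TABLE_GPA   8
#define TABLE_LEN   (NUM_DESC * sizeof(struct vring_desc))
static unsigned char region_a[REGION_SIZE], region_b[REGION_SIZE];
static struct vring_desc expected[NUM_DESC];

/* Stand-in for vu_gpa_to_va()/iova_to_va(): translate gpa and clamp *plen to
 * the bytes left in that region; NULL when unmapped. */
static void *gpa_to_va(uint64_t gpa, size_t *plen) {
    unsigned char *base = gpa < REGION_SIZE ? region_a
                        : gpa < 2 * REGION_SIZE ? region_b : NULL;
    size_t off = gpa % REGION_SIZE;
    if (base && *plen > REGION_SIZE - off) *plen = REGION_SIZE - off;
    return base ? base + off : NULL;
}

/* Fixed chunked copy: char * destination (byte arithmetic), void * source.
 * Returns 0 on success, -1 if part of the table is unmapped. */
static int read_indirect_desc_fixed(struct vring_desc *desc, uint64_t addr, size_t len) {
    char *dst = (char *)desc;
    while (len) {
        size_t read_len = len;
        void *src = gpa_to_va(addr, &read_len);
        if (!src) return -1;
        memcpy(dst, src, read_len);
        len -= read_len;
        addr += read_len;
        dst += read_len;                 /* advances by read_len bytes */
    }
    return 0;
}

/* Byte offset into desc[] where the original loop (struct vring_desc *dst;
 * dst += read_len) would have placed chunk number chunk_index. Integer math
 * only, so nothing is written out of bounds here; (size_t)-1 if no such chunk. */
static size_t buggy_chunk_offset(uint64_t addr, size_t len, unsigned chunk_index) {
    size_t off = 0;
    for (unsigned i = 0; len; i++) {
        size_t read_len = len;
        if (!gpa_to_va(addr, &read_len)) break;
        if (i == chunk_index) return off;
        len -= read_len;
        addr += read_len;
        off += read_len * sizeof(struct vring_desc);   /* elements, not bytes */
    }
    return (size_t)-1;
}

/* Lay a constructed 4-entry table across the region boundary. */
static void setup_sample_table(void) {
    unsigned char raw[TABLE_LEN];
    size_t first = REGION_SIZE - TABLE_GPA;            /* 32 bytes land in region_a */
    memset(expected, 0, sizeof expected);
    for (unsigned i = 0; i < NUM_DESC; i++) {
        expected[i].addr = 0x1000 * (i + 1);
        expected[i].len = 512;
        expected[i].flags = i + 1 < NUM_DESC ? 1 : 0;  /* VRING_DESC_F_NEXT */
        expected[i].next = (uint16_t)(i + 1);
    }
    memcpy(raw, expected, TABLE_LEN);
    memcpy(region_a + TABLE_GPA, raw, first);
    memcpy(region_b, raw + first, TABLE_LEN - first);
}

/* 1 if the fixed reader reproduces the table exactly, 0 otherwise. */
static int check_fixed_copy(void) {
    struct vring_desc out[NUM_DESC];
    setup_sample_table();
    if (read_indirect_desc_fixed(out, TABLE_GPA, TABLE_LEN) != 0) return 0;
    return memcmp(out, expected, TABLE_LEN) == 0;
}
```

With this layout the second chunk (32 bytes) belongs at byte offset 32 of a 64-byte buffer, whereas the original increment would have placed it at offset 32 * 16 = 512.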