Merge tag 'hppa-updates-qemu-v11-pull-request' of https://github.com/hdeller/qemu-hppa into staging
Please pull fixes and updates for the parisc architecture:
- New SeaBIOS-hppa v21 with fixes for 715 machine
- ncr710 fixes for NetBSD and HP-UX on 715 machine
- 64-bit gdb support
Thanks!
Helge
# -----BEGIN PGP SIGNATURE-----
#
# iHUEABYKAB0WIQS86RI+GtKfB8BJu973ErUQojoPXwUCaUq53gAKCRD3ErUQojoP
# X0fqAP4wmQIDeyknz4uSZlfaNS7L6HElMrz1jiyyh0avKA/TjwD/UkSvVJJ5Ww7W
# DRx9W5Lg7if93+hQl00QnJGTzgQZQQo=
# =zro8
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 24 Dec 2025 02:48:46 AM AEDT
# gpg: using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F
# gpg: Good signature from "Helge Deller <deller@gmx.de>" [unknown]
# gpg: aka "Helge Deller <deller@kernel.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4544 8228 2CD9 10DB EF3D 25F8 3E5F 3D04 A7A2 4603
# Subkey fingerprint: BCE9 123E 1AD2 9F07 C049 BBDE F712 B510 A23A 0F5F
* tag 'hppa-updates-qemu-v11-pull-request' of https://github.com/hdeller/qemu-hppa:
target/hppa: add 64 bit support to gdbstub
scsi: ncr710: Fix CTEST FIFO status
scsi: ncr710: Fix DSA register
scsi: ncr710: Simplify disconnect handling
scsi: ncr710: Add LUN scanning
scsi: ncr710: Mark command complete in status phase and fix disconnect
scsi: ncr710: Fix table indirect addressing endianness
scsi: ncr710: Fix DMA State machine and flow control
scsi: ncr710: Fix interrupt related register handing
scsi: ncr710: Fix use after free in command_complete
scsi: ncr710: Add null pointer checks
target/hppa: Update SeaBIOS-hppa to version 21
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Merge tag 'next-pull-request' of https://gitlab.com/peterx/qemu into staging
memory + migration pull
- Pawel's misc fixes to mapped-ram when x-ignore-share is enabled
- Peter's series to cleanup migration error reporting
- Peter's added debug property for x-ignore-shared
- Part of Fabiano's series on unify capabilities and parameters
- Chuang's log_clear optimization on unaligned ramblocks
- Maintainer file update from Ben (CPR++) and David (MemoryAPI-)
# -----BEGIN PGP SIGNATURE-----
#
# iIgEABYKADAWIQS5GE3CDMRX2s990ak7X8zN86vXBgUCaUqnKhIccGV0ZXJ4QHJl
# ZGhhdC5jb20ACgkQO1/MzfOr1wbOSgD/b62g/6CnM3WtvzsGhOodjO1vixaYOxXk
# BO5k8x0mea8A/ibOOI4MreDfJ7cx6KtI+Pn2ooyJBPAtMJLYiPvaDmUF
# =KmkA
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 24 Dec 2025 01:28:58 AM AEDT
# gpg: using EDDSA key B9184DC20CC457DACF7DD1A93B5FCCCDF3ABD706
# gpg: issuer "peterx@redhat.com"
# gpg: Good signature from "Peter Xu <xzpeter@gmail.com>" [unknown]
# gpg: aka "Peter Xu <peterx@redhat.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: B918 4DC2 0CC4 57DA CF7D D1A9 3B5F CCCD F3AB D706
* tag 'next-pull-request' of https://gitlab.com/peterx/qemu: (31 commits)
MAINTAINERS: remove David from "Memory API" section
migration: merge fragmented clear_dirty ioctls
tests/qtest/migration: Pass MigrateStart into cancel tests
tests/qtest/migration: Pass MigrateCommon into test functions
migration: Use QAPI_CLONE_MEMBERS in query_migrate_parameters
migration: Extract code to mark all parameters as present
migration: Do away with usage of QERR_INVALID_PARAMETER_VALUE
migration: Remove checks for s->parameters has_* fields
migration: Add a flag to track block-bitmap-mapping input
migration: Run a post update routine after setting parameters
qapi/migration: Don't document MigrationParameter
migration: Remove MigrateSetParameters
migration: Normalize tls arguments
tests/qtest/migration: Add a NULL parameters test for TLS
migration: Add a qdev property for StrOrNull
migration: Fix leak of cpr_exec_command
migration: Fix leak of block_bitmap_mapping
MAINTAINERS: Update reviewers for CPR
migration/options: Add x-ignore-shared
migration: Use error_propagate() in migrate_error_propagate()
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
tests/qtest: Do not use versioned pc-q35-5.0 machine anymore
As of QEMU v10.2.0, the v5.0.0 machines are not usable anymore.
Use the latest x86 q35 machine instead, otherwise we get:
$ qemu-system-x86_64 -M pc-q35-5.0
qemu-system-x86_64: unsupported machine type: "pc-q35-5.0"
Use -machine help to list supported machines
See commit a35f8577a07 ("include/hw: add macros for deprecation
& removal of versioned machines") and f59ee044067 ("include/hw/boards:
cope with dev/rc versions in deprecation checks") for explanation
on automatically removed versioned machines.
scsi: ncr710: Fix interrupt related register handing
These fixes ensure proper interrupt signaling and status
register behavior during SCSI operations:
- Mask DFE bit in ncr710_update_irq()
- Remove manual ISTAT_DIP clearing, let ncr710_update_irq()
handle it consistently
- Fix SSTAT0 read to clear unconditionally when non zero
- Fix SSTAT2 read was returning DSTAT instead
- Preserve DFE status bit when clearing DSTAT
scsi: ncr710: Fix use after free in command_complete
Add proper hba_private pointer cleanup in ncr710_command_complete.
This prevents use after free errors from occurring.
This was causing memory corruption in NetBSD device initialization
when commands complete and the request structures were freed while
still being referenced.
MAINTAINERS: remove David from "Memory API" section
I don't have a lot of capacity to do any maintenance (or even review) of
"Memory API" lately, so remove myself. Fortunately we still do have two
other maintainers and one reviewer :)
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: David Hildenbrand (Red Hat) <david@kernel.org>
Link: https://lore.kernel.org/r/20251222141438.409218-1-david@kernel.org
Signed-off-by: Peter Xu <peterx@redhat.com>
Chuang Xu [Thu, 18 Dec 2025 11:42:20 +0000 (19:42 +0800)]
migration: merge fragmented clear_dirty ioctls
In our long-term experience in Bytedance, we've found that under
the same load, live migration of larger VMs with more devices is
often more difficult to converge (requiring a larger downtime limit).
Through some testing and calculations, we conclude that bitmap sync time
affects the calculation of live migration bandwidth.
When the addresses processed are not aligned, a large number of
clear_dirty ioctl occur (e.g. a 4MB misaligned memory can generate
2048 clear_dirty ioctls from two different memory_listener),
which increases the time required for bitmap_sync and makes it
more difficult for dirty pages to converge.
For a 64C256G vm with 8 vhost-user-net(32 queue per nic) and
16 vhost-user-blk(4 queue per blk), the sync time is as high as *73ms*
(tested with 10GBps dirty rate, the sync time increases as the dirty
page rate increases). Here are the parts of the sync time:
- sync from kvm to ram_list: 2.5ms
- vhost_log_sync: 3ms
- sync aligned memory from ram_list to RAMBlock: 5ms
- sync misaligned memory from ram_list to RAMBlock: 61ms
Attempt to merge those fragmented clear_dirty ioctls, then syncing
misaligned memory from ram_list to RAMBlock takes only about 1ms,
and the total sync time is only *12ms*.
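The coalescing idea behind this commit, as an added illustration that is not QEMU's code: a per-page "clear dirty" strategy issues one request for every dirty page, while a merged strategy issues one request per maximal run of consecutive dirty pages. The bitmap layout, the ClearStats type, issue_clear() and the two demo scenarios are constructed here; a real clear_dirty ioctl would take the (start, length) pair that issue_clear() only accounts for.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU's implementation: models merging of per-page
 * clear-dirty requests into one request per run of dirty pages. */

typedef struct {
    uint64_t calls;    /* number of clear requests issued */
    uint64_t pages;    /* pages covered by those requests in total */
    uint64_t max_run;  /* largest single request, in pages */
} ClearStats;

static bool page_is_dirty(const uint64_t *bitmap, uint64_t page)
{
    return (bitmap[page / 64] >> (page % 64)) & 1;
}

/* Stand-in for the ioctl: records the request instead of issuing it. */
static void issue_clear(ClearStats *st, uint64_t first_page, uint64_t npages)
{
    (void)first_page;
    st->calls++;
    st->pages += npages;
    if (npages > st->max_run) {
        st->max_run = npages;
    }
}

/* Fragmented strategy: one request per dirty page. */
ClearStats clear_dirty_per_page(const uint64_t *bitmap, uint64_t npages)
{
    ClearStats st = {0, 0, 0};
    for (uint64_t p = 0; p < npages; p++) {
        if (page_is_dirty(bitmap, p)) {
            issue_clear(&st, p, 1);
        }
    }
    return st;
}

/* Merged strategy: one request per maximal run of consecutive dirty pages. */
ClearStats clear_dirty_merged(const uint64_t *bitmap, uint64_t npages)
{
    ClearStats st = {0, 0, 0};
    uint64_t p = 0;
    while (p < npages) {
        if (!page_is_dirty(bitmap, p)) {
            p++;
            continue;
        }
        uint64_t start = p;
        while (p < npages && page_is_dirty(bitmap, p)) {
            p++;
        }
        issue_clear(&st, start, p - start);
    }
    return st;
}

/* Marks pages [first, first + count) dirty in a constructed bitmap. */
void mark_dirty_range(uint64_t *bitmap, uint64_t first, uint64_t count)
{
    for (uint64_t p = first; p < first + count; p++) {
        bitmap[p / 64] |= (uint64_t)1 << (p % 64);
    }
}

#define DEMO_PAGES 1024  /* 4 MiB of 4 KiB pages, the size quoted in the commit */

/* Constructed scenario A: the whole 4 MiB region dirty. Returns the request count. */
uint64_t demo_contiguous_calls(bool merged)
{
    uint64_t bitmap[DEMO_PAGES / 64] = {0};
    mark_dirty_range(bitmap, 0, DEMO_PAGES);
    ClearStats st = merged ? clear_dirty_merged(bitmap, DEMO_PAGES)
                           : clear_dirty_per_page(bitmap, DEMO_PAGES);
    return st.calls;
}

/* Constructed scenario B: three separate dirty runs with clean gaps between them. */
uint64_t demo_gapped_calls(bool merged)
{
    uint64_t bitmap[DEMO_PAGES / 64] = {0};
    mark_dirty_range(bitmap, 0, 100);
    mark_dirty_range(bitmap, 300, 7);
    mark_dirty_range(bitmap, 1000, 24);
    ClearStats st = merged ? clear_dirty_merged(bitmap, DEMO_PAGES)
                           : clear_dirty_per_page(bitmap, DEMO_PAGES);
    return st.calls;
}

int main(void)
{
    printf("contiguous: %llu per-page vs %llu merged\n",
           (unsigned long long)demo_contiguous_calls(false),
           (unsigned long long)demo_contiguous_calls(true));
    printf("gapped: %llu per-page vs %llu merged\n",
           (unsigned long long)demo_gapped_calls(false),
           (unsigned long long)demo_gapped_calls(true));
    return 0;
}
```

With the whole region dirty the per-page strategy issues 1024 requests (2048 with a second listener, the figure quoted above) where the merged one issues a single request; the request count of the merged strategy is bounded by the number of dirty runs rather than the number of dirty pages.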
Fabiano Rosas [Mon, 15 Dec 2025 22:00:11 +0000 (19:00 -0300)]
tests/qtest/migration: Pass MigrateCommon into test functions
With the upcoming addition of the config QDict, the tests will need a
better way of managing the memory of the test data than putting the
test arguments on the stack of the test functions. The config QDict
will need to be merged into the arguments of migrate_qmp* functions,
which causes a refcount increment, so the test functions would need to
allocate and deref the config QDict themselves.
A better approach is to already pass the arguments into the test
functions and do the memory management in the existing wrapper. There
is already migration_test_destroy(), which is called for every test.
Do the following:
- merge the two existing wrappers, migration_test_wrapper() and
migration_test_wrapper_full(). The latter pioneered passing
data into the tests, but now all tests will receive data, so we
don't need it anymore.
The usage of migration_test_wrapper_full() was in passing a slightly
different test name string into the cancel tests, so still keep the
migration_test_add_suffix() function.
- add (char *name, MigrateCommon *args) to the signature of all test
functions.
- alter any code to stop allocating args on the stack and instead use
the object that came as parameter.
- pass args around as needed.
- while here, order args (MigrateCommon) before args->start
(MigrateStart) and put a blank line in between.
Fabiano Rosas [Mon, 15 Dec 2025 21:59:59 +0000 (18:59 -0300)]
migration: Use QAPI_CLONE_MEMBERS in query_migrate_parameters
QAPI_CLONE_MEMBERS is a better option than copying parameters one by
one because it operates on the entire struct and follows pointers. It
also avoids the need to alter this function every time a new parameter
is added.
For this to work, the has_* fields of s->parameters need to be already
set beforehand, so move migrate_mark_all_params_present() to the init
routine.
Fabiano Rosas [Mon, 15 Dec 2025 21:59:58 +0000 (18:59 -0300)]
migration: Extract code to mark all parameters as present
MigrationParameters needs to have all of its has_* fields marked as
true when used as the return of query_migrate_parameters because the
corresponding QMP command has all of its members non-optional by
design, despite them being marked as optional in migration.json.
Extract this code into a function and make it assert if any field is
missing. With this we ensure future changes will not inadvertently
leave any parameters missing.
Note that the block-bitmap-mapping is a special case because the empty
list is considered a valid value, so it has historically not been
present in the command's output if it has never been set.
Fabiano Rosas [Mon, 15 Dec 2025 21:59:56 +0000 (18:59 -0300)]
migration: Remove checks for s->parameters has_* fields
The migration parameters validation produces a temporary structure
which is the merge of the current parameter values (s->parameters,
MigrationParameters) with the new parameters set by the user
(former MigrateSetParameters).
When copying the values from s->parameters into the temporary
structure, the has_* fields are copied along, but when merging the
user-input values they are not.
During migrate_params_check(), only the parameters that have the
corresponding has_* field will be checked, so only the parameters that
were initialized in migrate_params_init() will be validated.
This causes (almost) all of the migration parameters to be validated
every time a parameter is set, regardless of which fields the user
touched, but it also skips validation of any values that are not set
in migrate_params_init().
It's not clear what was the intention of the original code, whether to
validate all fields always, or only validate what the user input
changed. Since the current situation is closer to the former option,
make the choice of validating all parameters by removing the checks
for the has_* fields when validating.
Note that bringing the user input into the temporary structure for
validation still needs to look at the has_* fields, otherwise any
parameters not set by the user (i.e. 0) would override the
corresponding value in s->parameters.
The empty migrate_params_init() will be kept because subsequent
patches will add code to it.
Fabiano Rosas [Mon, 15 Dec 2025 21:59:55 +0000 (18:59 -0300)]
migration: Add a flag to track block-bitmap-mapping input
The QAPI converts an empty list on the block-bitmap-mapping input into
a NULL BitmapMigrationNodeAliasList. The empty list is a valid input
for the block-bitmap-mapping option, so commit 3cba22c9ad ("migration:
Fix block_bitmap_mapping migration") started using the
s->parameters.has_block_bitmap_mapping field to tell when the user has
passed in an empty list vs. when no list has been passed at all.
Using s->parameters.has_block_bitmap_mapping field is only possible
because MigrationParameters has had its members made optional due to
historical reasons.
In order to make improvements to the way configuration options are set
for a migration, we'd like to reduce the open-coded usage of the has_*
fields of the global configuration object (s->parameters).
Add a separate boolean to track the status of the block_bitmap_mapping
option.
No functional change intended.
(this was verified to not regress iotest 300, which is the test that 3cba22c9ad refers to)
Fabiano Rosas [Mon, 15 Dec 2025 21:59:54 +0000 (18:59 -0300)]
migration: Run a post update routine after setting parameters
Some migration parameters are updated immediately once they are set
via migrate-set-parameters. Move that work outside of
migrate_params_apply() and leave that function with the single
responsibility of setting s->parameters and not doing any
side-effects.
Fabiano Rosas [Mon, 15 Dec 2025 21:59:53 +0000 (18:59 -0300)]
qapi/migration: Don't document MigrationParameter
The MigrationParameter (singular) enumeration is not part of the
migration QMP API, it's only used for nicely converting HMP strings
into MigrationParameters (plural) members and for providing readline
completion.
Documenting this enum only serves to duplicate documentation between
MigrationParameter and MigrationParameters.
Add an exception to QAPI's pragma.json and stop documenting it.
The generated "QEMU QMP Reference Manual" now lists the enum members
as "Not documented." Tolerable.
Fabiano Rosas [Mon, 15 Dec 2025 21:59:52 +0000 (18:59 -0300)]
migration: Remove MigrateSetParameters
Now that the TLS options have been made the same between
migrate-set-parameters and query-migrate-parameters, a single type can
be used. Remove MigrateSetParameters.
The TLS options documentation from MigrationParameters were replaced
with the ones from MigrateSetParameters which was more complete.
Fabiano Rosas [Mon, 15 Dec 2025 21:59:51 +0000 (18:59 -0300)]
migration: Normalize tls arguments
The migration parameters tls_creds, tls_authz and tls_hostname
currently have a non-uniform handling. When used as arguments to
migrate-set-parameters, their type is StrOrNull and when used as
return value from query-migrate-parameters their type is a plain
string.
Not only having to convert between the types is cumbersome, but it
also creates the issue of requiring two different QAPI types to be
used, one for each command. MigrateSetParameters is used for
migrate-set-parameters with the TLS arguments as StrOrNull while
MigrationParameters is used for query-migrate-parameters with the TLS
arguments as str.
Since StrOrNull could be considered a superset of str, change the type
of the TLS arguments in MigrationParameters to StrOrNull. Also ensure
that QTYPE_QNULL is never used.
1) migrate-set-parameters will always write QTYPE_QSTRING to
s->parameters, either an empty or non-empty string.
2) query-migrate-parameters will always return a QTYPE_QSTRING, either
empty or non-empty.
3) the migrate_tls_* helpers will always return a non-empty string or
NULL, for the internal migration code's consumption.
Points (1) and (2) above help simplify the parameters validation and
the query command handling because s->parameters is already kept in
the format that query-migrate-parameters (and info migrate_parameters)
expect. Point (3) is so people don't need to care about StrOrNull in
migration code.
This will allow the type duplication to be removed in the next
patches.
Note that the type of @tls_creds, @tls-hostname, @tls-authz changes
from str to StrOrNull in introspection of the query-migrate-parameters
command. We accept this imprecision to enable de-duplication.
There's no need to free the TLS options in
migration_instance_finalize() because they're freed by the qdev
properties .release method.
Temporary in this patch:
migrate_params_test_apply() copies s->parameters into a temporary
structure, so it's necessary to drop the references to the TLS options
if they were not set by the user to avoid double-free. This is fixed
in the next patches.
Acked-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/r/20251215220041.12657-6-farosas@suse.de
[peterx: in hmp_info_migrate_parameters(), remove an extra dump of
max_postcopy_bandwidth, introduced likely by accident]
Signed-off-by: Peter Xu <peterx@redhat.com>
Fabiano Rosas [Mon, 15 Dec 2025 21:59:50 +0000 (18:59 -0300)]
tests/qtest/migration: Add a NULL parameters test for TLS
Make sure the TLS options handling is working correctly with a NULL
parameter. This is relevant due to the usage of StrOrNull for the
tls-creds, tls-authz and tls-hostname options.
With this, all manners of passing TLS options are somehow covered by
the tests, we should not need to do manual testing when touching TLS
options code.
Fabiano Rosas [Mon, 15 Dec 2025 21:59:49 +0000 (18:59 -0300)]
migration: Add a qdev property for StrOrNull
The MigrationState is a QOM object with TYPE_DEVICE as a parent. This
was done about eight years ago so the migration code could make use of
qdev properties to define the defaults for the migration parameters
and to be able to expose migration knobs for debugging via the
'-global migration' command line option.
Due to unrelated historical reasons, three of the migration parameters
(TLS options) received different types when used via the
query-migrate-parameters QMP command than with the
migrate-set-parameters command. This has created a lot of duplication
in the migration code and in the QAPI documentation because the whole
of MigrationParameters had to be duplicated as well.
The migration code is now being fixed to remove the duplication and
for that to happen the offending fields need to be reconciled into a
single type. The StrOrNull type is going to be used.
To keep the command line compatibility, the parameters need to
continue being exposed via qdev properties accessible from the command
line. Introduce a qdev property StrOrNull just for that.
Note that this code is being kept in migration/options.c as this
version of StrOrNull doesn't need to handle QNULL because it was never
a valid option in the previous command line, which took a string.
Fabiano Rosas [Mon, 15 Dec 2025 21:59:47 +0000 (18:59 -0300)]
migration: Fix leak of block_bitmap_mapping
Caught by inspection, but ASAN also reports:
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 in malloc
#1 in g_malloc
#2 in g_memdup
#3 in qapi_clone_start_struct ../qapi/qapi-clone-visitor.c:40:12
#4 in qapi_clone_start_list ../qapi/qapi-clone-visitor.c:59:12
#5 in visit_start_list ../qapi/qapi-visit-core.c:80:10
#6 in visit_type_BitmapMigrationNodeAliasList qapi/qapi-visit-migration.c:639:10
#7 in migrate_params_apply ../migration/options.c:1407:13
#8 in qmp_migrate_set_parameters ../migration/options.c:1463:5
#9 in qmp_marshal_migrate_set_parameters qapi/qapi-commands-migration.c:214:5
#10 in do_qmp_dispatch_bh ../qapi/qmp-dispatch.c:128:5
Note that this is entirely harmless because the migration object which
contains the MigrationParameters structure is kept until the QEMU
process exits.
Peter Xu [Mon, 1 Dec 2025 19:45:10 +0000 (14:45 -0500)]
migration: Replace migrate_set_error() with migrate_error_propagate()
migrate_set_error() currently doesn't take ownership of the error being
passed in. It's not aligned with the error API and meanwhile it also
makes most of the caller free the error explicitly.
Change the API to take the ownership of the Error object instead. This
should save a lot of error_copy() invocations.
The previous commit reverted support for g_autoptr(Error). This one
should stop it from coming back.
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Tested-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/r/20251201194510.1121221-4-peterx@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
Due to the nature of how Error should be used (normally ownership will be
passed over to Error APIs, like error_report_err), auto-free functions may
be error prone on its own. The auto cleanup function was merged without
proper review as pointed out by Dan and Markus:
Cc: Cédric Le Goater <clg@redhat.com>
Acked-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Acked-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
Link: https://lore.kernel.org/r/20251201194510.1121221-3-peterx@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
Peter Xu [Mon, 1 Dec 2025 19:45:04 +0000 (14:45 -0500)]
migration: Use explicit error_free() instead of g_autoptr
There're only two use cases of g_autoptr to free Error objects in migration
code paths.
Due to the nature of how Error should be used (normally ownership will be
passed over to Error APIs, like error_report_err), auto-free functions may
be error prone on its own. The auto cleanup function was merged without
proper review, as pointed out by Dan and Markus:
Pawel Zmarzly [Tue, 25 Nov 2025 17:30:07 +0000 (17:30 +0000)]
scripts/analyze-migration: Rename RAM_SAVE_FLAG_COMPRESS to RAM_SAVE_FLAG_ZERO
It has been renamed on the C side a few years ago. In modern QEMU versions,
fill_byte must be zero. Updating the Python script to make grepping and
understanding the code easier.
Currently if you set these flags and have any shared memory object, saving
a snapshot will fail with:
Failed to write bitmap to file: Unable to write to file: Bad address
We need to skip writing RAMBlocks that are backed by shared objects.
Also, we should mark these RAMBlocks as skipped, so the snapshot format stays
readable to tools that later don't know QEMU's command line (for example
scripts/analyze-migration.py). I used bitmap_offset=0 pages_offset=0 for this.
This minor change to snapshot format should be safe, as offset=0 should not
have ever been possible.
Pawel Zmarzly [Wed, 26 Nov 2025 12:12:33 +0000 (12:12 +0000)]
migration: fix parsing snapshots with x-ignore-shared flag
Snapshots made with mapped-ram and x-ignore-shared flags are
not parsed properly.
The ignore-shared feature adds an extra field in the stream, which
needs to be consumed on the destination side. Even though mapped-ram has
a fixed header format, the ignore-shared is part of the "generic" stream
information so the mapped-ram code is currently skipping that be64 read
which incorrectly offsets every subsequent read from the stream.
The current ignore-shared handling can simply be moved earlier in the code
to encompass mapped-ram as well since the ignore-shared doubleword is the
first one read when parsing the ramblock section of the stream.
Co-authored-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Pawel Zmarzly <pzmarzly0@gmail.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/r/20251126121233.542473-1-pzmarzly0@gmail.com
[peterx: enhance commit log per fabiano]
Signed-off-by: Peter Xu <peterx@redhat.com>
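The failure mode described in this commit, as an added example that is not QEMU's stream code: a capability-dependent big-endian 64-bit word sits at the start of the ramblock section, and a reader that does not consume it reads every later field from the wrong offset. The section layout below is constructed for the demonstration (it is not QEMU's actual mapped-ram format), as are build_section(), parse_section() and demo_parse(); the point is that strict per-field checks turn a mis-offset read into an immediate parse error instead of silently accepted garbage.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not QEMU's code. Constructed section layout:
 *   [be64 ignore-shared word, present only when the capability is on]
 *   then, per block: [u8 name length][name bytes][be64 block length] */

#define PAGE_SIZE 4096u
#define MAX_NAME 15

typedef struct {
    const uint8_t *p;
    const uint8_t *end;
} Cursor;

static bool get_u8(Cursor *c, uint8_t *v)
{
    if (c->end - c->p < 1) {
        return false;
    }
    *v = *c->p++;
    return true;
}

static bool get_be64(Cursor *c, uint64_t *v)
{
    if (c->end - c->p < 8) {
        return false;
    }
    uint64_t x = 0;
    for (int i = 0; i < 8; i++) {
        x = (x << 8) | c->p[i];
    }
    c->p += 8;
    *v = x;
    return true;
}

static size_t put_be64(uint8_t *out, uint64_t v)
{
    for (int i = 7; i >= 0; i--) {
        out[i] = (uint8_t)(v & 0xff);
        v >>= 8;
    }
    return 8;
}

/* Writer side: emits two constructed blocks into out, returns bytes written. */
size_t build_section(uint8_t *out, bool ignore_shared)
{
    static const char *names[2] = {"ram0", "vga0"};
    static const uint64_t lens[2] = {0x100000, 0x800000};
    size_t n = 0;
    if (ignore_shared) {
        n += put_be64(out + n, 1);  /* the capability-dependent word */
    }
    for (int i = 0; i < 2; i++) {
        size_t nl = strlen(names[i]);
        out[n++] = (uint8_t)nl;
        memcpy(out + n, names[i], nl);
        n += nl;
        n += put_be64(out + n, lens[i]);
    }
    return n;
}

/* Reader side: returns the number of blocks parsed, or -1 on any malformed field. */
int parse_section(const uint8_t *buf, size_t len, bool consume_ignore_shared,
                  uint64_t *total_len)
{
    Cursor c = { buf, buf + len };
    uint64_t word;
    if (consume_ignore_shared && !get_be64(&c, &word)) {
        return -1;
    }
    int blocks = 0;
    *total_len = 0;
    while (c.p < c.end) {
        uint8_t nl;
        char name[MAX_NAME + 1];
        uint64_t blen;
        if (!get_u8(&c, &nl) || nl == 0 || nl > MAX_NAME) {
            return -1;  /* a zero or oversized name length is the first symptom of a mis-offset read */
        }
        if (c.end - c.p < nl) {
            return -1;
        }
        memcpy(name, c.p, nl);
        name[nl] = '\0';
        c.p += nl;
        if (!get_be64(&c, &blen) || blen == 0 || blen % PAGE_SIZE != 0) {
            return -1;  /* block lengths must be page multiples */
        }
        *total_len += blen;
        blocks++;
    }
    return blocks;
}

/* Pairs a writer setting with a reader setting; only matching pairs parse cleanly. */
int demo_parse(bool stream_has_flag, bool reader_consumes_flag)
{
    uint8_t buf[64];
    size_t len = build_section(buf, stream_has_flag);
    uint64_t total;
    return parse_section(buf, len, reader_consumes_flag, &total);
}

int main(void)
{
    printf("match: %d %d, mismatch: %d %d\n", demo_parse(true, true),
           demo_parse(false, false), demo_parse(true, false), demo_parse(false, true));
    return 0;
}
```

Either mismatch (the reader skipping a word that is present, or consuming one that is absent) shifts the cursor by eight bytes, so the first name-length byte read is zero and the parser stops at the first block instead of reporting plausible but wrong sizes.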
Zesen Liu [Wed, 17 Dec 2025 03:59:52 +0000 (11:59 +0800)]
qdev: fix error handling in set_uint64_checkmask
When specifying lbr_fmt=VALUE in cpu options with an invalid VALUE, error_setg() gets triggered twice, causing an assertion failure in error_setv() which requires *errp to be NULL, preventing meaningful error messages from being displayed.
Fix this by checking visit_type_uint64()'s return value and returning early on failure, consistent with other property setters like set_string().
Fixes: 18c22d7112a7 (qdev-properties: Add a new macro with bitmask check for uint64_t property)
Cc: qemu-stable@nongnu.org
Signed-off-by: Zesen Liu <ftyghome@gmail.com>
Message-ID: <20251217-qdev-fix-v1-1-bd33ea463220@gmail.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
[Add Fixes: and Cc:]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Cédric Le Goater [Mon, 15 Dec 2025 10:19:37 +0000 (11:19 +0100)]
gdbstub: Fix const qualifier build errors with recent glibc
A recent change in glibc 2.42.9000 [1] changes the return type of
strstr() and other string functions to be 'const char *' when the
input is a 'const char *'. This breaks the build in:
../gdbstub/user.c:322:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
322 | pid_placeholder = strstr(path, "%d");
| ^
Fix this by changing the type of the variables that store the result
of these functions to 'const char *'.
Cédric Le Goater [Mon, 15 Dec 2025 10:19:36 +0000 (11:19 +0100)]
monitor: Fix const qualifier build errors with recent glibc
A recent change in glibc 2.42.9000 [1] changes the return type of
strchr() and other string functions to be 'const char *' when the
input is a 'const char *'. This breaks the build in:
../monitor/hmp.c:589:7: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
589 | p = strchr(type, ':');
| ^
Fix this by changing the type of the variables that store the result
of these functions to 'const char *'.
Cédric Le Goater [Mon, 15 Dec 2025 10:19:35 +0000 (11:19 +0100)]
tests/vhost-user-bridge.c: Fix const qualifier build errors with recent glibc
A recent change in glibc 2.42.9000 [1] changes the return type of
strstr() and other string functions to be 'const char *' when the
input is a 'const char *'. This breaks the build in:
../tests/vhost-user-bridge.c: In function ‘vubr_parse_host_port’:
../tests/vhost-user-bridge.c:749:15: error: initialization discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
749 | char *p = strchr(buf, ':');
| ^~~~~~
Fix this by using the glib g_strsplit() routine instead of strdup().
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Yodel Eldar <yodel.eldar@yodel.dev>
Tested-by: Yodel Eldar <yodel.eldar@yodel.dev>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20251215101937.281722-3-clg@redhat.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Cédric Le Goater [Mon, 15 Dec 2025 10:19:34 +0000 (11:19 +0100)]
i386: Fix const qualifier build errors with recent glibc
A recent change in glibc 2.42.9000 [1] changes the return type of
strstr() and other string functions to be 'const char *' when the
input is a 'const char *'. This breaks the build in:
../hw/i386/x86-common.c:827:11: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
827 | vmode = strstr(kernel_cmdline, "vga=");
| ^
Fix this by changing the type of the variables that store the result
of these functions to 'const char *'.
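The const-qualifier pattern behind the four commits above, as an added example that is not QEMU's vubr_parse_host_port() and not the g_strsplit() rewrite from the vhost-user-bridge commit: a host:port parser in which the result of the string search keeps the qualifier of its input and the pieces are copied out, rather than the separator being overwritten in place. parse_host_port(), parsed_port() and parsed_host_is() are constructed for this demonstration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not QEMU's code. With the old pattern
 *   char *p = strchr(buf, ':'); *p = '\0';
 * a read-only input (a string literal, or a buffer the caller still needs)
 * gets written to; the new glibc prototypes make that a compile error, and
 * keeping the result const avoids the write in the first place. */

/* Splits "host:port" from a read-only buffer. The host is copied into
 * host[host_len]; the port is range-checked. Returns false on any malformation. */
bool parse_host_port(const char *buf, char *host, size_t host_len, int *port)
{
    const char *sep = strrchr(buf, ':');   /* const in, const out: no cast, no write-back */
    if (sep == NULL || sep == buf) {
        return false;                      /* missing separator or empty host */
    }
    size_t hlen = (size_t)(sep - buf);
    if (hlen >= host_len) {
        return false;                      /* would not fit, including the terminator */
    }
    memcpy(host, buf, hlen);
    host[hlen] = '\0';

    if (sep[1] < '0' || sep[1] > '9') {
        return false;                      /* strtol would accept leading spaces or a sign */
    }
    char *end;
    errno = 0;
    long value = strtol(sep + 1, &end, 10);
    if (errno != 0 || *end != '\0' || value < 1 || value > 65535) {
        return false;                      /* overflow, trailing junk or out of range */
    }
    *port = (int)value;
    return true;
}

/* Helpers returning plain values so one call checks a parse result. */
int parsed_port(const char *buf)
{
    char host[64];
    int port;
    return parse_host_port(buf, host, sizeof host, &port) ? port : -1;
}

bool parsed_host_is(const char *buf, const char *expected)
{
    char host[64];
    int port;
    return parse_host_port(buf, host, sizeof host, &port) && strcmp(host, expected) == 0;
}

int main(void)
{
    /* The argument is a string literal: read-only, and left untouched here. */
    printf("port=%d host-ok=%d\n", parsed_port("127.0.0.1:5555"),
           parsed_host_is("127.0.0.1:5555", "127.0.0.1"));
    printf("rejected: %d %d %d %d\n", parsed_port("nocolon"), parsed_port(":80"),
           parsed_port("host:70000"), parsed_port("host:80x"));
    return 0;
}
```

strrchr() rather than strchr() is used so that a bracketed IPv6 literal such as "[::1]:80" splits at the last colon; the host part is returned as written and is not otherwise validated.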
Merge tag 'for-upstream' of https://repo.or.cz/qemu/kevin into staging
Block layer patches
- Fix crash due to BDS use after free during shutdown (in particular
while migration is running)
- iotests: Fix a typo that made a check to prevent overwriting a file
ineffective
# -----BEGIN PGP SIGNATURE-----
#
# iQJFBAABCgAvFiEE3D3rFZqa+V09dFb+fwmycsiPL9YFAmlAQOARHGt3b2xmQHJl
# ZGhhdC5jb20ACgkQfwmycsiPL9YNCBAAqoWuOIdybhv44cLtrl3DZWHZnt1XbYvT
# xSUWI9fQQM6WLI1gAHXzl4awsTz0yZzc7KSyYPXdoub3A5D2LoFl4kJKXDzubAwr
# YP1Zmg6UWfaKfxkM42FV07xV8K4kvD11jMTimuYql6uFpzXZILwIPjl10ifdjwYg
# /5c9HUct+y28CdmvFYyt5B0lxJq2VSgLPjqyF7yltzKglirqBcvc1YbMoXfiN4JY
# tSvUHIiiJft839QbG1jrt5spl2xhORP6N7woqlgSiTeGKpPavp9nkWFPZO01QmkU
# la6/vgFZZPCgZOlmt0lVMWy5UsWqKb0voOzi3QvDpGYNie+85JmI4OEOXtsKQvDw
# 7EV+JaMtE72sjO35ruFo1KlapuFbM3yyJ97OpwpRuua1oCRXSyLYQMr5RvDO4rqf
# sdSJw/h+VZ524ydza3d/kj8qlzXkOhEo2WidBQCRRMpI8va4+IcMwHB8ZuthU3LZ
# MfOoEo4XayCQRUhFslHb6Y870Wsi3TxZCZ/fxpWqrCsxz5U5mNyUWoQHVdsofT6j
# WrzeA5ibt1GOC42dif0178PhdowFQHySz1wDbxUEO4yKIo3ziQbH95aUmcT3hYuI
# 17pSQegCA2EOCEzUXdD09qXSotJz7a+aKjiQ3hDxK7a1JokC9O4hvAwSbgOPsxCd
# BbKwOhhsSM4=
# =zBtX
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 16 Dec 2025 04:09:52 AM AEDT
# gpg: using RSA key DC3DEB159A9AF95D3D7456FE7F09B272C88F2FD6
# gpg: issuer "kwolf@redhat.com"
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6
* tag 'for-upstream' of https://repo.or.cz/qemu/kevin:
block: Fix BDS use after free during shutdown
tests/qemu-iotests: Fix check for existing file in _require_disk_usage()
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Kevin Wolf [Mon, 15 Dec 2025 15:07:14 +0000 (16:07 +0100)]
block: Fix BDS use after free during shutdown
During shutdown, blockdev_close_all_bdrv_states() drops any block node
references that are still owned by the monitor (i.e. the user). However,
in doing so, it forgot to also remove the node from monitor_bdrv_states
(which qmp_blockdev_del() correctly does), which means that later calls
of bdrv_first()/bdrv_next() will still return the (now stale) pointer to
the node.
Usually there is no such call after this point, but in some cases it can
happen. In the reported case, there was an ongoing migration, and the
migration thread wasn't shut down yet: migration_shutdown() called by
qemu_cleanup() doesn't actually wait for the migration to be shut down,
but may just move it to MIGRATION_STATUS_CANCELLING. The next time
migration_iteration_finish() runs, it sees the status and tries to
re-activate all block devices that migration may have previously
inactivated. This is where bdrv_first()/bdrv_next() get called and the
access to the already freed node happens.
It is debatable if migration_shutdown() should really return before
migration has settled, but leaving a dangling pointer in the list of
monitor-owned block nodes is clearly a bug either way and fixing it
solves the immediate problem, so fix it.
Cc: qemu-stable@nongnu.org
Reported-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20251215150714.130214-1-kwolf@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Tested-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
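The bug class in this commit, as an added illustrative model that is not QEMU's block layer: an owner list (standing in for monitor_bdrv_states) holds pointers to reference-counted nodes, and a shutdown routine that drops the owner's references without unlinking the entries leaves dangling pointers for any later first()/next() walk to hand out. The Node, Entry and registry_* names are constructed for the demonstration, and to keep it safe to run the release of a node is simulated with a flag rather than free(), so the stale entries can be counted instead of dereferenced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not QEMU's code: models an owner list whose entries must be
 * unlinked before the owner's reference on the node is dropped. */

#define MAX_NODES 8

typedef struct Node {
    char name[16];
    int refcnt;
    bool freed;      /* set when refcnt reaches zero; a real node would be free()d */
} Node;

typedef struct Entry {
    Node *node;
    struct Entry *next;
} Entry;

static Node pool[MAX_NODES];
static Entry entries[MAX_NODES];
static Entry *owned_list;   /* owner-held nodes, newest first */
static int used;

static void node_unref(Node *n)
{
    if (--n->refcnt == 0) {
        n->freed = true;
    }
}

void registry_reset(void)
{
    memset(pool, 0, sizeof pool);
    memset(entries, 0, sizeof entries);
    owned_list = NULL;
    used = 0;
}

/* Creates a node with one reference, held through the owner list. */
Node *registry_add(const char *name)
{
    if (used >= MAX_NODES) {
        return NULL;
    }
    Node *n = &pool[used];
    Entry *e = &entries[used];
    used++;
    snprintf(n->name, sizeof n->name, "%s", name);
    n->refcnt = 1;
    e->node = n;
    e->next = owned_list;
    owned_list = e;
    return n;
}

/* Buggy shutdown: drops every reference but leaves the entries linked. */
void close_all_buggy(void)
{
    for (Entry *e = owned_list; e != NULL; e = e->next) {
        node_unref(e->node);
    }
}

/* Fixed shutdown: unlink the entry first, then drop the reference. */
void close_all_fixed(void)
{
    while (owned_list != NULL) {
        Entry *e = owned_list;
        Node *n = e->node;
        owned_list = e->next;
        e->next = NULL;
        e->node = NULL;
        node_unref(n);
    }
}

/* Counts linked entries whose node has already been released: anything
 * nonzero is a use-after-free waiting for the next walk of the list. */
int registry_dangling(void)
{
    int count = 0;
    for (Entry *e = owned_list; e != NULL; e = e->next) {
        if (e->node->freed) {
            count++;
        }
    }
    return count;
}

/* Number of entries a first()/next() style walk would still visit. */
int registry_length(void)
{
    int count = 0;
    for (Entry *e = owned_list; e != NULL; e = e->next) {
        count++;
    }
    return count;
}

/* Constructed scenario: two owned nodes, then shutdown with either variant. */
int demo_dangling_after_shutdown(bool fixed)
{
    registry_reset();
    registry_add("disk0");
    registry_add("disk1");
    if (fixed) {
        close_all_fixed();
    } else {
        close_all_buggy();
    }
    return registry_dangling();
}

int main(void)
{
    printf("buggy: %d dangling entries\n", demo_dangling_after_shutdown(false));
    printf("fixed: %d dangling entries, list length %d\n",
           demo_dangling_after_shutdown(true), registry_length());
    return 0;
}
```

The check that matters is the invariant, not the crash: after shutdown no list entry may point at a released node, whatever else the migration thread or any other late caller decides to do with the list.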
Said commit changed the replay_bh_schedule_oneshot_event() in
nvme_rw_cb() to aio_co_wake(), allowing the request coroutine to be
entered directly (instead of only being scheduled for later execution).
This can cause the device to become stalled like so:
It is possible that after completion the request coroutine goes on to
submit another request without yielding, e.g. a flush after a write to
emulate FUA. This will likely cause a nested nvme_process_completion()
call because nvme_rw_cb() itself is called from there.
(After submitting a request, we invoke nvme_process_completion() through
defer_call(); but the fact that nvme_process_completion() ran in the
first place indicates that we are not in a call-deferring section, so
defer_call() will call nvme_process_completion() immediately.)
If this inner nvme_process_completion() loop then processes any
completions, it will write the final completion queue (CQ) head index to
the CQ head doorbell, and subsequently execution will return to the
outer nvme_process_completion() loop. Even if this loop now finds no
further completions, it still processed at least one completion before,
or it would not have called the nvme_rw_cb() which led to nesting.
Therefore, it will now write the exact same CQ head index value to the
doorbell, which effectively is an unrecoverable error[1].
Therefore, nesting of nvme_process_completion() does not work at this
point. Reverting said commit removes the nesting (by scheduling the
request coroutine instead of entering it immediately), and so fixes the
stall.
On the downside, reverting said commit breaks multiqueue for nvme, but
better to have single-queue working than neither. For 11.0, we will
have a solution that makes both work.
A side note: There is a comment in nvme_process_completion() above
qemu_bh_schedule() that claims nesting works, as long as it is done
through the completion_bh. I am quite sure that is not true, for two
reasons:
- The problem described above, which is even worse when going through
nvme_process_completion_bh() because that function unconditionally
writes to the CQ head doorbell,
- nvme_process_completion_bh() never takes q->lock, so
nvme_process_completion() unlocking it will likely abort.
Given the lack of reports of such aborts, I believe that completion_bh
simply is unused in practice.
[1] See the NVMe Base Specification revision 2.3, page 180, figure 152:
“Invalid Doorbell Write Value: A host attempted to write an invalid
doorbell value. Some possible causes of this error are: [...] the
value written is the same as the previously written doorbell value.”
To even be notified of this error, we would need to send an
Asynchronous Event Request to the admin queue (p. 178ff), which we
don’t do, and then to handle it, we would need to delete and
recreate the queue (p. 88, section 3.3.1.2 Queue Usage).
Cc: qemu-stable@nongnu.org
Reported-by: Lukáš Doktor <ldoktor@redhat.com>
Tested-by: Lukáš Doktor <ldoktor@redhat.com>
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-id: 20251215141540.88915-1-hreitz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
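The nesting failure described in the commit message above, as an added model that is not QEMU code: a constructed completion-queue simulation in which a completion callback either enters the request coroutine directly (submitting a follow-up request that re-enters completion processing) or merely schedules it. Names such as `process_completion`, `rw_cb`, `ring_doorbell` and `simulate` are hypothetical stand-ins for the functions the message discusses; the "device" completes a submitted request instantly so the nested loop always makes progress. The model counts how often the same CQ head index is written to the doorbell twice in a row, which the message identifies as the unrecoverable error.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (not QEMU's block/nvme.c) of the CQ head doorbell state
 * described in the commit message. Hypothetical names throughout. */

#define CQ_SIZE 8

typedef struct {
    int pending;                 /* completions posted by the "device", not yet consumed */
    unsigned cq_head;            /* host-side CQ head index */
    unsigned last_doorbell;      /* last value written to the CQ head doorbell */
    bool doorbell_written;       /* whether any doorbell write has happened yet */
    int invalid_doorbell_writes; /* same value written twice in a row (spec: invalid) */
    int depth;                   /* current nesting depth of process_completion() */
    int max_depth;               /* deepest nesting seen */
    int pending_callbacks;       /* request coroutines scheduled but not yet run */
    bool follow_up;              /* rw_cb still has a follow-up request (e.g. flush) to submit */
} QueueModel;

static void process_completion(QueueModel *q, bool enter_directly);

/* Writing the same CQ head value as the previous write is what the NVMe spec
 * calls an "Invalid Doorbell Write Value"; count it instead of aborting. */
static void ring_doorbell(QueueModel *q)
{
    if (q->doorbell_written && q->last_doorbell == q->cq_head) {
        q->invalid_doorbell_writes++;
    }
    q->last_doorbell = q->cq_head;
    q->doorbell_written = true;
}

/* Submit the follow-up request; the model's device completes it at once and,
 * as the message explains, defer_call() outside a deferring section runs
 * process_completion() immediately. */
static void submit_follow_up(QueueModel *q, bool enter_directly)
{
    q->pending++;
    q->follow_up = false;
    process_completion(q, enter_directly);
}

/* Completion callback: aio_co_wake()-style direct entry nests, while
 * scheduling the coroutine (the reverted-to behaviour) defers it. */
static void rw_cb(QueueModel *q, bool enter_directly)
{
    if (enter_directly) {
        if (q->follow_up) {
            submit_follow_up(q, true);
        }
    } else {
        q->pending_callbacks++;
    }
}

static void process_completion(QueueModel *q, bool enter_directly)
{
    bool progress = false;

    q->depth++;
    if (q->depth > q->max_depth) {
        q->max_depth = q->depth;
    }
    while (q->pending > 0) {
        q->pending--;
        q->cq_head = (q->cq_head + 1) % CQ_SIZE;
        progress = true;          /* remembered even if a nested call drains the rest */
        rw_cb(q, enter_directly);
    }
    if (progress) {
        ring_doorbell(q);         /* outer loop writes again after the nested one did */
    }
    q->depth--;
}

/* Top-level event loop draining scheduled request coroutines. */
static void run_scheduled(QueueModel *q)
{
    while (q->pending_callbacks > 0) {
        q->pending_callbacks--;
        if (q->follow_up) {
            submit_follow_up(q, false);
        }
    }
}

/* Returns the number of invalid (duplicate) doorbell writes for one scenario
 * and reports the maximum nesting depth through *max_depth. */
int simulate(bool enter_directly, int *max_depth)
{
    QueueModel q = { .pending = 1, .follow_up = true };

    process_completion(&q, enter_directly);
    run_scheduled(&q);
    if (max_depth) {
        *max_depth = q.max_depth;
    }
    return q.invalid_doorbell_writes;
}

int main(void)
{
    int depth;
    int bad = simulate(true, &depth);
    printf("direct entry:  nesting depth %d, invalid doorbell writes %d\n", depth, bad);
    bad = simulate(false, &depth);
    printf("scheduled:     nesting depth %d, invalid doorbell writes %d\n", depth, bad);
    return 0;
}
```

With direct entry the outer loop has already consumed one completion before the nested call drains the follow-up and rings the doorbell, so the outer loop rings it again with the identical head index; with the callback scheduled instead, each `process_completion()` run writes a distinct head value and nesting never exceeds one level.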
Thomas Huth [Mon, 8 Dec 2025 07:53:20 +0000 (08:53 +0100)]
tests/qemu-iotests: Fix check for existing file in _require_disk_usage()
Looks like the "$" has been forgotten here to get the contents of
the FILENAME variable.
Fixes: c49dda7254d ("iotests: Filter out ZFS in several tests")
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20251208075320.35682-1-thuth@redhat.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Merge tag 'hw-misc-20251209' of https://github.com/philmd/qemu into staging
Misc HW / migration / typo fixes
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmk4gN0ACgkQ4+MsLN6t
# wN6wPw/9EiBPEumIFhsGQZdB4pZZBgjBgOilkazeVaitWwfjhZGWTB6l5O0+aEmH
# jCeK2AAUZEashB/CrGI9irQ8Zli/CGgzV8/pF25AHDnDFyhCwR2czxeVDiZtMmcE
# tOYfjqs57/85r0OiQHHzqgp7w25p/p0Toz5g9GR+7Wu8xFi5SkHVM2gblSViz9ks
# JY+RLnQN4KKessqFKwGJb/m6cnBUWTf3DCscD/j+Crb9OI3WQpz2DsbQaZ06NHR7
# hlPzQ05taMhIqh6OdRAGqGS7Mud+eQ58k9qkYGuSBUkuBoJ/3/EqHJXQ4blZt9IN
# reJ6EtN+xYTT+BGBhIXmAtIVERzyk1MF99hgUZJW0RDuE4Ioa7Omp5bnv82Yensz
# UledFAMrGpX25SlJG2oNGnqZTYnCYoQnRQTB90AlaluJqHSpSgBBoJyfukjKQDVa
# NmL+sJOthonvGsydJP8IYfmcBUC1AzmXFxzN+/xZOSJe1qmSh1kUaehsbyytdd/C
# tgyav8DsvxXR8rfYBX5bSml8pAKL5pSD0DYJD3LCyvRoC0SnYROFU1kaUfMpPA+/
# H1r0RO5Lzkcub1JW253gA89GfrK0Y7ShMtoJ+GBivH/cK+ZYT4uEAZajcgUi5kJJ
# FSWz/sNxOJ03s3CWQhlPOEnkLQ41/1+eqbLpmWceRIAfOmmXE00=
# =vcUd
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 09 Dec 2025 02:04:45 PM CST
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE
* tag 'hw-misc-20251209' of https://github.com/philmd/qemu:
Revert "hw/net/virtio-net: make VirtIONet.vlans an array instead of a pointer"
Revert "migration/vmstate: remove VMSTATE_BUFFER_POINTER_UNSAFE macro"
Fix const qualifier build errors with recent glibc
scripts/nsis.py: Tell makensis that WoA is 64 bit
hw/pci: Fix typo in documentation
migration: Fix order of function arguments
vhost: Always initialize cached vring data
scripts: fix broken error path in modinfo-collect.py
hw/9pfs: Correct typo
osdep: Undefine FSCALE definition to fix Solaris builds
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Revert "hw/net/virtio-net: make VirtIONet.vlans an array instead of a pointer"
Per https://lore.kernel.org/qemu-devel/7798584d-e861-47b7-af52-2c2efb67a4de@proxmox.com/:
Loading a VM state taken with v10.1.2 or older doesn't work anymore,
using the script [*] we get:
kvm: VQ 1 size 0x100 < last_avail_idx 0x9 - used_idx 0x3e30
kvm: load of migration failed: Operation not permitted: error while loading state for instance 0x0 of device '0000:00:13.0/virtio-net': Failed to load element of type virtio for virtio: -1
qemu-system-x86_64: Missing section footer for 0000:00:13.0/virtio-net
qemu-system-x86_64: Section footer error, section_id: 41