git.ipfire.org Git - thirdparty/qemu.git/log
thirdparty/qemu.git
11 hours ago: Update version for v11.0.0-rc3 release (master, v11.0.0-rc3)
Peter Maydell [Thu, 9 Apr 2026 20:18:56 +0000 (21:18 +0100)] 
Update version for v11.0.0-rc3 release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
17 hours ago: Merge tag 'hw-misc-20260409' of https://github.com/philmd/qemu into staging
Peter Maydell [Thu, 9 Apr 2026 14:54:41 +0000 (15:54 +0100)] 
Merge tag 'hw-misc-20260409' of https://github.com/philmd/qemu into staging

Misc HW patches

Few hw/ fixes and a keymap one.


* tag 'hw-misc-20260409' of https://github.com/philmd/qemu:
  qemu-keymap: fix altgr modifier lookup for newer xkeyboard-config
  ati-vga: Fix check for overflowing vram
  hw/timer: ibex_timer: Update IRQs after writing CTRL
  ati-vga: Fix pitch and offset registers mask

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
18 hours ago: qemu-keymap: fix altgr modifier lookup for newer xkeyboard-config
Dietmar Maurer [Wed, 8 Apr 2026 09:14:59 +0000 (11:14 +0200)] 
qemu-keymap: fix altgr modifier lookup for newer xkeyboard-config

xkeyboard-config 2.37 removed the "AltGr" virtual modifier in favor
of mapping upper groups directly to Mod5. Since then,
xkb_keymap_mod_get_index(map, "AltGr") returns XKB_MOD_INVALID, so
AltGr-based keysyms were never generated.

See: https://gitlab.freedesktop.org/xkeyboard-config/xkeyboard-config/-/commit/473f9bc32f9ba869829cc0d06a75cd1f2560aa60

Try "AltGr" first, and fall back to "Mod5" for compatibility with
both old and new xkeyboard-config versions.

Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260408091459.4001711-1-dietmar@proxmox.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
18 hours ago: ati-vga: Fix check for overflowing vram
BALATON Zoltan [Wed, 8 Apr 2026 10:49:35 +0000 (12:49 +0200)] 
ati-vga: Fix check for overflowing vram

Take into account the bytes per pixel when checking for accesses
beyond the end of the vram area.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20260408104935.1A55A5969F6@zero.eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
18 hours ago: hw/timer: ibex_timer: Update IRQs after writing CTRL
Alistair Francis [Tue, 7 Apr 2026 04:36:13 +0000 (14:36 +1000)] 
hw/timer: ibex_timer: Update IRQs after writing CTRL

When writing to rv_timer.CTRL after setting the compare values the timer
doesn't fire as we don't update the interrupts. Ensure we update the
interrupts after a write to the rv_timer.CTRL register.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2796
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Message-ID: <20260407043614.372871-5-alistair.francis@wdc.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
18 hours ago: ati-vga: Fix pitch and offset registers mask
BALATON Zoltan [Sat, 4 Apr 2026 11:13:18 +0000 (13:13 +0200)] 
ati-vga: Fix pitch and offset registers mask

Remove the Radeon specific masks for offset and pitch registers. While
the documentation is not clear about it, I believe it is a copy&paste
error from the combined DST_PITCH_OFFSET register, which has fewer bits
and so is more constrained than the individual registers, which should
not have this mask.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <20260404111318.8334E596A22@zero.eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
21 hours ago: Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging
Peter Maydell [Thu, 9 Apr 2026 10:58:04 +0000 (11:58 +0100)] 
Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* virtio-scsi: fix cdb_size issue


* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
  virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
21 hours ago: hw/uefi: fix heap overflow (CVE-2026-5744)
Gerd Hoffmann [Wed, 8 Apr 2026 07:34:02 +0000 (09:34 +0200)] 
hw/uefi: fix heap overflow (CVE-2026-5744)

When copying the request response into the pio transfer buffer the code
skips the 'struct mm_header' but does not consider that when calculating
transfer size, so it will copy 24 (== sizeof(struct mm_header)) extra
bytes, which can overflow uv->pio_xfer_buffer.

Fix that by copying the complete buffer, including the header, which
also makes the pio code path consistent with the (unaffected) dma code
path.

Fixes: CVE-2026-5744
Fixes: 90ca4e03c27d ("hw/uefi: add var-service-core.c")
Reported-by: Yuma Kurogome <yumak@ricsec.co.jp>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-id: 20260408073403.3410541-1-kraxel@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
21 hours ago: virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd...
Paolo Bonzini [Fri, 27 Mar 2026 21:00:09 +0000 (22:00 +0100)] 
virtio-scsi: pass the same cdb_size to virtio_scsi_pop_req and virtio_scsi_handle_cmd_req_prepare

Ensure that there is no allocation/usage mismatch when requests
are processed in virtio_scsi_handle_cmd_vq.  To do this,
retrieve the value once and pass it to both functions.

For other calls to virtio_scsi_pop_req the extra size
can be 0, because control and event requests fit
entirely in VirtIOSCSIReq.

Reported-by: Jihe Wang <wangjihe.mail@gmail.com>
Tested-by: Jihe Wang <wangjihe.mail@gmail.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Fixes: CVE-2026-5763
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
37 hours ago: Merge tag 'hw-misc-20260407' of https://github.com/philmd/qemu into staging
Peter Maydell [Wed, 8 Apr 2026 18:16:36 +0000 (19:16 +0100)] 
Merge tag 'hw-misc-20260407' of https://github.com/philmd/qemu into staging

Misc HW patches

Few fixes, mostly for VGA display models.


* tag 'hw-misc-20260407' of https://github.com/philmd/qemu:
  ati-vga: Do not crash on 24 bits per pixel
  ati-vga: Update mode on CRTC_PITCH change
  ati-vga: Fix setting CRTC_OFFSET
  hw/arm/omap_sx1: map CS3 at the correct base
  cirrus-vga: Make frame buffer endianness little endian by default
  docs/about/removed-features: Replace 'since' -> 'removed in'

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
43 hours ago: Merge tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu into staging
Peter Maydell [Wed, 8 Apr 2026 12:34:10 +0000 (13:34 +0100)] 
Merge tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu into staging

trivial patches for 2026-04-08


* tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu:
  util: fix missing aio_wait sym in qemu guest agent only build
  Allow building qemu tools on 32-bit hosts
  util/meson.build: do not add cpuinfo-$arch to util_ss for 32bit CPUs

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
43 hours ago: util/readline: Fix out-of-bounds access in readline_insert_char().
Nguyen Dinh Phi [Mon, 6 Apr 2026 05:04:54 +0000 (13:04 +0800)] 
util/readline: Fix out-of-bounds access in readline_insert_char().

Currently, the readline_insert_char() function is guarded by the cursor
position (cmd_buf_index) rather than the actual buffer fill level (cmd_buf_size).
The current check is:
if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE)

This logic is flawed because if the command buffer is full and a user moves the
cursor backward (e.g. by sending the left arrow key), cmd_buf_index can be
decreased without decreasing the buffer size.
This allows subsequent insertions to increase cmd_buf_size past the maximum
limit of rs->cmd_buf.

Because in the ReadLineState struct, cmd_buf[READLINE_CMD_BUF_SIZE + 1] is
immediately followed by the cmd_buf_index integer, once the buffer size is
sufficiently inflated, the memmove() operation inside readline_insert_char()
can write past the end of cmd_buf[] and overwrite cmd_buf_index itself.

The subsequent line:
rs->cmd_buf[rs->cmd_buf_index] = ch;

then writes the input character to an address determined by the now-corrupted
index.

By providing a specifically crafted input sequence via HMP, this flaw can be
used to redirect the write operation to overwrite any field within the
ReadLineState structure, which can lead to unpredictable behavior or
application crashes.

Fix this by adding the guard to check for buffer fullness.

Cc: qemu-stable@nongnu.org
Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
Message-id: 20260406050454.284873-2-phind.uet@gmail.com
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
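The guard described in the commit message, as an added C example that is not QEMU's util/readline.c: a constructed stand-in for ReadLineState with an assumed READLINE_CMD_BUF_SIZE, the corrected fill-level check beside a function that only reports what the old cursor-based check would have allowed, and a scenario that fills the buffer, moves the cursor left and attempts one more insert.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for QEMU's ReadLineState: only the fields the
 * commit message discusses. The buffer size is an assumed value. */
#define READLINE_CMD_BUF_SIZE 16

typedef struct {
    char cmd_buf[READLINE_CMD_BUF_SIZE + 1];
    int  cmd_buf_index;   /* cursor position; sits right after cmd_buf[] */
    int  cmd_buf_size;    /* number of bytes actually held in cmd_buf */
} ReadLineState;

/* The check the commit calls flawed: it looks at the cursor, not at the
 * fill level. This only reports whether that check would have permitted
 * an insertion; it performs no write. */
bool flawed_guard_allows(const ReadLineState *rs)
{
    return rs->cmd_buf_index < READLINE_CMD_BUF_SIZE;
}

/* Insert with the corrected guard: refuse when the buffer is full,
 * wherever the cursor happens to be. Returns true on success. */
bool readline_insert_char_fixed(ReadLineState *rs, char ch)
{
    if (rs->cmd_buf_size >= READLINE_CMD_BUF_SIZE) {
        return false;              /* buffer full: drop the character */
    }
    /* open a gap at the cursor, then store the character there */
    memmove(rs->cmd_buf + rs->cmd_buf_index + 1,
            rs->cmd_buf + rs->cmd_buf_index,
            (size_t)(rs->cmd_buf_size - rs->cmd_buf_index));
    rs->cmd_buf[rs->cmd_buf_index] = ch;
    rs->cmd_buf_size++;
    rs->cmd_buf_index++;
    return true;
}

/* Move the cursor left without touching cmd_buf_size: this is what lets
 * the two counters diverge in the scenario from the commit message. */
void readline_cursor_left(ReadLineState *rs)
{
    if (rs->cmd_buf_index > 0) {
        rs->cmd_buf_index--;
    }
}

/* Fill the buffer, move the cursor back one position, then try one more
 * insert. Returns 1 when the old guard would still accept the insert
 * while the fixed guard refuses it and the fill level stays at the cap. */
int demo_full_buffer_after_cursor_left(void)
{
    ReadLineState rs;
    memset(&rs, 0, sizeof(rs));
    for (int i = 0; i < READLINE_CMD_BUF_SIZE; i++) {
        if (!readline_insert_char_fixed(&rs, (char)('a' + (i % 26)))) {
            return 0;
        }
    }
    readline_cursor_left(&rs);  /* index is now SIZE-1, size is still SIZE */
    bool old_allows = flawed_guard_allows(&rs);             /* true: the bug */
    bool new_allows = readline_insert_char_fixed(&rs, 'x'); /* false: refused */
    return old_allows && !new_allows &&
           rs.cmd_buf_size == READLINE_CMD_BUF_SIZE;
}
```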
45 hours ago: util: fix missing aio_wait sym in qemu guest agent only build
Daniel P. Berrangé [Tue, 7 Apr 2026 15:18:17 +0000 (16:18 +0100)] 
util: fix missing aio_wait sym in qemu guest agent only build

Configure QEMU with

 --disable-system --disable-user --disable-tools --enable-guest-agent

and the build will fail with

  FAILED: [code=1] qga/qemu-ga
  ld: libqemuutil.a.p/qapi_qmp-dispatch.c.o: in function `do_qmp_dispatch_bh':
  qapi/qmp-dispatch.c:140:(.text+0x5c): undefined reference to `aio_wait_kick'

This aio_kick() usage was recently introduced in qmp-dispatch.c
without updating the build logic.

Fixes commit fc1a2ec7da531223b3473185dc2584f8a7c6c659
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
45 hours ago: Allow building qemu tools on 32-bit hosts
Helge Deller [Sat, 4 Apr 2026 22:40:16 +0000 (00:40 +0200)] 
Allow building qemu tools on 32-bit hosts

Qemu's tools like qemu-img are often needed on 32-bit platforms,
although the actual qemu emulators have been discontinued on 32-bit.

To allow building the tools on 32-bit this patch implements three small
changes:

a) The check in meson.build is changed to still error out if the user
tries to build qemu-system or qemu-user on a 32-bit platform, but allows
building tools (e.g. by "--enable-tools") alone.

b) The compile time check in atomic.h now checks against
sizeof(uint64_t) so that 32-bit environments can still build
successfully, while 128-bit atomic operations are prevented from sneaking in.

c) Allow linking against libatomic as long as we don't build the
qemu-system and qemu-user binaries.

Successfully tested on the 32-bit big-endian powerpc architecture.

Signed-off-by: Helge Deller <deller@gmx.de>
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2 days ago: ati-vga: Do not crash on 24 bits per pixel
BALATON Zoltan [Mon, 6 Apr 2026 01:20:31 +0000 (03:20 +0200)] 
ati-vga: Do not crash on 24 bits per pixel

The stn_he_p function only supports power of two sizes, so it will
assert if we call it with size 3, which happens with 24 bits per pixel.
It's not clear from the documentation if this should be supported or
not, and drivers tested so far don't use it, so refuse the parameters
that would crash QEMU for now.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Chad Jablonski <chad@jablonski.xyz>
Message-ID: <20260406012031.335A0596A24@zero.eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2 days ago: ati-vga: Update mode on CRTC_PITCH change
BALATON Zoltan [Fri, 3 Apr 2026 14:59:28 +0000 (16:59 +0200)] 
ati-vga: Update mode on CRTC_PITCH change

When changing line length we need to update display parameters so call
mode change when changing CRTC_PITCH if the value has changed.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Chad Jablonski <chad@jablonski.xyz>
Message-ID: <3f54ff54a873a8f8a0cc5f14660703b4025a69e2.1775228029.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2 days ago: ati-vga: Fix setting CRTC_OFFSET
BALATON Zoltan [Fri, 3 Apr 2026 14:59:27 +0000 (16:59 +0200)] 
ati-vga: Fix setting CRTC_OFFSET

Offset (display start address) should also be updated when changing
the register value not only on mode change. Fix the register write
mask to hard code bits 0:2 to 0 as the chip docs say and update the
start address on register write. This fixes virtual screen panning for
screens larger than displayed resolution.

As this register allows values that cannot be handled by the VBE_DISPI
X and Y offsets (which is restricted by line length) we add a function
to set it directly not through the VBE offsets.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Tested-by: Chad Jablonski <chad@jablonski.xyz>
Reviewed-by: Chad Jablonski <chad@jablonski.xyz>
Message-ID: <2b8af6022aba06aa98a249ae67922de29d82d86f.1775228029.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2 days ago: hw/arm/omap_sx1: map CS3 at the correct base
GuoHan Zhao [Fri, 3 Apr 2026 01:44:41 +0000 (09:44 +0800)] 
hw/arm/omap_sx1: map CS3 at the correct base

omap_sx1 wires the "sx1.cs3" region to OMAP_CS2_BASE instead of
OMAP_CS3_BASE.

That places both CS2 and CS3 at the same address and leaves the real
CS3 window unmapped. Point the CS3 region at OMAP_CS3_BASE so the
static chip-select layout matches the OMAP address definitions.

Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
Fixes: ba1580299d0 ("omap_sx1: convert to memory API")
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260403014441.38725-1-zhaoguohan@kylinos.cn>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2 days ago: cirrus-vga: Make frame buffer endianness little endian by default
BALATON Zoltan [Wed, 1 Apr 2026 20:53:27 +0000 (22:53 +0200)] 
cirrus-vga: Make frame buffer endianness little endian by default

QEMU VGA defaults to target endianness but real Cirrus VGA is little
endian so set it explicitly in cirrus_init_common() to fix it on big
endian machines.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260401205327.914905969EC@zero.eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2 days ago: docs/about/removed-features: Replace 'since' -> 'removed in'
Philippe Mathieu-Daudé [Mon, 23 Mar 2026 15:05:09 +0000 (16:05 +0100)] 
docs/about/removed-features: Replace 'since' -> 'removed in'

We use "deprecated since ..." and "removed in ...".
Replace "since" by "removed in" for removed features.

Fixes: 762c8554394 ("vfio: Remove 'vfio-platform'")
Fixes: aeb1a50d4a7 ("vfio: Remove 'vfio-amd-xgbe' device")
Fixes: e50a021a451 ("hw/arm: Remove ast2700a0-evb machine")
Fixes: 4af2433a81b ("docs: Mention 32-bit PPC host as removed")
Fixes: 8ebc416ac17 ("vfio: Remove 'vfio-calxeda-xgmac' device")
Fixes: a80151c9da1 ("hw/sd/sdcard: Remove support for spec v1.10")
Fixes: 269ffaabc84 ("buildsys: Remove support for 32-bit MIPS hosts")
Fixes: fc37c122fff ("migration: Drop deprecated QMP migrate argument @detach")
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-Id: <20260323151934.92880-1-philmd@linaro.org>

2 days ago: Merge tag 'pull-target-arm-20260407' of https://gitlab.com/pm215/qemu into staging
Peter Maydell [Tue, 7 Apr 2026 17:55:04 +0000 (18:55 +0100)] 
Merge tag 'pull-target-arm-20260407' of https://gitlab.com/pm215/qemu into staging

target-arm queue:
 * docs/system: remove extraneous sentence
 * target/arm: fix fault_s1ns for stage 2 faults
 * target/arm: do_ats_write(): avoid assertion when ptw failed


* tag 'pull-target-arm-20260407' of https://gitlab.com/pm215/qemu:
  docs/system: remove extraneous sentence
  target/arm: fix fault_s1ns for stage 2 faults
  target/arm: do_ats_write(): avoid assertion when ptw failed

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2 days ago: docs/system: remove extraneous sentence
Alex Bennée [Mon, 6 Apr 2026 16:56:48 +0000 (17:56 +0100)] 
docs/system: remove extraneous sentence

Lest we confuse the reader about something we are no longer showing in
the example.

Fixes: 132f8ec799c (target/arm: change default pauth algorithm to impdef)
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-id: 20260406165648.997995-1-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2 days ago: target/arm: fix fault_s1ns for stage 2 faults
Alex Bennée [Sun, 5 Apr 2026 11:24:10 +0000 (12:24 +0100)] 
target/arm: fix fault_s1ns for stage 2 faults

The computation of s1ns was simply wrong. For Stage 2 faults, it
should indicate whether the faulting IPA is in the Non-Secure IPA
space. Correct the logic to check for ARMSS_NonSecure and drop the
extraneous s2_mmu_idx test.

This is effectively a change in the intended semantics of the
ARMMMUFaultInfo::s1ns field, so that we no longer try to make it
exactly match HPFAR_EL2.NS but instead set it for any stage 2 fault
on an NS IPA, relying on users of the field to check whether the
fault is to be taken to Secure EL2 before propagating the field to
the HPFAR_EL2.NS bit.  Since the actual writing of HPFAR_EL2.NS is
already gated by arm_is_secure_below_el3(env), we only need to update
the comments to document this change of semantics.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2568
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260405112410.603223-1-alex.bennee@linaro.org
[PMM: also update comments about the s1ns field]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
6 days ago: util/meson.build: do not add cpuinfo-$arch to util_ss for 32bit CPUs
Michael Tokarev [Wed, 25 Mar 2026 13:49:26 +0000 (16:49 +0300)] 
util/meson.build: do not add cpuinfo-$arch to util_ss for 32bit CPUs

qemu dropped support for 32bit CPUs recently, so this change is an
additional clean-up on top.  But in theory it will allow building
qemu-guest-agent on a 32bit system.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
8 days ago: target/arm: do_ats_write(): avoid assertion when ptw failed
Peter Maydell [Tue, 31 Mar 2026 09:23:05 +0000 (10:23 +0100)] 
target/arm: do_ats_write(): avoid assertion when ptw failed

In do_ats_write() we try to assert that the cacheattrs from
get_phys_addr_for_at() are in the form we expect:

    /*
     * ATS operations only do S1 or S1+S2 translations, so we never
     * have to deal with the ARMCacheAttrs format for S2 only.
     */
    assert(!res.cacheattrs.is_s2_format);

However, the GetPhysAddrResult struct documents that its fields are
only valid when the page table walk succeeded.  For a two stage page
table walk which fails during stage two, we will return early from
get_phys_addr_twostage() and depending on the fault type the
res.cacheattrs may have been initialized with the stage 2 cache attr
information in stage 2 format.  In this case we will incorrectly
assert here.

Fix the assertion to not look at the res fields if the lookup failed.

Note for stable backports: the do_ats_write() function is in
target/arm/helper.c in older QEMU versions, but the change to the
assert line is the same.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3328
Fixes: 9f225e607f21 ("target/arm: Postpone interpretation of stage 2 descriptor attribute bits")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260331092305.2062580-1-peter.maydell@linaro.org

8 days ago: Update version for v11.0.0-rc2 release (v11.0.0-rc2)
Peter Maydell [Wed, 1 Apr 2026 19:48:02 +0000 (20:48 +0100)] 
Update version for v11.0.0-rc2 release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 days ago: Merge tag 'firmware-20260401-for-11.0-pull-request' of https://gitlab.com/kraxel...
Peter Maydell [Wed, 1 Apr 2026 15:47:41 +0000 (16:47 +0100)] 
Merge tag 'firmware-20260401-for-11.0-pull-request' of https://gitlab.com/kraxel/qemu into staging

igvm bugfixes


* tag 'firmware-20260401-for-11.0-pull-request' of https://gitlab.com/kraxel/qemu:
  igvm: fix parent object type in IgvmCfg struct
  igvm: fix memory leak on failed memory region init
  igvm: switch to PRIx64

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 days ago: Merge tag 'pull-linux-user-20260401' of https://gitlab.com/pm215/qemu into staging
Peter Maydell [Wed, 1 Apr 2026 09:49:09 +0000 (10:49 +0100)] 
Merge tag 'pull-linux-user-20260401' of https://gitlab.com/pm215/qemu into staging

linux-user:
 * don't incorrectly sign extend guest addresses from mlock etc
 * fix name_to_handle_at when AT_HANDLE_MNT_ID_UNIQUE flag is set
 * update select timeout writeback
 * make openat2() use -L for absolute paths
 * correctly handle SIGSEGV generated when trying to deliver
   a synchronous signal


* tag 'pull-linux-user-20260401' of https://gitlab.com/pm215/qemu:
  bsd-user, linux-user: signal: recursive signal delivery fix
  linux-user: Make openat2() use -L for absolute paths
  linux-user: update select timeout writeback
  linux-user: fix name_to_handle_at when AT_HANDLE_MNT_ID_UNIQUE flag is set
  include/user/guest-host.h: Provide g2h etc for both abi_ptr and vaddr
  include: Don't include guest-host.h in cpu-ldst.h

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
9 days ago: Merge tag 'hppa-more-v11-fixes-pull-request' of https://github.com/hdeller/qemu-hppa...
Peter Maydell [Tue, 31 Mar 2026 19:46:13 +0000 (20:46 +0100)] 
Merge tag 'hppa-more-v11-fixes-pull-request' of https://github.com/hdeller/qemu-hppa into staging

HPPA patches for qemu-v11

A few late fixes for the HPPA architecture for QEMU v11:
- graphics support was broken for 64-bit machines. This series adds
  support for VGA graphics for Linux guests
- the various memory ranges were not correctly implemented
- TOC/NMI was not working on 64-bit machines
- minor 64-bit HP-UX boot fixes (but HP-UX 64-bit still crashes)


* tag 'hppa-more-v11-fixes-pull-request' of https://github.com/hdeller/qemu-hppa:
  target/hppa: Update SeaBIOS-hppa to version 24
  hw/hppa: Implement memory ranges
  target/hppa: Fix TOC handler for 64-bit CPUs
  hw/pci-host/astro: Add GMMIO mapping
  hw/pci-host/astro: Fix LMMIO DIRECT mappings
  hw/pci-host/astro: Implement LMMIO registers
  hw/pci-host/astro: Fix initial addresses in IOC
  hw/pci-host/astro: Make astro address arrays accessible for other users

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
9 days ago  target/hppa: Update SeaBIOS-hppa to version 24
Helge Deller [Tue, 31 Mar 2026 18:24:24 +0000 (20:24 +0200)] 
target/hppa: Update SeaBIOS-hppa to version 24

New SeaBIOS-hppa v24 release with various fixes for qemu-v11:
- Initialize Astro chip with relevant LMMIO, GMMIO and others
- Disable Artist on 64-bit machines
- Fully implement parisc memory ranges
- Change inventory to list CPU first for HP-UX
- Allow 715 to boot from HP-UX 11iv1 CD-ROM
- Prepare for MULTICELL machines
- Initialize PCI_CACHE_LINE_SIZE PCI value
- Call TOC/HPMC handler code from OS if installed

Signed-off-by: Helge Deller <deller@gmx.de>
9 days ago  hw/hppa: Implement memory ranges
Helge Deller [Sun, 29 Mar 2026 22:11:12 +0000 (00:11 +0200)] 
hw/hppa: Implement memory ranges

All 64-bit PA-RISC machines split the memory into (up to 3) different
memory ranges, which are mapped at specific addresses.  This patch
mimics the mapping as it's done on physical machines, which includes the
3.75 GB split for C3700, and 1 GB split for newer 64-bit PAT machines
like the A400.

SeaBIOS-hppa needs to know how the memory split is done, so add a new
memsplit_addr variable which stores the specific split address and hand
this over to SeaBIOS-hppa via fwcfg.

Signed-off-by: Helge Deller <deller@gmx.de>
9 days ago  target/hppa: Fix TOC handler for 64-bit CPUs
Helge Deller [Sun, 29 Mar 2026 18:46:52 +0000 (20:46 +0200)] 
target/hppa: Fix TOC handler for 64-bit CPUs

When the TOC handler is triggered, e.g. by using the "NMI" command
in the QEMU monitor, make sure to call the full 64-bit TOC handler
address in SeaBIOS-hppa firmware.
This fixes the TOC handler on 64-bit CPUs (and 64-bit SeaBIOS).

Signed-off-by: Helge Deller <deller@gmx.de>
9 days ago  hw/pci-host/astro: Add GMMIO mapping
Helge Deller [Sat, 28 Mar 2026 23:34:59 +0000 (00:34 +0100)] 
hw/pci-host/astro: Add GMMIO mapping

Implement the GMMIO mapping.

Signed-off-by: Helge Deller <deller@gmx.de>
9 days ago  hw/pci-host/astro: Fix LMMIO DIRECT mappings
Helge Deller [Sat, 28 Mar 2026 23:30:36 +0000 (00:30 +0100)] 
hw/pci-host/astro: Fix LMMIO DIRECT mappings

Fix the existing code which has the mask wrong.
Implement the direct mapping via overlapping subregion with priority 3
to make sure the direct mapping gets precedence over the LMMIO region.

Signed-off-by: Helge Deller <deller@gmx.de>
9 days ago  hw/pci-host/astro: Implement LMMIO registers
Helge Deller [Sat, 28 Mar 2026 23:26:14 +0000 (00:26 +0100)] 
hw/pci-host/astro: Implement LMMIO registers

Add code to adjust the memory mapping windows according to the LMMIO registers
in Astro.  This allows SeaBIOS-hppa to configure Astro depending on existing
PCI cards, and especially makes it possible to enable a VGA PCI card.

Signed-off-by: Helge Deller <deller@gmx.de>
9 days ago  hw/pci-host/astro: Fix initial addresses in IOC
Helge Deller [Sat, 28 Mar 2026 23:15:12 +0000 (00:15 +0100)] 
hw/pci-host/astro: Fix initial addresses in IOC

F-Extend the LMMIO and IOS distributed addresses.
Use the 44-bit address for the IOS distributed address.

Signed-off-by: Helge Deller <deller@gmx.de>
9 days ago  hw/pci-host/astro: Make astro address arrays accessible for other users
Helge Deller [Sat, 28 Mar 2026 23:12:09 +0000 (00:12 +0100)] 
hw/pci-host/astro: Make astro address arrays accessible for other users

Move the tables out of astro_realize(). This is needed because follow-up
patches will need those tables.

Signed-off-by: Helge Deller <deller@gmx.de>
9 days ago  bsd-user, linux-user: signal: recursive signal delivery fix
Nicholas Piggin [Sat, 21 Mar 2026 13:56:22 +0000 (23:56 +1000)] 
bsd-user, linux-user: signal: recursive signal delivery fix

Synchronous signals must accommodate a synchronous signal being
raised during delivery, as asynchronous ones do. For example
badframe errors during delivery will cause SIGSEGV to be raised.

Without this fix, cpu_loop() runs process_pending_signals() which
delivers the first synchronous signal (e.g., SIGILL) which fails
to set the handler and forces SIGSEGV, but that is not picked up.
process_pending_signals() returns. Then cpu_loop() runs cpu_exec()
again, which attempts to execute the same instruction, another
SIGILL.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Warner Losh <imp@bsdimp.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260321135624.581398-3-npiggin@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
9 days ago  linux-user: Make openat2() use -L for absolute paths
Sun Haoyu [Tue, 17 Mar 2026 05:38:27 +0000 (13:38 +0800)] 
linux-user: Make openat2() use -L for absolute paths

openat2() ignored the -L prefix and opened host files directly.
For example, openat2("/tmp/file") opened /tmp/file on the host, not
QEMU_LD_PREFIX/tmp/file like openat() does.

Fix this by using path() to rewrite absolute paths. Skip this
when RESOLVE_BENEATH or RESOLVE_IN_ROOT is set:
- RESOLVE_BENEATH rejects absolute paths anyway
- RESOLVE_IN_ROOT resolves relative to dirfd

Now openat() and openat2() work in the same way.

Link: https://gitlab.com/qemu-project/qemu/-/work_items/3341
Signed-off-by: Sun Haoyu <shyliuli@aosc.io>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260317053827.25051-1-shyliuli@aosc.io
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
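The pathname rule this commit describes, as an added example in C that is not QEMU's openat2() implementation: needs_sysroot_rewrite(), guest_path_to_host() and rewrites_to() are hypothetical names, the RESOLVE_* values are the Linux ABI constants from <linux/openat2.h> repeated so the file builds without that header, the -L directory in main() is constructed, and the prefix is assumed to have no trailing slash.

```c
/*
 * Added example, not QEMU's implementation: the openat2() pathname rule
 * for a user-mode emulator that confines a guest to a sysroot given with
 * -L. Function names are hypothetical; RESOLVE_BENEATH and RESOLVE_IN_ROOT
 * carry the Linux ABI values. 'prefix' is assumed to have no trailing slash.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef RESOLVE_BENEATH
#define RESOLVE_BENEATH 0x08
#endif
#ifndef RESOLVE_IN_ROOT
#define RESOLVE_IN_ROOT 0x10
#endif

/* Does this guest pathname have to be redirected under the sysroot? */
static bool needs_sysroot_rewrite(const char *path, uint64_t resolve)
{
    if (path[0] != '/') {
        return false;   /* relative: the kernel resolves it against dirfd */
    }
    if (resolve & RESOLVE_BENEATH) {
        return false;   /* kernel rejects absolute paths here anyway */
    }
    if (resolve & RESOLVE_IN_ROOT) {
        return false;   /* '/' already means dirfd, not the host root */
    }
    return true;        /* absolute: must not reach the host filesystem */
}

/*
 * Produce the host pathname for a guest openat2() call.
 * Returns the length written (excluding NUL) or -1 if out is too small.
 */
static int guest_path_to_host(const char *prefix, const char *path,
                              uint64_t resolve, char *out, size_t outlen)
{
    int n = needs_sysroot_rewrite(path, resolve)
                ? snprintf(out, outlen, "%s%s", prefix, path)
                : snprintf(out, outlen, "%s", path);
    if (n < 0 || (size_t)n >= outlen) {
        return -1;
    }
    return n;
}

/* Convenience check: does 'path' under 'prefix' rewrite to 'expected'? */
static bool rewrites_to(const char *prefix, const char *path,
                        uint64_t resolve, const char *expected)
{
    char out[4096];
    return guest_path_to_host(prefix, path, resolve, out, sizeof(out)) >= 0
           && strcmp(out, expected) == 0;
}

int main(void)
{
    const char *prefix = "/srv/sysroot";   /* constructed -L directory */
    char out[4096];

    guest_path_to_host(prefix, "/tmp/file", 0, out, sizeof(out));
    printf("openat2(\"/tmp/file\")                  -> %s\n", out);
    guest_path_to_host(prefix, "/tmp/file", RESOLVE_IN_ROOT, out, sizeof(out));
    printf("openat2(\"/tmp/file\", RESOLVE_IN_ROOT) -> %s\n", out);
    return 0;
}
```

The absolute-path case with RESOLVE_BENEATH is left alone because the kernel fails that call with EXDEV regardless of what the emulator does, and the RESOLVE_IN_ROOT case is left alone because the leading '/' is scoped to dirfd. String prefixing on its own does not stop a guest escaping the sysroot through absolute symlinks found inside it; that needs the emulator's own path resolution and is outside this example.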
9 days ago  linux-user: update select timeout writeback
Sun Haoyu [Fri, 20 Mar 2026 11:16:47 +0000 (19:16 +0800)] 
linux-user: update select timeout writeback

The Linux kernel writes back the remaining timeout for select-family
syscalls in poll_select_finish(). If that writeback fails, it keeps
the original return value.

However, QEMU only writes back the timeout on success. If the writeback
fails, QEMU returns -TARGET_EFAULT. This can lose the remaining
timeout and change the return value.

Update do_select(), do_pselect6(), and do_ppoll() to always write back
the timeout to match the Linux kernel's behavior. If the timeout
writeback fails, keep the original return value.

Tested with the issue reproducer.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3343
Signed-off-by: Sun Haoyu <shyliuli@aosc.io>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260320111647.138984-1-shyliuli@aosc.io
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
9 days ago  linux-user: fix name_to_handle_at when AT_HANDLE_MNT_ID_UNIQUE flag is set
Clayton Craft [Thu, 26 Mar 2026 05:59:36 +0000 (22:59 -0700)] 
linux-user: fix name_to_handle_at when AT_HANDLE_MNT_ID_UNIQUE flag is set

Linux 6.12 added AT_HANDLE_MNT_ID_UNIQUE, which indicates that mount_id
is 64 bits. If name_to_handle_at is called with this flag set then qemu
passes a 4-byte int to the kernel, which then tries to store 8 bytes in
a 4-byte variable, causing a SIGSEGV[1][2].

This stores mount_id in a 64-bit var if the flag is set.

1. https://gitlab.postmarketos.org/postmarketOS/pmaports/-/work_items/4431
2. https://github.com/systemd/systemd/issues/41279

Signed-off-by: Clayton Craft <craftyguy@postmarketos.org>
Reviewed-by: Helge Deller <deller@gmx.de>
Message-id: 20260325-fix-name-to-handle-at-v1-1-49fb922e6fd3@craftyguy.net
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
9 days ago  include/user/guest-host.h: Provide g2h etc for both abi_ptr and vaddr
Peter Maydell [Mon, 30 Mar 2026 14:31:23 +0000 (15:31 +0100)] 
include/user/guest-host.h: Provide g2h etc for both abi_ptr and vaddr

In commit 7804c84a ("include/user: Use vaddr in guest-host.h") we
changed all the functions in guest-host.h that took or returned their
guest address argument in type abi_ptr to instead use vaddr.

This introduced regressions for the case of a 32-bit guest and an
address above 2GB for the common situation where the address is a
syscall argument stored in a variable of type 'abi_long'.  With
abi_ptr (which will be an unsigned 32-bit type for 32-bit guests),
the address is cast to unsigned 32-bit, and then zero-extended to
64-bits in g2h_untagged_vaddr().  With the switch to vaddr (which is
always a 64-bit unsigned type), the guest address will instead be
sign-extended to 64 bits, which gives the wrong answer.

Fix this by providing two versions of the affected functions: the
standard names (g2h(), g2h_untagged(), guest_addr_valid_untagged(),
guest_range_valid_untagged(), cpu_untagged_addr()) return to using
the logically-correct abi_ptr type; new versions with a _vaddr()
prefix use the vaddr type.

accel/tcg/user-exec.c must change to use the _vaddr() versions; this
is the only file that uses guest-host.h that we want to compile once.
All the other uses are in linux-user and bsd-user code that
inherently has to know the sizes of target-ABI types.

Cc: qemu-stable@nongnu.org
Fixes: 7804c84a ("include/user: Use vaddr in guest-host.h")
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3333
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260330143123.1685142-3-peter.maydell@linaro.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
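The sign-extension hazard this commit message describes, as an added worked example in C that is not QEMU source: the abi_long/abi_ptr/vaddr typedefs, guest_base and the function names below are stand-ins chosen to model a 32-bit guest on a 64-bit host, and the addresses are constructed.

```c
/*
 * Added example, not QEMU source: how a 32-bit guest address above 2 GiB
 * goes wrong when a signed syscall argument is widened straight to a
 * 64-bit vaddr instead of first being narrowed to the guest pointer type.
 * The typedefs and guest_base are stand-ins modelling a 32-bit guest on
 * a 64-bit host.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t  abi_long;  /* 32-bit guest: signed type syscall args arrive in */
typedef uint32_t abi_ptr;   /* 32-bit guest: unsigned guest pointer type */
typedef uint64_t vaddr;     /* always 64-bit, always unsigned */

/* Host address at which guest address 0 is mapped (constructed value). */
static const uint64_t guest_base = 0x7f0000000000ULL;

/* Correct path: the argument is narrowed to abi_ptr, which zero-extends. */
static uint64_t g2h_untagged(abi_ptr addr)
{
    return guest_base + (uint64_t)addr;
}

/* Regressed path: a vaddr parameter receiving an abi_long directly gets the
 * usual C integer conversion, which sign-extends negative 32-bit values. */
static uint64_t g2h_untagged_vaddr(vaddr addr)
{
    return guest_base + addr;
}

/* Translate a syscall argument as user-mode emulation receives it. */
static uint64_t translate_syscall_arg(abi_long arg, bool narrow_to_abi_ptr)
{
    if (narrow_to_abi_ptr) {
        return g2h_untagged((abi_ptr)arg);
    }
    return g2h_untagged_vaddr(arg);   /* implicit int32_t -> uint64_t */
}

/* True when the two paths disagree for this argument. */
static bool translation_differs(abi_long arg)
{
    return translate_syscall_arg(arg, true) != translate_syscall_arg(arg, false);
}

int main(void)
{
    abi_long low  = 0x10000000;              /* below 2 GiB: both paths agree */
    abi_long high = (abi_long)0x80001000u;   /* above 2 GiB: negative as abi_long */

    printf("low  via abi_ptr 0x%" PRIx64 ", via vaddr 0x%" PRIx64 "\n",
           translate_syscall_arg(low, true), translate_syscall_arg(low, false));
    printf("high via abi_ptr 0x%" PRIx64 ", via vaddr 0x%" PRIx64 "\n",
           translate_syscall_arg(high, true), translate_syscall_arg(high, false));
    return 0;
}
```

Compile with any C99 compiler and run; the second line shows the two translations diverging by 4 GiB for the address above 2 GiB. The practical review check for a change like the one reverted here is to look for call sites that pass an abi_long (or any signed ABI type) into a parameter widened to vaddr without an explicit (abi_ptr) cast, because the compiler accepts that conversion silently.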
9 days ago  Merge tag 'for-upstream' of https://gitlab.com/kmwolf/qemu into staging
Peter Maydell [Tue, 31 Mar 2026 16:51:08 +0000 (17:51 +0100)] 
Merge tag 'for-upstream' of https://gitlab.com/kmwolf/qemu into staging

Block layer patches

- ide: Fix potential assertion failure on VM stop for PIO read error
- scsi: Don't consider LOGICAL UNIT NOT SUPPORTED guest recoverable
- vhost-user-blk-server: fix opt_io_size=1 causing severe Windows I/O degradation
- monitor: Fix deadlock in monitor_cleanup
- Fix filename references in comments

# -----BEGIN PGP SIGNATURE-----
#
# iQJFBAABCgAvFiEE3D3rFZqa+V09dFb+fwmycsiPL9YFAmnL4dURHGt3b2xmQHJl
# ZGhhdC5jb20ACgkQfwmycsiPL9aG/BAAiZ1XYu46Ct9+IdopoPYhEK+T7m7PuEUR
# KJPvdp0J6mVwVBehUjacmKvCtBQUbUF8x7PD6NMF3Q+7qkVqhmngbb4s5ks/zUQi
# MxZTJF1Yps9EZ6mI3bA6caV9PzegQSOA4p+RhOXaDt7lhXhBFt6lCVFVB5eCma+a
# 1dOxAbKD6geftaMvB1uQu5qYAtclATw1Gl4YSkdaO+UKGizce6YdKYOvFwU53EvO
# 4cRrrVzk7i5act61HcwT6xNSFJ+Fgmwcn+EiD0Uw/hOFzf8nXNS0DME7QJKjr6Ug
# Adv/439sUk5J1A//S3liSQ8D9SZBdi2yS7quMy4ggbwz9CqQvUi3ejenpOJtn8yG
# ylyhHmd4dnr8QC1Zf/3SbZ1hbLWn69y+rmV+e2uJF59bpWRMvqxeJX+D4DPe5LZp
# E8pckNmqkqkBfsPuM0nzW5qdPmkioZ+i2pEgAQ99tkUlcfFLvrlEaCr9AVKgDcZn
# B2HjaZPLrZtXEKMtKM4RXt7h8F33Zxnvy8chSdqW6J0BaWvPtFO7bJn2elAgibum
# ZBigvhfwkw9xxzlGmudTbNMz8Fnpc/KBue8bhzDkOe4AybcVwuefG3VIyI8tLkG9
# IoHxbeQM6+yHXjrvn3OLWLJ7HQ0EyBsRE9cpZN4p/3rSS5G7RWfNdAIuzwLamZQ3
# lmzdXf9++1E=
# =JiFt
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue Mar 31 16:01:41 2026 BST
# gpg:                using RSA key DC3DEB159A9AF95D3D7456FE7F09B272C88F2FD6
# gpg:                issuer "kwolf@redhat.com"
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" [full]
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74  56FE 7F09 B272 C88F 2FD6

* tag 'for-upstream' of https://gitlab.com/kmwolf/qemu:
  block: Fix crash after setting latency histogram with single bin
  vhost-user-blk-server: fix opt_io_size=1 causing severe Windows I/O degradation
  monitor: Fix deadlock in monitor_cleanup
  block: Fix references in bdrv_bsc_*() function comments
  scsi: Don't consider LOGICAL UNIT NOT SUPPORTED guest recoverable
  ide: Fix potential assertion failure on VM stop for PIO read error

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
9 days ago  include: Don't include guest-host.h in cpu-ldst.h
Peter Maydell [Mon, 30 Mar 2026 14:31:22 +0000 (15:31 +0100)] 
include: Don't include guest-host.h in cpu-ldst.h

We currently include user/guest-host.h from accel/tcg/cpu-ldst.h.
However that file doesn't need anything from guest-host.h, since we
removed the uses of g2h() in commit 9b74d403b30e ("accel/tcg: Move
user-only tlb_vaddr_to_host out of line").

Move the include of guest-host.h to where it's actually needed.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260330143123.1685142-2-peter.maydell@linaro.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
9 days ago  Merge tag 'hw-misc-20260331' of https://github.com/philmd/qemu into staging
Peter Maydell [Tue, 31 Mar 2026 14:21:44 +0000 (15:21 +0100)] 
Merge tag 'hw-misc-20260331' of https://github.com/philmd/qemu into staging

Misc HW patches

Few fixes and MAINTAINERS updates.

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmnLyKIACgkQ4+MsLN6t
# wN5PNw/9ELCMUEt9V+K4NvfHYEeBAj3TvjxqJSoZ2NI8NrOP4edzWz690D4Hdqg/
# Ptt+OpgQicfxCpFrH3VNC7v69zaVRPB17BAlwMOJDF7x/2vRa4RsaPDpM3zYy3NA
# Rc+ujc/Umt8T3O0qVVcRExGx4XhHyo7ed55GPMXNcMFmG2ndmX2K/ZJfRCBWqSjd
# aMsqG/ZnT5WR7MgWL4jOC3oZsOg53FlNl4cVDV5HuVKzR8kK3M2u1nDFB2Oyi7Wa
# /9d6h5lwXRW5VrccNMM2wSoQqeYiChq7/ZcxBgmZrgbq9vlsSFQ/ea+3NloTLbx9
# 7SVwR7XHL2Bo8Civ6VjmyStt8bRCNOAYD4cg2br/EDhO9rnyVNpaCcYprAcK9I+H
# CKcwWBzKvgzkboCqU5rXrE1m5E+eZX9xiz3K0J7up+m72rGunhOIeou4gAY4wtFj
# d7F5dCzzC7wn+iIK45KtDpGTb9chlOoTTx0auwco9Av1C5ZqqoVa1+Dpf4wKnb2+
# 2Hzpz5L7R8UxYWTyYuL3ZDOqaVc5ZIpxrYwbzLI8VO1lHN0vPfzNLXfUaIPO4XNm
# JL0GDUV4CetFVAQJHFckUEpI+NAGkajvmY5bckwSA1CXWGDqGmRIuaL9ML9R79/V
# yZUZ0z/WHJQlH8Q953BE2SxQzhql/ZKDQeQSP/LVmVaJW2arBAw=
# =vddZ
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue Mar 31 14:14:10 2026 BST
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* tag 'hw-misc-20260331' of https://github.com/philmd/qemu:
  MAINTAINERS: fix OSUOSL typo
  hw/hppa: Disable Artist graphics card on 64-bit machines
  hw/pci-host/astro: Update copyright and documentation link
  ati-vga: Add upper limit to x-linear-aper-size property
  ati-vga: Silence warning about operator precedence
  target/i386: Treat qtest like TCG for supported-features
  target/i386/cpu.c: Correct minor grammar error in warning
  backends/igvm: switch to PRIx64
  target/mips: save CP0 timer in vmstate
  MAINTAINERS: Separate QDev section from QOM one
  ppc/pnv: generate dtb after machine initialization is complete

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
9 days ago  block: Fix crash after setting latency histogram with single bin
Kevin Wolf [Tue, 31 Mar 2026 10:26:08 +0000 (12:26 +0200)] 
block: Fix crash after setting latency histogram with single bin

Passing an empty list of boundaries to block-latency-histogram-set sets
up a state that leads to a NULL pointer dereference when the next
request should be accounted for. This is not a useful configuration, so
just error out if the user tries to set it.

The crash can easily be reproduced with the following script:

    qmp() {
    cat <<EOF
    {'execute':'qmp_capabilities'}
    {'execute':'block-latency-histogram-set',
     'arguments': {'id':'ide0','boundaries':[]}}
    {'execute':'cont'}
    EOF
    }

    qmp | ./qemu-system-x86_64 -S -qmp stdio \
        -drive if=none,format=raw,file=null-co:// \
        -device ide-hd,drive=none0,id=ide0

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20260331102608.60882-1-kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
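An added example in C, not QEMU's block layer code, of the validation this commit adds: latency_histogram_set() rejects an empty boundary list (and an unordered one) at the command boundary, so the accounting path never runs against unconfigured state. All names are hypothetical and the boundaries in main() are constructed.

```c
/*
 * Added example, not QEMU's block layer: a latency histogram whose setup
 * refuses an empty boundary list instead of leaving state that
 * dereferences NULL when the next request is accounted. Names are
 * hypothetical; boundaries are in nanoseconds, like the QMP argument.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    size_t nbins;            /* number of boundaries + 1 */
    uint64_t *boundaries;    /* strictly increasing, nbins - 1 entries */
    uint64_t *bins;          /* request counts, NULL when not configured */
} LatencyHistogram;

/* Returns 0 on success, -1 if the boundary list is rejected or on OOM. */
static int latency_histogram_set(LatencyHistogram *h, const uint64_t *b, size_t n)
{
    if (n == 0) {
        return -1;   /* the fix: an empty list is an error, not a configuration */
    }
    for (size_t i = 1; i < n; i++) {
        if (b[i] <= b[i - 1]) {
            return -1;   /* bins must be ordered for the search below */
        }
    }
    uint64_t *nb = malloc(n * sizeof(*nb));
    uint64_t *bins = calloc(n + 1, sizeof(*bins));
    if (nb == NULL || bins == NULL) {
        free(nb);
        free(bins);
        return -1;
    }
    memcpy(nb, b, n * sizeof(*nb));
    free(h->boundaries);
    free(h->bins);
    h->boundaries = nb;
    h->bins = bins;
    h->nbins = n + 1;
    return 0;
}

/* Bin i holds latencies in [b[i-1], b[i]); the last bin is open-ended. */
static size_t latency_histogram_bin(const LatencyHistogram *h, uint64_t latency_ns)
{
    size_t lo = 0, hi = h->nbins - 1;   /* find first boundary above latency */
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (latency_ns < h->boundaries[mid]) {
            hi = mid;
        } else {
            lo = mid + 1;
        }
    }
    return lo;
}

/* Account one request; false if no histogram is configured (no crash). */
static bool latency_histogram_account(LatencyHistogram *h, uint64_t latency_ns)
{
    if (h->bins == NULL) {
        return false;
    }
    h->bins[latency_histogram_bin(h, latency_ns)]++;
    return true;
}

static void latency_histogram_free(LatencyHistogram *h)
{
    free(h->boundaries);
    free(h->bins);
    memset(h, 0, sizeof(*h));
}

int main(void)
{
    LatencyHistogram h = { 0 };
    uint64_t bounds[] = { 10000, 100000, 1000000 };   /* 10us, 100us, 1ms */

    printf("empty list accepted: %s\n",
           latency_histogram_set(&h, bounds, 0) == 0 ? "yes" : "no");
    latency_histogram_set(&h, bounds, 3);
    latency_histogram_account(&h, 42000);
    printf("bin of 42us: %zu\n", latency_histogram_bin(&h, 42000));
    latency_histogram_free(&h);
    return 0;
}
```

The QMP reproducer above is the black-box check for the original behaviour; with validation at the command boundary the request is refused with an error instead of leaving a histogram that crashes on the next I/O.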
9 days ago  vhost-user-blk-server: fix opt_io_size=1 causing severe Windows I/O degradation
Max Makarov [Mon, 30 Mar 2026 19:34:51 +0000 (22:34 +0300)] 
vhost-user-blk-server: fix opt_io_size=1 causing severe Windows I/O degradation

The QSD vhost-user-blk export sets opt_io_size=1 and min_io_size=1 in
the virtio config. These values are reported to the guest through the
VPD Block Limits page as OptimalTransferLength=1 block (512 bytes)
and OptimalTransferLengthGranularity=1 block.

Windows respects these hints and splits all I/O into ~512-byte
requests, causing ~100x sequential throughput degradation (150 MB/s
instead of 15+ GB/s). Linux is unaffected as its block layer ignores
these values.

Set both to 0 which means "not reported" per the SCSI Block Limits
VPD spec, allowing Windows to use its own optimal I/O size defaults.

Signed-off-by: Max Makarov <maxpain@linux.com>
Message-ID: <20260330193451.76037-1-maxpain@linux.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
9 days ago  monitor: Fix deadlock in monitor_cleanup
hongmianquan [Fri, 27 Mar 2026 13:10:24 +0000 (21:10 +0800)] 
monitor: Fix deadlock in monitor_cleanup

During qemu_cleanup, if a non-coroutine QMP command (e.g.,
query-commands) is concurrently received and processed by the
mon_iothread, it can lead to a deadlock in monitor_cleanup.

The root cause is a race condition between the main thread's shutdown
sequence and the coroutine's dispatching mechanism. When handling a
non-coroutine QMP command, qmp_dispatcher_co schedules the actual
command execution as a bottom half in iohandler_ctx and then yields. At
this suspended point, qmp_dispatcher_co_busy remains true.

Subsequently, the main thread in monitor_cleanup() sets
qmp_dispatcher_co_shutdown and calls qmp_dispatcher_co_wake(). Since
qmp_dispatcher_co_busy is already true, the aio_co_wake is skipped. The
main thread then enters the AIO_WAIT_WHILE_UNLOCKED loop, where it executes
the scheduled BH (do_qmp_dispatch_bh) via aio_poll(iohandler_ctx,
false); that BH attempts to wake up the coroutine, and aio_co_wake schedules a
new wake-up BH in iohandler_ctx. The main thread then blocks
indefinitely in aio_poll(qemu_aio_context, true), while the coroutine's
wake-up BH is starved in iohandler_ctx; qmp_dispatcher_co never reaches
termination, resulting in a deadlock.

The execution sequence is illustrated below:

 IO Thread                 Main Thread (qemu_aio_context)        qmp_dispatcher_co (iohandler_ctx)
    |                                 |                                        |
    |-- query-commands                |                                        |
    |-- qmp_dispatcher_co_wake()      |                                        |
    |    (sets busy = true)           |                                        |
    |                                 |   <-- Wakes up in iohandler_ctx -->    |
    |                                 |                                        |-- qmp_dispatch()
    |                                 |                                        |-- Schedules BH (do_qmp_dispatch_bh)
    |                                 |                                        |-- qemu_coroutine_yield()
    |                                 |                                            [State: Suspended, busy=true]
    |   [ quit triggered ]            |
    |                                 |-- monitor_cleanup()
    |                                 |-- qmp_dispatcher_co_shutdown = true
    |                                 |-- qmp_dispatcher_co_wake()
    |                                 |    -> Checks busy flag. It's TRUE!
    |                                 |    -> Skips aio_co_wake().
    |                                 |
    |                                 |-- AIO_WAIT_WHILE_UNLOCKED:
    |                                 |   |-- aio_poll(iohandler_ctx, false)
    |                                 |   |    -> Executes do_qmp_dispatch_bh
    |                                 |   |    -> Schedules 'co_schedule_bh' in iohandler_ctx
    |                                 |   |
    |                                 |   |-- aio_poll(qemu_aio_context, true)
    |                                 |   |    -> Blocks indefinitely! (Deadlock)
    |                                 |
    |                                 X (Main thread sleeping)                 X (Waiting for next iohandler_ctx poll)

To fix this, we add an explicit aio_wait_kick() in do_qmp_dispatch_bh()
to break the main loop out of its blocking poll, allowing it to evaluate
the loop condition and poll iohandler_ctx.

Suggested-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: hongmianquan <hongmianquan@bytedance.com>
Signed-off-by: wubo.bob <wubo.bob@bytedance.com>
Message-ID: <20260327131024.51947-1-hongmianquan@bytedance.com>
Acked-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
9 days ago  MAINTAINERS: fix OSUOSL typo
Alex Bennée [Tue, 31 Mar 2026 07:04:01 +0000 (08:04 +0100)] 
MAINTAINERS: fix OSUOSL typo

It stands for Oregon State University Open Source Lab.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-ID: <20260331070401.1125840-1-alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
9 days ago  hw/hppa: Disable Artist graphics card on 64-bit machines
Helge Deller [Mon, 30 Mar 2026 21:18:49 +0000 (23:18 +0200)] 
hw/hppa: Disable Artist graphics card on 64-bit machines

The original Artist graphics used the GSC bus, was often installed in old
32-bit machines (e.g. 715) and cannot be used on 64-bit machines.
This is why this patch makes the artist driver dependent on the Lasi chip,
which was never used in a 64-bit machine.

Note that there exists a variant of Artist for the PCI-bus (Visualize-EG PCI).
It has quite some differences in the registers, and would require that we write
a PCI ROM for it, so that Linux and HP-UX would be able to use it.

Instead, for now, users can simply use a standard VGA or ATI PCI graphics card
on Linux.  This can be enabled on the command line with "-device ati-vga" or
"-device VGA".  If the "-nographic" option is omitted, a PCI OHCI controller
with USB keyboard and USB mouse will be added automatically.

This fixes graphics support on 64-bit hppa machines and allows us to boot up a
64-bit Linux installation with VGA graphics.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260330211859.19317-3-deller@kernel.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
9 days ago  hw/pci-host/astro: Update copyright and documentation link
Helge Deller [Mon, 30 Mar 2026 21:18:48 +0000 (23:18 +0200)] 
hw/pci-host/astro: Update copyright and documentation link

Update the link to the documentation, which was still pointing to the
Wiki page. In the meantime the PA-RISC wiki was converted to a
read-the-docs website.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260330211859.19317-2-deller@kernel.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
9 days ago  ati-vga: Add upper limit to x-linear-aper-size property
BALATON Zoltan [Mon, 30 Mar 2026 21:09:17 +0000 (23:09 +0200)] 
ati-vga: Add upper limit to x-linear-aper-size property

Coverity warns in CID 1645968 about possible integer overflow. This
should never happen but to ensure that, add an upper limit on the
x-linear-aper-size. This may not silence the warning but makes sure
users cannot cause an overflow.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <541ffffdaa4c67b9dcbca6c2498e69b137bce95d.1774904832.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
9 days ago  ati-vga: Silence warning about operator precedence
BALATON Zoltan [Mon, 30 Mar 2026 21:09:16 +0000 (23:09 +0200)] 
ati-vga: Silence warning about operator precedence

Coverity in CID 1645969 warns about a possible operator precedence
issue, which is a false positive in this case, but simplify the
expression to silence the warning.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-ID: <24161ec41f118ad097387f8a84897dee7b4747b8.1774904832.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
9 days ago  target/i386: Treat qtest like TCG for supported-features
Peter Maydell [Mon, 30 Mar 2026 15:14:37 +0000 (16:14 +0100)] 
target/i386: Treat qtest like TCG for supported-features

In x86_cpu_get_supported_feature_word() we figure out the supported
features differently for each accelerator. The default case is
"set all feature bits"; however this triggers a warning because
it enables two features which conflict with each other:

$ ./build/x86/qemu-system-x86_64   -cpu max -accel qtest -S
qemu-system-x86_64: warning: this feature conflicts with APX: CPUID[eax=07h,ecx=00h].EBX.mpx [bit 14]
qemu-system-x86_64: warning: this feature conflicts with MPX: CPUID[eax=07h,ecx=01h].EDX.apxf [bit 21]

Treat qtest like TCG here, to avoid the complaint.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Message-ID: <20260330151437.1787008-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
9 days ago  target/i386/cpu.c: Correct minor grammar error in warning
Peter Maydell [Mon, 30 Mar 2026 15:13:09 +0000 (16:13 +0100)] 
target/i386/cpu.c: Correct minor grammar error in warning

Fix a minor error in the grammar of the warning messages
produced if both MPX and APX are enabled:

$ ./build/x86/qemu-system-x86_64   -cpu max -accel qtest -S
qemu-system-x86_64: warning: this feature conflicts with APX: CPUID[eax=07h,ecx=00h].EBX.mpx [bit 14]
qemu-system-x86_64: warning: this feature conflicts with MPX: CPUID[eax=07h,ecx=01h].EDX.apxf [bit 21]

Fixes: 91bc4d81078a ("i386/cpu: Add APX EGPRs into xsave area")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260330151309.1786787-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
9 days ago  backends/igvm: switch to PRIx64
Luigi Leonardi [Mon, 30 Mar 2026 12:43:07 +0000 (14:43 +0200)] 
backends/igvm: switch to PRIx64

Use the PRIx64 format macro instead of %lX for uint64_t values.

This is to improve portability as %lX is not necessarily 64 bits long.

Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
Reviewed-by: Ani Sinha <anisinha@redhat.com>
Message-ID: <20260330-igvm_fixes-v1-1-03587a5a808b@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
9 days ago  target/mips: save CP0 timer in vmstate
Trieu Huynh [Sun, 29 Mar 2026 11:37:32 +0000 (20:37 +0900)] 
target/mips: save CP0 timer in vmstate

The MIPS R4K CP0 timer (env->timer) is not included in vmstate_mips_cpu,
so after loadvm the QEMUTimer has no scheduled expiry. This causes
qemu_poll_ns() to block indefinitely and the guest to freeze until an
external I/O event (e.g. a keypress) wakes the main loop.

Fix by adding an optional vmstate subsection for the timer, following
the same pattern used by ARM (gt_timer), RISC-V (env.stimer), SPARC
(qtimer), and OpenRISC (timer).

The .needed callback returns false when env->timer is NULL (KVM mode),
keeping the subsection optional for backwards compatibility with
existing snapshots.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1987
Signed-off-by: Trieu Huynh <vikingtc4@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260329113732.482619-1-vikingtc4@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
9 days ago  MAINTAINERS: Separate QDev section from QOM one
Philippe Mathieu-Daudé [Wed, 25 Mar 2026 14:42:17 +0000 (15:42 +0100)] 
MAINTAINERS: Separate QDev section from QOM one

QDev is about the QEMU device model API, while
QOM is about the QEMU object model in plain C.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <20260325151728.45378-2-philmd@linaro.org>

9 days ago  ppc/pnv: generate dtb after machine initialization is complete
Shivang Upadhyay [Tue, 24 Mar 2026 13:50:26 +0000 (19:20 +0530)] 
ppc/pnv: generate dtb after machine initialization is complete

Currently, the machine dtb is generated in pnv_init(), before all devices
are fully initialized. This can result in an incomplete dtb for the system,
as seen in bug [1].

Fix this by deferring dtb generation until machine initialization is complete,
using the machine_init_done_notifier hook.

[1] https://lore.kernel.org/all/20260323231612.GA2637687@ax162/

Cc: Aditya Gupta <adityag@linux.ibm.com>
Cc: Harsh Prateek Bora <harshpb@linux.ibm.com>
Cc: BALATON Zoltan <balaton@eik.bme.hu>
Cc: qemu-stable@nongnu.org
Reported-by: Nathan Chancellor <nathan@kernel.org>
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Fixes: a16d4c2f162a86d ("ppc/pnv: fix dumpdtb option")
Signed-off-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-ID: <20260327124136.983955-1-shivangu@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
9 days ago  block: Fix references in bdrv_bsc_*() function comments
Yunjian Long [Wed, 25 Mar 2026 01:42:04 +0000 (09:42 +0800)] 
block: Fix references in bdrv_bsc_*() function comments

Some functions are defined in block_int-io.h, so the correct
annotation is block_int-io.h rather than block_int.h.

Signed-off-by: Yunjian Long <long.yunjian@zte.com.cn>
Message-ID: <20260325094204300GFCZYBzAE00cSWaldbDcT@zte.com.cn>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
9 days ago  Merge tag 'for-11.0-rc-pull-request' of https://gitlab.com/marcandre.lureau/qemu...
Peter Maydell [Tue, 31 Mar 2026 12:41:29 +0000 (13:41 +0100)] 
Merge tag 'for-11.0-rc-pull-request' of https://gitlab.com/marcandre.lureau/qemu into staging

Various UI & audio fixes for 11.0-rc

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCgAdFiEEh6m9kz+HxgbSdvYt2ujhCXWWnOUFAmnLmTsACgkQ2ujhCXWW
# nOUKig//Z6OlzPu5bmwwXulJpVsnwMHG5l+gftbYgs7p2XuMNFuejTQzHO6Ozns2
# chLJ3Of0xm9Z8NsQ2DZJThXjBUCanXCAOsuMYCAGy5PP2vTNBklwc6Sfm0a357cY
# um9E7GN21Kgc8CPizR/b5sv0enTZUT0JXPGapLZpuX2lOPrGpRXHA5thRtwcfaQP
# CHXJ6inWEgz3hXTTgxslvKIlwlTaH5EvjMWbjWgda//V/ZV2x8643o8n2qwO5spL
# ZY8j3TbPr10f4YnfwVcoRLfxnAswXeuk6LkJne0zv8WAQUOOkmi78H6oOmOCoJrt
# Lj08WXU+BJXZS6RKNN20eS1AmcHa2Z+59jXzwRDSRkskugeGACFlx/hbBMZwhbR9
# 0siL/dLJUdQhO/XiCYerN/HNwTy9j0lw4PWFNBBNPn66ykQQZWii4bzMWsVwt5IY
# yKhBQuAvHiN/wre0/NV914TuGWVHqwRYA37SPuLl7VfiR6hVJwTSUK7FscbswTLg
# WGjXB/uxn2XQJnYDXV9WaUHKAOIJ228HXBWLEB5vW55ZkJIl3xT5GL93kX8oFjSh
# 1vy3rVwrMO7UdS0UVhvXZC6E0tmI/fu67jcI8cQsENK6eqnXMdQEKY7otblW9LzM
# pesEUc7LKYFbYbxX8627MnbNU52HXan/XeV2otUJiX9ssUoIdag=
# =qtVg
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue Mar 31 10:51:55 2026 BST
# gpg:                using RSA key 87A9BD933F87C606D276F62DDAE8E10975969CE5
# gpg: Good signature from "Marc-André Lureau <marcandre.lureau@redhat.com>" [full]
# gpg:                 aka "Marc-André Lureau <marcandre.lureau@gmail.com>" [full]
# Primary key fingerprint: 87A9 BD93 3F87 C606 D276  F62D DAE8 E109 7596 9CE5

* tag 'for-11.0-rc-pull-request' of https://gitlab.com/marcandre.lureau/qemu:
  tests: don't build audio tests when no audio drivers are enabled
  ui/vnc-jobs: clear source tag
  ui/vnc-jobs: fix VncRectEntry leak on job cleanup
  ui/dbus: tear down clipboard callbacks on display finalize
  ui/dbus: associate add_client completion with its request
  audio/mixeng: fix sw/hw mixup in audio_pcm_sw_init_

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
9 days ago  scsi: Don't consider LOGICAL UNIT NOT SUPPORTED guest recoverable
Kevin Wolf [Mon, 30 Mar 2026 12:16:35 +0000 (14:16 +0200)] 
scsi: Don't consider LOGICAL UNIT NOT SUPPORTED guest recoverable

When commit bdf9613b introduced scsi_sense_buf_is_guest_recoverable(),
it included LOGICAL UNIT NOT SUPPORTED in the list of guest recoverable
sense codes. It doesn't really explain how the codes to be in the list
were selected.

As the LUN doesn't come from the guest, but from the block backend
(usually the SCSI device on the host that was opened with host_device,
but it could also be the iscsi block driver), there is really no way the
guest could influence this.

It seems that on some storage arrays, LOGICAL UNIT NOT SUPPORTED can
happen during failover operations. When combined with multipath, the
request should be retried on another path instead of being reported to
the guest, which would offline the filesystem in response.

Simply returning false in scsi_sense_buf_is_guest_recoverable() will
enable the retry logic in file-posix, and will also make sure that if
the error persists, the configured error policy is respected so that the
VM can be stopped.

Buglink: https://redhat.atlassian.net/browse/RHEL-158212
Fixes: bdf9613b7f87 ('scsi: explicitly list guest-recoverable sense codes')
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20260330121635.49205-1-kwolf@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
9 days ago  ide: Fix potential assertion failure on VM stop for PIO read error
Kevin Wolf [Thu, 26 Mar 2026 16:51:24 +0000 (17:51 +0100)] 
ide: Fix potential assertion failure on VM stop for PIO read error

ide_sector_read() as well as its callers neglect to call ide_set_retry()
before starting I/O. If the I/O fails, this means that the retry
information is stale. In particular, ide_handle_rw_error() has an
assertion that s->bus->retry_unit == s->unit, which can fail if either
there was no previous request or it came from another device on the bus.
If the assertion weren't there, a wrong request would be retried after
resuming the VM.

Fix this by adding a ide_set_retry() call to ide_sector_read().

This affects only reads because ide_transfer_start() does call
ide_set_retry(). For writes, the data transfer comes first and the I/O
is only started when the data has been read into s->io_buffer, so by
that time, ide_set_retry() has been called. For reads, however, the I/O
comes first and only then the data is transferred to the guest, so the
call in ide_transfer_start() is too late.

Buglink: https://redhat.atlassian.net/browse/RHEL-153537
Reported-by: Tingting Mao <timao@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20260326165124.138593-1-kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
9 days ago  tests: don't build audio tests when no audio drivers are enabled
Anton Kuchin [Fri, 27 Mar 2026 16:45:51 +0000 (16:45 +0000)] 
tests: don't build audio tests when no audio drivers are enabled

When there are no audio drivers, configure fails with "ERROR: Command
cannot have '@INPUT@', since no input files were specified".

Fixes: 3220b38a8d ("tests: start manual audio backend test")
Signed-off-by: Anton Kuchin <antonkuchin@nebius.com>
Message-ID: <DB8P190MB07142E1BA8DEEA8B2E41D5B2DB57A@DB8P190MB0714.EURP190.PROD.OUTLOOK.COM>
[ Marc-André - use empty modinfo stub ]
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
9 days ago  Merge tag 'migration-20260330-pull-request' of https://gitlab.com/farosas/qemu into...
Peter Maydell [Tue, 31 Mar 2026 08:39:52 +0000 (09:39 +0100)] 
Merge tag 'migration-20260330-pull-request' of https://gitlab.com/farosas/qemu into staging

Migration pull request

- Fix dirty limit (-m thorough) test
- Fix a few error message strings

# gpg: Signature made Mon Mar 30 19:58:38 2026 BST
# gpg:                using RSA key AA1B48B0A22326A5A4C364CFC798DC741BEC319D
# gpg:                issuer "farosas@suse.de"
# gpg: Good signature from "Fabiano Rosas <farosas@suse.de>" [unknown]
# gpg:                 aka "Fabiano Almeida Rosas <fabiano.rosas@suse.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: AA1B 48B0 A223 26A5 A4C3  64CF C798 DC74 1BEC 319D

* tag 'migration-20260330-pull-request' of https://gitlab.com/farosas/qemu:
  tests/qtest/migration: Fix slow test dirty_limit
  migration: Fix references to parameter names in error messages
  migration: Fix up error message for max-cpu-throttle

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 days ago  igvm: fix parent object type in IgvmCfg struct
Luigi Leonardi [Mon, 30 Mar 2026 12:43:09 +0000 (14:43 +0200)] 
igvm: fix parent object type in IgvmCfg struct

IgvmCfg is defined as an Object but, currently, its first member is an
ObjectClass.

Replace ObjectClass with Object.

Fixes: c1d466d267cf ("backends/igvm: Add IGVM loader and configuration")
Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
Reviewed-by: Ani Sinha <anisinha@redhat.com>
Message-ID: <20260330-igvm_fixes-v1-3-03587a5a808b@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
10 days ago  igvm: fix memory leak on failed memory region init
Luigi Leonardi [Mon, 30 Mar 2026 12:43:08 +0000 (14:43 +0200)] 
igvm: fix memory leak on failed memory region init

When memory_region_init_* fail, `igvm_pages` is not freed, causing a leak.

Free `igvm_pages` in the error path.

Fixes: c1d466d267cf ("backends/igvm: Add IGVM loader and configuration")
Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
Message-ID: <20260330-igvm_fixes-v1-2-03587a5a808b@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
10 days ago  igvm: switch to PRIx64
Luigi Leonardi [Mon, 30 Mar 2026 12:43:07 +0000 (14:43 +0200)] 
igvm: switch to PRIx64

Use the PRIx64 format macro instead of %lX for uint64_t values.

This is to improve portability as %lX is not necessarily 64 bit long.

Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
Reviewed-by: Ani Sinha <anisinha@redhat.com>
Message-ID: <20260330-igvm_fixes-v1-1-03587a5a808b@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
10 days ago  Merge tag 'pull-target-arm-20260330' of https://gitlab.com/pm215/qemu into staging
Peter Maydell [Mon, 30 Mar 2026 18:53:58 +0000 (19:53 +0100)] 
Merge tag 'pull-target-arm-20260330' of https://gitlab.com/pm215/qemu into staging

target-arm queue:
 * target/arm: Don't skip access flag fault for AccessType_AT
 * hw/net/rocker: Avoid double-free of l2_flood.group_ids
 * MAINTAINERS updates
 * hw/arm/xilinx_zynq: Use strcasecmp to parse boot-mode option values

# gpg: Signature made Mon Mar 30 19:52:13 2026 BST
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# gpg:                 aka "Peter Maydell <peter@archaic.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20260330' of https://gitlab.com/pm215/qemu:
  hw/arm/xilinx_zynq: Use strcasecmp to parse boot-mode option values
  MAINTAINERS: Remove Igor Mitsyanko
  MAINTAINERS: Remove Riku Voipio
  hw/net/rocker: Avoid double-free of l2_flood.group_ids
  target/arm: Don't skip access flag fault for AccessType_AT

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 days ago  hw/arm/xilinx_zynq: Use strcasecmp to parse boot-mode option values
Peter Maydell [Mon, 30 Mar 2026 15:18:07 +0000 (16:18 +0100)] 
hw/arm/xilinx_zynq: Use strcasecmp to parse boot-mode option values

In zynq_set_boot_mode() where we parse the string the user has set
the boot-mode option to, we use strncasecmp(str, "qspi", 4) and so
on.  This is wrong, because it means that we will ignore any trailing
junk on the end of the option string, and handle
 -machine boot-mode=sdXYZZY
the same as
 -machine boot-mode=sd

In the documentation we say:
 Supported values are ``jtag``, ``sd``, ``qspi`` and ``nor``.
and that's obviously what we meant to implement.

The correct tool for this job is a simple strcasecmp operation.
Switch to that.

We use g_ascii_strcasecmp() rather than plain strcasecmp()
because we're comparing ASCII strings here and don't want the
potentially locale-specific behaviour that strcasecmp() implies (and
we're trying to standardize on the glib function for this kind of
string comparison).

Fixes: 7df3747c92d13 ("hw/arm/xilinx_zynq: Add boot-mode property")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Kostiantyn Kostiuk <kkostiuk@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20260327145012.907264-1-peter.maydell@linaro.org
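The prefix-match bug this commit describes, side by side with the exact-match parser it switches to, as an added example (not QEMU's zynq_set_boot_mode() code). The ascii_* helpers below are our locale-independent stand-ins for g_ascii_strcasecmp()/strncasecmp, and the ZynqBootMode enum names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical enum for the four documented values plus a rejection. */
typedef enum {
    ZYNQ_BOOT_JTAG,
    ZYNQ_BOOT_SD,
    ZYNQ_BOOT_QSPI,
    ZYNQ_BOOT_NOR,
    ZYNQ_BOOT_INVALID
} ZynqBootMode;

/* ASCII-only case folding, deliberately independent of the C locale:
 * the property the commit wants from g_ascii_strcasecmp(). */
static int ascii_lower(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') ? c - 'A' + 'a' : c;
}

/* Compare whole strings, ASCII case-insensitively; 0 means equal. */
static int ascii_strcasecmp(const char *a, const char *b)
{
    while (*a && ascii_lower((unsigned char)*a) == ascii_lower((unsigned char)*b)) {
        a++;
        b++;
    }
    return ascii_lower((unsigned char)*a) - ascii_lower((unsigned char)*b);
}

/* Compare at most n characters; this is what the buggy code relied on. */
static int ascii_strncasecmp(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int ca = ascii_lower((unsigned char)a[i]);
        int cb = ascii_lower((unsigned char)b[i]);
        if (ca != cb || ca == '\0') {
            return ca - cb;
        }
    }
    return 0;
}

static const struct {
    const char *name;
    ZynqBootMode mode;
} boot_modes[] = {
    { "jtag", ZYNQ_BOOT_JTAG },
    { "sd",   ZYNQ_BOOT_SD },
    { "qspi", ZYNQ_BOOT_QSPI },
    { "nor",  ZYNQ_BOOT_NOR },
};

/* Before the fix: strncasecmp(str, name, strlen(name)) only checks a
 * prefix, so "sdXYZZY" is accepted as "sd". */
static ZynqBootMode parse_boot_mode_prefix(const char *str)
{
    for (size_t i = 0; i < sizeof(boot_modes) / sizeof(boot_modes[0]); i++) {
        if (ascii_strncasecmp(str, boot_modes[i].name,
                              strlen(boot_modes[i].name)) == 0) {
            return boot_modes[i].mode;
        }
    }
    return ZYNQ_BOOT_INVALID;
}

/* After the fix: the option must equal one of the documented values
 * (case-insensitively); trailing junk is rejected. */
static ZynqBootMode parse_boot_mode_exact(const char *str)
{
    for (size_t i = 0; i < sizeof(boot_modes) / sizeof(boot_modes[0]); i++) {
        if (ascii_strcasecmp(str, boot_modes[i].name) == 0) {
            return boot_modes[i].mode;
        }
    }
    return ZYNQ_BOOT_INVALID;
}

int main(void)
{
    const char *inputs[] = { "sd", "SD", "sdXYZZY", "qspi", "bogus" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        printf("%-8s prefix=%d exact=%d\n", inputs[i],
               parse_boot_mode_prefix(inputs[i]),
               parse_boot_mode_exact(inputs[i]));
    }
    return 0;
}
```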

10 days ago  MAINTAINERS: Remove Igor Mitsyanko
Peter Maydell [Mon, 30 Mar 2026 15:18:07 +0000 (16:18 +0100)] 
MAINTAINERS: Remove Igor Mitsyanko

Igor Mitsyanko doesn't wish to be listed in MAINTAINERS any more;
remove his email from the relevant sections.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260323134741.4114629-3-peter.maydell@linaro.org

10 days ago  MAINTAINERS: Remove Riku Voipio
Peter Maydell [Mon, 30 Mar 2026 15:18:07 +0000 (16:18 +0100)] 
MAINTAINERS: Remove Riku Voipio

Riku Voipio doesn't wish to be listed in MAINTAINERS any more;
remove his email from the relevant sections.

This moves the "overall usermode emulation" section to Orphan status.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260323134741.4114629-2-peter.maydell@linaro.org

10 days ago  hw/net/rocker: Avoid double-free of l2_flood.group_ids
Peter Maydell [Mon, 30 Mar 2026 15:18:06 +0000 (16:18 +0100)] 
hw/net/rocker: Avoid double-free of l2_flood.group_ids

In of_dpa_cmd_add_l2_flood(), we allocate memory for the
group->l2_flood.group_ids array, freeing any previous array.
However, in the error-exit path we free the group_ids memory but do
not clear the pointer to NULL.  This means that if the guest causes
us to take the error-exit path and then later call the function
again, we will try again to free the memory we already freed.

Fix this by clearing the group_ids pointer in the error exit
path, so we maintain the invariant of "either it points at
allocated memory, or it is NULL" (both being valid to g_free()).

Cc: qemu-stable@nongnu.org
Fixes: dc488f88806 ("rocker: add new rocker switch device")
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3253
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260324193530.375628-1-peter.maydell@linaro.org
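A reduced model of the error-exit path the commit describes, as an added example (not the rocker device code): the same function with and without the pointer reset, and a check that the "either NULL or owns memory" invariant holds after a rejected command. Plain malloc/free stand in for QEMU's g_malloc/g_free, and the group_id_valid() rule is hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Only the l2_flood member the commit talks about is modelled. */
typedef struct OfDpaGroup {
    struct {
        uint32_t *group_ids;
        uint16_t  group_count;
    } l2_flood;
} OfDpaGroup;

/* Hypothetical validity rule standing in for the real per-member check:
 * a member id of 0 is treated as an invalid group reference. */
static bool group_id_valid(uint32_t id)
{
    return id != 0;
}

/*
 * Model of of_dpa_cmd_add_l2_flood(): replace the group's member list.
 * clear_on_error selects the behaviour of the error-exit path:
 *   false - the bug in the commit (free without resetting the pointer)
 *   true  - the fix (free and set the pointer back to NULL)
 * Returns 0 on success, -1 when a member id is rejected.
 */
static int add_l2_flood(OfDpaGroup *group, const uint32_t *ids,
                        uint16_t count, bool clear_on_error)
{
    /* Release any previous array. This is only safe while the invariant
     * "NULL or live allocation" holds; free(NULL) is a no-op. */
    free(group->l2_flood.group_ids);
    group->l2_flood.group_ids = malloc((size_t)count * sizeof(uint32_t));
    if (!group->l2_flood.group_ids) {
        return -1;
    }
    group->l2_flood.group_count = count;

    for (uint16_t i = 0; i < count; i++) {
        if (!group_id_valid(ids[i])) {
            /* error-exit path */
            free(group->l2_flood.group_ids);
            if (clear_on_error) {
                group->l2_flood.group_ids = NULL;   /* the fix */
            }
            group->l2_flood.group_count = 0;
            return -1;
        }
        group->l2_flood.group_ids[i] = ids[i];
    }
    return 0;
}

/* Replay the commit's scenario: a rejected command, then another command
 * on the same group.  Returns true only if the pointer was NULL after the
 * failure (so the second call's free() is safe) and the second call then
 * succeeds.  Without the fix the pointer is left dangling; we report
 * false there instead of issuing the second free. */
static bool scenario_is_double_free_safe(bool clear_on_error)
{
    OfDpaGroup group;
    const uint32_t bad[]  = { 7, 0 };      /* constructed: 0 is rejected */
    const uint32_t good[] = { 7, 8, 9 };   /* constructed */
    memset(&group, 0, sizeof(group));

    if (add_l2_flood(&group, bad, 2, clear_on_error) != -1) {
        return false;
    }
    if (group.l2_flood.group_ids != NULL) {
        return false;   /* dangling: a second command would free it again */
    }
    int rc = add_l2_flood(&group, good, 3, clear_on_error);
    bool ok = (rc == 0) && group.l2_flood.group_count == 3
              && group.l2_flood.group_ids[2] == 9;
    free(group.l2_flood.group_ids);
    return ok;
}

int main(void)
{
    printf("with fix:    %s\n", scenario_is_double_free_safe(true) ? "safe" : "unsafe");
    printf("without fix: %s\n", scenario_is_double_free_safe(false) ? "safe" : "unsafe");
    return 0;
}
```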

10 days ago  target/arm: Don't skip access flag fault for AccessType_AT
Zenghui Yu [Mon, 30 Mar 2026 15:18:06 +0000 (16:18 +0100)] 
target/arm: Don't skip access flag fault for AccessType_AT

As per the pseudo code from DDI0487 M.a.a (on J1-16021) AArch64.S1Walk():

  // Check descriptor AF bit
  elsif (descriptor<10> == '0' && walkparams.ha == '0' &&
          (!accdesc.acctype IN {AccessType_DC, AccessType_IC} ||
           boolean IMPLEMENTATION_DEFINED "Generate access flag fault on IC/DC operations")) then
      fault.statuscode = Fault_AccessFlag;

an access flag fault should be generated for AccessType_AT, if the AF bit
is 0 and !param.ha.

Besides, we should continue to not raise the access flag fault for
in_debug = true, which is what we've been doing previously (before commit
efebeec13d07) for LPAE and is what the intention of the debugger access
codepath is.

Cc: qemu-stable@nongnu.org
Fixes: efebeec13d07 ("target/arm: Skip AF and DB updates for AccessType_AT")
Signed-off-by: Zenghui Yu <zenghui.yu@linux.dev>
Message-id: 20260324160321.96347-1-zenghui.yu@linux.dev
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 days ago  tests/qtest/migration: Fix slow test dirty_limit
Fabiano Rosas [Thu, 26 Mar 2026 16:44:05 +0000 (13:44 -0300)] 
tests/qtest/migration: Fix slow test dirty_limit

After the referenced commit, the incoming side doesn't exit
automatically after a failure. Tests that expect the destination to
fail should use -incoming defer, issue QMP migrate-incoming, wait for
the failure event and issue QMP quit.

Fix the dirty_limit test which wasn't updated properly.

Fixes: 4e8c4dda97 ("tests/qtest/migration: Force exit-on-error=false")
Reported-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260326164405.1626-1-farosas@suse.de
Signed-off-by: Fabiano Rosas <farosas@suse.de>
10 days ago  migration: Fix references to parameter names in error messages
Markus Armbruster [Thu, 26 Mar 2026 07:42:46 +0000 (08:42 +0100)] 
migration: Fix references to parameter names in error messages

Migration parameter names separate words with hyphens.  A number of
error messages in migrate_params_check() use underscores instead.
Wrong since day one.  Fix them.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260326074247.188674-3-armbru@redhat.com
Signed-off-by: Fabiano Rosas <farosas@suse.de>
10 days ago  migration: Fix up error message for max-cpu-throttle
Markus Armbruster [Thu, 26 Mar 2026 07:42:45 +0000 (08:42 +0100)] 
migration: Fix up error message for max-cpu-throttle

Fixes: 1a739d301232 (migration: Do away with usage of QERR_INVALID_PARAMETER_VALUE)
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260326074247.188674-2-armbru@redhat.com
Signed-off-by: Fabiano Rosas <farosas@suse.de>
10 days ago  Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging
Peter Maydell [Mon, 30 Mar 2026 12:54:56 +0000 (13:54 +0100)] 
Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* more WHPX fixes and documentation
* hpet: fix bounds check for s->timer[]
* hpet: lower HPET_MAX_TIMERS to 24
* lsi53c895a: keep SCSIRequest alive during DMA
* lsi53c895a: keep device alive during SCRIPTS execution
* hw/acpi: fix save/restore for MIPS Malta machine

# gpg: Signature made Mon Mar 30 11:14:37 2026 BST
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
  hw/acpi: Do not save/load cpuhp state unconditionally
  lsi53c895a: keep SCSIRequest alive during DMA
  lsi53c895a: keep lsi_request alive as long as the SCSIRequest
  lsi53c895a: keep lsi_request and SCSIRequest in local variables
  lsi53c895a: do not do anything else if a reset is requested by writing ISTAT0
  lsi53c895a: keep a reference to the device while SCRIPTS execute
  hpet: lower HPET_MAX_TIMERS to 24
  hpet: fix bounds check for s->timer[]
  target/i386: emulate: remove redundant logging for unmapped MMIO access
  whpx: i386: trace unsupported MSR accesses
  docs: add WHPX section with initial info
  meson.build: remove i386-softmmu WHPX support

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 days ago  Merge tag 'pull-aspeed-20260330' of https://github.com/legoater/qemu into staging
Peter Maydell [Mon, 30 Mar 2026 12:54:48 +0000 (13:54 +0100)] 
Merge tag 'pull-aspeed-20260330' of https://github.com/legoater/qemu into staging

aspeed queue:

* Complete lost interrupts fix in the Aspeed I2C model
* Fix a vlan tag insertion issue in the ftgmac100 model

# gpg: Signature made Mon Mar 30 12:48:22 2026 BST
# gpg:                using RSA key A0F66548F04895EBFE6B0B6051A343C7CFFBECA1
# gpg: Good signature from "Cédric Le Goater <clg@redhat.com>" [full]
# gpg:                 aka "Cédric Le Goater <clg@kaod.org>" [full]
# Primary key fingerprint: A0F6 6548 F048 95EB FE6B  0B60 51A3 43C7 CFFB ECA1

* tag 'pull-aspeed-20260330' of https://github.com/legoater/qemu:
  net/ftgmac100: preserve full VLAN TCI in TX tag insertion
  hw/i2c/aspeed_i2c: reset and migrate pending_intr_sts

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 days ago  Merge tag 'pull-request-2026-03-30' of https://gitlab.com/thuth/qemu into staging
Peter Maydell [Mon, 30 Mar 2026 10:50:24 +0000 (11:50 +0100)] 
Merge tag 'pull-request-2026-03-30' of https://gitlab.com/thuth/qemu into staging

* Fix some warnings from pylint in the functional tests
* Fix migration of the isa-cirrus-vga device
* Remove obsolete linuxboot.bin prebuilt blob
* Fix migration functional test to check for socat instead of ncat now

# gpg: Signature made Mon Mar 30 11:25:58 2026 BST
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [undefined]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* tag 'pull-request-2026-03-30' of https://gitlab.com/thuth/qemu:
  tests/functional/migration.py: Skip migration_with_exec() if socat is not available
  pc-bios: remove obsolete linuxboot.bin prebuilt blob
  hw/display/cirrus_vga_isa: Disable global_vmstate by default for new machines
  hw/display/vga-isa: Fix migration of the isa-vga device
  tests/functional/qemu_test: Silence warnings from pylint in config.py
  tests/functional/qemu_test: Split huge fetch() function in asset.py
  tests/functional/qemu_test: Silence (most) warnings from pylint in asset.py

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10 days ago  tests/functional/migration.py: Skip migration_with_exec() if socat is not available
Zhao Liu [Mon, 30 Mar 2026 05:33:00 +0000 (13:33 +0800)] 
tests/functional/migration.py: Skip migration_with_exec() if socat is not available

Commit 643a171f5668 ("tests: Replace ncat with socat in migration test
and drop ncat from containers") replaced ncat with socat, but missed
skipping the related test cases if socat is not available, which causes
test errors on systems without socat.

Fix this by checking socat instead of the original ncat.

Fixes: 643a171f5668 ("tests: Replace ncat with socat in migration test and drop ncat from containers")
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Message-ID: <20260330053300.2721608-1-zhao1.liu@intel.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
10 days ago  hw/acpi: Do not save/load cpuhp state unconditionally
Zhao Liu [Mon, 30 Mar 2026 05:30:08 +0000 (13:30 +0800)] 
hw/acpi: Do not save/load cpuhp state unconditionally

Commit 7aa563630b6b ("pc: Start with modern CPU hotplug interface
by default") removed the .needed callback (vmstate_test_use_cpuhp)
from vmstate_cpuhp_state in both piix4.c and ich9.c.

However, PIIX4 is also used by non-PC boards - MIPS Malta, which does
not select CONFIG_ACPI_CPU_HOTPLUG. For MIPS Malta, the linker resolves
vmstate_cpu_hotplug to the stub one in acpi-cpu-hotplug-stub.c, which is
a zero-initialized VMStateDescription with .fields == NULL.

Before commit 7aa563630b6b, .needed() of PIIX4's vmstate_cpuhp_state
returned false for MIPS Malta since PIIX4PMState always initialized the
field cpu_hotplug_legacy as true. Malta implicitly relies on this
initial value to bypass vmstate_cpuhp_state. However, this is unstable
because Malta itself does not support CPU hotplugging, whether via the
legacy way or the modern way.

Commit 7aa563630b6b removed the .needed() check for vmstate_cpuhp_state;
this broke the existing dependency that Malta had relied on, forcing
Malta to save and load vmstate_cpuhp_state during the save/load process,
which in turn caused a segmentation fault due to NULL fields in the
stub-compiled code.

Fix this by bringing back the .needed = cpuhp_needed callback for
vmstate_cpuhp_state of PIIX4, that checks
MachineClass::has_hotpluggable_cpus. Boards that do not support CPU
hotplug (only MIPS Malta) will skip this subsection entirely, which
is both correct and consistent with the previous behavior.

At the same time, add a similar .needed() check to ICH9. Although no
boards with ICH9 are affected by this issue, this helps avoid potential
issues in the future.

Reproducer (MIPS Malta):
  $ qemu-img create -f qcow2 dummy.qcow2 32M
  $ qemu-system-mipsel -nographic \
      -drive if=none,format=qcow2,file=dummy.qcow2
  [Type "C-a c" to get the "(qemu)" monitor prompt]
  (qemu) savevm foo    # segfault

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Fixes: 7aa563630b6b ("pc: Start with modern CPU hotplug interface by default")
Signed-off-by: Zhao Liu <zhao1.liu@intel.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3360
Tested-by: Peter Maydell <peter.maydell@linaro.org>
Link: https://lore.kernel.org/r/20260330053008.2721532-1-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
10 days ago  lsi53c895a: keep SCSIRequest alive during DMA
Paolo Bonzini [Fri, 27 Mar 2026 17:42:45 +0000 (18:42 +0100)] 
lsi53c895a: keep SCSIRequest alive during DMA

Reentrant MMIO can cause the SCSIRequest to be completed, at which
point lsi_request_orphan would drop the last reference.  Anything
that happens afterwards would access freed data.  Keep a reference
to the SCSIRequest and, through req->hba_private, to the lsi_request*
for as long as DMA runs.

Reported-by: Jihe Wang <wangjihe.mail@gmail.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
10 days ago  lsi53c895a: keep lsi_request alive as long as the SCSIRequest
Paolo Bonzini [Fri, 27 Mar 2026 17:40:45 +0000 (18:40 +0100)] 
lsi53c895a: keep lsi_request alive as long as the SCSIRequest

To protect against using the lsi_request after SCSIRequest has been freed,
keep the HBA-private data alive until the last reference to the SCSIRequest
is gone.  Because req->hba_private was used (even if just for an assertion)
to check that the request was still either current or queued, add a boolean
field that is set when the SCSIRequest is cancelled or completed, which
is when the lsi_request would have been unqueued.

Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
10 days ago  lsi53c895a: keep lsi_request and SCSIRequest in local variables
Paolo Bonzini [Fri, 27 Mar 2026 17:32:17 +0000 (18:32 +0100)] 
lsi53c895a: keep lsi_request and SCSIRequest in local variables

Protect against changes from reentrant device MMIO during DMA, by always
operating on the same request.

Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
10 days ago  lsi53c895a: do not do anything else if a reset is requested by writing ISTAT0
Paolo Bonzini [Fri, 27 Mar 2026 16:39:15 +0000 (17:39 +0100)] 
lsi53c895a: do not do anything else if a reset is requested by writing ISTAT0

If the device is reset, anything that is done before will not really
be visible.  So do the reset and exit immediately if that is one
of the requests in the value written to ISTAT0.

Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
10 days ago  ui/vnc-jobs: clear source tag
Marc-André Lureau [Fri, 13 Mar 2026 18:29:12 +0000 (22:29 +0400)] 
ui/vnc-jobs: clear source tag

Avoid potentially removing a dangling source & simplify code.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
10 days ago  ui/vnc-jobs: fix VncRectEntry leak on job cleanup
Marc-André Lureau [Fri, 13 Mar 2026 16:54:47 +0000 (20:54 +0400)] 
ui/vnc-jobs: fix VncRectEntry leak on job cleanup

When a VncJob is freed, its associated VncRectEntry list must also be
freed. Previously, vnc_job_push() and the disconnected path in
vnc_worker_thread_loop() called g_free(job) directly, leaking all
VncRectEntry allocations.

Introduce vnc_job_free() which iterates and frees the rectangle entries
before freeing the job itself, and use it in both paths.

Also add QLIST_REMOVE() in the worker loop before g_free(entry), so
that entries processed during normal operation are properly unlinked.
Without this, vnc_job_free() would iterate dangling pointers to
already-freed entries, causing use-after-free.

Fixes: bd023f953e5e ("vnc: threaded VNC server")
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
10 days ago  ui/dbus: tear down clipboard callbacks on display finalize
GuoHan Zhao [Mon, 30 Mar 2026 09:13:10 +0000 (17:13 +0800)] 
ui/dbus: tear down clipboard callbacks on display finalize

The clipboard D-Bus teardown path currently runs when the peer
disappears, but not when DBusDisplay itself is finalized.

That leaves pending clipboard requests and signal handlers associated
with the clipboard proxy active past display teardown.

Add an explicit clipboard fini hook and invoke it from
dbus_display_finalize() so the clipboard teardown also runs during
display destruction.

Fixes: ff1a5810f61f ("ui/dbus: add clipboard interface")
Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
Message-ID: <20260330091310.42868-1-zhaoguohan@kylinos.cn>
[ Marc-André - Move clipboard finalization to the function ]
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
10 days ago  ui/dbus: associate add_client completion with its request
GuoHan Zhao [Thu, 26 Mar 2026 06:51:11 +0000 (14:51 +0800)] 
ui/dbus: associate add_client completion with its request

Commit 99997823bbbd ("ui/dbus: add p2p=on/off option")
introduced an asynchronous D-Bus client setup path, with the completion
handler reaching back into the global dbus_display state.

This makes the callback effectively operate on whatever request is
current when it runs, rather than the one that created it. A completion
from an older request can therefore clear a newer
add_client_cancellable or install its connection after a replacement
request has already been issued. It also relies on the DBusDisplay
instance remaining alive until completion.

Fix this by passing the DBusDisplay and GCancellable as callback data,
taking references while the async setup is in flight, and only acting
on completion if it still matches the current request. Also drop the
previous cancellable before creating a new request.

Fixes: 99997823bbbd ("ui/dbus: add p2p=on/off option")
Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20260326065111.626236-1-zhaoguohan@kylinos.cn>

10 days ago  audio/mixeng: fix sw/hw mixup in audio_pcm_sw_init_
Marc-André Lureau [Tue, 17 Mar 2026 15:02:27 +0000 (19:02 +0400)] 
audio/mixeng: fix sw/hw mixup in audio_pcm_sw_init_

Commit 42061a14358 ("audio/mixeng: replace redundant pcm_info fields
with AudioFormat") accidentally changed the conv/clip function selection
in audio_pcm_sw_init_ to use hw->info.af (the hardware voice format)
instead of sw->info.af (the software voice format). This causes audio
distortion when the software and hardware voices use different formats,
as the wrong conversion functions are applied to the audio data.

Fix by using sw->info.af, restoring the original behavior.

Fixes: 42061a14358c ("audio/mixeng: replace redundant pcm_info fields with AudioFormat")
Reported-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
10 days ago lsi53c895a: keep a reference to the device while SCRIPTS execute
Paolo Bonzini [Fri, 27 Mar 2026 16:37:31 +0000 (17:37 +0100)] 
lsi53c895a: keep a reference to the device while SCRIPTS execute

SCRIPTS execution can trigger PCI device unplug and consequently
a use-after-free after the unplug returns.  Avoid this by keeping
the device alive.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3090
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
10 days ago hpet: lower HPET_MAX_TIMERS to 24
Paolo Bonzini [Fri, 27 Mar 2026 20:46:54 +0000 (21:46 +0100)] 
hpet: lower HPET_MAX_TIMERS to 24

Each timer block occupies 32 bytes, but they only start at
offset 256 of the 1024-byte MMIO register space.  Therefore
the correct limit for HPET_MAX_TIMERS is 24, not 32.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
10 days ago hpet: fix bounds check for s->timer[]
Paolo Bonzini [Fri, 27 Mar 2026 16:25:06 +0000 (17:25 +0100)] 
hpet: fix bounds check for s->timer[]

Fix an off-by-one issue in QEMU's HPET read and write MMIO handlers.
Both handlers check timer_id > s->num_timers instead of timer_id >=
s->num_timers, allowing a guest to access one timer beyond the valid
range.

The affected slot is initialized properly in hpet_realize, which goes
through all HPET_MAX_TIMERS elements of the array, so even though
it is not reset in hpet_reset() the bug does not cause any use of
uninitialized host memory.  Because of this, and also because (even
though HPET_MAX_TIMERS is 32) the HPET only has room for 24 timers in
its MMIO region, the bug has no security implications.

Commit 869b0afa4fa ("rust/hpet: Drop BqlCell wrapper for num_timers",
2025-06-06) silently fixed the same bug in rust/hw/timer/hpet/src/device.rs.

Reported-by: Yuma Kurogome, Ricerca Security, Inc. <yumak@ricsec.co.jp>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
10 days ago target/i386: emulate: remove redundant logging for unmapped MMIO access
Mohamed Mediouni [Fri, 27 Mar 2026 01:11:52 +0000 (02:11 +0100)] 
target/i386: emulate: remove redundant logging for unmapped MMIO access

ReactOS's install ISO does a bunch of 4-byte accesses
to 0xffdff124. This doesn't happen for the boot ISO.

It looks to be an access relative to the Windows KPCR
which is at 0xffdff000 but mistakenly done prior to
paging being on...

As this logging is redundant with -d invalid_mem,
remove it.

https://geoffchappell.com/studies/windows/km/ntoskrnl/inc/ntos/i386_x/kpcr.htm

Signed-off-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Link: https://lore.kernel.org/r/20260327011152.4126-5-mohamed@unpredictable.fr
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
10 days ago whpx: i386: trace unsupported MSR accesses
Mohamed Mediouni [Fri, 27 Mar 2026 01:11:51 +0000 (02:11 +0100)] 
whpx: i386: trace unsupported MSR accesses

Not actionable information for users, so stop
having it displayed unconditionally.

Signed-off-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Link: https://lore.kernel.org/r/20260327011152.4126-4-mohamed@unpredictable.fr
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
10 days ago docs: add WHPX section with initial info
Mohamed Mediouni [Fri, 27 Mar 2026 01:11:50 +0000 (02:11 +0100)] 
docs: add WHPX section with initial info

Signed-off-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Link: https://lore.kernel.org/r/20260327011152.4126-3-mohamed@unpredictable.fr
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
10 days ago meson.build: remove i386-softmmu WHPX support
Mohamed Mediouni [Fri, 27 Mar 2026 01:11:49 +0000 (02:11 +0100)] 
meson.build: remove i386-softmmu WHPX support

target/i386/emulate is pretty much incompatible
with i386-softmmu and fixing that doesn't look
worthwhile given the binary unification goals...

Signed-off-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Link: https://lore.kernel.org/r/20260327011152.4126-2-mohamed@unpredictable.fr
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
11 days ago net/ftgmac100: preserve full VLAN TCI in TX tag insertion
linhuang [Fri, 27 Mar 2026 07:39:35 +0000 (15:39 +0800)] 
net/ftgmac100: preserve full VLAN TCI in TX tag insertion

The VLAN tag insertion helper took vlan_tci as an 8-bit value, while
the descriptor provides a 16-bit VLAN TCI. This truncated egress tags
and caused VLAN ID corruption (for example, 4088/0x0ff8 became
248/0x00f8 at the receiver).

Change vlan_tci to uint16_t in the TX VLAN insertion path so the full
802.1Q TCI is preserved and transmitted correctly.

Fixes: c2ab73fcbe79 ("ftgmac100: Fix integer overflow in ftgmac100_do_tx()")
Signed-off-by: linhuang <linhuang@ruijie.com.cn>
Link: https://lore.kernel.org/qemu-devel/1471e413d3589b6734819bda2b59b725b74f273a.d551129b.99fc.47f6.86dc.0759227268a2@feishu.cn
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
11 days ago hw/i2c/aspeed_i2c: reset and migrate pending_intr_sts
GuoHan Zhao [Wed, 25 Mar 2026 08:54:50 +0000 (16:54 +0800)] 
hw/i2c/aspeed_i2c: reset and migrate pending_intr_sts

Commit 7e82393ed058 ("hw/i2c/aspeed: fix lost interrupts on
back-to-back commands") introduced pending_intr_sts to preserve
interrupt bits that collide with already pending status bits.

That deferred interrupt state is consumed later when the guest clears
INTR_STS, but it is not reset in aspeed_i2c_bus_reset() and it is not
part of the bus migration state. A reset can therefore leave stale
deferred bits behind, and migration can silently drop them.

Clear pending_intr_sts on reset and include it in VMState while keeping
compatibility with older migration streams.

Fixes: 7e82393ed058 ("hw/i2c/aspeed: fix lost interrupts on back-to-back commands")
Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
Link: https://lore.kernel.org/qemu-devel/20260325085450.126595-1-zhaoguohan@kylinos.cn
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Jithu Joseph <jithu.joseph@oss.qualcomm.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>