as the machine wasn't created yet. We call qdev_get_machine() to obtain
the number of CPUs in the machine. So instead of initialising the CPUs in
the SoC init let's instead do it in the realise where the machine
will exist.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260312043158.4191378-6-alistair.francis@wdc.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
as the machine wasn't created yet. We call qdev_get_machine() to obtain
the number of CPUs in the machine. So instead of initialising the CPUs in
the SoC init let's instead do it in the realise where the machine
will exist.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260312043158.4191378-5-alistair.francis@wdc.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
as the machine wasn't created yet. We call qdev_get_machine() to obtain
the number of CPUs in the machine. So instead of initialising the CPUs in
the SoC init let's instead do it in the realise where the machine
will exist.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260312043158.4191378-4-alistair.francis@wdc.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
as the machine wasn't created yet. We call qdev_get_machine() to obtain
the number of CPUs in the machine. So instead of setting the CPU
num-harts in the init function let's set it in realise where the machine
will exist.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260312043158.4191378-3-alistair.francis@wdc.com>
[thuth: Fix a complaint from checkpatch.pl with regards to multi-line comment]
Signed-off-by: Thomas Huth <thuth@redhat.com>
as the machine wasn't created yet. We call qdev_get_machine() to obtain
the number of CPUs in the machine. So instead of setting the CPU
num-harts in the init function let's set it in realise where the machine
will exist.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260312043158.4191378-2-alistair.francis@wdc.com>
[thuth: Fix a complaint from checkpatch.pl with regards to multi-line comment]
Signed-off-by: Thomas Huth <thuth@redhat.com>
Move the initialization of the memory regions to the realize function
to fix this problem.
Reported-by: Markus Armbruster <armbru@redhat.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260311202503.107026-1-thuth@redhat.com>
Peter Maydell [Thu, 12 Mar 2026 15:21:06 +0000 (15:21 +0000)]
Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging
* accel/kvm: fix typo in variable name
* system: fix coverity issues related to confidential guest reset
* target/i386: add compat for migrating error code
* docs fixes
* hyperv/syndbg: check length returned by cpu_physical_memory_map()
* typedefs: move QIgvm out of typedefs.h
* rust: Update Cargo.lock
* i386/cpu: cleanups for ClearwaterForest, AMX and more
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
typedefs: move QIgvm out of typedefs.h
rust: Update Cargo.lock
target/i386: add compat for migrating error code
docs: mention that WHPX supports Arm too
qemu-options.hx: document Hyper-V enlightenments accelerator option
docs: remove 64-bit only mentions for accelerators
accel/kvm: fix typo in variable name
coverity: fix coverity issues related to confidential guest reset
i386/cpu: Enable CPUID 0x1f & cache model for ClearwaterForest
i386/cpu: Adjust the note for CPU models with its-no
i386/cpu: Remove unnecessary cache_info fields from builtin CPU model
i386/cpu: Rename AMX mirror feature words with -alias suffix
i386/cpu: Rename AMX mirror cpuid macros with _ALIAS suffix
hyperv/syndbg: check length returned by cpu_physical_memory_map()
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Paolo Bonzini [Wed, 11 Mar 2026 16:19:16 +0000 (17:19 +0100)]
typedefs: move QIgvm out of typedefs.h
Typedefs.h should only be used for really core types; QIgvm is
just an opaque struct that is defined in system/igvm-internal.h,
and the typedef itself can be placed simply in system/igvm.h.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Fiona Ebner [Tue, 10 Mar 2026 15:43:23 +0000 (16:43 +0100)]
target/i386: add compat for migrating error code
If cpu->env.has_error_code is true, backwards migration of a VM from
a QEMU binary with commit 27535e9cca to a QEMU binary without commit 27535e9cca will fail:
> kvm: error while loading state for instance 0x0 of device 'cpu'
In practice, wrongly setting the error code to 0 on the target is
often unproblematic, so additionally checking error_code != 0 in
cpu_errcode_needed() is not enough to mitigate the issue. Instead, add
proper machine version compat handling.
Cc: qemu-stable@nongnu.org
Fixes: 27535e9cca ("target/i386: Add support for save/load of exception error code")
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Link: https://lore.kernel.org/r/20260310154348.495332-1-f.ebner@proxmox.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Ani Sinha [Wed, 11 Mar 2026 07:40:48 +0000 (13:10 +0530)]
coverity: fix coverity issues related to confidential guest reset
Fix issues reported by Peter.
Fixes: ec9bafd2ea9d12c ("i386/sev: add support for confidential guest reset")
Fixes: e76c30bb13ecb9d ("hw/machine: introduce machine specific option 'x-change-vmfd-on-reset'")
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Ani Sinha <anisinha@redhat.com>
Link: https://lore.kernel.org/r/20260311074048.61367-1-anisinha@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Peter Maydell [Thu, 12 Mar 2026 09:48:03 +0000 (09:48 +0000)]
Merge tag 'qtest-20260311-pull-request' of https://gitlab.com/farosas/qemu into staging
Qtest pull request
- memory leak fixes
* tag 'qtest-20260311-pull-request' of https://gitlab.com/farosas/qemu:
tests/qtest/test-x86-cpuid-compat: Switch test_feature_flag to data-driven
tests/qtest/test-x86-cpuid-compat: Switch test_cpuid_prop to data-driven
tests/qtest/vhost-user-test: Use g_timeout_add() to schedule connect
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Sun, 8 Mar 2026 18:54:21 +0000 (18:54 +0000)]
tests/qtest/test-x86-cpuid-compat: Switch test_feature_flag to data-driven
As with add_cpuid_test(), the add_feature_test() function also
allocates memory that is leaked if the test case is not run. Fix
this in the same way, by moving all the allocations into
test_feature_flag() and passing it a pointer to a struct with the
necessary parameters which is a compile-time constant.
Peter Maydell [Sun, 8 Mar 2026 18:54:20 +0000 (18:54 +0000)]
tests/qtest/test-x86-cpuid-compat: Switch test_cpuid_prop to data-driven
In test-x86-cpuid-compat, we allocate memory in add_cpuid_test()
which is then freed in the test function test_cpuid_prop(). This
means that this memory is leaked if the test is never run, which
happens in several cases:
* user asks to list tests with -l option
* user asks to run only some tests with -p or similar option
* we are running a "subprocess" test and glib re-invokes the
test binary telling it to run a specific single test
As noted in the commit message of commit 93ed7d330321dc, we cannot
deal with this by using g_test_add_data_func_full() and passing a
free-function, because glib doesn't call that if the test is not
executed.
Instead, move all the data allocations into test_cpuid_prop(),
and pass it a pointer to a struct with the necessary parameters
which is a compile-time constant.
Peter Maydell [Fri, 6 Mar 2026 17:01:29 +0000 (17:01 +0000)]
tests/qtest/vhost-user-test: Use g_timeout_add() to schedule connect
In vhost-user-test, we currently create a new g_thread to run the
connect_thread() function. This function sleeps for 1 second, and
then calls test_server_create_chr() to create and configure a
chardev:
This has a race condition, because when we set the
'reconnect-ms=1000' option on the chardev the socket chardev's
implementation handles the connect asynchronously, via a background
thread and a callback invoked in the main-loop thread. This means
that that callback and the test_server_create_chr() call to
qemu_chr_fe_set_handlers() can both enter the char-socket code
simultaneously. The result is random assertion failures and memory
leaks reported by the clang address-sanitizer.
Fix this by using g_timeout_source_new() to set up a GSource that
will run test_server_connect() on the main-loop thread. This ensures
it can't execute in parallel with the callback that the socket
chardev sets up. This is similar to how we already handle the
reconnect_cb() in test_reconnect().
This patch adds docstrings for typedefs and function declarations in
include/plugins/qemu-plugin.h that were previously missing. This
resolves inconsistencies in the docs, e.g., the description for
qemu_plugin_read_register() referring to qemu_plugin_register_flush_cb()
but code cache flush callbacks not being documented themselves.
Zhao Liu [Tue, 10 Mar 2026 14:08:18 +0000 (22:08 +0800)]
i386/cpu: Adjust the note for CPU models with its-no
For new versioned CPU models with its-no enabled, since CET was already
enabled in previous versions, remove the related description from the
notes of its-no related CPU models.
Zhao Liu [Tue, 10 Mar 2026 14:08:17 +0000 (22:08 +0800)]
i386/cpu: Remove unnecessary cache_info fields from builtin CPU model
In x86_cpu_get_versioned_cache_info(), higher version CPU models will
inherit cache_info from lower versions if the cache_info field is not
specified, so there is no need to repeatedly set the same cache_info.
Therefore, remove the repeated cache models from SapphireRapids-v6
(SapphireRapids-v4 has set the cache model), GraniteRapids-v5
(GraniteRapids-v3 has set) and SierraForest-v5 (SierraForest-v3 has
set).
Zhao Liu [Tue, 10 Mar 2026 14:08:16 +0000 (22:08 +0800)]
i386/cpu: Rename AMX mirror feature words with -alias suffix
The commit 956b8f0fc38a ("i386/cpu: Add CPUID.0x1E.0x1 subleaf for AMX
instructions") names amx-int8/amx-bf16/amx-complex-amx-fp16 in CPUID
0x1E.1.EAX with "-mirror" suffix.
To align with the naming style of corresponding macros, rename these
feature words with "-alias" suffix.
Since the commit 956b8f0fc38a is merged in v11.0 development cycle,
it's safe to modify the names of feature words (before v11.0 is
released).
Zhao Liu [Tue, 10 Mar 2026 14:08:15 +0000 (22:08 +0800)]
i386/cpu: Rename AMX mirror cpuid macros with _ALIAS suffix
For the similar case - CPUID_EXT2_AMD_ALIASES, the term "alias" has
already been used. Therefore, reintroducing the new term "mirror" is
likely to cause confusion.
Rename the relevant CPUID macros of AMX with _ALIAS suffix, aligning
with KVM's naming convention.
Paolo Bonzini [Mon, 9 Mar 2026 12:20:35 +0000 (13:20 +0100)]
hyperv/syndbg: check length returned by cpu_physical_memory_map()
If cpu_physical_memory_map() returns a length shorter than the one
that was passed into the function, writing the full out_len bytes
causes an access beyond the memory allocated to the guest; or in
the case of the MMIO bounce buffer, an out-of-bounds access in a
heap-allocated object.
Add a check similar to the one already in handle_send_msg(),
and take the occasion to remove repeated computations of
recv_byte_count + UDP_PKT_HEADER_SIZE and clarify that the
code does not write past out_len bytes.
Reported-by: Oleh Konko <https://github.com/1seal>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Fixes: CVE-2026-3842
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
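The check this commit describes, as an added example that is not QEMU's syndbg code: cpu_physical_memory_map() is stood in for by a hypothetical guest_map() over a constructed 4 KiB guest buffer that hands back a shorter mapping near its end, and UDP_PKT_HEADER_SIZE is an assumed value. The receiving path writes the packet only when the mapping covers all of it, and computes the header-plus-payload total once.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for guest memory: 4 KiB, so a mapping request that
 * runs off the end is only partially satisfied, the way a real map of guest
 * RAM or of an MMIO bounce buffer can come back shorter than asked for. */
#define GUEST_MEM_SIZE 4096
static uint8_t guest_mem[GUEST_MEM_SIZE];

/* Hypothetical stand-in for cpu_physical_memory_map(): returns a host pointer
 * for guest address @gpa and shrinks *plen to the bytes actually backed;
 * returns NULL when nothing at all can be mapped. */
static uint8_t *guest_map(uint64_t gpa, uint64_t *plen)
{
    if (gpa >= GUEST_MEM_SIZE) {
        return NULL;
    }
    if (*plen > GUEST_MEM_SIZE - gpa) {
        *plen = GUEST_MEM_SIZE - gpa;      /* partial mapping */
    }
    return guest_mem + gpa;
}

/* Assumed header size for the demo packet (the real value lives in syndbg). */
#define UDP_PKT_HEADER_SIZE 8

/* Deliver a received datagram (header + payload) into guest memory at @gpa,
 * where the guest advertised @out_len bytes of space.  Returns the number of
 * bytes written, or -1 without touching guest memory when either the guest
 * buffer or the mapping is too small for the whole packet. */
static int deliver_checked(uint64_t gpa, uint64_t out_len,
                           const uint8_t *recv_buf, size_t recv_byte_count)
{
    /* Compute the total once instead of repeating the addition. */
    uint64_t total = (uint64_t)recv_byte_count + UDP_PKT_HEADER_SIZE;
    if (total > out_len) {
        return -1;                         /* never write past out_len */
    }

    uint64_t mapped = total;
    uint8_t *dst = guest_map(gpa, &mapped);
    if (dst == NULL || mapped < total) {
        /* Shorter mapping than requested: writing @total bytes would run
         * past the mapped region, so refuse the packet instead. */
        return -1;
    }

    memset(dst, 0, UDP_PKT_HEADER_SIZE);           /* constructed header */
    memcpy(dst + UDP_PKT_HEADER_SIZE, recv_buf, recv_byte_count);
    return (int)total;
}

/* Stand-alone run: a packet that fits, one whose mapping comes back short
 * at the end of guest memory, and one larger than the advertised out_len. */
int main(void)
{
    static const uint8_t payload[16] = "constructed-pkt";
    printf("fits:          %d\n",
           deliver_checked(0, 64, payload, sizeof payload));
    printf("short mapping: %d\n",
           deliver_checked(GUEST_MEM_SIZE - 20, 64, payload, sizeof payload));
    printf("over out_len:  %d\n",
           deliver_checked(0, 8, payload, sizeof payload));
    return 0;
}
```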
Peter Maydell [Wed, 11 Mar 2026 10:55:27 +0000 (10:55 +0000)]
Merge tag 'pr-gdbstub-20260310' of https://gitlab.com/pbo-linaro/qemu into staging
- [PATCH v4 00/16] gdbstub: Always infer base register index from GDB (Philippe Mathieu-Daudé <philmd@linaro.org>)
Link: https://lore.kernel.org/qemu-devel/20260310232045.58440-1-philmd@linaro.org
* tag 'pr-gdbstub-20260310' of https://gitlab.com/pbo-linaro/qemu:
gdbstub: Generate a single gdbstub-xml.c / gdb_static_features[]
gdbstub: Move gdb-xml/ within gdbstub/
gdbstub: Remove 'gdb-xml/' directory prefix in TARGET_XML_FILES
tests/tcg: Re-enable disabled multiarch tests for PPC targets
gdbstub: Consider GDBFeature::base_reg in gdb_register_coprocessor()
gdbstub: Emit base_register index in GDBFeature entries
gdbstub: Remove @g_pos argument in gdb_register_coprocessor()
gdbstub: Make base register explicit in m68k GDB XML files
gdbstub: Have scripts/feature_to_c.py generate more verbose output
gdbstub: Add trace events for around XML parsing / generation
gdbstub: Simplify gdb_init_cpu() logic
meson: Restrict gdbstub to user/system builds
target/i386/gdbstub: Remove stale comment
tests/docker: add gdb-multiarch to all-test-cross
tests/tcg: Disable prot-none test on GitLab
tests/tcg: Temporary disable multiarch tests for PPC targets
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
gdbstub: Generate a single gdbstub-xml.c / gdb_static_features[]
gdb_static_features[] does not depend on target-specific code.
Instead of generating one file per target, generate a single file
with a single gdb_static_features[] array.
Co-developed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Acked-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260310232045.58440-17-philmd@linaro.org
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
gdbstub: Consider GDBFeature::base_reg in gdb_register_coprocessor()
When a feature XML file provides a "regnum=" tag to indicate
the register base index, respect it, as it might not be the
same as our current number of registered entries, in particular
when there are gaps.
This fixes a bug with the "power-fpu.xml" file [*] which was
loaded at index 70 while the base register is 71. This latent
bug was exposed by commit 1ec0fbe2dda ("target/ppc: Fix
CPUClass::gdb_num_core_regs value").
gdbstub: Emit base_register index in GDBFeature entries
Record the base register index in the generated C file.
Check at runtime that the @g_pos argument of
gdb_register_coprocessor() is either zero or the base register
index.
This change passes the 'make check-tcg' test suite, which runs the
tests/tcg/multiarch/gdbstub/registers.py test, itself calling
gdb_register_coprocessor() for each target tested.
Limited builds (tools, documentation) don't need to generate /
build gdbstub files. Only process the gdbstub/ folder when
user / system emulation / acceleration is built.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Acked-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260310232045.58440-6-philmd@linaro.org
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Since commit ecd6f6a8820 ("gdbstub: Infer number of core
registers from XML") gdb_num_core_regs is inferred for
the x86 targets. Remove a stale comment.
When adding gdb-multiarch to our container images, we
see the prot-none tests pass on GitHub but fail on
GitLab. Disable and track:
https://gitlab.com/qemu-project/qemu/-/issues/3329
tests/tcg: Temporary disable multiarch tests for PPC targets
gdbstub is currently broken for the PPC targets [*]. We
didn't notice because our tests require gdb-multiarch, which
isn't installed on our containers. The next patch will fix that,
but we need to temporarily disable the PPC target test to keep
our CI green.
* tag 'for-upstream' of https://gitlab.com/kmwolf/qemu: (28 commits)
block/curl: add support for S3 presigned URLs
qapi: block: Refactor HTTP(s) common arguments
block/nfs: add support for libnfs v6
iotests/308: Add multi-threading sanity test
qapi/block-export: Document FUSE's multi-threading
fuse: Implement multi-threading
fuse: Make shared export state atomic
iotests/307: Test multi-thread export interface
block/export: Add multi-threading interface
fuse: Process requests in coroutines
fuse: Reduce max read size
fuse: Manually process requests (without libfuse)
fuse: Drop permission changes in fuse_do_truncate
block: Move qemu_fcntl_addfl() into osdep.c
fuse: Explicitly handle non-grow post-EOF accesses
iotests/308: Use conv=notrunc to test growability
fuse: fuse_{read,write}: Rename length to blk_len
fuse: Add halted flag
fuse: Introduce fuse_{inc,dec}_in_flight()
fuse: Introduce fuse_{at,de}tach_handlers()
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Antoine Damhet [Fri, 27 Feb 2026 12:45:53 +0000 (13:45 +0100)]
block/curl: add support for S3 presigned URLs
S3 presigned URLs are signed for a specific HTTP method (typically GET
for our use cases). The curl block driver currently issues a HEAD
request to discover the web server features and the file size, which
fails with 'HTTP 403' (forbidden).
Add a 'force-range' option that skips the HEAD request and instead
issues a minimal GET request (querying 1 byte from the server) to
extract the file size from the 'Content-Range' response header. To
achieve this the 'curl_header_cb' is redesigned to generically parse
HTTP headers.
Enabling the 'force-range' option without the web server specified with
@url supporting it might cause the server to respond successfully with
'HTTP 200' and attempt to send the whole file body. With the
'CURLOPT_NOBODY' option set the libcurl will skip reading after the
headers and close the connection. QEMU still gracefully detects the
missing feature. This might waste a small number of TCP packets but is
otherwise transparent to the user.
Acked-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Antoine Damhet <adamhet@scaleway.com>
Message-ID: <20260227-fix-curl-v3-v3-3-eb8a4d88feef@scaleway.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
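An added example, not the block/curl driver's own code, of the parsing the 'force-range' probe depends on: the Content-Range header of the 1-byte GET reply is parsed for the total size, and a 200 reply (server ignored the Range header) is reported as the unsupported case rather than as a size. The function names and the two reply texts are constructed for the demo.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t') p++;
    return p;
}

/* Advance over a non-empty run of digits; NULL if there were none. */
static const char *skip_digits(const char *p)
{
    const char *start = p;
    while (isdigit((unsigned char)*p)) p++;
    return p == start ? NULL : p;
}

/* Parse "Content-Range: bytes 0-0/12345\r\n" (or the "bytes * /N" form of a
 * 416 reply) and store the total after the '/'.  Rejects an unknown total
 * ("/*"), units other than "bytes" and trailing garbage.  The header name is
 * matched case-insensitively, as HTTP requires.  True only when @total is set. */
static bool content_range_total(const char *line, int64_t *total)
{
    static const char name[] = "content-range:";
    const char *p, *rest;
    char *end;
    long long value;
    if (strncasecmp(line, name, sizeof(name) - 1) != 0) {
        return false;
    }
    p = skip_ws(line + sizeof(name) - 1);
    if (strncasecmp(p, "bytes", 5) != 0) {
        return false;
    }
    p = skip_ws(p + 5);
    /* range-resp = ("first-last" | "*") "/" ("complete-length" | "*") */
    if (*p == '*') {
        p++;
    } else if ((p = skip_digits(p)) == NULL || *p != '-'
               || (p = skip_digits(p + 1)) == NULL) {
        return false;
    }
    if (*p++ != '/' || !isdigit((unsigned char)*p)) {
        return false;           /* missing '/' or "/*": size unknown */
    }
    errno = 0;
    value = strtoll(p, &end, 10);
    if (errno != 0 || value < 0) {
        return false;
    }
    rest = skip_ws(end);
    if (*rest != '\0' && strcmp(rest, "\r\n") != 0 && strcmp(rest, "\n") != 0) {
        return false;           /* trailing garbage after the total */
    }
    *total = (int64_t)value;
    return true;
}

/* Same parser, returning the total or -1 so callers can compare directly. */
static int64_t content_range_total_or_neg(const char *line)
{
    int64_t total;
    return content_range_total(line, &total) ? total : -1;
}

/* Recover the file size from the reply to a 1-byte ranged GET.  Only a 206
 * carries a trustworthy Content-Range; a 200 means the server ignored the
 * Range header, the unsupported case the driver must detect.  -1 if unknown. */
static int64_t size_from_range_probe(const char *const *lines, size_t n)
{
    int status = 0;
    int64_t size;
    if (n == 0 || sscanf(lines[0], "HTTP/%*s %d", &status) != 1 || status != 206) {
        return -1;
    }
    for (size_t i = 1; i < n; i++) {
        if (content_range_total(lines[i], &size)) {
            return size;
        }
    }
    return -1;
}

/* Constructed replies (not captured from any real server). */
static const char *const REPLY_206[] = {
    "HTTP/1.1 206 Partial Content\r\n",
    "content-range: bytes 0-0/1073741824\r\n",
    "Content-Length: 1\r\n",
};
static const char *const REPLY_200[] = {
    "HTTP/1.1 200 OK\r\n",
    "Content-Length: 1073741824\r\n",
};
```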
Antoine Damhet [Fri, 27 Feb 2026 12:45:52 +0000 (13:45 +0100)]
qapi: block: Refactor HTTP(s) common arguments
The HTTPs curl block driver is a superset of the HTTP driver, reflect
that in the QAPI.
Suggested-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Antoine Damhet <adamhet@scaleway.com>
Message-ID: <20260227-fix-curl-v3-v3-2-eb8a4d88feef@scaleway.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Peter Lieven [Fri, 6 Mar 2026 14:28:40 +0000 (14:28 +0000)]
block/nfs: add support for libnfs v6
libnfs v6 added a new api structure for read and write requests.
This effectively also adds zero copy read support for cases where
the qiov coming from the block layer has only one vector.
The .bdrv_refresh_limits implementation is needed because libnfs v6
silently dropped support for splitting large read/write requests into
chunks.
Signed-off-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Signed-off-by: Peter Lieven <pl@dlhnet.de>
Message-ID: <20260306142840.72923-1-pl@dlhnet.de>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* tag 'firmware-20260310-pull-request' of https://gitlab.com/kraxel/qemu:
i386/sev/igvm: do not reset guest policy if IGVM does not set it
igvm: fix build when igvm is not installed in a well known path
docs/interop: Add AMD SEV-SNP SVSM interface to firmware.json
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Tue, 10 Mar 2026 13:32:16 +0000 (13:32 +0000)]
Merge tag 'pull-loongarch-20260310' of https://github.com/gaosong715/qemu into staging
loongarch bug fix
* tag 'pull-loongarch-20260310' of https://github.com/gaosong715/qemu:
target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch
target/loongarch: Preserve PTE permission bits in LDPTE
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* tag 'accel-tcg-20260310' of https://github.com/philmd/qemu:
accel/qtest: Build once as common object
accel/xen: Build without target-specific knowledge
accel/hvf: Build without target-specific knowledge
accel/mshv: Build without target-specific knowledge
accel/mshv: Forward-declare mshv_root_hvcall structure
accel/stubs: Build stubs once
accel/kvm: Make kvm_irqchip*notifier() declaration non target-specific
accel/kvm: Include missing 'exec/cpu-common.h' header
target/hppa: Expand tcg_global_mem_new() -> tcg_global_mem_new_i64()
tcg/optimize: possibly expand deposit into zero with shifts
tcg: target-dependent lowering of extract to shr/and
tcg: Add tcg_op_imm_match
tcg: Expand missing rotri with extract2
tcg/optimize: Lower unsupported extract2 during optimize
tcg/optimize: Lower unsupported deposit during optimize
tcg: Drop extract+shl expansions in tcg_gen_deposit_z_*
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Ani Sinha [Tue, 10 Mar 2026 09:44:49 +0000 (15:14 +0530)]
i386/sev/igvm: do not reset guest policy if IGVM does not set it
The guest policy is set either through command-line or through IGVM. If none of
the above applies, default guest policy applies. However, if IGVM does not set
the guest policy, currently the policy gets set to 0 regardless of whether it
was previously set to default value or command line. This change fixes this by
checking if IGVM indeed has set a policy value. If not, do not reset existing
value.
This avoids guest crashes such as the following during reset when the IGVM
has not explicitly set any guest policies:
qemu-system-x86_64: sev_snp_launch_start: SNP_LAUNCH_START ret=-22 fw_error=0 ''
qemu-system-x86_64: sev_common_kvm_init: failed to create encryption context
qemu-system-x86_64: unable to rebuild guest: Operation not permitted(-1)
rail5 [Fri, 6 Mar 2026 07:33:37 +0000 (15:33 +0800)]
target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch
loongarch_cpu_do_interrupt() updates CSR_BADI by fetching the faulting
instruction with cpu_ldl_code_mmu().
For a PNX exception (instruction fetch prohibited by NX), fetching the
instruction at env->pc will fault with PNX again. This can lead to an
infinite exception loop.
Treat PNX like other instruction-fetch exceptions (PIF/ADEF) and do not
update CSR_BADI for it.
Fixes: 410dfbf620a ("target/loongarch: Move TCG specified functions to tcg_cpu.c")
Cc: qemu-stable@nongnu.org
Signed-off-by: rail5 (Andrew S. Rightenburg) <andrew@rail5.org>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
rail5 [Fri, 6 Mar 2026 07:33:36 +0000 (15:33 +0800)]
target/loongarch: Preserve PTE permission bits in LDPTE
The LDPTE helper loads a page table entry (or huge page entry) from guest
memory and currently applies the PALEN mask to the whole 64-bit value.
That mask is intended to constrain the physical address bits, but masking
the full entry also clears upper permission bits in the PTE, including NX
(bit 62). As a result, LoongArch TCG can incorrectly allow instruction
fetches from NX mappings when translation is driven through software
page-walk.
Fix this by masking only the PPN/address field with PALEN while preserving
permission bits, and by clearing any non-architectural (software) bits
using a hardware PTE mask. LDDIR is unchanged since it returns the base
address of the next page table level.
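An added example, not target/loongarch's LDPTE helper, contrasting the defective whole-entry PALEN mask with masking only the PPN field: NX at bit 62 comes from the commit text, while the remaining PTE bit positions, the software-bit range and all names are assumptions made for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* PTE layout as the demo assumes it: V, D, PLV, MAT and G are hardware
 * attribute bits; bits 7..11 are left to software (the OS); the PPN starts at
 * bit 12 and is bounded by PALEN; NR/NX/RPLV sit at the top.  Only NX at
 * bit 62 is taken from the commit text, the rest is an assumption. */
#define PTE_V         (1ULL << 0)
#define PTE_D         (1ULL << 1)
#define PTE_PLV       (3ULL << 2)
#define PTE_MAT       (3ULL << 4)
#define PTE_G         (1ULL << 6)
#define PTE_SW_MASK   (0x1FULL << 7)    /* bits 7..11: software-defined */
#define PTE_PPN_SHIFT 12
#define PTE_NR        (1ULL << 61)
#define PTE_NX        (1ULL << 62)
#define PTE_RPLV      (1ULL << 63)

/* Mask selecting the PPN field only: bits PTE_PPN_SHIFT .. palen-1. */
static uint64_t ppn_mask(unsigned palen)
{
    return ((1ULL << palen) - 1) & ~((1ULL << PTE_PPN_SHIFT) - 1);
}

/* Every bit the hardware page walker interprets for a given PALEN; bits in
 * PTE_SW_MASK and address bits at or above PALEN are deliberately absent. */
static uint64_t hw_pte_mask(unsigned palen)
{
    return PTE_V | PTE_D | PTE_PLV | PTE_MAT | PTE_G | ppn_mask(palen)
           | PTE_NR | PTE_NX | PTE_RPLV;
}

/* The defective behaviour the commit describes: the PALEN mask is applied
 * to the whole 64-bit entry, so NX (bit 62), NR and RPLV are cleared. */
static uint64_t ldpte_buggy(uint64_t raw, unsigned palen)
{
    return raw & ((1ULL << palen) - 1);
}

/* Corrected form: PALEN constrains only the address field, the permission
 * bits survive, and software-only bits are dropped by the hardware mask. */
static uint64_t ldpte_fixed(uint64_t raw, unsigned palen)
{
    return raw & hw_pte_mask(palen);
}

/* Would the walker allow an instruction fetch through this entry? */
static bool pte_permits_fetch(uint64_t pte)
{
    return (pte & PTE_V) != 0 && (pte & PTE_NX) == 0;
}

/* Address bits carried by the entry, for checking the PPN is untouched. */
static uint64_t pte_ppn_bits(uint64_t pte, unsigned palen)
{
    return pte & ppn_mask(palen);
}

int main(void)
{
    /* Constructed entry: valid, dirty, PLV3, one MAT bit, NX set, two
     * software bits, and a stray address bit above PALEN=48 to be dropped. */
    const unsigned palen = 48;
    uint64_t raw = PTE_V | PTE_D | PTE_PLV | (1ULL << 4) | PTE_NX
                   | (1ULL << 7) | (1ULL << 8)
                   | 0x12345000ULL | (1ULL << 50);
    uint64_t buggy = ldpte_buggy(raw, palen);
    uint64_t fixed = ldpte_fixed(raw, palen);

    printf("raw:   %016llx\n", (unsigned long long)raw);
    printf("buggy: %016llx fetch allowed=%d\n",
           (unsigned long long)buggy, (int)pte_permits_fetch(buggy));
    printf("fixed: %016llx fetch allowed=%d\n",
           (unsigned long long)fixed, (int)pte_permits_fetch(fixed));
    return 0;
}
```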
Peter Maydell [Tue, 10 Mar 2026 11:39:08 +0000 (11:39 +0000)]
Merge tag 'pull-request-2026-03-10' of https://gitlab.com/thuth/qemu into staging
- Improve the s390-ccw bios to be able to boot from virtio-blk-pci devices
- Rework migration functional test to avoid a problem in the ppc64 test
- Disable functional memlock test for asan builds
- Some other minor tests improvements
* tag 'pull-request-2026-03-10' of https://gitlab.com/thuth/qemu: (25 commits)
pc-bios/s390-ccw.img: Update the s390 bios blog with the latest changes
pc-bios/s390-ccw: Fix compiler warning when compiling with DEBUG enabled
tests/qtest: Add s390x PCI boot test to cdrom-test.c
hw: Add "loadparm" property to virtio block PCI devices booting on s390x
s390x: Build IPLB for virtio-pci devices
pc-bios/s390-ccw: Add support for virtio-blk-pci IPL
pc-bios/s390-ccw: Introduce virtio-pci functions
pc-bios/s390-ccw: Introduce PCI device
s390x: Add definitions for PCI IPL type
pc-bios/s390-ccw: Introduce CLP Architecture
include/hw/s390x: Move CLP definitions for easier BIOS access
pc-bios/s390-ccw: Split virtio-ccw and generic virtio
pc-bios/s390-ccw: Store device type independent of sense data
s390x: Remove duplicate definitions of IPL types
pc-bios/s390-ccw: Always reset virtio device on failed boot attempt
pc-bios/s390-ccw: Remove redundant vring schid attribute
pc-bios/s390-ccw: Fix misattributed function prototypes
tests/functional/ppc64/pseries: Remove custom migration routine
tests/functional/migration: Use the migrate_vms helper
tests/functional/migration: Add migrate_vms
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Tue, 10 Mar 2026 11:38:58 +0000 (11:38 +0000)]
Merge tag 'staging-pull-request' of https://gitlab.com/peterx/qemu into staging
Memory pull for 11.0 softfreeze
- BALATON's memory cleanups on _nomigrate MRs and else
- Phil's small constify series and else
- Marc-André's initial cleanup patches around ram discard manager
* tag 'staging-pull-request' of https://gitlab.com/peterx/qemu:
system/memory: Have memory_region_type() correctly describe containers
system/xen: Constify various MemoryRegion arguments
system/memory: Constify various MemoryRegion arguments
system/ramblock: Constify various RAMBlock arguments
kvm: replace RamDicardManager by the RamBlockAttribute
system/memory: minor doc fix
virtio-mem: use warn_report_err_once()
memory: drop RamDiscardListener::double_discard_supported
system/rba: use DIV_ROUND_UP
memory: Factor out common ram ptr initialization
memory: Factor out common ram region initialization
memory: Add internal memory_region_register_ram function
memory: Shorten memory_region_init_ram_device_ptr and memory_region_init_rom_device
memory: Remove memory_region_init_ram_nomigrate()
hw/xtensa/xtfpga: Do not use memory_region_init_ram_nomigrate()
sun4m,sun4u,tcx: Do not use memory_region_init_ram_nomigrate()
memory: Remove memory_region_init_rom_nomigrate()
hw/display/{cg3.tcx}: Do not use memory_region_init_rom_nomigrate()
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:56 +0000 (16:08 +0100)]
iotests/308: Add multi-threading sanity test
Run qemu-img bench on a simple multi-threaded FUSE export to test that
it works.
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-26-hreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Document for users that FUSE's multi-threading implementation
distributes requests in a round-robin manner, regardless of where they
originate from.
As noted by Stefan, this will probably change with a FUSE-over-io_uring
implementation (which is supposed to have CPU affinity), but documenting
that is left for once that is done.
Suggested-by: Stefan Hajnoczi <stefanha@redhat.com>
Acked-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-25-hreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
For configuration, we don't need any more information beyond the simple
array provided by the core block export interface: The FUSE kernel
driver feeds these FDs in a round-robin fashion, so all of them are
equivalent and we want to have exactly one per thread.
These are the benchmark results when using four threads (compared to a
single thread); note that fio still only uses a single job, but
performance can still be improved because of said round-robin usage for
the queues. (Not in the sync case, though, in which case I guess it
just adds overhead.)
As probably expected, little difference in the AIO case, but great
improvements in the sync cases because it kind of gives it an artificial
iodepth of 4.
"After", i.e. with four threads in QSD/FUSE (now results compared to the
above):
So this helps mainly for the AIO cases, but also in the null sync cases,
because null is always CPU-bound, so more threads help.
One unsolved mystery: When using a multithreaded export, running fio
with 1 job (benchmark at the top of this commit) yields better seqread
performance than doing so with 4 jobs. Actually, with 4 jobs, it's
significantly than randread, which is quite strange.
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-24-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:53 +0000 (16:08 +0100)]
fuse: Make shared export state atomic
The next commit is going to allow multi-threaded access to a FUSE
export. In order to allow safe concurrent SETATTR operations that
can modify the shared st_mode, st_uid, and st_gid, make any access to
those fields atomic operations.
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-23-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:52 +0000 (16:08 +0100)]
iotests/307: Test multi-thread export interface
Test the QAPI interface for multi-threaded exports. None of our exports
currently support multi-threading, so it's always an error in the end,
but we can still test the specific errors.
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-22-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:51 +0000 (16:08 +0100)]
block/export: Add multi-threading interface
Make BlockExportType.iothread an alternate between a single-thread
variant 'str' and a multi-threading variant '[str]'.
In contrast to the single-thread setting, the multi-threading setting
will not change the BDS's context (and so is incompatible with the
fixed-iothread setting), but instead just pass a list to the export
driver, with which it can do whatever it wants.
Currently no export driver supports multi-threading, so they all return
an error when receiving such a list.
Suggested-by: Kevin Wolf <kwolf@redhat.com> Acked-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-21-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:50 +0000 (16:08 +0100)]
fuse: Process requests in coroutines
Make fuse_process_request() a coroutine_fn (fuse_co_process_request())
and have read_from_fuse_fd() launch it inside of a newly created
coroutine instead of running it synchronously. This way, we can process
requests in parallel.
These are the benchmark results, compared to (a) the original results
with libfuse, and (b) the results after switching away from libfuse
(i.e. before this patch):
So there is not much difference, especially when compared to how it was
with libfuse, except for the randread AIO case with an actual file.
That improves greatly.
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-20-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:49 +0000 (16:08 +0100)]
fuse: Reduce max read size
We are going to introduce parallel processing via coroutines, a maximum
read size of 64 MB may be problematic, allowing users of the export to
force us to allocate quite large amounts of memory with just a few
requests.
At least tone it down to 1 MB, which is still probably far more than
enough. (Larger requests are split automatically by the FUSE kernel
driver anyway.)
(Yes, we inadvertently already had parallel request processing due to
nested polling before. Better to fix this late than never.)
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-19-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:48 +0000 (16:08 +0100)]
fuse: Manually process requests (without libfuse)
Manually read requests from the /dev/fuse FD and process them, without
using libfuse. This allows us to safely add parallel request processing
in coroutines later, without having to worry about libfuse internals.
(Technically, we already have exactly that problem with
read_from_fuse_export()/read_from_fuse_fd() nesting.)
We will continue to use libfuse for mounting the filesystem; fusermount3
is effectively a helper program of libfuse, so it should know best how
to interact with it. (Doing it manually without libfuse, while doable,
is a bit of a pain, and it is not clear to me how stable the "protocol"
actually is.)
Take this opportunity of quite a major rewrite to update the Copyright
line with corrected information that has surfaced in the meantime.
Here are some benchmarks from before this patch (4k, iodepth=16, libaio;
except 'sync', which are iodepth=1 and pvsync2):
So not much difference, aside from write AIO to a null-co export getting
a bit better.
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-18-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:47 +0000 (16:08 +0100)]
fuse: Drop permission changes in fuse_do_truncate
This function is always called with writable == true. This makes
add_resize_perm always false, and thus we can drop the quite ugly
permission-changing code.
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-17-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:46 +0000 (16:08 +0100)]
block: Move qemu_fcntl_addfl() into osdep.c
Move file-posix's helper to add a flag (or a set of flags) to an FD's
existing set of flags into osdep.c for other places to use.
Suggested-by: Eric Blake <eblake@redhat.com> Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-16-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
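As an added illustration of what a helper of this kind does (this is example code, not QEMU's qemu_fcntl_addfl()): the flags are read with F_GETFL, OR-ed with the requested ones and written back with F_SETFL, so whatever was already set on the descriptor survives. The names fd_add_flags() and demo_nonblock() are hypothetical.

```c
/*
 * Added example, not QEMU code: add flags to a file descriptor's status
 * flags without clobbering the ones already present. fd_add_flags() and
 * demo_nonblock() are hypothetical names.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* OR `flags` into the fd's status flags. Returns 0, or -errno on failure. */
int fd_add_flags(int fd, int flags)
{
    int old = fcntl(fd, F_GETFL);
    if (old < 0) {
        return -errno;
    }
    if ((old & flags) == flags) {
        return 0;               /* already set: no second syscall needed */
    }
    if (fcntl(fd, F_SETFL, old | flags) < 0) {
        return -errno;
    }
    return 0;
}

/*
 * Demo on a constructed pipe: make the read end non-blocking, then check
 * that O_NONBLOCK is set, the access mode is untouched, and a read on the
 * empty pipe returns EAGAIN instead of blocking. Returns 1 on success.
 */
int demo_nonblock(void)
{
    int p[2];
    if (pipe(p) < 0) {
        return 0;
    }
    int rc = fd_add_flags(p[0], O_NONBLOCK);
    int now = fcntl(p[0], F_GETFL);
    char c;
    ssize_t r = read(p[0], &c, 1);
    int read_err = errno;
    int ok = rc == 0 && now >= 0 && (now & O_NONBLOCK) &&
             (now & O_ACCMODE) == O_RDONLY && r < 0 && read_err == EAGAIN;
    close(p[0]);
    close(p[1]);
    return ok;
}

int main(void)
{
    printf("non-blocking pipe demo: %s\n", demo_nonblock() ? "ok" : "FAILED");
    return 0;
}
```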
When reading to / writing from non-growable exports, we cap the I/O size
by `offset - blk_len`. This will underflow for accesses that are
completely past the disk end.
Check and handle that case explicitly.
This is also enough to ensure that `offset + size` will not overflow;
blk_len is int64_t, offset is uint32_t, `offset < blk_len`, so from
`INT64_MAX + UINT32_MAX < UINT64_MAX` it follows that `offset + size`
cannot overflow.
Just one catch: We have to allow write accesses to growable exports past
the EOF, so then we cannot rely on `offset < blk_len`, but have to
verify explicitly that `offset + size` does not overflow.
The negative consequences of not having this commit are luckily limited
because blk_pread() and blk_pwrite() will reject post-EOF requests
anyway, so a `size` underflow post-EOF will just result in an I/O error.
So:
- Post-EOF reads will incorrectly result in I/O errors instead of just
0-length reads. We will also attempt to allocate a very large buffer,
which is wrong and not good, but not terrible.
- Post-EOF writes on non-growable exports will result in I/O errors
instead of 0-length writes (which generally indicate ENOSPC).
- Post-EOF writes on growable exports can theoretically overflow on EOF
and truncate the export down to a much too small size, but in
practice, FUSE will never send an offset greater than signed INT_MAX,
preventing a uint64_t overflow. (fuse_write_args_fill() in the kernel
uses loff_t for the offset, which is signed.)
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-15-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
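The clamping logic the commit message above describes, written out as an added example (not the QEMU fuse export code): the post-EOF case is tested before `blk_len - offset` is computed, so it cannot underflow, and for writes to a growable export the `offset + size` sum is checked directly because `offset < blk_len` no longer holds. The function and enum names (clamp_request, clamp_size, CLAMP_*) are hypothetical; the offset being a uint64_t, and reads on growable exports still being capped at blk_len, are assumptions.

```c
/*
 * Added example, not QEMU code: clamp a FUSE read/write request against
 * the export length. Names (clamp_request, clamp_size, clamp_kind,
 * CLAMP_*) are hypothetical. Types follow the commit message: blk_len is
 * int64_t, the request size is uint32_t; the offset is a uint64_t here
 * (assumption).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum clamp_result {
    CLAMP_OK,        /* *out_size holds the possibly shortened size */
    CLAMP_EMPTY,     /* entirely past EOF: 0-length read, or ENOSPC-style write */
    CLAMP_OVERFLOW,  /* offset + size would wrap around: reject the request */
};

/*
 * growable: writes may extend the export past EOF. Reads are capped at
 * blk_len regardless (assumption; the message only discusses writes).
 */
enum clamp_result clamp_request(uint64_t offset, uint32_t size,
                                int64_t blk_len, bool growable,
                                bool is_write, uint64_t *out_size)
{
    if (growable && is_write) {
        /* offset < blk_len is not guaranteed, so check the sum itself. */
        if (offset > UINT64_MAX - size) {
            *out_size = 0;
            return CLAMP_OVERFLOW;
        }
        *out_size = size;
        return CLAMP_OK;
    }

    /*
     * Without this guard, "blk_len - offset" below underflows to a huge
     * value once offset >= blk_len (the bug the commit fixes).
     */
    if (blk_len < 0 || offset >= (uint64_t)blk_len) {
        *out_size = 0;
        return CLAMP_EMPTY;
    }

    uint64_t remaining = (uint64_t)blk_len - offset;
    *out_size = size < remaining ? size : remaining;
    /*
     * Here offset < blk_len <= INT64_MAX and size <= UINT32_MAX, so
     * offset + *out_size cannot wrap: INT64_MAX + UINT32_MAX < UINT64_MAX.
     */
    return CLAMP_OK;
}

/* Wrapper returning only the verdict. */
enum clamp_result clamp_kind(uint64_t offset, uint32_t size, int64_t blk_len,
                             bool growable, bool is_write)
{
    uint64_t out;
    return clamp_request(offset, size, blk_len, growable, is_write, &out);
}

/* Wrapper returning the clamped size, or -1 for an overflow. */
int64_t clamp_size(uint64_t offset, uint32_t size, int64_t blk_len,
                   bool growable, bool is_write)
{
    uint64_t out;
    if (clamp_request(offset, size, blk_len, growable, is_write, &out) ==
        CLAMP_OVERFLOW) {
        return -1;
    }
    return (int64_t)out;
}

int main(void)
{
    const int64_t blk_len = 1024;  /* constructed export length */
    printf("read  off=0    size=4096          -> %lld\n",
           (long long)clamp_size(0, 4096, blk_len, false, false));
    printf("read  off=2048 size=4096          -> %lld\n",
           (long long)clamp_size(2048, 4096, blk_len, false, false));
    printf("write off=4096 size=64   growable -> %lld\n",
           (long long)clamp_size(4096, 64, blk_len, true, true));
    printf("write off=MAX-10 size=64 growable -> %lld\n",
           (long long)clamp_size(UINT64_MAX - 10, 64, blk_len, true, true));
    return 0;
}
```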
Hanna Czenczek [Mon, 9 Mar 2026 15:08:44 +0000 (16:08 +0100)]
iotests/308: Use conv=notrunc to test growability
Without conv=notrunc, dd will automatically truncate the output file to
the @seek value at least. We want to test post-EOF I/O, not truncate,
so pass conv=notrunc.
(It does not make a difference in practice because we only seek to the
EOF, so the truncate effectively does nothing, but this is still
cleaner.)
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-14-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:43 +0000 (16:08 +0100)]
fuse: fuse_{read,write}: Rename length to blk_len
The term "length" is ambiguous, use "blk_len" instead to be clear.
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-13-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:42 +0000 (16:08 +0100)]
fuse: Add halted flag
This is a flag that we will want when processing FUSE requests
ourselves: When the kernel sends us e.g. a truncated request (i.e. we
receive less data than the request's indicated length), we cannot rely
on subsequent data to be valid. Then, we are going to set this flag,
halting all FUSE request processing.
We plan to only use this flag in cases that would effectively be kernel
bugs.
While not necessary yet, access the flag atomically so that it will be
safe to use once we introduce multi-threading.
(Right now, the flag is unused because libfuse still does our request
processing.)
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-12-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:41 +0000 (16:08 +0100)]
fuse: Introduce fuse_{inc,dec}_in_flight()
This is how vduse-blk.c does it, and it does seem better to have
dedicated functions for it.
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-11-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:40 +0000 (16:08 +0100)]
fuse: Introduce fuse_{at,de}tach_handlers()
Pull setting up and tearing down the AIO context handlers into two
dedicated functions.
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-10-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:39 +0000 (16:08 +0100)]
fuse: Set direct_io and parallel_direct_writes
In fuse_open(), set these flags:
- direct_io: We probably actually don't want to have the host page cache
be used for our exports. QEMU block exports are supposed to represent
the image as-is (and thus potentially changing).
This causes a change in iotest 308's reference output.
- parallel_direct_writes: We can (now) cope with parallel writes, so we
should set this flag. For some reason, it doesn't seem to make an
actual performance difference with libfuse, but it does make a
difference without it, so let's set it.
(See "fuse: Copy write buffer content before polling" for further
discussion.)
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-9-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:38 +0000 (16:08 +0100)]
fuse: Fix mount options
Since I actually took a look into how mounting with libfuse works[1], I
now know that the FUSE mount options are not exactly standard mount
system call options. Specifically:
- We should add "nosuid,nodev,noatime" because that is going to be
translated into the respective MS_ mount flags; and those flags make
sense for us.
- We can set rw/ro to make the mount writable or not. It makes sense to
set this flag to produce a better error message for read-only exports
(EROFS instead of EACCES).
This changes behavior as can be seen in iotest 308: It is no longer
possible to modify metadata of read-only exports.
Similarly, in fuse-allow-other, we must now make the export writable
to use SETATTR.
In addition, in the comment, we can note that the FUSE mount() system
call actually expects some more parameters that we can omit because
fusermount3 (i.e. libfuse) will figure them out by itself:
- fd: /dev/fuse fd
- rootmode: Inode mode of the root node
- user_id/group_id: Mounter's UID/GID
[1] It invokes fusermount3, an SUID libfuse helper program, which parses
and processes some mount options before actually invoking the
mount() system call.
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-8-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:37 +0000 (16:08 +0100)]
fuse: Destroy session on mount_fuse_export() fail
If mount_fuse_export() fails to mount the session, destroy it.
Depending on the allow_other configuration, fuse_export_create() may
retry this function on error, which may leak one session instance
otherwise.
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-7-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:36 +0000 (16:08 +0100)]
fuse: Change setup_... to mount_fuse_export()
There is no clear separation between what should go into
setup_fuse_export() and what should stay in fuse_export_create().
Make it clear that setup_fuse_export() is for mounting only. Rename it,
and move everything that has nothing to do with mounting up into
fuse_export_create().
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-6-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:35 +0000 (16:08 +0100)]
fuse: Explicitly set inode ID to 1
Setting .st_ino to the FUSE inode ID is kind of arbitrary. While in
practice it is going to be fixed (to FUSE_ROOT_ID, which is 1) because
we only have the root inode, that is not obvious in fuse_getattr().
Just explicitly set it to 1 (i.e. no functional change).
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-5-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:34 +0000 (16:08 +0100)]
fuse: Remove superfluous empty line
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-4-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:33 +0000 (16:08 +0100)]
fuse: Ensure init clean-up even with error_fatal
When exports are created on the command line (with the storage daemon),
errp is going to point to error_fatal. Without ERRP_GUARD, we would
exit immediately when *errp is set, i.e. skip the clean-up code under
the `fail` label. Use ERRP_GUARD so we always run that code.
As far as I know, this has no actual impact right now[1], but it is
still better to make this right.
[1] Not cleaning up the mount point is the only thing I can imagine
would be problematic, but that is the last thing we attempt, so if
it fails, it will clean itself up.
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-3-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Hanna Czenczek [Mon, 9 Mar 2026 15:08:32 +0000 (16:08 +0100)]
fuse: Copy write buffer content before polling
aio_poll() in I/O functions can lead to nested read_from_fuse_export()
calls, overwriting the request buffer's content. The only function
affected by this is fuse_write(), which therefore must use a bounce
buffer or corruption may occur.
Note that in addition we do not know whether libfuse-internal structures
can cope with this nesting, and even if we did, we probably cannot rely
on it in the future. This is the main reason why we want to remove
libfuse from the I/O path.
I do not have a good reproducer for this other than:
Other shell:
$ qemu-img convert -p -n -f raw -O raw -t none image fuse-export
$ killall -SIGINT qemu-storage-daemon
$ qemu-img compare image copy
Content mismatch at offset 0!
(The -t none in qemu-img convert is important.)
I tried reproducing this with throttle and small aio_write requests from
another qemu-io instance, but for some reason all requests are perfectly
serialized then.
I think in theory we should get parallel writes only if we set
fi->parallel_direct_writes in fuse_open(). In fact, I can confirm that
if we do that, that throttle-based reproducer works (i.e. does get
parallel (nested) write requests). I have no idea why we still get
parallel requests with qemu-img convert anyway.
Also, a later patch in this series will set fi->parallel_direct_writes
and note that it makes basically no difference when running fio on the
current libfuse-based version of our code. It does make a difference
without libfuse. So something quite fishy is going on.
I will try to investigate further what the root cause is, but I think
for now let's assume that calling blk_pwrite() can invalidate the buffer
contents through nested polling.
Cc: qemu-stable@nongnu.org Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260309150856.26800-2-hreitz@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
accel/kvm: Make kvm_irqchip*notifier() declaration non target-specific
Commit 3607715a308 ("kvm: Introduce KVM irqchip change notifier")
restricted the kvm_irqchip*notifier() declarations to target-specific
files, guarding them under the NEED_CPU_H (later renamed as
COMPILING_PER_TARGET) #ifdef check.
This however prohibits building the kvm-stub.c file once:
../accel/stubs/kvm-stub.c:70:6: error: no previous prototype for function 'kvm_irqchip_add_change_notifier' [-Werror,-Wmissing-prototypes]
70 | void kvm_irqchip_add_change_notifier(Notifier *n)
| ^
../accel/stubs/kvm-stub.c:74:6: error: no previous prototype for function 'kvm_irqchip_remove_change_notifier' [-Werror,-Wmissing-prototypes]
74 | void kvm_irqchip_remove_change_notifier(Notifier *n)
| ^
../accel/stubs/kvm-stub.c:78:6: error: no previous prototype for function 'kvm_irqchip_change_notify' [-Werror,-Wmissing-prototypes]
78 | void kvm_irqchip_change_notify(void)
| ^
Since nothing in these prototype declarations is target specific,
move them around to be generically available, allowing to build
kvm-stub.c once for all targets in the next commit.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-Id: <20260309174941.67624-2-philmd@linaro.org>
accel/kvm: Include missing 'exec/cpu-common.h' header
kvm-accel-ops.c uses EXCP_DEBUG, itself defined in
"exec/cpu-common.h". Include it explicitly, otherwise
we get when modifying unrelated headers:
../accel/kvm/kvm-accel-ops.c: In function ‘kvm_vcpu_thread_fn’:
../accel/kvm/kvm-accel-ops.c:54:22: error: ‘EXCP_DEBUG’ undeclared (first use in this function)
54 | if (r == EXCP_DEBUG) {
| ^~~~~~~~~~
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260225051303.91614-2-philmd@linaro.org>
The HPPA target is a 64-bit one, so tcg_global_mem_new()
expands to tcg_global_mem_new_i64(). Use the latter which
is more explicit.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20260205212914.10382-1-philmd@linaro.org>
tcg/optimize: possibly expand deposit into zero with shifts
Use tcg_op_imm_match to choose between expanding with AND+SHL vs SHL+SHR.
Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260303010833.1115741-8-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Paolo Bonzini [Tue, 3 Feb 2026 08:18:16 +0000 (09:18 +0100)]
tcg: target-dependent lowering of extract to shr/and
Instead of assuming only small immediates are available for AND,
consult the backend in order to decide between SHL/SHR and SHR/AND.
Reviewed-by: Jim MacArthur <jim.macarthur@linaro.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[rth: Split from a larger patch] Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260303010833.1115741-7-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Paolo Bonzini [Tue, 3 Feb 2026 07:53:53 +0000 (08:53 +0100)]
tcg: Add tcg_op_imm_match
Create a function to test whether the second operand of a
binary operation allows a given immediate.
Reviewed-by: Jim MacArthur <jim.macarthur@linaro.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[rth: Split out from a larger patch; keep the declaration internal.] Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260303010833.1115741-6-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Use extract2 to implement rotri. To make this easier,
redefine rotli in terms of rotri, rather than the reverse.
Reviewed-by: Jim MacArthur <jim.macarthur@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260303010833.1115741-5-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
tcg/optimize: Lower unsupported extract2 during optimize
The expansions that we chose in tcg-op.c may be less than optimal.
Delay lowering until optimize, so that we have propagated constants
and have computed known zero/one masks.
Reviewed-by: Jim MacArthur <jim.macarthur@linaro.org> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260303010833.1115741-4-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
tcg/optimize: Lower unsupported deposit during optimize
The expansions that we chose in tcg-op.c may be less than optimal.
Delay lowering until optimize, so that we have propagated constants
and have computed known zero/one masks.
Reviewed-by: Jim MacArthur <jim.macarthur@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260303010833.1115741-3-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
tcg: Drop extract+shl expansions in tcg_gen_deposit_z_*
The extract+shl expansion is handled in tcg_gen_andi_*
by preferring supported extract.
The shl+extract expansion is simply removed for now; it was
only present for slightly smaller code generation on x86.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260303010833.1115741-2-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
* tag 'python-pull-request' of https://gitlab.com/jsnow/qemu:
python: add formal python3.14 support and testing
python: drop avocado
python: replace avocado tests with pytest
python: pin 'wheel' version in minreqs test
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
whpx: i386: remove SIPI trapping
whpx: arm64: enable enlightenments if asked for
whpx: make Hyper-V enlightenments configurable
whpx: i386: enable some more enlightenments
target/i386: emulate: LA57 fix
whpx: i386: do not enable nested virt when kernel-irqchip=off
hvf: arm: unbreak the x86 build
target/i386/hvf/hvf.c: fix compilation
qemu-coroutine-lock: fix has_waiters()
xen-block: remove NULL pointer dereference
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>