block/graph-lock: fix missed wakeup in bdrv_graph_co_rdunlock()
tests/qemu-iotests/tests/iothreads-create reproduces the hang on
master under `stress-ng --cpu $(nproc) --timeout 0`. The iotest's
vm.run_job() times out and qemu stays permanently stuck in
ppoll(timeout=-1) inside bdrv_graph_wrlock_drained -> blk_remove_bs
during qemu_cleanup(). The timing window is narrow on modern
bare-metal hardware and much wider in a VM guest; downstream trees
that still use plain bdrv_graph_wrlock() in blk_remove_bs() hit it
on the first iteration under the same stress.
bdrv_graph_wrlock() zeroes has_writer around its AIO_WAIT_WHILE loop
so that callbacks dispatched by aio_poll() can still take the read
lock on the fast path. The rdunlock side, however, only kicks a
waiting writer when has_writer is observed set; a reader that drops
its lock inside the polling window silently returns and nothing ever
wakes the writer:
reader_count is now 0 and num_waiters is still 1, but no BH, fd or
timer on the main AioContext will fire -- the only entity that could
kick just decided it did not have to. Main stays in ppoll() holding
BQL, so RCU, VCPUs and any iothread path that needs BQL stall behind
it. The hang is final; no timeout, no forward progress, no recovery
as there is no other source of wake up inside qemu_cleanup().
bdrv_drain_all_begin() does not close the race on its own: it
quiesces in-flight I/O, but graph readers also include non-I/O
coroutines (block-job cleanup, virtio-scsi polling) that drain does
not evict. The bdrv_graph_wrlock_drained() wrapper narrows the
window but does not eliminate it; every plain bdrv_graph_wrlock()
site is exposed on the same basis.
Drop the has_writer check in bdrv_graph_co_rdunlock() and call
aio_wait_kick() unconditionally. The helper itself loads num_waiters
atomically and only schedules a dummy BH when a waiter exists, so the
change is a no-op on the no-writer path and closes the missed-wakeup
on the writer path.
Signed-off-by: Denis V. Lunev <den@openvz.org>
Cc: Kevin Wolf <kwolf@redhat.com>
Cc: Hanna Reitz <hreitz@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Fiona Ebner <f.ebner@proxmox.com>
Message-ID: <20260424103917.248668-2-den@openvz.org>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
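Added example, not part of the commit and not QEMU code: a single-threaded model of the interleaving described in the graph-lock commit message above, run once with the old has_writer check and once with the unconditional kick. The struct, the model_* functions and the writer states are illustrative names; only has_writer, reader_count and num_waiters come from the message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model only; none of these definitions are QEMU's. */
enum writer_state { WRITER_IDLE, WRITER_IN_PPOLL, WRITER_LOCKED };

struct graph_lock_model {
    int has_writer;            /* zeroed while the writer polls */
    int reader_count;          /* readers currently holding the lock */
    int num_waiters;           /* writers parked in the wait loop */
    bool bh_pending;           /* dummy BH scheduled by the kick helper */
    enum writer_state writer;
};

/* Kick helper as described: schedules a BH only when a waiter exists. */
static void model_wait_kick(struct graph_lock_model *m)
{
    if (m->num_waiters > 0) {
        m->bh_pending = true;
    }
}

static void model_rdlock(struct graph_lock_model *m)
{
    m->reader_count++;
}

/* unconditional_kick == false models the old "only if has_writer" check. */
static void model_rdunlock(struct graph_lock_model *m, bool unconditional_kick)
{
    m->reader_count--;
    if (unconditional_kick || m->has_writer) {
        model_wait_kick(m);
    }
}

static void model_writer_acquire(struct graph_lock_model *m)
{
    m->num_waiters--;
    m->has_writer = 1;
    m->writer = WRITER_LOCKED;
}

/* Writer opens its polling window and blocks if a reader is present. */
static void model_wrlock_begin(struct graph_lock_model *m)
{
    m->has_writer = 0;
    m->num_waiters++;
    if (m->reader_count >= 1) {
        m->writer = WRITER_IN_PPOLL;    /* stands for ppoll(timeout=-1) */
    } else {
        model_writer_acquire(m);
    }
}

/* One main-loop turn: the poll returns only if an event source is pending. */
static void model_main_loop_turn(struct graph_lock_model *m)
{
    if (m->writer != WRITER_IN_PPOLL || !m->bh_pending) {
        return;                         /* still asleep, nothing to run */
    }
    m->bh_pending = false;
    if (m->reader_count == 0) {
        model_writer_acquire(m);
    }
}

/* The interleaving from the message; true if the writer gets the lock. */
bool writer_makes_progress(bool unconditional_kick)
{
    struct graph_lock_model m = {0};

    model_rdlock(&m);                        /* reader holds the lock */
    model_wrlock_begin(&m);                  /* writer sleeps, has_writer == 0 */
    model_rdunlock(&m, unconditional_kick);  /* reader drops inside the window */
    model_main_loop_turn(&m);
    return m.writer == WRITER_LOCKED;
}

/* No-writer path: an unconditional kick must not schedule anything. */
bool kick_without_waiter_schedules_bh(void)
{
    struct graph_lock_model m = {0};

    model_rdlock(&m);
    model_rdunlock(&m, true);
    return m.bh_pending;
}

int main(void)
{
    printf("has_writer check:   writer progresses = %d\n",
           writer_makes_progress(false));
    printf("unconditional kick: writer progresses = %d\n",
           writer_makes_progress(true));
    printf("no waiter:          BH scheduled      = %d\n",
           kick_without_waiter_schedules_bh());
    return 0;
}
```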
Kevin Wolf [Mon, 27 Apr 2026 17:05:20 +0000 (19:05 +0200)]
iotests/046: Test that discard/write_zeroes wait for dependencies
This is a regression test for the bug fixed in the previous commit where
discard and write_zeroes operations wouldn't consider their dependencies
in s->cluster_allocs. Without the fix, this results in a corrupted
image.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20260427170520.101242-5-kwolf@redhat.com>
Reviewed-by: Denis V. Lunev <den@openvz.org>
Tested-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Kevin Wolf [Mon, 27 Apr 2026 17:05:19 +0000 (19:05 +0200)]
qcow2: Fix corruption on discard during write with COW
Most code in qcow2 that accesses (and potentially modifies) L2 tables
does so while holding s->lock.
There is one exception, which is allocating writes. They hold the lock
initially while allocating clusters, but drop it for writing the guest
payload before taking the lock again for updating the L2 tables. This
allows concurrent requests that touch other parts of the image file to
continue in parallel and is an important performance optimisation.
However, this means that other requests that run while the lock is
dropped for writing guest data must synchronise with the list of
allocating requests in s->cluster_allocs and wait if they would overlap.
For writes, this is done in handle_dependencies(), but discard and write
zeros operations neglect to synchronise with s->cluster_allocs.
This means that discard can free a cluster whose L2 entry will already
be modified in qcow2_alloc_cluster_link_l2() by a previously started
write. In the case of a pre-allocated zero cluster that is in the
process of being overwritten, this means that discard can lead to a
situation where the cluster is still mapped (because the write will
restore the L2 entry just without the zero flag), but its refcount has
been decreased, resulting in a corrupted image.
Add the missing synchronisation to qcow2_cluster_discard() and
qcow2_subcluster_zeroize() to fix the problem.
Cc: qemu-stable@nongnu.org
Reported-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20260427170520.101242-4-kwolf@redhat.com>
Reviewed-by: Denis V. Lunev <den@openvz.org>
Tested-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Kevin Wolf [Mon, 27 Apr 2026 17:05:18 +0000 (19:05 +0200)]
qemu-io: Add 'aio_discard' command
Testing interactions between multiple requests that include discard
requests requires that qemu-io can do the discard asynchronously, like it
already does for reads and writes. To this effect, add an 'aio_discard'
command.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20260427170520.101242-3-kwolf@redhat.com>
Reviewed-by: Denis V. Lunev <den@openvz.org>
Tested-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Kevin Wolf [Mon, 27 Apr 2026 17:05:17 +0000 (19:05 +0200)]
commit: Drain nodes across all of bdrv_commit()
The whole implementation of bdrv_commit() is only correct if no new
writes come in while it's running: It has only a single loop checking
the allocation status for each block and finally calls bdrv_make_empty()
without checking if that throws away any new changes.
We already have to drain while taking the graph write lock. Just extend
the drained section to all of bdrv_commit() to make sure that we don't
get any inconsistencies.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20260427170520.101242-2-kwolf@redhat.com>
Reviewed-by: Denis V. Lunev <den@openvz.org>
Tested-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Kevin Wolf [Fri, 10 Apr 2026 15:23:14 +0000 (17:23 +0200)]
block: Add more defaults to DEFAULT_BLOCK_CONF
discard_granularity was missing from this, which means that SCSI disks
created with -drive if=scsi would default to 0 (i.e. disabling discards)
instead of -1, which makes scsi-hd automatically pick a granularity and
is the default of the corresponding qdev property for -device scsi-hd.
Also set other fields whose default isn't an obvious 0. These are not
actual bug fixes because ON_OFF_AUTO_AUTO in fact happens to be 0, but
it's better not to rely on the order of enums.
Cc: qemu-stable@nongnu.org
Fixes: 308963746169 ('scsi: Don't ignore most usb-storage properties')
Reported-by: Lexi Winter <ivy@FreeBSD.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20260410152314.86412-3-kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Kevin Wolf [Fri, 10 Apr 2026 15:23:13 +0000 (17:23 +0200)]
block: Create DEFAULT_BLOCK_CONF macro
The property default values from include/hw/block/block.h were
duplicated in scsi_bus_legacy_handle_cmdline(), allowing them to go out
of sync easily. There doesn't seem to be a good way to avoid the duplication,
but moving them next to each other in the header file should help to
avoid this problem in the future.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20260410152314.86412-2-kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
MAINTAINERS: Add myself as maintainer for replication
I recently took up maintainership for the orphaned COLO migration component.
Here I take over maintainership for replication which is another important
component for COLO.
Signed-off-by: Lukas Straub <lukasstraub2@web.de>
Message-ID: <20260425-replication_maintainer-v1-1-f6ab019ff0ca@web.de>
Reviewed-by: Zhang Chen <zhangckid@gmail.com>
Acked-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Thomas Huth [Mon, 11 May 2026 06:30:13 +0000 (08:30 +0200)]
Remove the deprecated glusterfs block driver
Glusterfs has been marked as deprecated since QEMU v9.2, and as far
as I know, nobody spoke up 'til today that it should be kept.
The listed e-mail address integration@gluster.org in our MAINTAINERS
file seems to be bouncing nowadays, and looking at their website
https://www.gluster.org/ the most recent news are from 2020 / 2021 ...
so it seems like there is really hardly any interest in Glusterfs
anymore. Thus it's time to remove the code now from QEMU.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260511063013.39805-1-thuth@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Kevin Wolf [Tue, 21 Apr 2026 16:11:30 +0000 (18:11 +0200)]
ide: Clean up ide_trim_co_entry() to be idiomatic coroutine code
The previous commit did a minimal conversion of the callback based state
machine for TRIM to a coroutine in order to fix a bug. Refactor it to
actually look like normal coroutine based code, which improves its
readability.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20260421161132.99878-6-kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Kevin Wolf [Tue, 21 Apr 2026 16:11:29 +0000 (18:11 +0200)]
ide: Minimal fix for deadlock between TRIM and drain
The implementation of TRIM in IDE can chain multiple discard requests
and uses blk_inc/dec_in_flight() to make sure that the whole TRIM
operation has completed when the device needs to be quiescent (e.g. for
the drain when performing an IDE reset, it would be bad if an IDE
request like TRIM were still in flight).
The problem is that each drain request calls blk_wait_while_drained()
and when draining, it waits until the drained section ends. At the same
time, drain_begin can only return if the whole TRIM operation has
completed. This is a classic deadlock.
Use blk_co_start/end_request() and BDRV_REQ_NO_QUEUE to avoid the
problem. This requires moving the TRIM state machine to a coroutine.
This commit does the minimal conversion so that we do have a coroutine
that works for the fix, but it still looks much like a callback-based
implementation. This will be cleaned up in the next patch.
Cc: qemu-stable@nongnu.org
Fixes: 7e5cdb345f77 ('ide: Increment BB in-flight counter for TRIM BH')
Buglink: https://redhat.atlassian.net/browse/RHEL-121686
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20260421161132.99878-5-kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Kevin Wolf [Tue, 21 Apr 2026 16:11:27 +0000 (18:11 +0200)]
block: Add blk_co_start/end_request() and BDRV_REQ_NO_QUEUE
If a device uses blk_inc/dec_in_flight() in order to build macro
operations that involve multiple requests for the block layer and that
need to be completed as a unit before the BlockBackend can be considered
drained, it sets the stage for a deadlock: When a drain is requested,
the inner request at the BlockBackend level will be queued in
blk_wait_while_drained() and wait until the drained section ends, but at
the same time, drain_begin can only return if the whole macro operation
at the device level has completed.
Introduce a new interface to allow implementing the logic correctly:
Instead of queueing individual requests, blk_co_start_request() calls
blk_wait_while_drained() once at the beginning. The individual requests
must then set BDRV_REQ_NO_QUEUE to avoid being queued and running into
the deadlock; being wrapped in blk_co_start/end_request() makes sure
that drain_begin waits for them and they don't sneak in when the
BlockBackend is supposed to already be quiescent.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20260421161132.99878-3-kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Kevin Wolf [Tue, 21 Apr 2026 16:11:26 +0000 (18:11 +0200)]
blkdebug: Add 'delay-ns' option
Sometimes reproducing a problem for debugging involves slow I/O, so
let's add something to blkdebug to make I/O slow when we need it. This
can be used either together with an error so that the request fails
after the delay, or with errno=0, which allows the request to succeed
after the delay.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20260421161132.99878-2-kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Matt Turner [Thu, 14 May 2026 16:55:26 +0000 (12:55 -0400)]
linux-user/sh4: Fix setup_sigtramp to match Linux kernel trampoline pattern
QEMU used MOVW(2) (0x9300), which loads the syscall number from PC+4,
instead of the kernel's MOVW(7) (0x9305), which loads from PC+14. The
kernel uses five "or r0,r0" nop pads between TRAP_NOARG and the syscall
number word to reach that offset. libunwind's unw_is_signal_frame checks
for the exact kernel byte pattern 0xc3109305 at the frame PC, so QEMU's
compact layout was not detected, breaking unwinding through signal frames.
Expand each trampoline from 6 to 16 bytes matching the kernel layout
defined in arch/sh/kernel/signal_32.c:
    #define MOVW(n)    (0x9300|((n)-2)) /* Move mem word at PC+n to R3 */
    #define TRAP_NOARG 0xc310           /* Syscall w/no args (NR in R3) */
    #define OR_R0_R0   0x200b           /* or r0,r0 (insert to avoid hardware bug) */
The first two halfwords (MOVW(7) || TRAP_NOARG = 0xc3109305) form the
32-bit value libunwind checks at the frame PC, followed by two
OR_R0_R0 halfwords (0x200b200b) at PC+4. The same layout applies to
the rt_sigreturn trampoline (lines 366-373 of signal_32.c).
Neither this fix nor the companion tuc_link fix is independently
sufficient: this fix makes signal frames detectable but register reads
remain garbage without the correct ucontext layout; that fix corrects the
ucontext layout but libunwind still cannot detect the frame without the
correct trampoline pattern. Together they fix the following libunwind
tests on a 64-bit host:
Gtest-sig-context, Gtest-trace, Ltest-init-local-signal,
Ltest-sig-context, Ltest-trace
Signed-off-by: Matt Turner <mattst88@gmail.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Helge Deller <deller@gmx.de>
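Added example, not part of the commit: it builds the old 6-byte trampoline and the 16-byte kernel layout from the three macros quoted in the setup_sigtramp message above, then checks where the first instruction loads its syscall number from and whether the 32-bit word at the frame PC equals 0xc3109305. It assumes a little-endian SH4 target; SAMPLE_NR is a constructed value and the function names are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Macros as quoted in the commit message (arch/sh/kernel/signal_32.c). */
#define MOVW(n)     (0x9300 | ((n) - 2))
#define TRAP_NOARG  0xc310
#define OR_R0_R0    0x200b

#define SIGFRAME_PATTERN 0xc3109305u  /* word the message says libunwind checks */
#define SAMPLE_NR        0x0077       /* constructed syscall-number word */

static void put16le(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)(v >> 8);
}

static uint16_t get16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t get32le(const uint8_t *p)
{
    return (uint32_t)get16le(p) | ((uint32_t)get16le(p + 2) << 16);
}

/* Old compact layout: MOVW(2), TRAP_NOARG, syscall number (6 bytes). */
static size_t build_compact(uint8_t *buf, uint16_t nr)
{
    put16le(buf + 0, MOVW(2));
    put16le(buf + 2, TRAP_NOARG);
    put16le(buf + 4, nr);
    return 6;
}

/* Kernel layout: MOVW(7), TRAP_NOARG, five nop pads, syscall number. */
static size_t build_kernel_layout(uint8_t *buf, uint16_t nr)
{
    size_t off = 0;

    put16le(buf + off, MOVW(7));    off += 2;
    put16le(buf + off, TRAP_NOARG); off += 2;
    for (int i = 0; i < 5; i++) {
        put16le(buf + off, OR_R0_R0);
        off += 2;
    }
    put16le(buf + off, nr);         off += 2;
    return off;
}

/* mov.w @(disp,PC),Rn reads PC + 4 + 2*disp; disp is the low byte. */
static unsigned movw_load_offset(uint16_t insn)
{
    return 4u + 2u * (insn & 0xffu);
}

static size_t build(int kernel_layout, uint8_t *buf)
{
    return kernel_layout ? build_kernel_layout(buf, SAMPLE_NR)
                         : build_compact(buf, SAMPLE_NR);
}

size_t trampoline_len(int kernel_layout)
{
    uint8_t buf[16] = {0};
    return build(kernel_layout, buf);
}

/* The halfword the first instruction would load into R3. */
uint16_t trampoline_loaded_word(int kernel_layout)
{
    uint8_t buf[16] = {0};
    build(kernel_layout, buf);
    return get16le(buf + movw_load_offset(get16le(buf)));
}

uint32_t trampoline_word_at(int kernel_layout, size_t off)
{
    uint8_t buf[16] = {0};
    build(kernel_layout, buf);
    return get32le(buf + off);
}

/* The check the message attributes to unw_is_signal_frame. */
int trampoline_detected(int kernel_layout)
{
    return trampoline_word_at(kernel_layout, 0) == SIGFRAME_PATTERN;
}

int main(void)
{
    for (int k = 0; k <= 1; k++) {
        printf("%s: len=%zu word@PC=0x%08x detected=%d\n",
               k ? "kernel " : "compact", trampoline_len(k),
               (unsigned)trampoline_word_at(k, 0), trampoline_detected(k));
    }
    return 0;
}
```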
Matt Turner [Thu, 14 May 2026 16:55:25 +0000 (12:55 -0400)]
linux-user/sh4: Fix target_ucontext tuc_link field type
tuc_link is declared as 'struct target_ucontext *', which is a HOST
pointer. On a 64-bit host running a 32-bit SH4 target, this is 8 bytes
instead of the 4 bytes the target expects; padding pushes tuc_mcontext
8 bytes past its correct offset.
When a signal handler receives ucontext_t *, every field accessed through
uc_mcontext (gregs[], pc, pr, ...) is read from the wrong address. In
particular the saved PC comes back as a garbage stack value, which breaks
any code that initialises a libunwind cursor from the signal context.
Fix it by using abi_ulong, which is always sized to the target ABI (4
bytes for SH4), matching the layout the kernel and glibc agree on. This
is the same pattern used by arm/signal.c.
Also remove the (unsigned long *) cast from the __put_user that zeros
tuc_link. The cast was harmless when tuc_link was pointer-sized (8
bytes matching unsigned long on a 64-bit host), but after the type
change __put_user's sizeof dispatch would select stq_le_p (8-byte write)
for a now-4-byte field, silently overwriting the start of tuc_stack.
Neither this fix nor the companion setup_sigtramp fix is independently
sufficient: this fix corrects register values read from the signal context
but libunwind still cannot detect the frame without the correct trampoline
pattern; that fix makes the frame detectable but register reads remain
garbage without the correct ucontext layout. Together they fix the
following libunwind tests on a 64-bit host:
Gtest-sig-context, Gtest-trace, Ltest-init-local-signal,
Ltest-sig-context, Ltest-trace
Signed-off-by: Matt Turner <mattst88@gmail.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Helge Deller <deller@gmx.de>
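Added example, not part of the commit: it compares the offset of tuc_mcontext with an 8-byte tuc_link and with a 4-byte abi_ulong tuc_link, and shows what an 8-byte zeroing store aimed at the 4-byte field does to the start of tuc_stack, the two effects the tuc_link message above describes. The sample_stack and sample_mcontext layouts are constructed stand-ins, the host pointer is modelled as an 8-byte, 8-aligned integer so the result does not depend on the build host, and the function names are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t abi_ulong;   /* 4 bytes: sized to the SH4 target ABI */

/* Constructed stand-ins; the real target structs are not on the page. */
struct sample_stack {
    abi_ulong ss_sp;
    int32_t   ss_flags;
    abi_ulong ss_size;
};

struct sample_mcontext {
    abi_ulong gregs[16];
    abi_ulong pc;
    abi_ulong pr;
};

/* Before: tuc_link modelled as an 8-byte, 8-aligned host pointer. */
struct ucontext_hostptr {
    abi_ulong tuc_flags;
    _Alignas(8) uint64_t tuc_link;
    struct sample_stack tuc_stack;
    struct sample_mcontext tuc_mcontext;
};

/* After: tuc_link is an abi_ulong, as in the fix. */
struct ucontext_abi {
    abi_ulong tuc_flags;
    abi_ulong tuc_link;
    struct sample_stack tuc_stack;
    struct sample_mcontext tuc_mcontext;
};

size_t mcontext_offset_hostptr(void)
{
    return offsetof(struct ucontext_hostptr, tuc_mcontext);
}

size_t mcontext_offset_abi(void)
{
    return offsetof(struct ucontext_abi, tuc_mcontext);
}

/*
 * Zero `width` bytes starting at tuc_link, the way a store whose size is
 * taken from the pointee type would, and return what is left in ss_sp.
 * width 8 models the store selected through an (unsigned long *) cast on
 * a 64-bit host; width 4 models the store selected for an abi_ulong.
 */
abi_ulong ss_sp_after_zeroing_link(size_t width)
{
    struct ucontext_abi uc;
    unsigned char zero[8] = {0};

    if (width > sizeof(zero)) {
        width = sizeof(zero);
    }
    memset(&uc, 0xAA, sizeof(uc));
    uc.tuc_stack.ss_sp = 0x11223344u;       /* constructed value */
    memcpy((unsigned char *)&uc + offsetof(struct ucontext_abi, tuc_link),
           zero, width);
    return uc.tuc_stack.ss_sp;
}

int main(void)
{
    printf("tuc_mcontext offset: 8-byte link = %zu, abi_ulong link = %zu\n",
           mcontext_offset_hostptr(), mcontext_offset_abi());
    printf("ss_sp after 4-byte store: 0x%08x\n",
           (unsigned)ss_sp_after_zeroing_link(4));
    printf("ss_sp after 8-byte store: 0x%08x\n",
           (unsigned)ss_sp_after_zeroing_link(8));
    return 0;
}
```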
Helge Deller [Fri, 1 May 2026 10:56:12 +0000 (12:56 +0200)]
linux-user: Fix AT_EXECFN in AUXV for symlinked programs
The AT_EXECFN entry in AUXV needs to keep the value which was used when
the program was started. Especially for symlinked programs qemu should
not try to resolve the realpath.
Here is a reproducer:
    (arm64-chroot)root@p100:/# cd /usr/bin
    (arm64-chroot)root@p100:/usr/bin# ln -s echo testprog
    (arm64-chroot)root@p100:/usr/bin# LD_SHOW_AUXV=1 ./testprog | grep AT_EXECFN
    AT_EXECFN: ./testprog
In this example, "./testprog" is the correct output, and not "/usr/bin/echo".
This patch fixes parts of commit 258bec39 ("linux-user: Fix access to
/proc/self/exe").
* tag 'firmware-20260519-pull-request' of https://gitlab.com/kraxel/qemu:
hw/i386/microvm: Add IGVM support
hw/uefi: check auth.hdr_length minimum size
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Luigi Leonardi [Tue, 12 May 2026 15:14:12 +0000 (17:14 +0200)]
hw/i386/microvm: Add IGVM support
The IGVM infrastructure operates on X86MachineState and is already
machine-type-agnostic, but the "igvm-cfg" QOM property is only
registered on the PC machine type. Register it on microvm as well.
When an IGVM file is configured, the firmware image is provided as
a payload of the IGVM file so skip loading the default BIOS.
Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
Message-ID: <20260512-microvm_igvm-v1-1-8b1fd8861235@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Gerd Hoffmann [Tue, 12 May 2026 06:05:23 +0000 (08:05 +0200)]
hw/uefi: check auth.hdr_length minimum size
auth.hdr_length maximum is already checked (against buffer size). The
header has some fixed fields which are included in the header length, so
there also is a minimum size which must be verified. Add a check for
that. Fixes possible integer underflow.
While at it, replace the magic number '24' with sizeof calculations
for better code documentation.
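Added example, not QEMU's code: a length check with only the upper bound next to one that also enforces the minimum, showing the unsigned wrap the hw/uefi message above refers to. The struct layout is an assumption chosen so that the fixed fields add up to the 24 bytes the message mentions; the function names and the 64-byte sample buffer are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: hdr_length counts these fixed fields plus the payload. */
struct sample_auth_hdr {
    uint32_t hdr_length;
    uint16_t hdr_revision;
    uint16_t hdr_cert_type;
    uint8_t  guid_cert_type[16];
};
_Static_assert(sizeof(struct sample_auth_hdr) == 24, "fixed part is 24 bytes");

#define SAMPLE_BUF_LEN 64

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Before: only the maximum is checked, the subtraction can wrap. */
static int payload_len_max_only(const uint8_t *buf, size_t buf_len,
                                uint32_t *payload_len)
{
    uint32_t hdr_length;

    if (buf_len < sizeof(uint32_t)) {
        return -1;
    }
    hdr_length = read_le32(buf);
    if (hdr_length > buf_len) {
        return -1;
    }
    *payload_len = hdr_length - 24;       /* wraps when hdr_length < 24 */
    return 0;
}

/* After: minimum and maximum are checked, with sizeof instead of 24. */
static int payload_len_checked(const uint8_t *buf, size_t buf_len,
                               uint32_t *payload_len)
{
    uint32_t hdr_length;

    if (buf_len < sizeof(struct sample_auth_hdr)) {
        return -1;
    }
    hdr_length = read_le32(buf);
    if (hdr_length < sizeof(struct sample_auth_hdr) || hdr_length > buf_len) {
        return -1;
    }
    *payload_len = hdr_length - (uint32_t)sizeof(struct sample_auth_hdr);
    return 0;
}

/* Constructed input: a zeroed buffer whose first field is hdr_length. */
static void make_sample(uint8_t *buf, uint32_t hdr_length)
{
    memset(buf, 0, SAMPLE_BUF_LEN);
    buf[0] = (uint8_t)(hdr_length & 0xff);
    buf[1] = (uint8_t)((hdr_length >> 8) & 0xff);
    buf[2] = (uint8_t)((hdr_length >> 16) & 0xff);
    buf[3] = (uint8_t)((hdr_length >> 24) & 0xff);
}

/* Payload length computed by each variant, or -1 if the input is rejected. */
int64_t max_only_result(uint32_t hdr_length)
{
    uint8_t buf[SAMPLE_BUF_LEN];
    uint32_t len = 0;

    make_sample(buf, hdr_length);
    return payload_len_max_only(buf, sizeof(buf), &len) == 0 ? (int64_t)len : -1;
}

int64_t checked_result(uint32_t hdr_length)
{
    uint8_t buf[SAMPLE_BUF_LEN];
    uint32_t len = 0;

    make_sample(buf, hdr_length);
    return payload_len_checked(buf, sizeof(buf), &len) == 0 ? (int64_t)len : -1;
}

int main(void)
{
    const uint32_t samples[] = { 8, 24, 28, 65 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("hdr_length=%u max-only=%lld checked=%lld\n",
               (unsigned)samples[i],
               (long long)max_only_result(samples[i]),
               (long long)checked_result(samples[i]));
    }
    return 0;
}
```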
Klaus Jensen [Wed, 18 Mar 2026 09:26:58 +0000 (10:26 +0100)]
hw/nvme: fix admin cq msix setup
If MSI-X is not enabled when the admin completion queue is created,
msix_vector_use() is not called. But, if MSI-X is subsequently enabled,
msix_notify() will fail to fire the interrupt because the use count for
the vector remains at 0.
msix_vector_use/unuse should be called if MSI-X is *present*, not
*enabled*. Fix this.
Cc: qemu-stable@nongnu.org
Reported-by: Andreas Hindborg <a.hindborg@samsung.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
hw/nvme: add user controlled 'firmware-version' property
This enables overriding the built in default QEMU project version string
with a user specified string. The value can be at most 8 characters
in length.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
hw/nvme: report error for oversized 'serial' parameter
The 'serial' accepted by the NVME device is at most 20 characters
long. An over-sized user supplied value should be reported rather
than silently truncated.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Stefan Hajnoczi [Sat, 16 May 2026 21:35:56 +0000 (17:35 -0400)]
Merge tag 'pull-target-arm-20260515' of https://gitlab.com/pm215/qemu into staging
target-arm queue:
* docs: Document TIMEOUT_MULTIPLIER for raising test timeouts
* meson.build: Add -fzero-init-padding-bits=all
* hw/remote/machine.c: Mark x-remote machine as OK for AArch64 and AArch32
* tests/functional: Fix tests to not fail on a KVM-only aarch64 build
* target/arm: Rename Aarch64-specific methods
* target/arm: Extract IDAU interface to its own unit
* target/arm/hvf: Stop pre-allocating cpreg_vmstate arrays
* target/arm/hvf: Fix WFI halting to stop idle vCPU spinning
* GICv5: Fix minor bugs spotted by Coverity
* hw/arm: Build ARM/HVF GICv3 stub once
* hw/arm: fsl-imx8mm: Don't call qdev_get_machine in init
* hw/misc/bcm2835_control.c: Don't assert on local timer zero reload value
* hw/display/exynos4210_fimd: Assume display surface is 32bpp
* hw/display/exynos4210_fimd: Use LOG_GUEST_ERROR instead of hw_error()
* hw/arm/integratorcp: Use LOG_UNIMP rather than hw_error()
* tag 'pull-target-arm-20260515' of https://gitlab.com/pm215/qemu: (23 commits)
target/arm/hvf: Fix WFI halting to stop idle vCPU spinning
tests/functional/qemu_test/asset.py: Don't use setxattr when it doesn't exist
tests/functional/test_tuxrun: Restrict to TCG
tests/functional/test_hotplug_pci.py: Require TCG
tests/functional/test_kvm.py: Skip if virtualization not supported
tests/functional/test_kvm.py: Use -cpu max, not cortex-a72
tests/functional/test_virt_vbsa: Skip UEFI test if virtualization not supported
hw/remote/machine.c: Mark x-remote machine as OK for AArch64 and AArch32
hw/display/exynos4210_fimd: Assume display surface is 32bpp
hw/display/exynos4210_fimd: Use LOG_GUEST_ERROR instead of hw_error()
hw/arm/integratorcp: Use LOG_UNIMP rather than hw_error()
hw/misc/bcm2835_control.c: Don't assert on local timer zero reload value
meson.build: Add -fzero-init-padding-bits=all
hw/intc/arm_gicv5: Add missing early return in gicv5_set_handling()
hw/intc/arm_gicv5: Avoid NULL dereference in trace line
target/arm: GICv5 cpuif: Don't set HPPIV bit in GICv5PendingIrq::intid
target/arm: GICv5 cpuif: Fix overflow in left shift
target/arm/hvf: Stop pre-allocating cpreg_vmstate arrays
target/arm: Extract IDAU interface to its own unit
target/arm: Rename Aarch64-specific methods
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Sat, 16 May 2026 21:32:41 +0000 (17:32 -0400)]
Merge tag 'pbouvier/pr/target_info-20260514' of https://gitlab.com/p-b-o/qemu into staging
Changes:
- [PATCH v7 0/5] single-binary: deduplicate target_info() (Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>)
Link: https://lore.kernel.org/qemu-devel/20260514172303.1484273-1-pierrick.bouvier@oss.qualcomm.com
# gpg: Signature made Thu 14 May 2026 15:54:22 EDT
# gpg: using RSA key 37C15694D8BA9764B1973FDBB44437D19C2862DF
# gpg: Good signature from "Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 37C1 5694 D8BA 9764 B197 3FDB B444 37D1 9C28 62DF
* tag 'pbouvier/pr/target_info-20260514' of https://gitlab.com/p-b-o/qemu:
target-info: replace target_info() in system-mode
target-info-qom: detect target from QOM
target-info: introduce TargetInfo in QOM
qom/object: initialize type_table in static ctor with fundamental QOM types
qom/object: register OBJECT and INTERFACE QOM types before main
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Scott J. Goldman [Wed, 13 May 2026 02:21:09 +0000 (22:21 -0400)]
target/arm/hvf: Fix WFI halting to stop idle vCPU spinning
Commit b5f8f77271 ("accel/hvf: Implement WFI without using pselect()")
changed hvf_wfi() from blocking the vCPU thread with pselect() to
returning EXCP_HLT, intending QEMU's main event loop to handle the
idle wait. However, cpu->halted was never set, so cpu_thread_is_idle()
always returns false and the vCPU thread spins at 100% CPU per core
while the guest is idle.
Fix this by:
1. Setting cpu->halted = 1 in hvf_wfi() so the vCPU thread sleeps on
halt_cond in qemu_process_cpu_events().
2. Arming a per-vCPU QEMU_CLOCK_VIRTUAL timer to fire when the guest's
virtual timer (CNTV_CVAL_EL0) would expire. This is necessary
because HVF only delivers HV_EXIT_REASON_VTIMER_ACTIVATED during
hv_vcpu_run(), which is not called while the CPU is halted. The
timer callback mirrors the VTIMER_ACTIVATED handler: it raises the
vtimer IRQ through the GIC and marks vtimer_masked, causing the
interrupt delivery chain to wake the vCPU via qemu_cpu_kick().
3. Clearing cpu->halted in hvf_arch_vcpu_exec() when cpu_has_work()
indicates a pending interrupt, and cancelling the WFI timer.
4. Re-arming the WFI timer from hvf_vm_state_change() on the resume
transition for any halted vCPU, since the QEMUTimer is per-instance
state and is not migrated. After cpu_synchronize_all_states() the
migrated vtimer state is mirrored in env, so we can read CNTV_CTL
and CNTV_CVAL from there. If the vtimer has already expired by the
time the destination resumes, hvf_wfi_timer_cb() is invoked
directly so the halted vCPU is woken up.
All wfi_timer handling (allocation, arming, deletion, and the resume
re-arm) is gated on !hvf_irqchip_in_kernel(): with the Apple in-kernel
vGIC, HVF owns the vtimer and delivers wake-ups itself.
Note for stable backports: this commit won't apply to 11.0 as
it has changes to handle the hvf in-kernel irqchip support that
landed after the 11.0 release. The v3 version of this commit:
https://patchew.org/QEMU/20260427195516.46256-1-scottjgo@gmail.com/
should be suitable for 11.0 backporting (it is essentially
identical except that it doesn't make the changes conditional
on !hvf_irqchip_in_kernel()).
Cc: qemu-stable@nongnu.org
Fixes: b5f8f77271 ("accel/hvf: Implement WFI without using pselect()")
Signed-off-by: Scott J. Goldman <scottjgo@gmail.com>
Reviewed-by: Mohamed Mediouni <mohamed@unpredictable.fr>
[PMM: added note about stable backports to commit message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Fri, 1 May 2026 11:55:06 +0000 (12:55 +0100)]
tests/functional/qemu_test/asset.py: Don't use setxattr when it doesn't exist
The Python os.setxattr() API is Linux-specific, so trying to use
it on other OSes triggers a failure:
    File "/Users/pm215/src/qemu/tests/functional/qemu_test/asset.py",
    line 227, in fetch
      os.setxattr(str(tmp_cache_file), "user.qemu-asset-url",
      ^^^^^^^^^^^
    AttributeError: module 'os' has no attribute 'setxattr'
Since we only set the attributes here for informational
purposes, skip them when os.setxattr() isn't available.
Cc: qemu-stable@nongnu.org
Fixes: 9903217a4ed013 ("tests/functional: add a module for handling asset download & caching")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Thomas Huth <th.huth+qemu@posteo.eu>
Message-id: 20260501115506.3792110-1-peter.maydell@linaro.org
Peter Maydell [Thu, 7 May 2026 19:47:28 +0000 (20:47 +0100)]
tests/functional/test_tuxrun: Restrict to TCG
The tuxrun tests specify the cortex-a57 CPU; this doesn't work on a
KVM-only QEMU build, where the default accelerator is KVM but KVM
doesn't support that CPU type. Restrict the test to TCG, to avoid
failures on KVM-only AArch64 builds:
Output: qemu-system-aarch64: kvm_init_vcpu: kvm_arch_init_vcpu failed (0): Invalid argument
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260507194728.2034696-7-peter.maydell@linaro.org
Peter Maydell [Thu, 7 May 2026 19:47:27 +0000 (20:47 +0100)]
tests/functional/test_hotplug_pci.py: Require TCG
The hotplug test asks for the cortex-a57 CPU type, so it will
fail on an AArch64 system using KVM where TCG is not compiled
into QEMU and the default accelerator is KVM:
Peter Maydell [Thu, 7 May 2026 19:47:26 +0000 (20:47 +0100)]
tests/functional/test_kvm.py: Skip if virtualization not supported
The test_kvm test runs the virt board with virtualization=on,
which will fail if run with an accelerator that doesn't
support nested virtualization. Catch the VMLaunchFailure
exception and skip the test if startup failed because
the accelerator can't support virtualization.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260507194728.2034696-5-peter.maydell@linaro.org
Peter Maydell [Thu, 7 May 2026 19:47:25 +0000 (20:47 +0100)]
tests/functional/test_kvm.py: Use -cpu max, not cortex-a72
The test_kvm test claims to run on any accelerator supporting
nested virtualization, but it specifies the cortex-a72 CPU.
This doesn't exist for KVM-only builds. Use max instead.
This fixes a failure like
Output: qemu-system-aarch64: unable to find CPU model 'cortex-a72'
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260507194728.2034696-4-peter.maydell@linaro.org
Peter Maydell [Thu, 7 May 2026 19:47:24 +0000 (20:47 +0100)]
tests/functional/test_virt_vbsa: Skip UEFI test if virtualization not supported
If you try to run the functional tests on an AArch64 host which doesn't
support nested virtualization in KVM, the UEFI test fails with:
Output: qemu-system-aarch64: mach-virt: host kernel KVM does
not support providing Virtualization extensions to the guest CPU
Catch the VMLaunchFailure exception and if it matches the error
messages the virt board puts out for virtualization not being
supported, skip the test.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260507194728.2034696-3-peter.maydell@linaro.org
Peter Maydell [Thu, 7 May 2026 19:47:23 +0000 (20:47 +0100)]
hw/remote/machine.c: Mark x-remote machine as OK for AArch64 and AArch32
When we updated Arm and AArch64 board types to mark them for the
target_machine_typename() filter, we forgot about the "x-remote"
machine type, which meant that it disappeared from the set of board
types exposed on the qemu-system-arm and qemu-system-aarch64
binaries. We didn't notice this, because although we have a
functional test for it, it requires the KVM accelerator and we don't
run the functional tests on an AArch64 host in CI.
Mark the machine as being OK to expose in qemu-system-arm and
qemu-system-aarch64, in the same way we do for the "none" machine
type. This fixes a check-functional failure on aarch64 host, where
it would otherwise fail with:
qemu-system-aarch64: unsupported machine type: "x-remote"
Cc: qemu-stable@nongnu.org
Fixes: eb796c55513d9d39 ("hw/core: Allow ARM/Aarch64 binaries to use the 'none' machine")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260507194728.2034696-2-peter.maydell@linaro.org
Peter Maydell [Fri, 8 May 2026 16:20:13 +0000 (17:20 +0100)]
hw/display/exynos4210_fimd: Assume display surface is 32bpp
For a long time QEMU has guaranteed that the console surface is 32bpp
and not anything else. This old display device still has code
assuming it might be something else. Remove the code that made
put_pixel_toqemu a function pointer indirection, and use
put_to_qemufb_pixel32() directly.
This removes the last hw_error() in this file.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260508162013.2751001-5-peter.maydell@linaro.org
Peter Maydell [Fri, 8 May 2026 16:20:12 +0000 (17:20 +0100)]
hw/display/exynos4210_fimd: Use LOG_GUEST_ERROR instead of hw_error()
The exynos4210_fimd device model uses hw_error() in several places
for "the guest set this register field to something out of range";
update to the more modern LOG_GUEST_ERROR.
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3405 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260508162013.2751001-4-peter.maydell@linaro.org
Peter Maydell [Fri, 8 May 2026 16:20:11 +0000 (17:20 +0100)]
hw/arm/integratorcp: Use LOG_UNIMP rather than hw_error()
The integratorcp board has some onboard registers which can be used
to raise IRQ and FIQ to the CPU; these outputs are supposed to be
ORed together with the main ones from the PIC. We've never
implemented this obscure bit of functionality, and instead call
hw_error() if the guest does try to raise an interrupt this way.
Replace the hw_error() call with the more modern way to note
unimplemented QEMU behaviour, a LOG_UNIMP log.
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3406 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260508162013.2751001-3-peter.maydell@linaro.org
Peter Maydell [Fri, 8 May 2026 16:20:10 +0000 (17:20 +0100)]
hw/misc/bcm2835_control.c: Don't assert on local timer zero reload value
The bcm2836 local timer has a basic "counts down, fires at zero,
and reloads to programmed value to count down again" functionality,
as documented in
https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2836/QA7_rev3.4.pdf
The documentation is very sparse and doesn't say what actually
happens if the guest programs the reload value to zero. Currently we
trip an assert in this case.
Instead, log this as a guest error and disable the timer (which seems
a reasonable guess -- effectively the timer will stop counting).
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3395 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260508162013.2751001-2-peter.maydell@linaro.org
Peter Maydell [Fri, 8 May 2026 10:47:23 +0000 (11:47 +0100)]
meson.build: Add -fzero-init-padding-bits=all
The C standard doesn't always guarantee that struct and union padding
bits are zero initialized, even if the code initializes a struct.
For QEMU, this is potentially problematic, because we often have
structs that match data structures in guest memory, where we
initialize them and then bulk copy them into the guest. If the
compiler didn't zero init the whole of the memory containing the
struct, we could potentially leak random data from the host into the
guest via the padding bytes.
We already use -ftrivial-auto-var-init=zero, which will zero out
padding in many of these cases, but -fzero-init-padding-bits=all
closes some gaps, for example cases where we initialize a
variable with a struct initializer, and cases involving unions.
Follow the Linux kernel in using both options. Compare kernel
commit dce4aab8441 ("kbuild: Use -fzero-init-padding-bits=all").
This option exists in gcc-15 and above; it's not supported
by clang, but clang documents that it guarantees zero init
of these cases always:
https://clang.llvm.org/docs/LanguageExtensions.html#union-and-aggregate-initialization-in-c
Older gcc which don't have the option behave as if it were set.
(These options are passed through the cc.get_supported_arguments()
filter, so we don't need to do anything extra to avoid passing it to
a compiler that doesn't recognize it.)
Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-id: 20260508104723.2144051-1-peter.maydell@linaro.org
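The padding leak described in the commit message above, as an added example that is not QEMU code: the struct `guest_desc`, the fill byte `STALE` and the function names are assumptions made for illustration, and the heap buffer is pre-filled to stand in for leftover host data. The explicit `memset()` is the source-level way to get zeroed padding before a bulk copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical descriptor that a device model bulk-copies into guest memory. */
struct guest_desc {
    uint8_t  type;   /* padding follows so that 'addr' is aligned */
    uint64_t addr;
    uint16_t len;    /* tail padding follows */
};

#define MEMBER_BYTES (sizeof(uint8_t) + sizeof(uint64_t) + sizeof(uint16_t))
#define STALE 0xAA   /* constructed stand-in for leftover host data */

/* Number of bytes in the struct that belong to no member. */
size_t padding_bytes(void)
{
    return sizeof(struct guest_desc) - MEMBER_BYTES;
}

/* Return 1 if byte offset 'off' lies inside a member, 0 if it is padding. */
static int is_member_byte(size_t off)
{
    return off < offsetof(struct guest_desc, type) + sizeof(uint8_t) ||
           (off >= offsetof(struct guest_desc, addr) &&
            off < offsetof(struct guest_desc, addr) + sizeof(uint64_t)) ||
           (off >= offsetof(struct guest_desc, len) &&
            off < offsetof(struct guest_desc, len) + sizeof(uint16_t));
}

/*
 * Build a descriptor in host memory that previously held other data, copy it
 * to the "guest", and count padding bytes that still carry nonzero contents.
 */
size_t stale_padding_after_copy(int zero_first)
{
    unsigned char guest[sizeof(struct guest_desc)];
    struct guest_desc *d = malloc(sizeof(*d));
    size_t off, stale = 0;

    if (!d) {
        return (size_t)-1;
    }
    memset(d, STALE, sizeof(*d));      /* previous owner's data */
    if (zero_first) {
        memset(d, 0, sizeof(*d));      /* hardened: clear members and padding */
    }
    d->type = 1;                       /* member stores do not touch padding */
    d->addr = 0x1000;
    d->len = 64;

    memcpy(guest, d, sizeof(*d));      /* bulk copy, padding included */
    for (off = 0; off < sizeof(guest); off++) {
        if (!is_member_byte(off) && guest[off] != 0) {
            stale++;
        }
    }
    free(d);
    return stale;
}

int main(void)
{
    printf("struct size %zu, padding bytes %zu\n",
           sizeof(struct guest_desc), padding_bytes());
    printf("field-by-field only: %zu stale padding bytes reach the guest\n",
           stale_padding_after_copy(0));
    printf("memset first:        %zu stale padding bytes reach the guest\n",
           stale_padding_after_copy(1));
    return 0;
}
```

The count for the field-by-field case depends on the ABI's padding and on what the compiler does with padding on member stores, which the C standard leaves unspecified; only the zeroed case is guaranteed to report 0 in practice.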
Peter Maydell [Tue, 12 May 2026 09:38:56 +0000 (10:38 +0100)]
hw/intc/arm_gicv5: Add missing early return in gicv5_set_handling()
In gicv5_set_handling(), if the guest tried to set the handling mode
on a nonexistent SPI then we print a GUEST_ERROR log message.
However, we forgot to then return, so execution continues into a NULL
pointer dereference.
Add the missing "return", bringing the code structure into line with
the equivalent parts in other functions like gicv5_set_pending() and
gicv5_set_target().
CID: 1659596 Fixes: 5beb48ab53d ("hw/intc/arm_gicv5: Make gicv5_set_* update SPI state") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260512093856.3197700-5-peter.maydell@linaro.org
Peter Maydell [Tue, 12 May 2026 09:38:55 +0000 (10:38 +0100)]
hw/intc/arm_gicv5: Avoid NULL dereference in trace line
In the handling of writes to the IRS_SPI_RESAMPLER register,
we call a trace function, passing it information about the SPI
being resampled. However, spi could be NULL if the guest tried
to resample a nonexistent SPI or one configured for a different
domain. Move the trace statement inside the "if (spi)" block,
as it's only interesting trace if we actually did a resample
and potentially changed the state of the SPI.
CID: 1959593 Fixes: 33185e1d64e ("hw/intc/arm_gicv5: Update SPI state for CLEAR/SET events") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260512093856.3197700-4-peter.maydell@linaro.org
Peter Maydell [Tue, 12 May 2026 09:38:54 +0000 (10:38 +0100)]
target/arm: GICv5 cpuif: Don't set HPPIV bit in GICv5PendingIrq::intid
In gic_hppi() we return the current highest priority pending
interrupt in a GICv5PendingIrq struct. We try to set up the intid
field of that struct to be the form that is used by the ICC_HPPIR
register, which has a "valid" bit in bit 33. Unfortunately the
GICv5PendingIrq defines the intid field as a uint32_t, so Coverity
points out that the bit doesn't actually fit. Move the handling of
the valid bit to the callsite, and make this function report "no
pending interrupt" with GICv5PendingIrq::prio == PRIO_IDLE,
consistently with how we use this struct in other places.
CID: 1659594 Fixes: 9edad4ff3 ("target/arm: GICv5 cpuif: Implement ICC_HPPIR_EL1") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260512093856.3197700-3-peter.maydell@linaro.org
Peter Maydell [Tue, 12 May 2026 09:38:53 +0000 (10:38 +0100)]
target/arm: GICv5 cpuif: Fix overflow in left shift
Coverity points out that we forgot the "ULL" suffix when shifting 1
right by a bitcount in various places, so for bit counts above 31 we
end up shifting off the end of the word. Fix the three problems
Coverity noticed and one more of the same kind that it didn't.
Commit ab2ddc7b66 ("target/arm/machine: Use VMSTATE_VARRAY_INT32_ALLOC
for cpreg arrays") moved cpreg_vmstate_indexes / cpreg_vmstate_values
to be allocated by VMSTATE_VARRAY_INT32_ALLOC and added an assertion
in cpu_pre_load() that they are NULL on entry. The same commit dropped
the redundant g_renew()/array_len assignments from the kvm, whpx and
helper.c cpu init paths, but the hvf cpu init path still pre-allocates
them.
The result is that loading a snapshot or migration stream into an HVF
guest immediately aborts:
Drop the leftover cpreg_vmstate_indexes / cpreg_vmstate_values
allocations and the cpreg_vmstate_array_len assignment from
hvf_arch_init_vcpu(), matching what was already done for the other
arm accelerators.
Signed-off-by: Scott J. Goldman <scottjgo@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Move arm_gicv3_hvf_stub.c, introduced in commit 48396ad6ce9
("hw/intc: arm_gicv3_hvf: save/restore Apple GIC state"), to
the global stub_ss[] source set which holds stub files being
built once for all binaries, instead of one time per system
binary. This prevents symbol clash when trying to build a
single QEMU system binary:
    clang: error: linker command failed with exit code 1 (use -v to see invocation)
    duplicate symbol '_vmstate_gicv3_hvf' in:
        libqemu-aarch64-softmmu.a.p/hw_intc_arm_gicv3_hvf_stub.c.o
        libqemu-arm-softmmu.a.p/hw_intc_arm_gicv3_hvf_stub.c.o
    ld: 1 duplicate symbols
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Message-id: 20260507135816.71171-1-philmd@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Fri, 15 May 2026 07:41:41 +0000 (08:41 +0100)]
docs: Document TIMEOUT_MULTIPLIER for raising test timeouts
Our test infrastructure allows you to set the TIMEOUT_MULTIPLIER
environment variable to raise the test timeouts if you're building
for a slow environment. (scripts/mtest2make.py reads it and sets the
meson test -t argument accordingly.)
Document this so it's not a secret feature only known to a select
few.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-id: 20260427161132.1463385-1-peter.maydell@linaro.org
Pierrick Bouvier [Thu, 14 May 2026 17:23:01 +0000 (10:23 -0700)]
target-info: introduce TargetInfo in QOM
For the single-binary, we want to be able to retrieve at runtime the
current target among the different ones available.
A consequence is that we can't rely on existing target_info() definition
since it will create a conflict once more than one target is available.
To solve this, we add TargetInfo in QOM, with this hierarchy.
We define one class "target-info-X" per target, that inherits from
abstract class "target-info". Using concrete vs abstract class ensures we
can easily filter "target-info-X" from all QOM types.
Associated TargetInfo is directly set through class initialization,
without relying on any instance.
For user mode, we simply define target_info() like it was done
previously. In this patch, we keep the same definition for system-mode
also, and it will be replaced in next commits.
We will introduce detection of target from QOM, so we need to make sure
those types are registered early.
Pierrick Bouvier [Thu, 14 May 2026 17:23:00 +0000 (10:23 -0700)]
qom/object: initialize type_table in static ctor with fundamental QOM types
This saves us having to check if it's initialized every time we have to
access it. No other QOM type should be initialized or accessed during
static ctor calls, so we don't depend on their ordering.
Pierrick Bouvier [Thu, 14 May 2026 17:22:59 +0000 (10:22 -0700)]
qom/object: register OBJECT and INTERFACE QOM types before main
Those types are special, as they are the base of all other QOM types. In
next commit, we'll introduce an extra step in module initialization for
target-info-* types.
However, those types depend on TYPE_OBJECT, which is only registered
at MODULE_INIT_QOM step.
To avoid having to introduce another step, and modify all code calling
module_call_init(MODULE_INIT_QOM), we simply register those base types
directly in the static constructor, before anything else.
* tag 'pull-maintainers-2026-05-13' of https://repo.or.cz/qemu/armbru:
MAINTAINERS: Add myself as a reviewer for Checkpatch
MAINTAINERS: Update RDMA migration entry with M:
MAINTAINERS: Add self as maintainer for XIVE
MAINTAINERS: update HEST maintainership entries
MAINTAINERS: Add Doru Blânzeanu as MSHV reviewer
MAINTAINERS: add self as reviewer for PowerNV and PPC TCG
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Thu, 14 May 2026 14:17:26 +0000 (10:17 -0400)]
Merge tag 'hw-misc-20260512' of https://github.com/philmd/qemu into staging
Misc HW patches
- More ATI VGA fixes
- Add support for pre-setting RPMB authentication key on eMMC cards
- Fix VDPA on big-endian hosts
- Handle sub-page granularity in cpu_memory_rw_debug()
- Fix leak in pca955x_set_led()
- Mark IPv6 header structure as packed
- MAINTAINERS updates
* tag 'hw-misc-20260512' of https://github.com/philmd/qemu: (41 commits)
scripts: strip leading './' when searching MAINTAINERS file
ati-vga: fix ati_set_dirty address calculation
MAINTAINERS: update HEST maintainership entries
MAINTAINERS: Add Doru Blânzeanu as MSHV reviewer
net: mark struct ip6_header as QEMU_PACKED
hw/gpio/pca9552: fix state_str leak in pca955x_set_led
hw/i2c/microbit_i2c: Don't index off end of twi_read_sequence[]
Remove cpu_get_phys_addr_debug() and cpu_get_phys_addr_attrs_debug()
plugins/api.c: Use cpu_translate_for_debug()
monitor/hmp-cmds: Use cpu_translate_for_debug()
target/xtensa/xtensa-semi: Use cpu_translate_for_debug()
hw/xtensa: Use cpu_translate_for_debug()
target/sparc: Use cpu_translate_for_debug()
hw/i386/vapic.c: Use cpu_translate_for_debug()
system/physmem: Use translate_for_debug() in cpu_memory_rw_debug()
target/arm: Implement translate_for_debug
hw/core: Implement cpu_get_phys_addr_attrs_debug() with cpu_translate_for_debug()
hw/core: Implement new cpu_translate_for_debug()
plugins/api.c: Trust cpu_get_phys_addr_debug() return address
monitor: hmp_gva2gpa: Don't page-align cpu_get_phys_addr_debug() arg and return
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Thu, 14 May 2026 13:39:54 +0000 (09:39 -0400)]
Merge tag 'pull-aspeed-20260512' of https://github.com/legoater/qemu into staging
aspeed queue:
* Security fixes for HACE hash engine and SBC OTP controller
* Bug fix of the I3C controller
* Removal of BMC machines (fby35, fp5280g2-bmc, qcom-*, sonorapass-bmc)
deprecated in QEMU 10.2
* tag 'qom-pull-request' of https://gitlab.com/marcandre.lureau/qemu: (24 commits)
target/s390x: add gen-features.h dependency to s390x_system_ss
meson: drop sphinx-build < 1.7 compatiblity check
hw/riscv/virt: free flash devices and OEM strings on finalization
hw/ppc/pnv: drop extra ref on PHB after adding as child
hw/arm/virt: free flash devices and OEM strings on finalization
hw/arm/sbsa-ref: free unrealized flash devices on finalization
hw/arm/aspeed: free fmc_model and spi_model on finalization
hw/gpio/pca9552: fix state_str leak in pca955x_set_led
hw/fsi: move OPBus qbus_init() to instance_init
hw/fsi: move OPBus address space init to realize
system/qtest: add missing qtest_finalize()
accel/kvm: free device path on finalization
scsi/pr-manager-helper: free path on finalization
backends/igvm-cfg: free filename on finalization
net/can: free ifname on socketcan finalization
hw/core/resetcontainer: free children array on finalization
hw/i386/x86: free oem_id and oem_table_id on finalization
ui/console: remove console from global list on finalization
system/ioport: Fix qom-list-properties crash on portio list obj
net/colo-compare: guard finalize against uninitialized state
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
J. Neuschäfer [Wed, 13 May 2026 15:06:40 +0000 (17:06 +0200)]
docs/devel: Fix formatting of `Error **`
Since the ReST conversion, Error ** is expressed as Error ``*````*``, which is
rendered in HTML as Error *````*. Fix it so the HTML output resembles the
intended C syntax.
Fixes: 336a7451e8 ("docs: convert README, CODING_STYLE and HACKING to RST syntax") Signed-off-by: J. Neuschäfer <j.neuschaefer@9elements.com> Tested-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com> Link: https://lore.kernel.org/qemu-devel/20260513-error-v1-1-49fa04bc5c22@9elements.com Signed-off-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Stefan Hajnoczi [Wed, 13 May 2026 17:51:01 +0000 (13:51 -0400)]
Merge tag 'pull-ufs-20260512-2' of https://gitlab.com/jeuk20.kim/qemu into staging
ufs mcq bug fix
# gpg: Signature made Tue 12 May 2026 00:35:29 EDT
# gpg: using RSA key 5017D831597C78A3D907EEF712E2204C0E5DB602
# gpg: Good signature from "Jeuk Kim <jeuk20.kim@samsung.com>" [unknown]
# gpg: aka "Jeuk Kim <jeuk20.kim@gmail.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 5017 D831 597C 78A3 D907 EEF7 12E2 204C 0E5D B602
* tag 'pull-ufs-20260512-2' of https://gitlab.com/jeuk20.kim/qemu:
hw/ufs: Zero reserved bytes in REPORT LUNS response header
hw/ufs: Keep MCQ SQs alive while requests are outstanding
hw/ufs: Reject zero-depth MCQ queues
hw/ufs: Guard MCQ CQ accesses against missing queues
hw/ufs: Validate MCQ SQ references before use
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Chao Liu [Wed, 13 May 2026 07:08:30 +0000 (15:08 +0800)]
MAINTAINERS: Add myself as a reviewer for Checkpatch
Add myself as a reviewer for the Checkpatch module, so I can help
review related patches and continue maintaining it.
Signed-off-by: Chao Liu <chao.liu.zevorn@gmail.com>
Message-ID: <20260513070830.851842-1-chao.liu.zevorn@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Peter Xu [Mon, 11 May 2026 14:30:26 +0000 (10:30 -0400)]
MAINTAINERS: Update RDMA migration entry with M:
We wanted to remove RDMA migration once but that didn't go further. In
reality, with the help of Zhijian it's in Odd Fixes stage, even if we just
merged one new parameter for it, for performance improvements.
Markus pointed out we'd better have at least one M: for it to match
anything that is not orphaned.
Remove the X: for Migration entry for RDMA files, then it'll start to cover
RDMA migration again. Keep the separate entry so Zhijian can keep getting
copied, and copy the M:s over to say someone is collecting patches.
Logically these M:s aren't needed after removing X:, but make it clearer.
Link: https://lore.kernel.org/r/5326b854-fcea-4af6-a479-792888a94a4d@fujitsu.com Cc: Zhijian Li (Fujitsu) <lizhijian@fujitsu.com> Cc: Markus Armbruster <armbru@redhat.com> Signed-off-by: Peter Xu <peterx@redhat.com>
Message-ID: <20260511143026.1296485-1-peterx@redhat.com> Acked-by: Fabiano Rosas <farosas@suse.de> Reviewed-by: Markus Armbruster <armbru@redhat.com> Acked-by: Li Zhijian <lizhijian@fujitsu.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
Peter Maydell [Thu, 7 May 2026 14:48:31 +0000 (15:48 +0100)]
tests/qtest/iommu-smmuv3-test: Skip if no TCG GICv3 device present
On a KVM-only (--disable-tcg) build, the iommu-smmuv3 qtest fails:
    qemu-system-aarch64: QTest does not support GICv3 emulation
    Broken pipe
    ../../tests/qtest/libqtest.c:201: kill_qemu() tried to terminate QEMU process but encountered exit status 1 (expected 0)
This is because the test runs the virt board with the qtest
accelerator and gic-version=3. In the virt board this selects the
TCG (emulated) GICv3, but in a --disable-tcg build we don't compile
that device, only the KVM GICv3 (which isn't usable with qtest).
Add a check to the test so we skip it if the arm-gicv3 device isn't
in the QEMU binary.
Cc: qemu-stable@nongnu.org Fixes: d8d19c31b220142641 ("tests/qtest: Add SMMUv3 bare-metal test using iommu-testdev") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Fabiano Rosas <farosas@suse.de> Reviewed-by: Eric Auger <eric.auger@redhat.com> Signed-off-by: Fabiano Rosas <farosas@suse.de>
scripts: strip leading './' when searching MAINTAINERS file
The following two uses of get_maintainer.pl should return the
same results, but do not:
    $ ./scripts/get_maintainer.pl -f ./hw/net/vmxnet3.c
    get_maintainer.pl: No maintainers found, printing recent contributors.
    get_maintainer.pl: Do not blindly cc: them on patches! Use common sense.
    "Philippe Mathieu-Daudé" <philmd@linaro.org> (commit_signer:4/7=57%)
    "Michael S. Tsirkin" <mst@redhat.com> (commit_signer:4/7=57%)
    Xiaoyao Li <xiaoyao.li@intel.com> (commit_signer:3/7=43%)
    Thomas Huth <thuth@redhat.com> (commit_signer:3/7=43%)
    Zhao Liu <zhao1.liu@intel.com> (commit_signer:3/7=43%)
    qemu-devel@nongnu.org (open list:All patches CC here)

    $ ./scripts/get_maintainer.pl -f hw/net/vmxnet3.c
    Dmitry Fleytman <dmitry.fleytman@gmail.com> (maintainer:VMware)
    Jason Wang <jasowang@redhat.com> (odd fixer:Network devices)
    qemu-devel@nongnu.org (open list:All patches CC here)
In the former case, the leading "./" needs to be removed before
trying to find a filename match.
Blindly stripping the "./" is valid because the script already
enforces that it is run from the QEMU git root directory, so
canonicalizing the filename vs $CWD is not required.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260511093858.82753-1-berrange@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Chad Jablonski [Wed, 6 May 2026 15:39:20 +0000 (17:39 +0200)]
ati-vga: fix ati_set_dirty address calculation
This fixes three bugs with the ati_set_dirty address calculation.
First, vbe_start_addr is a word offset. All other values in the
calculation are byte offsets. It must be converted to bytes.
Second, when setting the dirty region with memory_region_set_dirty
the vbe_start_addr is used to calculate the start of the dirty region.
This is a problem because the vbe_start_addr is the offset at which scan out
begins. This puts it in the visible screen coordinate system. The dirty
region however is in the virtual screen coordinate system. This can cause both
overmarking and missed updates. This is removed from the calculation.
Third, when the start address of a blit is outside of the bounds check
the entire blit is missed and not set to dirty. This happens even if the
blit does partially overlap with the visible screen. The fix here is to
find the intersection of the visible screen and the blit and mark only
that region as dirty.
This does not attempt to apply clipping to the blit. So there will be
overmarking in some cases.
Signed-off-by: Chad Jablonski <chad@jablonski.xyz>
[balaton: drop excess parenthesis, use offsets instead of pointers] Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu> Tested-by: BALATON Zoltan <balaton@eik.bme.hu> Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <20260506153920.C6B27596978@zero.eik.bme.hu> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Tue, 5 May 2026 20:13:24 +0000 (21:13 +0100)]
net: mark struct ip6_header as QEMU_PACKED
The ip6_header is often used by network devices to examine structures in
packet data, and it's not guaranteed to be aligned. This manifests as
errors from the clang sanitizer like this one:
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../hw/net/rocker/rocker_of_dpa.c:321:37
    ../../hw/net/rocker/rocker_of_dpa.c:730:33: runtime error: member access within misaligned address 0x742970fe7ecd for type 'struct ip6_header', which requires 4 byte alignment
    0x742970fe7ecd: note: pointer points here
    00 00 02 81 00 60 00 00 00 00 38 3a ff fe 80 00 00 00 00 00 00 00 00 00 00 00 00 00 02 ff 02 00
    ^
Fix this by marking the ip6_header struct as QEMU_PACKED, the way we
have done to handle similar problems involving tcp_header, ip_header,
etc.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-ID: <20260505201324.932323-1-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Fri, 1 May 2026 16:26:34 +0000 (17:26 +0100)]
hw/i2c/microbit_i2c: Don't index off end of twi_read_sequence[]
If the guest tries to read more bytes from our fake stub I2C device
than we have provided, we incorrectly read one byte beyond the end of
this array. Avoid this, and instead keep reporting the RXD register
as containing the last byte of the "data transfer".
Cc: qemu-stable@nongnu.org Fixes: 9d68bf564ec ("arm: Stub out NRF51 TWI magnetometer/accelerometer detection")
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3408 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260501162634.4092394-1-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:38:10 +0000 (10:38 +0100)]
Remove cpu_get_phys_addr_debug() and cpu_get_phys_addr_attrs_debug()
All the callers of cpu_get_phys_addr_debug() and
cpu_get_phys_addr_attrs_debug() have now been updated to use
cpu_translate_for_debug(), so we can remove them.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260430093810.2762539-26-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:38:09 +0000 (10:38 +0100)]
plugins/api.c: Use cpu_translate_for_debug()
We want to remove the cpu_get_phys_addr_debug() function; update the
plugin code to use cpu_translate_for_debug() instead.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260430093810.2762539-25-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:38:08 +0000 (10:38 +0100)]
monitor/hmp-cmds: Use cpu_translate_for_debug()
We want to remove the cpu_get_phys_addr_debug() function; update the
HMP gva2gpa command implementation to use cpu_translate_for_debug()
instead.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260430093810.2762539-24-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:38:07 +0000 (10:38 +0100)]
target/xtensa/xtensa-semi: Use cpu_translate_for_debug()
We want to remove the cpu_get_phys_addr_debug() function; update the
xtensa semihosting code to use cpu_translate_for_debug() instead.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260430093810.2762539-23-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:38:06 +0000 (10:38 +0100)]
hw/xtensa: Use cpu_translate_for_debug()
We want to remove the cpu_get_phys_addr_debug() function; update the
xtensa boards to use cpu_translate_for_debug() instead.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260430093810.2762539-22-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:38:05 +0000 (10:38 +0100)]
target/sparc: Use cpu_translate_for_debug()
We want to remove the cpu_get_phys_addr_debug() function; update the
sparc dump_mmu() function to use cpu_translate_for_debug() instead.
The "mmu_probe succeeds but debug translate fails" cases are probably
not possible in practice; since cpu_get_phys_addr_debug() would
return -1 in that situation we make this conversion retain that
behaviour.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260430093810.2762539-21-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:38:04 +0000 (10:38 +0100)]
hw/i386/vapic.c: Use cpu_translate_for_debug()
We would like to remove the cpu_get_phys_addr_debug() function, by
moving all callers to cpu_translate_for_debug(). Update the callsites
in vapic.c.
In the process we can drop the old "OR the page offset back in"
workaround that we had for when cpu_get_phys_page_addr() returned
the physaddr of the page base rather than the exact physaddr of
the input virtual address.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260430093810.2762539-20-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:38:03 +0000 (10:38 +0100)]
system/physmem: Use translate_for_debug() in cpu_memory_rw_debug()
Currently cpu_memory_rw_debug() assumes page-granularity for translations,
and it works in a loop where each iteration translates for the vaddr
rounded down to a page boundary and then copies up to the end of the
page boundary.
Rewrite it to use the new cpu_translate_for_debug(): we no longer want
to round down the input address, and the boundary we copy up to is now
determined by the lg_page_size it returns rather than being assumed
to be page-sized.
This, together with the implementation of translate_for_debug for
Arm targets, fixes the bug where semihosting would incorrectly
fail to access parameter blocks that were in memory where the
start of the 4K region they were in was inaccessible due to MPU
region settings, even if the parameter block itself was readable.
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3292 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260417173105.1648172-18-peter.maydell@linaro.org Acked-by: Peter Xu <peterx@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260430093810.2762539-19-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:38:02 +0000 (10:38 +0100)]
target/arm: Implement translate_for_debug
Implement the translate_for_debug method instead of the
get_phys_addr_attrs_debug one. This allows us to pass the caller the
lg_page_size from our internal GetPhysAddrResult struct.
Awkwardly, translate_for_debug's "true on success" convention
is the opposite of the one we use internally in ptw.c, so
we have to be careful about the sense of the return values.
This corresponds to the way that arm_cpu_tlb_fill_align()
also has to return true when get_phys_addr() returns false.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260417173105.1648172-17-peter.maydell@linaro.org Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260430093810.2762539-18-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:38:01 +0000 (10:38 +0100)]
hw/core: Implement cpu_get_phys_addr_attrs_debug() with cpu_translate_for_debug()
Implement cpu_get_phys_addr_attrs_debug() with
cpu_translate_for_debug(), so that CPUs can implement only the
translate_for_debug method and have all of the wrapper functions
cpu_translate_for_debug(), cpu_get_phys_addr_attrs_debug() and
cpu_get_phys_addr_debug() work.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260430093810.2762539-17-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:38:00 +0000 (10:38 +0100)]
hw/core: Implement new cpu_translate_for_debug()
In cpu_memory_rw_debug() we need to do a virtual-to-physical address
translation for debug access. Currently we assume that the
translation is valid for an entire guest page, but this may not be
true if the target implements some protection regions that have
sub-page granularity. (Currently the only such target is the Arm
CPUs when using an MPU, as in R-profile and M-profile.)
For TCG's emulated accesses, we handle sub-page granularity by the
CPU filling in the lg_page_size field of the CPUTLBEntryFull struct
to tell us how large the region covered by the result is. But we
didn't extend this to the debug-access code path, with the result
that debug accesses might incorrectly fail because they are looking
at the mapping for the address rounded down to a page boundary.
Provide a cpu_translate_for_debug() function which reports to the
caller not just the physical address and attributes of the
translation but also the lg_page_size for which it is valid. The
fallback implementation calls cpu_get_phys_addr_attrs_debug() and
assumes target-page-sized validity.
NB: the "return true on valid access, false on failure" follows
the same convention as TCGCPUOps::tlb_fill_align() (though it
is the opposite of what we use in some other places, e.g.
in target/arm's get_phys_addr_* functions).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260417173105.1648172-15-peter.maydell@linaro.org Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260430093810.2762539-16-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
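The sub-page problem described in the cpu_translate_for_debug() and cpu_memory_rw_debug() commit messages above, as an added model that is not QEMU code: a debug read loop that translates the page-aligned address beside one that translates the exact address and copies only up to the boundary given by the reported lg_page_size. The MPU layout, the RAM contents and all function names (`model_translate_for_debug`, `debug_read_page_granular`, `debug_read_sub_page`) are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_BITS 12
#define PAGE_SIZE (1u << PAGE_BITS)
#define RAM_BASE  0x20000000u

/* Hypothetical MPU region: naturally aligned, 2^lg_size bytes, identity-mapped. */
struct mpu_region {
    uint32_t base;
    unsigned lg_size;
    bool readable;
};

/* Constructed layout of one 4K page: the first 1K is inaccessible. */
static const struct mpu_region regions[] = {
    { RAM_BASE + 0x000, 10, false },
    { RAM_BASE + 0x400, 10, true  },
    { RAM_BASE + 0x800, 11, true  },
};

static uint8_t ram[PAGE_SIZE];          /* backs RAM_BASE .. RAM_BASE + 0xfff */

void fill_ram(void)
{
    for (size_t i = 0; i < sizeof(ram); i++) {
        ram[i] = (uint8_t)i;
    }
}

/* Model translation: true on success; reports the size the result is valid for. */
static bool model_translate_for_debug(uint32_t vaddr, uint32_t *paddr,
                                      unsigned *lg_page_size)
{
    for (size_t i = 0; i < sizeof(regions) / sizeof(regions[0]); i++) {
        const struct mpu_region *r = &regions[i];
        if ((vaddr >> r->lg_size) == (r->base >> r->lg_size)) {
            if (!r->readable) {
                return false;
            }
            *paddr = vaddr;
            *lg_page_size = r->lg_size;
            return true;
        }
    }
    return false;
}

/* Old shape: translate the page base and assume the result covers the page. */
int debug_read_page_granular(uint32_t vaddr, void *buf, size_t len)
{
    uint8_t *out = buf;
    while (len > 0) {
        uint32_t page = vaddr & ~(PAGE_SIZE - 1), phys;
        unsigned lg;
        size_t l = (page + PAGE_SIZE) - vaddr;
        if (!model_translate_for_debug(page, &phys, &lg)) {
            return -1;                  /* fails on the page base, not on vaddr */
        }
        l = l > len ? len : l;
        memcpy(out, &ram[phys + (vaddr - page) - RAM_BASE], l);
        out += l; vaddr += l; len -= l;
    }
    return 0;
}

/* New shape: translate the exact address, copy up to the region boundary. */
int debug_read_sub_page(uint32_t vaddr, void *buf, size_t len)
{
    uint8_t *out = buf;
    while (len > 0) {
        uint32_t phys, region_size;
        unsigned lg;
        size_t l;
        if (!model_translate_for_debug(vaddr, &phys, &lg)) {
            return -1;
        }
        region_size = 1u << lg;
        l = region_size - (vaddr & (region_size - 1));
        l = l > len ? len : l;
        memcpy(out, &ram[phys - RAM_BASE], l);
        out += l; vaddr += l; len -= l;
    }
    return 0;
}

int main(void)
{
    uint8_t blk[32];
    fill_ram();
    /* Parameter block in readable memory whose 4K page starts inaccessible. */
    printf("page-granular: %d\n", debug_read_page_granular(RAM_BASE + 0x7f0, blk, sizeof(blk)));
    printf("sub-page:      %d\n", debug_read_sub_page(RAM_BASE + 0x7f0, blk, sizeof(blk)));
    return 0;
}
```

The 32-byte block at offset 0x7f0 straddles two readable regions, so the sub-page loop performs two translations; a read that starts in the inaccessible first 1K still fails in both loops.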