In qemu_plugin_translate_vaddr() we have a workaround for not all
implementations of get_phys_addr_debug returning an exact physaddr
for the input virtual address: we OR back in the page offset to the
return value.
Now that we guarantee that get_phys_addr_debug returns the exact
physaddr for the input virtual address, we can drop this workaround.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-14-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-15-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:37:58 +0000 (10:37 +0100)]
monitor: hmp_gva2gpa: Don't page-align cpu_get_phys_addr_debug() arg and return
In hmp_gva2gpa() we currently have a workaround for not all implementations
of get_phys_addr_debug handling non-page-aligned addresses: we round the
input address from the user down to the target page boundary before the
call and then add the page offset back to the returned value.
Now that we guarantee that all implementations will return the correct
exact physaddr for a virtual address, we can drop this handling.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Dr. David Alan Gilbert <dave@treblig.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260417173105.1648172-13-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-14-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:37:57 +0000 (10:37 +0100)]
target/arm: Rename arm_cpu_get_phys_page()
The internal helper function arm_cpu_get_phys_page() is named that
way because of its use in the get_phys_page_attrs_debug method. Now
we've renamed the method, rename the helper to match, since it can
handle non-page-aligned addresses.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260417173105.1648172-12-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-13-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:37:56 +0000 (10:37 +0100)]
hw/core: Update docs for get_phys_addr_{attrs_, }debug
Update the documentation for the get_phys_addr_{attrs_,}debug methods
and wrapper functions to state that they can handle non-page aligned
addresses and will return the corresponding exact physaddr for them.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260417173105.1648172-11-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-12-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:37:55 +0000 (10:37 +0100)]
target: Rename cpu_get_phys_page_{,attrs_}debug
Rename cpu_phys_page_debug() and cpu_phys_page_attrs_debug() to
cpu_phys_addr_debug() and cpu_phys_addr_attrs_debug().
Commit created with:
sed -i -e 's/cpu_get_phys_page_debug/cpu_get_phys_addr_debug/g;s/cpu_get_phys_page_attrs_debug/cpu_get_phys_addr_attrs_debug/g' $(git grep -l cpu_get_phys_page)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-10-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-11-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:37:54 +0000 (10:37 +0100)]
target: Rename get_phys_page_debug to get_phys_addr_debug
Now that we have ensured that all implementations of the get_phys_page_debug
method handle a non-page-aligned input and return the corresponding
non-page-aligned output, the name of the method is somewhat misleading.
Rename it to get_phys_addr_debug.
This commit was produced with the commands
sed -i -e 's/_cpu_get_phys_page_debug/_cpu_get_phys_addr_debug/g;s/\<get_phys_page_debug\>/get_phys_addr_debug/g' $(git grep -l get_phys_page_debug)
sed -i -e 's/_cpu_get_phys_page_attrs_debug/_cpu_get_phys_addr_attrs_debug/g;s/\<get_phys_page_attrs_debug\>/get_phys_addr_attrs_debug/g' $(git grep -l get_phys_page_attrs_debug)
which catches all references to the method name itself plus
the functions which each target uses as the method implementation,
but (deliberately) not the cpu_phys_get_page_debug() and
cpu_phys_get_page_attrs_debug() wrapper functions or their callers.
(We'll deal with those in the next commit.)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-9-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-10-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:37:53 +0000 (10:37 +0100)]
target/ppc: Make get_phys_page_debug handle non-page-aligned addrs
Currently our implementations of SysemuCPUOps::get_phys_page_debug
and SysemuCPUOps::get_phys_page_attrs_debug are a mix of "accepts a
non-page-aligned virtual address and returns the corresponding
non-page-aligned physical address" and "only returns a page-aligned
physical address". This is awkward for callsites, which in practice
all want the physical address for an arbitrary virtual address and
have to work around the possibility of getting a page-aligned
address, and it doesn't account for protection being possibly on a
sub-page-sized granularity. We want to standardize on the
implementation having to handle non-page-aligned addresses.
The ppc_xlate() function can accept a non-page-aligned input but may
return a page-aligned output; we take the simple approach of ORing
the page offset back into the result address after calling it.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-8-peter.maydell@linaro.org
Reviewed-by: Glenn Miles <milesg@linux.ibm.com>
Message-ID: <20260430093810.2762539-9-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:37:52 +0000 (10:37 +0100)]
target/s390x: Make get_phys_page_debug handle non-page-aligned addrs
Currently our implementations of SysemuCPUOps::get_phys_page_debug
and SysemuCPUOps::get_phys_page_attrs_debug are a mix of "accepts a
non-page-aligned virtual address and returns the corresponding
non-page-aligned physical address" and "only returns a page-aligned
physical address". This is awkward for callsites, which in practice
all want the physical address for an arbitrary virtual address and
have to work around the possibility of getting a page-aligned
address, and it doesn't account for protection being possibly on a
sub-page-sized granularity. We want to standardize on the
implementation having to handle non-page-aligned addresses.
s390x already has an implementation of "give me the actual physical
address, not rounded down", in s390_get_phys_addr_debug(), so we can
use this for the SysemuCPUOps::get_phys_page_debug method, and merge
the s390_cpu_get_phys_page_debug() function into
s390_get_phys_addr_debug() which is now its only caller.
This leaves the function implementing the method with a name
that doesn't match the method name, but we will fix that shortly
by renaming the method to *_addr_* for all targets.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-7-peter.maydell@linaro.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260430093810.2762539-8-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:37:51 +0000 (10:37 +0100)]
target/x86: Make get_phys_page_attrs_debug handle non-page-aligned addrs
Currently our implementations of SysemuCPUOps::get_phys_page_debug
and SysemuCPUOps::get_phys_page_attrs_debug are a mix of "accepts a
non-page-aligned virtual address and returns the corresponding
non-page-aligned physical address" and "only returns a page-aligned
physical address". This is awkward for callsites, which in practice
all want the physical address for an arbitrary virtual address and
have to work around the possibility of getting a page-aligned
address, and it doesn't account for protection being possibly on a
sub-page-sized granularity. We want to standardize on the
implementation having to handle non-page-aligned addresses.
For x86 this is simple: we just need to stop rounding down the
input address to a TARGET_PAGE boundary when calculating the
result to return.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-6-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-7-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:37:50 +0000 (10:37 +0100)]
target/sparc: Make get_phys_page_debug handle non-page-aligned addrs
Currently our implementations of SysemuCPUOps::get_phys_page_debug
and SysemuCPUOps::get_phys_page_attrs_debug are a mix of "accepts a
non-page-aligned virtual address and returns the corresponding
non-page-aligned physical address" and "only returns a page-aligned
physical address". This is awkward for callsites, which in practice
all want the physical address for an arbitrary virtual address and
have to work around the possibility of getting a page-aligned
address, and it doesn't account for protection being possibly on a
sub-page-sized granularity. We want to standardize on the
implementation having to handle non-page-aligned addresses.
The sparc TLB lookup code can handle non-aligned input addresses but
will return page-aligned results. Rather than attempting to change
the internals of the lookup code, we take the simple approach of
ORing the page offset back into the phys_addr result.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-5-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-6-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:37:49 +0000 (10:37 +0100)]
target/microblaze: Make get_phys_page_attrs_debug handle non-page-aligned addrs
Currently our implementations of SysemuCPUOps::get_phys_page_debug
and SysemuCPUOps::get_phys_page_attrs_debug are a mix of "accepts a
non-page-aligned virtual address and returns the corresponding
non-page-aligned physical address" and "only returns a page-aligned
physical address". This is awkward for callsites, which in practice
all want the physical address for an arbitrary virtual address and
have to work around the possibility of getting a page-aligned
address, and it doesn't account for protection being possibly on a
sub-page-sized granularity. We want to standardize on the
implementation having to handle non-page-aligned addresses.
For microblaze, we just need to remove the explicit rounding down to
the page boundary that we were doing in
mb_cpu_get_phys_page_attrs_debug() when calculating the output
physaddr from the results of the MMU lookup.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-4-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-5-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:37:48 +0000 (10:37 +0100)]
target/alpha: Make get_phys_page_debug handle non-page-aligned addrs
Currently our implementations of SysemuCPUOps::get_phys_page_debug
and SysemuCPUOps::get_phys_page_attrs_debug are a mix of "accepts a
non-page-aligned virtual address and returns the corresponding
non-page-aligned physical address" and "only returns a page-aligned
physical address". This is awkward for callsites, which in practice
all want the physical address for an arbitrary virtual address and
have to work around the possibility of getting a page-aligned
address, and it doesn't account for protection being possibly on a
sub-page-sized granularity. We want to standardize on the
implementation having to handle non-page-aligned addresses.
For alpha, the get_physical_address() function accepts arbitrary
input addresses but may return an output rounded down to a page
boundary, so in alpha_cpu_get_phys_page_debug() we OR the within-page
offset into it before returning it.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-3-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-4-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:37:47 +0000 (10:37 +0100)]
target/riscv: Make get_phys_page_debug handle non-page-aligned addrs
Currently our implementations of SysemuCPUOps::get_phys_page_debug
and SysemuCPUOps::get_phys_page_attrs_debug are a mix of "accepts a
non-page-aligned virtual address and returns the corresponding
non-page-aligned physical address" and "only returns a page-aligned
physical address". This is awkward for callsites, which in practice
all want the physical address for an arbitrary virtual address and
have to work around the possibility of getting a page-aligned
address, and it doesn't account for protection being possibly on a
sub-page-sized granularity. We want to standardize on the
implementation having to handle non-page-aligned addresses.
The only thing in the riscv implementation that we need to fix
is the place where we explicitly round the return value down to
a page boundary before returning it. Drop that.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-2-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-3-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 30 Apr 2026 09:37:46 +0000 (10:37 +0100)]
hw/i386/vapic: Cope with non-page-aligned return from cpu_get_phys_page_debug()
Currently the i386 implementation of get_phys_page_debug() always
returns an address aligned to a page boundary, and the vapic.c code
assumes this: it adds back in the page offset after the call. Change
this to OR in the page offset, so that it works whether
cpu_get_phys_page_debug() returns the page address or the exact
physical address. This will mean the code continues to work when
we change the semantics to standardize on "return exact
physical address".
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260430093810.2762539-2-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
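The series above changes the debug translation contract in two places: implementations that only had a page-aligned lookup (ppc, sparc, alpha) OR the within-page offset back into the result, and the one caller that used to add the offset (vapic) is switched to OR so it is correct both before and after the change. The following is an added C example, not QEMU code, that demonstrates why OR is the safe caller-side form and add is not. The 4 KiB page size, the `PHYS_BASE` identity-plus-offset mapping and the `xlate_*` function names are assumptions chosen so the results are easy to check by hand.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU code. A 4 KiB page and an identity-plus-offset
 * mapping are assumptions chosen so the results are easy to check. */
#define TARGET_PAGE_BITS 12
#define TARGET_PAGE_SIZE ((uint64_t)1 << TARGET_PAGE_BITS)
#define TARGET_PAGE_MASK (~(TARGET_PAGE_SIZE - 1))
#define PHYS_BASE        0x80000000ULL

typedef uint64_t (*xlate_fn)(uint64_t vaddr);

/* Old-style implementation: returns only the page address. */
static uint64_t xlate_page_aligned(uint64_t vaddr)
{
    return (vaddr & TARGET_PAGE_MASK) + PHYS_BASE;
}

/* New contract: returns the exact physical address for the input. */
static uint64_t xlate_exact(uint64_t vaddr)
{
    return vaddr + PHYS_BASE;
}

/* Implementation-side fix used for ppc, sparc and alpha in the series:
 * wrap a page-aligned lookup and OR the within-page offset back in. */
static uint64_t xlate_fixed_up(uint64_t vaddr)
{
    uint64_t paddr = xlate_page_aligned(vaddr);
    return paddr | (vaddr & ~TARGET_PAGE_MASK);
}

/* Caller pattern before the vapic fix: add the page offset back.
 * Correct only if xlate returned a page-aligned address; with an exact
 * address the offset is counted twice. */
static uint64_t caller_add_offset(xlate_fn xlate, uint64_t vaddr)
{
    return xlate(vaddr) + (vaddr & ~TARGET_PAGE_MASK);
}

/* Caller pattern after the vapic fix: OR the page offset in. Idempotent,
 * so it is right whichever behaviour xlate has. */
static uint64_t caller_or_offset(xlate_fn xlate, uint64_t vaddr)
{
    return xlate(vaddr) | (vaddr & ~TARGET_PAGE_MASK);
}

/* hmp_gva2gpa workaround before the series: page-align the argument, then
 * add the offset to the result. Also correct for both behaviours, but only
 * because it never passes an unaligned address in. */
static uint64_t caller_round_down(xlate_fn xlate, uint64_t vaddr)
{
    uint64_t page = vaddr & TARGET_PAGE_MASK;
    return xlate(page) + (vaddr & ~TARGET_PAGE_MASK);
}

int main(void)
{
    uint64_t vaddr = 0x12345;   /* page 0x12000, offset 0x345 */
    printf("add, aligned impl: %#llx\n",
           (unsigned long long)caller_add_offset(xlate_page_aligned, vaddr));
    printf("add, exact impl:   %#llx (offset counted twice)\n",
           (unsigned long long)caller_add_offset(xlate_exact, vaddr));
    printf("or,  aligned impl: %#llx\n",
           (unsigned long long)caller_or_offset(xlate_page_aligned, vaddr));
    printf("or,  exact impl:   %#llx\n",
           (unsigned long long)caller_or_offset(xlate_exact, vaddr));
    printf("fixed-up impl:     %#llx\n",
           (unsigned long long)xlate_fixed_up(vaddr));
    return 0;
}
```

The OR form works because the offset bits are either zero (page-aligned result) or already equal to the offset (exact result); the add form silently produces an address 0x345 bytes past the intended one when the implementation is upgraded, which is exactly the mismatch the vapic commit heads off before the semantics change.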
After commit 0caed25cd171 vhost_vdpa_net_load_vlan() started seeing
VIRTIO_NET_F_CTRL_VLAN flag and making 4096 calls to the kernel with
VIRTIO_NET_CTRL_VLAN_ADD command. However, it forgot to convert the
16-bit VLAN IDs to LE format. On BE machine, the kernel calls failed
when they saw "VLAN IDs" greater than 4095, and QEMU then said:
"unable to start vhost net: 5: falling back on userspace virtio", and
VDPA became disabled.
Convert the VLAN ID to LE before putting it into virtio queue.
Fixes: 8f7e9967484d ("vdpa: Restore vlan filtering state")
Signed-off-by: Konstantin Shkolnyy <kshk@linux.ibm.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-ID: <20260427144746.1498-1-kshk@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Christian Speich [Fri, 17 Apr 2026 09:51:40 +0000 (11:51 +0200)]
hw/sd: Update trace events for buf+len data
After switching sdbuf and sdcard over to use buf+len instead of single
byte operation, the trace events need to be updated.
This patch updates sdbus_{read,write} and sdcard_write_data to output the
buffer that is worked on.
sdcard_read_data is left unchanged, as it did not print the read byte
before anyway.
Signed-off-by: Christian Speich <c.speich@avm.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260417-sdcard-performance-b4-v4-7-119e66be10c2@avm.de>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Christian Speich [Fri, 17 Apr 2026 09:51:35 +0000 (11:51 +0200)]
hw/sd/sd: Allow multi-byte read/write for generic paths
Paths that use sd_generic_write/read_data can now write/read multiple
bytes with one call.
Signed-off-by: Christian Speich <c.speich@avm.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260417-sdcard-performance-b4-v4-2-119e66be10c2@avm.de>
[PMD: Access &sd->data[sd->data_offset] in sd_generic_read/write_data]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Document the QTEST_ environment variables. Only include the ones used
by QTest itself, don't document test-specific variables as they are
more prone to change.
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260429003130.15164-4-farosas@suse.de
[picked rst-formatted version from Peter Maydell]
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Allow logging to be set for specific parts of QTest. Having a single
QTEST_LOG knob creates an output stream that is almost useless due to
spamming from some operations.
Add a backward-compatible way of selecting which parts will be made
verbose. Reuse the existing QTEST_LOG variable. The new options are:
QTEST_LOG=
fuzz - fuzz.c
qga - unit/test-qga.c
qmp - libqmp.c
qtest - QTest device, i.e. -qtest-log option
test - generic term for usage of all tests
E.g.:
QTEST_LOG=fuzz,qga,qmp,qtest,test
equivalent to QTEST_LOG=1
QTEST_LOG=qmp,qtest
enables logging of qmp operations from libqmp.c and logging of the
qtest device.
QTEST_LOG=test,qmp
enable test output and libqmp.c output.
QTEST_LOG=-qmp
enable all output, except for libqmp.c
Ashish Anand [Tue, 5 May 2026 13:40:02 +0000 (19:10 +0530)]
hw/i3c/dw-i3c: Fix BCR/DCR extraction and PID assembly during ENTDAA
The target_info union in dw_i3c_addr_assign_cmd() declares pid, bcr,
and dcr as separate union members, causing them to all alias b[0]
rather than their correct positions in the ENTDAA response buffer.
This results in dw_i3c_update_char_table() being called with BCR and
DCR both read from b[0] instead of b[6] and b[7] respectively,
corrupting the device characteristics table on every ENTDAA operation.
Fix by replacing the broken members with uint64_t d and extracting fields
per the I3C spec ENTDAA wire format.
Additionally, dw_i3c_update_char_table() incorrectly splits PID across
LOC1 and LOC2 at bit 32. Per the Linux kernel HCI driver
(drivers/i3c/master/mipi-i3c-hci/dct_v1.c), the DCT layout requires
LOC1 to hold pid[47:16] and LOC2 to hold pid[15:0]. Fix the split
accordingly.
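The commit describes two layout mistakes: a union whose `pid`, `bcr` and `dcr` members all start at offset 0, and a PID split into the DCT at bit 32 instead of bit 16. The following is an added C example, not the hw/i3c/dw-i3c.c code, that reproduces the aliasing shape of the bug next to a positional extraction from a packed `uint64_t`, and the LOC1/LOC2 split the commit cites. The wire order assumed for the 8-byte ENTDAA response is six PID bytes most-significant first, then BCR, then DCR; the `parse_entdaa*` and `dct_pid_split*` names are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not the hw/i3c/dw-i3c.c code. */

/* Shape of the bug: pid, bcr and dcr are separate union members, so all
 * three start at b[0]. bcr and dcr therefore read the first PID byte. */
typedef union {
    uint8_t b[8];
    uint64_t pid;
    uint8_t bcr;
    uint8_t dcr;
} TargetInfoBuggy;

typedef struct {
    uint64_t pid;   /* 48-bit provisioned ID */
    uint8_t bcr;    /* bus characteristics register */
    uint8_t dcr;    /* device characteristics register */
} TargetInfo;

static TargetInfo parse_entdaa_buggy(const uint8_t resp[8])
{
    TargetInfoBuggy u;
    memcpy(u.b, resp, 8);
    TargetInfo t = { u.pid, u.bcr, u.dcr };   /* bcr == dcr == resp[0] */
    return t;
}

/* Fixed: pack the 8 response bytes into one uint64_t and extract by
 * position. Wire order assumed: PID bytes 0..5 most-significant first,
 * BCR in byte 6, DCR in byte 7. */
static TargetInfo parse_entdaa(const uint8_t resp[8])
{
    uint64_t d = 0;
    for (unsigned i = 0; i < 8; i++) {
        d = (d << 8) | resp[i];
    }
    TargetInfo t;
    t.pid = d >> 16;             /* bytes 0..5 */
    t.bcr = (d >> 8) & 0xff;     /* byte 6 */
    t.dcr = d & 0xff;            /* byte 7 */
    return t;
}

/* DCT entry layout the commit cites from the Linux mipi-i3c-hci driver:
 * LOC1 holds pid[47:16], LOC2 holds pid[15:0]. */
static void dct_pid_split(uint64_t pid, uint32_t *loc1, uint32_t *loc2)
{
    *loc1 = (uint32_t)((pid >> 16) & 0xffffffffu);
    *loc2 = (uint32_t)(pid & 0xffffu);
}

/* The old split at bit 32, kept for comparison. */
static void dct_pid_split_old(uint64_t pid, uint32_t *loc1, uint32_t *loc2)
{
    *loc1 = (uint32_t)(pid >> 32);
    *loc2 = (uint32_t)(pid & 0xffffffffu);
}
```

Packing into one integer and shifting by byte position avoids both host-endianness surprises and the member-aliasing trap: a union only describes overlapping storage, it never assigns members to distinct offsets.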
Cédric Le Goater [Sun, 10 May 2026 16:57:04 +0000 (18:57 +0200)]
hw/arm: Remove fby35 machine
The fby35 machine was deprecated in QEMU 10.2 and is now removed in
QEMU 11.1.
This multi-SoC machine was added as an example of heterogeneous
systems, but the models never evolved and no public firmware is
available to boot it. Users needing multi-SoC emulation should use the
ast2700fc machine instead, which is based on newer AST2700 SoCs with
better support.
Cédric Le Goater [Sun, 10 May 2026 16:57:03 +0000 (18:57 +0200)]
hw/arm: Remove fp5280g2-bmc machine
The fp5280g2-bmc machine was deprecated in QEMU 10.2 and is now
removed in QEMU 11.1.
This Inspur FP5280G2 BMC board does not rely on specific device models
and can be replaced by the ast2500-evb machine with appropriate
fmc-model and I2C device configuration via command line.
Cédric Le Goater [Sun, 10 May 2026 16:57:02 +0000 (18:57 +0200)]
hw/arm: Remove qcom-dc-scm-v1-bmc and qcom-firework-bmc machines
The qcom-dc-scm-v1-bmc and qcom-firework-bmc machines were deprecated
in QEMU 10.2 and are now removed in QEMU 11.1.
These Qualcomm lab servers never entered production and do not rely on
specific device models. They can be replaced by the ast2600-evb
machine with appropriate fmc-model and I2C device configuration via
command line.
Cédric Le Goater [Sun, 10 May 2026 16:57:01 +0000 (18:57 +0200)]
hw/arm: Remove sonorapass-bmc machine
The sonorapass-bmc machine was deprecated in QEMU 10.2 and is now
removed in QEMU 11.1.
This OCP SonoraPass BMC lab server never entered production and can be
replaced by the ast2500-evb machine with appropriate fmc-model and I2C
device configuration via command line.
Kane Chen [Tue, 12 May 2026 06:50:04 +0000 (06:50 +0000)]
aspeed/hace: Fix mapped address may not be unmapped issue
In do_hash_operation, the code may return early because
hash_prepare_sg_iov or hash_prepare_direct_iov may return a failure.
When this condition happens, the current code flow doesn't go through the
later code segments. Finally, it causes the mapped address not to be
unmapped properly.
This change unmaps any mapped addresses when an error occurs,
preventing a resource leak.
In accumulate mode, total_req_len is incremented with plen (hwaddr)
for each hash request. Repeated additions can overflow total_req_len
(uint32_t) and potentially bypass validation checks in has_padding().
Add a helper function to detect overflow before incrementing
total_req_len and reject the request if overflow would occur.
aspeed/hace: Fix out-of-bounds read in has_padding()
The has_padding() function reads the last 8 bytes of a DMA buffer
without validating req_len. req_len is guest-controlled (via
R_HASH_SRC_LEN register or scatter-gather entries) and values less
than 8 cause integer underflow. This can result in an out-of-bounds
read of QEMU process memory.
Add a check to ensure req_len >= 8 before accessing the buffer.
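The two hace fixes above are both guards on guest-controlled lengths: an overflow check before a `uint32_t` running total is incremented with an `hwaddr`-sized value, and a minimum-length check before the last 8 bytes of a buffer are read. The following is an added C example, not the hw/misc/aspeed_hace.c code, showing the shape of both checks and a constructed SHA-256-style padded block to exercise them. The helper names, the plausibility comparison against the accumulated total, and the big-endian 64-bit bit-count read are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not the hw/misc/aspeed_hace.c code. */

/* Accumulate mode keeps a running uint32_t total of bytes hashed so far.
 * Adding a guest-supplied hwaddr-sized length unchecked lets the total wrap,
 * so later sanity checks see a small number. Refuse the request instead. */
static bool hace_add_req_len(uint32_t *total_req_len, uint64_t plen)
{
    if (plen > (uint64_t)UINT32_MAX - *total_req_len) {
        return false;                 /* would wrap: reject the request */
    }
    *total_req_len += (uint32_t)plen;
    return true;
}

/* Read the 64-bit big-endian bit count that SHA-2 padding places in the
 * last 8 bytes of the final block. req_len is guest-controlled
 * (R_HASH_SRC_LEN or a scatter-gather entry); with req_len < 8 the index
 * req_len - 8 wraps to a huge unsigned value, i.e. an out-of-bounds read,
 * so reject it before touching the buffer. */
static bool has_padding_safe(const uint8_t *buf, uint32_t req_len,
                             uint32_t total_req_len, uint64_t *msg_bits)
{
    if (req_len < 8) {
        return false;
    }
    uint64_t bits = 0;
    for (unsigned i = 0; i < 8; i++) {
        bits = (bits << 8) | buf[req_len - 8 + i];
    }
    /* Plausibility check (assumption for the example): the padded message
     * cannot claim more bits than have been submitted in total. */
    if (bits > (uint64_t)total_req_len * 8) {
        return false;
    }
    *msg_bits = bits;
    return true;
}

/* Constructed sample: one SHA-256 block holding "abc" plus padding, i.e.
 * 0x80 after the data, zeros, and the 64-bit length 24 (bits) at the end. */
static size_t sample_padded_abc(uint8_t out[64])
{
    memset(out, 0, 64);
    out[0] = 'a';
    out[1] = 'b';
    out[2] = 'c';
    out[3] = 0x80;
    out[63] = 24;
    return 64;
}
```

The overflow test is written as `plen > UINT32_MAX - total` rather than `total + plen < total` so that it never performs the wrapping addition at all, and it works when `plen` is wider than the counter it feeds.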
Kane Chen [Tue, 28 Apr 2026 05:52:56 +0000 (05:52 +0000)]
hw/misc/aspeed_sbc: Add bounds checking for OTP write operations
There is a mismatch between the Aspeed OTP model and the Aspeed SBC
model in how the guest-provided address is handled.
aspeed_sbc_otp_prog() passes a word-indexed address directly
to address_space_write() without converting it to a byte offset,
whereas aspeed_otp_write() expects a byte offset and applies an
additional shift (otp_addr << 2). This double-shift confusion means
that an out-of-range word address can lead to a write beyond the
allocated storage.
Fix this by adding bounds checking on the word offset before
converting to byte offset and passing to address_space_write().
This matches the existing bounds check in aspeed_sbc_otp_read().
Cc: Kane-Chen-AS <kane_chen@aspeedtech.com>
Cc: qemu-stable@nongnu.org
Fixes: 1a00754ccf15 ("hw/misc: Add Aspeed Secure Boot Controller model")
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3436
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Kane-Chen-AS <kane_chen@aspeedtech.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260428055254.76581-2-kane_chen@aspeedtech.com
[ clg: Kept otp_addr in event logged in aspeed_sbc_otp_prog() ]
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Christian Speich [Fri, 17 Apr 2026 09:51:34 +0000 (11:51 +0200)]
hw/sd: Switch read/write primitive to buf+len
Currently, reads/writes are broken down into individual bytes, which results
in many function calls. This is quite bad for performance and, since both
the layer below and above work with larger buffers, it should be
corrected.
This patch is the first that switches the corresponding interface over to
use a buf+len instead of a single byte. However, for most cases the
implementation still only reads one byte and is then called again with
the remaining buffer.
Optimizations taking advantage of this new interface are to follow in the
next commits.
Signed-off-by: Christian Speich <c.speich@avm.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260417-sdcard-performance-b4-v4-1-119e66be10c2@avm.de>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Jan Kiszka [Wed, 15 Apr 2026 05:46:07 +0000 (07:46 +0200)]
hw/sd/sdcard: Add support for pre-setting the authentication key
In contrast to real eMMCs, we are not (yet) persisting the full state
of the device. This particularly includes the authentication key used
for RPMB access, complicating testing of firmware images which do not
support initial provisioning of the key.
One way to address this would be, e.g., extending the eMMC disk image
with a special sector to store further state. A simpler approach is used
here: Add another device property that allows specifying the
authentication key, bringing up the eMMC as if the key had already been
provisioned before.
This is how to tell qemu to use the OP-TEE test key:
For the "color expansion" subtype of raster operations, the source
pixel format is a monochrome bitmap, and the destination can be any
of 8, 16, 24 or 32bpp.
For these pattern operations, the GR2F register includes a field
which specifies how much to skip at the start of each scanline. In
the 8, 16 and 32 bit cases, this field is 3 bits and is a count of
pixels to skip. We get this case right. However, for the 24 bit
case, the field is 5 bits and is a count of destination bytes to
skip.
In commit ad81218e40e27 ("depth=24 write mask fix (Volker Ruppert)")
in 2005, we updated the code to (attempt to) handle the 5-bit mask
case. However, we don't do the right thing when the 5-bit mask
indicates that we need to skip more than 8 bits of the input bitmap:
we will right-shift the 0x80 constant completely off the right hand
side, and will be off-by-one for all the source bitmap loads.
Fix this by calculating the whole number of input bytes we need to
skip and the residual number of bits. In the 8/16/32bpp case the
bytes to skip is always zero.
Cc: qemu-stable@nongnu.org
Fixes: ad81218e40e27 ("depth=24 write mask fix (Volker Ruppert)")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Junjie Cao <junjie.cao@intel.com>
Tested-by: Junjie Cao <junjie.cao@intel.com>
Message-ID: <20260410183249.4046456-3-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
The Cirrus Logic VGA card has "pattern fill" blit modes where it
repeatedly copies an 8x8 source pattern to the display. For the
"color expansion" subtype of these, the source pixel format is an 8x8
monochrome bitmap, and the destination can be any of 8, 16, 24 or
32bpp. We implemented these wrong for the 24bpp case, in a way that
results in a complaint from the undefined-behavior sanitizer about a
shift by a negative value.
For these pattern fills, the GR2F register includes a field which
specifies how much to skip at the start of each scanline. In the 8,
16 and 32 bit cases, this field is 3 bits and is a count of pixels to
skip. We get this case right. However, for the 24 bit case, the
field is 5 bits and is a count of destination bytes to skip. We
tried to add support for 24-bits in commit ad81218e40e27 ("depth=24
write mask fix (Volker Ruppert)") in 2005. However we got this
wrong, because when we need to skip, for example, 30 bytes in the
destination, this is 10 input pixels but the whole pattern is only 8
pixels wide, and we ended up with a negative bitpos for the first bit
to use in the pattern.
Fix the bug by masking srcskipleft in the 24-bit case so that it
correctly gives the first pixel to use in the pattern even if we skip
so many pixels that we have wrapped around to what would have been
the second copy of the pattern to the destination.
This patch was produced based on the information in the CL-GD5446
Technical Reference Manual, specifically sections 5.8 "GR2F: BLT
Destination Left-Side Clipping" and 9.4.8 "Pattern Fills".
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3377
Fixes: ad81218e40e27 ("depth=24 write mask fix (Volker Ruppert)")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Junjie Cao <junjie.cao@intel.com>
Tested-by: Junjie Cao <junjie.cao@intel.com>
Message-ID: <20260410183249.4046456-2-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
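The two Cirrus commits above describe the same 24bpp left-clip field from two angles: for linear colour-expansion the skip must be split into whole source bytes plus residual bits instead of shifting `0x80` by the whole count, and for 8x8 pattern fills the skip must be reduced modulo the pattern width so it never goes negative. The following is an added C example, not the hw/display/cirrus_vga.c code, that implements both derivations over a constructed monochrome source. The field widths and meanings (3-bit pixel count for 8/16/32bpp, 5-bit destination-byte count for 24bpp) are taken from the messages; the helper names, the `bpp == 24` branch dividing by three, and the 1/0 output pixel encoding are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not the hw/display/cirrus_vga.c code. Field widths and
 * meanings follow the two commit messages; the rest are assumptions. */

/* GR2F left-side clip field -> number of source pixels to skip.
 * 8/16/32bpp: 3-bit field, a count of pixels.
 * 24bpp: 5-bit field, a count of destination bytes, 3 bytes per pixel. */
static unsigned gr2f_skip_pixels(uint8_t gr2f, unsigned bpp)
{
    if (bpp == 24) {
        return (gr2f & 0x1f) / 3;
    }
    return gr2f & 0x07;
}

/* Old behaviour described in the first message: shift the 0x80 mask by
 * the whole count. With 8 or more pixels the bit falls off the end
 * (mask 0) and the source byte index is never advanced. */
static uint8_t first_mask_old(unsigned skip_pixels)
{
    return (uint8_t)(0x80 >> skip_pixels);
}

typedef struct {
    unsigned bytes;   /* whole source bytes to skip */
    unsigned bits;    /* residual bits inside the first byte used */
} SrcSkip;

/* Fixed: split the skip into whole bytes and residual bits. For
 * 8/16/32bpp the field is at most 7, so bytes is always 0. */
static SrcSkip src_skip(unsigned skip_pixels)
{
    SrcSkip s = { skip_pixels / 8, skip_pixels % 8 };
    return s;
}

/* Pattern fills: the 8x8 monochrome pattern repeats across the scanline,
 * so the first pattern pixel is the skip count modulo 8 (the second
 * message's "mask srcskipleft" fix), never a negative bit position. */
static unsigned pattern_first_pixel(unsigned skip_pixels)
{
    return skip_pixels & 7;
}

/* Colour-expand `count` pixels of one scanline from a linear monochrome
 * bitmap into dst (1 = foreground, 0 = background), skipping
 * skip_pixels source pixels first. */
static void expand_scanline(const uint8_t *src, unsigned skip_pixels,
                            unsigned count, uint8_t *dst)
{
    SrcSkip s = src_skip(skip_pixels);
    const uint8_t *p = src + s.bytes;
    uint8_t mask = (uint8_t)(0x80 >> s.bits);
    for (unsigned i = 0; i < count; i++) {
        dst[i] = (*p & mask) ? 1 : 0;
        mask >>= 1;
        if (mask == 0) {
            mask = 0x80;
            p++;
        }
    }
}

/* Same for one 8-pixel-wide pattern row: the index wraps within the byte. */
static void expand_pattern_row(uint8_t row, unsigned skip_pixels,
                               unsigned count, uint8_t *dst)
{
    unsigned bit = pattern_first_pixel(skip_pixels);
    for (unsigned i = 0; i < count; i++) {
        dst[i] = (row >> (7 - bit)) & 1;
        bit = (bit + 1) & 7;
    }
}
```

With the 30-destination-byte case from the second message, `gr2f_skip_pixels(30, 24)` gives 10 source pixels: the old shift `0x80 >> 10` yields 0 and every subsequent load is misaligned, whereas the fixed split starts at byte 1, bit 2, and the pattern variant starts at pattern pixel 2.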
Jeuk Kim [Mon, 11 May 2026 04:59:29 +0000 (13:59 +0900)]
hw/ufs: Zero reserved bytes in REPORT LUNS response header
ufs_emulate_report_luns() writes the 4-byte LUN list length into
outbuf[0..3] via stl_be_p() but leaves outbuf[4..7], the reserved
field, uninitialized. Those bytes are then DMA'd to guest memory,
leaking uninitialized QEMU stack data.
Fixes: 7708e298180 ("hw/ufs/lu: skip automatic zero-init of large array")
Cc: qemu-stable@nongnu.org
Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
Jeuk Kim [Wed, 6 May 2026 04:50:49 +0000 (13:50 +0900)]
hw/ufs: Keep MCQ SQs alive while requests are outstanding
MCQ requests are allocated with their SQ, but can remain in flight on the
CQ list or in the SCSI layer after leaving the SQ free list.
Reject runtime SQ deletion while any request is still outstanding, and
use separate teardown helpers so device exit can still release MCQ
queues after child devices have been unrealized.
Fixes: 5c079578d2e ("hw/ufs: Add support MCQ of UFSHCI 4.0")
Cc: qemu-stable@nongnu.org
Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
Jeuk Kim [Wed, 6 May 2026 04:50:34 +0000 (13:50 +0900)]
hw/ufs: Reject zero-depth MCQ queues
Reject SQATTR.SIZE and CQATTR.SIZE values that produce zero-entry MCQ
queues. Such queues can later trigger a divide-by-zero while advancing
queue pointers.
Fixes: 5c079578d2e ("hw/ufs: Add support MCQ of UFSHCI 4.0")
Cc: qemu-stable@nongnu.org
Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
Jeuk Kim [Mon, 16 Mar 2026 05:39:04 +0000 (14:39 +0900)]
hw/ufs: Validate MCQ SQ references before use
A guest can program an out-of-range SQATTR.CQID value, or ring an
MCQ SQ doorbell before the submission queue exists.
Reject SQ creation when the referenced CQ is invalid, and ignore SQ
doorbells for queues that have not been created. This prevents a
guest-triggerable out-of-bounds read and NULL pointer dereference.
Fixes: 5c079578d2e ("hw/ufs: Add support MCQ of UFSHCI 4.0")
Reported-by: Rayhan Ramdhany Hanaputra <hanaputrarayhan@gmail.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
target/s390x: add gen-features.h dependency to s390x_system_ss
Commit 0b83acf2f05 moved gen_features_h from s390x_ss to
s390x_common_ss. However s390x_system_ss (containing ioinst.c) was left
without the dependency, causing a build race: it can be compiled before
gen-features.h is generated (via cpu.h -> cpu_models.h -> cpu_features.h
-> gen-features.h).
Add gen_features_h to s390x_system_ss to correct the build ordering.
Fixes: 0b83acf2f05 ("target/s390x: Introduce common system/user meson source set")
Acked-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
hw/riscv/virt: free flash devices and OEM strings on finalization
Add instance_finalize to free the two pflash devices (when unrealized)
and the OEM ID strings allocated during instance_init. Fixes leaks
found by ASan.
Fixes: 71eb522c4063 ("riscv/virt: Add the PFlash CFI01 device")
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
hw/ppc/pnv: drop extra ref on PHB after adding as child
object_new() returns an object with refcount 1, and
object_property_add_child() adds another reference. The initial
reference must be dropped so the parent becomes the sole owner,
otherwise the PHB objects leak when the chip is destroyed.
Fixes: 0d512c7120a2 ("ppc/pnv: turn chip8->phbs[] into a PnvPHB* array") Reviewed-by: Glenn Miles <milesg@linux.ibm.com> Reviewed-by: Aditya Gupta <adityag@linux.ibm.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
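The ownership rule in the PHB commit above (object_new() hands the caller one reference, object_property_add_child() takes its own, so the caller's must be dropped) is easy to get wrong because nothing fails at the time of the leak. The following added example, not QOM code, models that rule with a minimal refcounted object and a live-object counter; obj_new, container_add_child and the other names are hypothetical stand-ins for the QOM API, and the "leaky" path shows what the fixed code used to do.

```c
/*
 * Added example, not QOM code: a minimal refcounted object and child
 * container reproducing the ownership rule from the commit above.
 * All names are hypothetical stand-ins for object_new() and friends.
 */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHILDREN 4

typedef struct Obj {
    unsigned ref;
    struct Obj *children[MAX_CHILDREN];
    unsigned nchildren;
} Obj;

static unsigned live_objects;   /* leak detector: allocated but not yet freed */

static Obj *obj_new(void)
{
    Obj *o = calloc(1, sizeof *o);
    if (!o) abort();
    o->ref = 1;                 /* the creator owns this initial reference */
    live_objects++;
    return o;
}

static void obj_ref(Obj *o) { o->ref++; }

static void obj_unref(Obj *o)
{
    if (!o || --o->ref) return;
    /* Last reference gone: drop the references this object holds on its children. */
    for (unsigned i = 0; i < o->nchildren; i++) obj_unref(o->children[i]);
    live_objects--;
    free(o);
}

/* The container takes its own reference, like object_property_add_child(). */
static bool container_add_child(Obj *parent, Obj *child)
{
    if (parent->nchildren == MAX_CHILDREN) return false;
    obj_ref(child);
    parent->children[parent->nchildren++] = child;
    return true;
}

/* Correct pattern: create, attach, then drop the creator's reference so the
 * parent becomes the sole owner. Returns the number of leaked objects (0). */
static unsigned build_and_destroy_correct(void)
{
    unsigned before = live_objects;
    Obj *chip = obj_new();
    Obj *phb = obj_new();
    container_add_child(chip, phb);
    obj_unref(phb);             /* refcount 2 -> 1: only the parent holds it now */
    obj_unref(chip);            /* destroying the parent frees the child too */
    return live_objects - before;
}

/* Buggy pattern: the initial reference is never dropped, so the child outlives
 * the parent. Returns the leak count and hands back the orphan so a caller
 * can reclaim it. */
static unsigned build_and_destroy_leaky(Obj **leaked)
{
    unsigned before = live_objects;
    Obj *chip = obj_new();
    Obj *phb = obj_new();
    container_add_child(chip, phb);   /* phb->ref == 2, nobody drops the first one */
    obj_unref(chip);                  /* chip freed; phb->ref falls to 1 and stays there */
    *leaked = phb;
    return live_objects - before;     /* 1: the orphaned phb */
}
```

The counter is the same signal ASan's leak checker gives at process exit; the point of the model is that the only observable difference between the two paths is one obj_unref() immediately after the add.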
hw/arm/virt: free flash devices and OEM strings on finalization
Flash devices created in instance_init via qdev_new() hold an extra
reference that is only dropped on sysbus_realize_and_unref(). When the
machine is destroyed before realization, the flash objects leak. Also,
the oem_id and oem_table_id strings from g_strndup() are never freed.
Fixes: 602b458201ff ("acpi: Permit OEM ID and OEM table ID fields to be changed") Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
hw/arm/sbsa-ref: free unrealized flash devices on finalization
Flash devices are created with qdev_new() in instance_init and added as
children, but the initial reference from qdev_new() is only dropped by
sysbus_realize_and_unref() during machine init. When the machine object
is destroyed before realization (e.g. during qtest device introspection),
the flash devices leak.
Fixes: e9fdf453240e ("hw/arm: Add arm SBSA reference machine, devices part") Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
hw/gpio/pca9552: fix state_str leak in pca955x_set_led
visit_type_str() allocates state_str, but the function never frees it
on any code path. Use g_autofree to ensure it is freed on return.
Fixes: a90d8f84674d ("misc/pca9552: Add qom set and get") Reviewed-by: Glenn Miles <milesg@linux.ibm.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
The OPBus instance_init initializes an AddressSpace, registering it in
the global address_spaces list. When a bare OPBus object is created
and destroyed (e.g. by qom-tests), there is no finalize to remove the
stale entry, leading to a heap-use-after-free when a subsequent
flatviews_reset iterates the list.
Move address_space_init to the bus realize callback and add the
corresponding address_space_destroy in unrealize, following the
NubusBus pattern. Also fix the memory_region_init owner from NULL to
the OPBus object, so the MR is properly parented instead of dangling
under the "unattached" container.
kvm_set_device allocates device via g_strdup, but no
instance_finalize existed for the KVM accelerator type.
Fixes: aef158b093b9 ("Add class property to configure KVM device node to use") Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
can_host_socketcan_set_if allocates ifname via g_strdup, but no
instance_finalize existed to free it.
Fixes: ea15ea8a7c67 ("net/can: support for connecting to Linux host SocketCAN interface.") Acked-by: Pavel Pisa <pisa@fel.cvut.cz> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
hw/i386/x86: free oem_id and oem_table_id on finalization
x86_machine_initfn allocates oem_id and oem_table_id via g_strndup,
but no instance_finalize existed for x86_machine_info, so these
strings were never freed when the object was destroyed.
Add x86_machine_finalize to release both fields.
Fixes: d07b22863b8e ("acpi: Move setters/getters of oem fields to X86MachineState") Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/console: remove console from global list on finalization
This commit removes the QemuConsole from the global "consoles" list when
it is finalized, fixing use-after-free on throw-away objects.
Reproducer: QMP command qom-list-properties with typename
"qemu-text-console", "qemu-fixed-text-console" or
"qemu-graphic-console".
The assertions added ensure that `dcls`, `gl_block`, and the
`dump_queue` are empty before removal, confirming the console is in a
clean state. Handling the hot-unplug case correctly is left to a future
series.
Reported-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Peter Xu [Thu, 23 Apr 2026 18:32:11 +0000 (14:32 -0400)]
system/ioport: Fix qom-list-properties crash on portio list obj
Currently qom-list-properties QMP command will crash when querying the
portio list MR object. It's because its finalize() assumes full
initialization done in portio_list_add_1().
Provide a simple fix for now to avoid the crash. There is a chance for a
longer-term fix; ideally the MR should be initialized in instance_init().
However that'll need more work, and that should also be done with cleaning
the hard-coded MR operations in portio_list_add_1(). To be explored.
Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Link: https://lore.kernel.org/r/87a4uvw066.fsf@pond.sub.org Reported-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Peter Xu <peterx@redhat.com>
net/colo-compare: guard finalize against uninitialized state
colo_compare_finalize() assumes the object was fully set up by
colo_compare_complete(), but a bare object_new() followed by
object_unref() skips the complete callback entirely.
This causes two crashes:
- qemu_mutex_destroy on the static event_mtx which was never
initialized (colo_compare_active is false)
- qemu_bh_delete(NULL) and iothread dereference when s->iothread
is NULL
Guard the event_mtx teardown with colo_compare_active, and the
iothread-dependent cleanup with an s->iothread NULL check.
Fixes: 45942b79b9f8 ("net/colo-compare.c: Check that colo-compare is active") Cc: peterx@redhat.com Acked-by: Peter Xu <peterx@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
The QIONetListener mutex is initialized in the convenience
constructor qio_net_listener_new() rather than in an instance_init.
This means a bare object_new(TYPE_QIO_NET_LISTENER) produces an
object with an uninitialized mutex, but instance_finalize
unconditionally calls qemu_mutex_destroy() on it, which aborts.
Move the mutex initialization to a proper instance_init so that init
and finalize are always paired regardless of how the object is
created.
Fixes: 9d86181874a ("qio: Protect NetListener callback with mutex") Cc: peterx@redhat.com Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Peter Xu <peterx@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
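The colo-compare and QIONetListener fixes above are two halves of one rule: anything finalize tears down unconditionally must have been set up in instance_init, and anything set up later (by a complete or convenience constructor) must be torn down behind a check. The added example below, which is not QEMU code and uses hypothetical type and function names, shows an object that survives both a bare new+unref (what qom-list-properties does) and a fully configured lifetime, with counters proving every mutex init is matched by exactly one destroy.

```c
/*
 * Added example, not QEMU code: teardown that is safe both after full
 * configuration and after a bare new+unref. The mutex is initialised in
 * instance_init so it is always paired with finalize; resources created
 * later by complete() are torn down only if present. Names are hypothetical.
 */
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

static unsigned mutex_inits, mutex_destroys;  /* pairing counters */

typedef struct {
    pthread_mutex_t lock;        /* valid from instance_init onwards */
    bool active;                 /* set by complete(); guards event_mtx */
    pthread_mutex_t event_mtx;   /* only initialised by complete() */
    char *worker;                /* optional resource, NULL until complete() */
} Listener;

static void listener_instance_init(Listener *l)
{
    memset(l, 0, sizeof *l);
    pthread_mutex_init(&l->lock, NULL);   /* here, not in a convenience constructor */
    mutex_inits++;
}

static Listener *listener_new(void)
{
    Listener *l = malloc(sizeof *l);
    if (l) listener_instance_init(l);
    return l;
}

/* Second-phase setup (the "complete" callback); a bare object never runs it. */
static bool listener_complete(Listener *l, const char *worker_name)
{
    if (!worker_name) return false;
    size_t len = strlen(worker_name) + 1;
    l->worker = malloc(len);
    if (!l->worker) return false;
    memcpy(l->worker, worker_name, len);
    pthread_mutex_init(&l->event_mtx, NULL);
    mutex_inits++;
    l->active = true;
    return true;
}

static void listener_finalize(Listener *l)
{
    if (l->active) {                 /* destroy only what complete() created */
        pthread_mutex_destroy(&l->event_mtx);
        mutex_destroys++;
        l->active = false;
    }
    if (l->worker) {                 /* NULL check before the optional cleanup */
        free(l->worker);
        l->worker = NULL;
    }
    pthread_mutex_destroy(&l->lock); /* always valid: paired with instance_init */
    mutex_destroys++;
    free(l);
}

static bool mutexes_balanced(void) { return mutex_inits == mutex_destroys; }

/* Bare object, no complete(), dropped immediately (the qom-list-properties case). */
static bool bare_new_unref(void)
{
    Listener *l = listener_new();
    if (!l) return false;
    listener_finalize(l);
    return mutexes_balanced();
}

/* Fully configured object: both mutexes and the worker string are released. */
static bool configured_new_unref(void)
{
    Listener *l = listener_new();
    if (!l || !listener_complete(l, "iothread0")) return false;
    listener_finalize(l);
    return mutexes_balanced();
}
```

With a debug pthread build, or QEMU's own QemuMutex with its initialized flag, destroying the never-initialised event_mtx on the bare path is exactly the abort the two commits describe; the active flag is what keeps finalize from reaching it.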
hw/remote: check visit return in vfu_object_set_socket
vfu_object_set_socket() dereferences o->socket without checking if
visit_type_SocketAddress() succeeded. On failure, o->socket remains
NULL, leading to a NULL dereference. Check the return value.
* tag 'ui-pull-request' of https://gitlab.com/marcandre.lureau/qemu: (33 commits)
qemu-options: document -chardev dbus
tools/qemu-vnc: add standalone VNC server over D-Bus
tests/qtest: drop DBUS_VMSTATE_TEST_TMPDIR
ui: extract common sources into a static library
ui/vnc: replace VNC_DEBUG with trace-events
ui/console: rename public API to use consistent qemu_console_ prefix
ui/console: add doc comment for qemu_console_{un}register_listener()
ui/console: simplify registering display/console change listener
ui/vnc: add vnc-system unit, to allow different implementations
ui/vnc: defer listener registration until the console is known
ui/vnc: clean up VNC displays on exit
ui/vnc: merge vnc_display_init() and vnc_display_open()
ui/vnc: vnc_display_init() and vnc_display_open() return bool
ui/vnc: make the worker thread per-VncDisplay
ui/console-vc: move VT100 emulation into separate unit
ui/console: remove console_ch_t typedef and console_write_ch()
ui/console-vc: extract vt100_init() and vt100_fini()
ui/console-vc: extract vt100_keysym() from qemu_text_console_handle_keysym()
ui/console-vc: extract vt100_input() from vc_chr_write()
ui/console-vc: move VT100 state machine and output FIFO into QemuVT100
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
tools/qemu-vnc: add standalone VNC server over D-Bus
Add a standalone VNC server binary that connects to a running QEMU
instance via the D-Bus display interface (org.qemu.Display1, via the bus
or directly p2p). This allows serving a VNC display without compiling
VNC support directly into the QEMU system emulator, and enables running
the VNC server as a separate process with independent lifecycle and
privilege domain.
Built only when both VNC and D-Bus display support are enabled.
If we wanted to have qemu -vnc disabled, and qemu-vnc built, we would
need to split CONFIG_VNC. This is left as a future exercise.
Current omissions include some QEMU VNC runtime features (better handled via
restart), legacy options, and Windows support.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Move clipboard, cursor, display-surface, input-keymap, kbd-state,
keymaps, vt100, and qemu-pixman into a separate static library 'qemuui'.
This allows these common UI sources to be linked by targets outside of
the system emulator build, such as standalone VNC or D-Bus display
binaries.
The keymaps generation has to be moved earlier, so that header dependencies
are resolved first.
The library objects are re-exported via a dependency so existing
system_ss consumers are unaffected.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/console: rename public API to use consistent qemu_console_ prefix
Rename the display and graphic console public functions to follow a
consistent qemu_console_ (or qemu_graphic_console_) naming convention.
The previous API used a mix of prefixes: dpy_, graphic_hw_,
graphic_console_, console_has_, and update_displaychangelistener().
Unify them under a common qemu_console_ namespace for better
discoverability and consistency.
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
scsi: handle reservation changes across migration
scsi: register again after PREEMPT without reservation
scsi: always send valid PREEMPT TYPE field
scsi: adjust error_prepend() formatting
scsi: change buf_size to unsigned int in scsi_SG_IO()
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* tag 'firmware-20260508-pull-request' of https://gitlab.com/kraxel/qemu:
hw/uefi: avoid possibly unaligned variable_auth_2 struct field access
hw/uefi: verify data size before accessing it in wrap_pkcs7
hw/uefi: add name_size check to uefi_vars_mm_lock_variable()
hw/uefi: fix ucs2 string helper functions
hw/uefi: verify pio_xfer_offset before calculating buffer checksum
hw/uefi: fix buffer overruns
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
# -----BEGIN PGP SIGNATURE-----
#
# iLMEAAEKAB0WIQTKRzxE1qCcGJoZP81FK5aFKyaCFgUCaf2HjwAKCRBFK5aFKyaC
# FnBgA/4rVzGrTcTvLIxceLpewgBsH+BsAxHvpOwaVWWPHWjTWL5BgYiudS4dukTO
# fllXZBAIejUded8h5YazdGqqN2nZYq3QAQD3TKgkqDaiS2qdbVHn1caTLyPg6oEK
# XKyZwzQpuZ3xjlYbnmNwDMTkChV1sxEKSpWZlSHwcgUNhuvFWQ==
# =Oze1
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 08 May 2026 02:49:51 EDT
# gpg: using RSA key CA473C44D6A09C189A193FCD452B96852B268216
# gpg: Good signature from "Song Gao <gaosong@loongson.cn>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: CA47 3C44 D6A0 9C18 9A19 3FCD 452B 9685 2B26 8216
* tag 'pull-loongarch-20260508-2' of https://github.com/gaosong715/qemu:
target/loongarch: Add support for dbar hint variants
hw/loongarch/virt: Define versioned virt machine
hw/loongarch/virt: Define virt machine type with type_init()
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* tag 'pull-target-arm-20260507' of https://gitlab.com/pm215/qemu: (67 commits)
hw/misc/bcm2835_rng: Specify valid memory access sizes
target/arm: Report IL=0 for Thumb 16-bit BKPT insn
hw/arm/virt: Allow user to select GICv5
hw/arm/virt: Enable GICv5 CPU interface when using GICv5
hw/arm/virt: Use correct interrupt type for GICv5 SPIs in the DTB
hw/arm/virt: Handle GICv5 in interrupt bindings for PPIs
hw/arm/virt: Advertise GICv5 in the DTB
hw/arm/virt: Create and connect GICv5
hw/arm/virt: Split GICv2 and GICv3/4 creation
hw/arm/virt: Pull "wire CPU interrupts" out of create_gic()
hw/arm/virt: Move MSI controller creation out of create_gic()
hw/arm/virt: Remember CPU phandles rather than looking them up by name
hw/intc/arm_gicv3_cpuif: Don't allow GICv3 if CPU has GICv5 cpuif
target/arm: Add has_gcie property to enable FEAT_GCIE
target/arm: Connect internal interrupt sources up as GICv5 PPIs
target/arm: GICv5 cpuif: Signal IRQ or FIQ
target/arm: GICv5 cpuif: Implement GIC CDDI
hw/intc/arm_gicv5: Implement Deactivate command
target/arm: GICv5 cpuif: Implement GIC CDEOI
target/arm: GICv5 cpuif: Implement GICR CDIA command
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Sat, 9 May 2026 11:36:20 +0000 (07:36 -0400)]
Merge tag 'bsd-user-2026-05-pull-request' of https://gitlab.com/bsdimp/qemu-from-official into staging
bsd-user May 2026 pull request
Three patch series were reviewed during the code freeze and are finally ready to
head into the tree.
(1) Use SPDX identifiers in most places. This makes it easier for me to upstream
since I can do almost all of the files in the forked tree and not have it be an
issue each time I add a new file.
(2) Per discussions in the review, copy thunk.c to bsd-user from linux-user. We
will use this in the third set of patches, ioctls. All that changed is the
copyright header. This file has style problems, but fixing them would be a worse
problem than the style issues since we share it with linux-user and want to
track changes there. In the future we may actually share, but for now this was
the compromise.
(3) All the ioctls that bsd-user supports in FreeBSD. This uses the thunk.c code
to translate back and forth between host and target. A number of pedantic
changes were made against the blitz branch upstream and were discovered or
highlighted by claude code.
I used claude to extract all the ioctl code from the blitz branch for
upstreaming. I had it review the code and fixed the problems it found (though
one was a false positive). I've not tagged these as Assisted-by: since that part
of our policy is in flux. No creative output of claude was applied here, though
it also suggested the commit messages (that I rewrote in large part, but
vestiges of the original remain). To be clear: Claude didn't write any of
the actual code.
# -----BEGIN PGP SIGNATURE-----
# Comment: GPGTools - https://gpgtools.org
#
# iQIzBAABCgAdFiEEIDX4lLAKo898zeG3bBzRKH2wEQAFAmn7+HkACgkQbBzRKH2w
# EQBseRAAn4RqHJDLLdFpyfspFPOr8Etjmq6MdJ3MXtDauyOWE2IIY1bBsr5a81Ko
# VjG3zpZ3kOE6eQsCKIHHUEljtrfej3kdrvfdMI5d0Qtk4YQSU3rN2Tz6CRNIQNRb
# xALkkvsKY0AxP1xzdldUMCR2oO0AT1u0NC7aPpiKbg8Z4wUujDcaPXnNkun6xoRw
# ysELRm3G1zyvIw0WX3LUrcxYel+O4cXoF1Fzi3ZLSyryeKOBXTQG/uA7+9YJUyLx
# wsrl++bACCDHwkwnuFiIvg+ZkBiMfkVHz6SLRcMfVjwmAfRuPukvjB8ZZBXRLT94
# zeG+R9t4zCRKC8Cka4AsYUyceHfgj/kdNkEd7u5rJHVHSUsfQAbWywRRhjOyO4Ad
# 3nzKOCJ68e4bu3FOc7ih2pcrS71/zxR1HWa2FgwPOntrDaagCbugfSepZ5bJewvW
# rBqujzgLV7B5fNDUAaYP+HnYr/qu6oaJZ4APalubBu+/Y++P1KBzfsiNSoFLHTzU
# XFsGB0ktMbVJtqMfQKNBJlsd8XrRguhRvrujwBAKJxUt1XIS7lJfYQIN1sn2pfBe
# evUsHsp978u1BR58rwEMRJeYxLIZe+Q6T3JJNXhwC+WsWZvjdLo2Xta78HcudC0R
# z1FnH99jlUFpgHiySQUMR/6FYPBxRMQ4dPa4hgLVKYOSyN4GguI=
# =L844
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 06 May 2026 22:27:05 EDT
# gpg: using RSA key 2035F894B00AA3CF7CCDE1B76C1CD1287DB01100
# gpg: Good signature from "Warner Losh <wlosh@netflix.com>" [unknown]
# gpg: aka "Warner Losh <imp@bsdimp.com>" [unknown]
# gpg: aka "Warner Losh <imp@freebsd.org>" [unknown]
# gpg: aka "Warner Losh <imp@village.org>" [unknown]
# gpg: aka "Warner Losh <wlosh@bsdimp.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 2035 F894 B00A A3CF 7CCD E1B7 6C1C D128 7DB0 1100
* tag 'bsd-user-2026-05-pull-request' of https://gitlab.com/bsdimp/qemu-from-official: (25 commits)
bsd-user: Add call to do_bsd_ioctl and add bsd-ioctl.c to the build
bsd-user: Add init_bsd_ioctl function
bsd-user: Add do_bsd_ioctl main function
bsd-user: Add do_ioctl_in6_ifreq_sockaddr_int function
bsd-user: Add target_to_host_sockaddr_in6 function
bsd-user: Add do_ioctl_unsupported function
bsd-user: Add log_unsupported_ioctl function
bsd-user: Add bsd-ioctl.c infrastructure and termios conversion
bsd-user: Add target_sockaddr and safe_ioctl to syscall_defs.h
bsd-user: Add bsd-ioctl.h header
bsd-user: Add FreeBSD ioctl command table
bsd-user: Add FreeBSD ioctl type definitions
bsd-user: Add FreeBSD IPv6 ioctl definitions
bsd-user: Add FreeBSD disk ioctl definitions
bsd-user: Add FreeBSD cryptodev ioctl definitions
bsd-user: Add FreeBSD socket ioctl definitions
bsd-user: Add FreeBSD file I/O ioctl definitions
bsd-user: Add FreeBSD tty ioctl definitions
bsd-user: ioctl: add common definitions
bsd-user: Copy linux-user/thunk.c to bsd-user
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Introduce qemu_console_register_listener() which combines setting
dcl->con, dcl->ops and calling register_displaychangelistener() into a
single call. This removes repetitive boilerplate across all display
backends and makes it harder to forget setting one of the fields.
Also move the early-return check in unregister_displaychangelistener()
before the trace call, so that unregistering a never-registered listener
(e.g. on error paths) does not dereference a NULL ops pointer.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/vnc: defer listener registration until the console is known
Previously, the display change listener was registered early in
vnc_display_new() without a console, requiring vnc_display_open() to
conditionally unregister and re-register it when the actual console was
resolved. Since vnc_display_new() and vnc_display_open() were merged in
the previous commit, simply delay the registration and keyboard state
initialization to vnc_display_open(), after the console has been looked
up. This removes the conditional re-registration and simplifies the code.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Previously, VNC displays were never torn down on QEMU exit, leaking
resources and leaving connected clients with unclean disconnects.
Add vnc_cleanup() to free all VNC displays during qemu_cleanup().
Make vnc_display_close() initiate disconnection of active clients,
and have vnc_display_free() drain the main loop until all clients
have completed their teardown, instead of asserting the client list
is empty.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/vnc: merge vnc_display_init() and vnc_display_open()
Combine the two-step vnc_display_init()/vnc_display_open() sequence
into a single vnc_display_new() function that returns VncDisplay*.
This simplifies the API by making vnc_display_open() an
internal detail and will allow further code simplification.
vnc_display_new() is moved to vnc.h, since it returns VncDisplay* now.
Add vnc_display_free() for consistency, and it will be later used.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/vnc: vnc_display_init() and vnc_display_open() return bool
Use the QEMU-style error pattern returning "true" on success.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
The VNC encoding worker thread was using a single global queue shared
across all VNC displays, with no way to stop it. This made it impossible
to properly clean up resources when a VncDisplay is freed.
Move the VncJobQueue from a file-scoped global to a per-VncDisplay
member, so each display owns its worker thread and queue. Add
vnc_stop_worker_thread() to perform an orderly shutdown: signal the
thread to exit, join it, and destroy the queue. The thread is now
created as QEMU_THREAD_JOINABLE instead of QEMU_THREAD_DETACHED.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/console-vc: move VT100 emulation into separate unit
Move the VT100 terminal emulation code into dedicated ui/vt100.c and
ui/vt100.h files, completing the extraction from console-vc.c started
in the previous patches. This makes the VT100 layer a self-contained
module that can be reused independently of the chardev/console
infrastructure.
The code is moved as-is, with minor coding style fixes (adding missing
braces, fixing whitespace) applied during the move.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/console: remove console_ch_t typedef and console_write_ch()
Since commit e2f82e924d05 ("console: purge curses bits from
console.h"), console_ch_t is a plain uint32_t typedef and
console_write_ch() is a trivial assignment (*dest = ch). These
abstractions were originally needed because console_ch_t was the
curses chtype when CONFIG_CURSES was enabled, and console_write_ch()
handled VGA-to-curses character translation. That commit moved the
curses logic into curses_update(), making the typedef and helper
dead abstractions.
Replace console_ch_t with uint32_t and console_write_ch() calls
with direct assignments.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/console-vc: extract vt100_init() and vt100_fini()
Consolidate VT100 initialization and finalization into dedicated
functions, continuing the extraction of the VT100 layer from the
console/chardev code.
vt100_init() gathers the scattered setup (cursor timer, list insertion,
FIFO creation, default attributes, and image) that was previously spread
across vc_chr_open() and qemu_text_console_class_init().
vt100_fini() pairs with it by handling list removal, FIFO destruction,
and cells cleanup, replacing the open-coded QTAILQ_REMOVE in
qemu_text_console_finalize().
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/console-vc: extract vt100_keysym() from qemu_text_console_handle_keysym()
Move the keysym handling logic out of qemu_text_console_handle_keysym()
into a new vt100_keysym() helper that operates on QemuVT100 directly,
continuing the effort to decouple the VT100 layer from the console layer.
The echo path is updated to call vt100_input() instead of
qemu_chr_write(), since the function no longer has direct access
to the chardev.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/console-vc: extract vt100_input() from vc_chr_write()
Move the VT100 input processing logic out of vc_chr_write() into a new
vt100_input() function that operates on QemuVT100 directly, rather than
going through the Chardev/VCChardev layers. This continues the effort
to decouple the VT100 emulation from the chardev backend, making the
VT100 layer self-contained and reusable.
vc_chr_write() becomes a thin wrapper that extracts the QemuVT100 from
the chardev and delegates to vt100_input().
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/console-vc: move VT100 state machine and output FIFO into QemuVT100
Move the terminal escape sequence parser state (TTYState, esc_params,
text attributes, saved cursor position) and the output FIFO from
VCChardev/QemuTextConsole into QemuVT100. Rename the corresponding
functions from vc_* to vt100_* to reflect they now operate on the VT100
layer directly, removing the indirection through vc->console->vt.
Add an out_flush callback to QemuVT100 so vt100_write() can flush
output without knowing about QemuTextConsole, and move FIFO/VT100
initialization from qemu_text_console_init() to vc_chr_open() where
the callback can be wired up.
This continues the decoupling of VT100 terminal emulation from the
chardev layer, making QemuVT100 a self-contained terminal emulator.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
ui/console-vc: add UTF-8 input decoding with CP437 rendering
The text console receives bytes that may be UTF-8 encoded (e.g. from
a guest running a modern distro), but currently treats each byte as a
raw character index into the VGA/CP437 font, producing garbled output
for any multi-byte sequence.
Add a UTF-8 decoder using Bjoern Hoehrmann's DFA. The DFA inherently
rejects overlong encodings, surrogates, and codepoints above U+10FFFF.
Completed codepoints are then mapped to CP437, unmappable characters are
displayed as '?'.
Note that QEMU has a "buffered" utf8 decoder in util/unicode.c, but
it is not a good fit for byte-per-byte decoding.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
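To make the decoding path above concrete, here is an added example (not ui/console-vc code) that feeds guest bytes one at a time through Bjoern Hoehrmann's published UTF-8 DFA and renders each completed code point as a CP437 cell. The DFA's transition table rejects overlong forms, UTF-16 surrogates and values above U+10FFFF by construction; rejected input and code points with no CP437 glyph become '?'. The decoder state is kept in a small struct so a sequence split across two write() calls still decodes. The function names (utf8_decode, render_cp437, render_matches) are assumptions, not names from the tree.

```c
/*
 * Added example, not ui/console-vc code: byte-at-a-time UTF-8 decoding with
 * Bjoern Hoehrmann's DFA, rendering each completed code point as a CP437
 * cell. Rejected sequences and unmappable code points become '?'.
 * Function names are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define UTF8_ACCEPT 0
#define UTF8_REJECT 12

/* Hoehrmann's table: 256 byte->class entries, then a 9x12 transition table. */
static const uint8_t utf8d[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* 00..1f */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* 20..3f */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* 40..5f */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* 60..7f */
    1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, /* 80..9f */
    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, /* a0..bf */
    8,8,2,2,2,2,2,2,2,2,2,2,2,2,2,2, 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2, /* c0..df */
    10,3,3,3,3,3,3,3,3,3,3,3,3,4,3,3, 11,6,6,6,5,8,8,8,8,8,8,8,8,8,8,8, /* e0..ff */
    /* state (multiple of 12) + class -> next state; 12 is the reject sink */
    0,12,24,36,60,96,84,12,12,12,48,72, 12,12,12,12,12,12,12,12,12,12,12,12,
    12,0,12,12,12,12,12,0,12,0,12,12, 12,24,12,12,12,12,12,24,12,24,12,12,
    12,12,12,12,12,12,12,24,12,12,12,12, 12,24,12,12,12,12,12,12,12,24,12,12,
    12,12,12,12,12,12,12,36,12,36,12,12, 12,36,12,12,12,12,12,36,12,36,12,12,
    12,36,12,12,12,12,12,12,12,12,12,12,
};

static uint32_t utf8_decode(uint32_t *state, uint32_t *codep, uint8_t byte)
{
    uint32_t type = utf8d[byte];
    *codep = (*state != UTF8_ACCEPT) ? (byte & 0x3fu) | (*codep << 6)
                                     : (0xffu >> type) & byte;
    *state = utf8d[256 + *state + type];
    return *state;
}

/* Unicode code points of CP437 cells 0x80..0xFF; cells 0x00..0x7F are ASCII. */
static const uint16_t cp437_high[128] = {
    0x00C7,0x00FC,0x00E9,0x00E2,0x00E4,0x00E0,0x00E5,0x00E7, 0x00EA,0x00EB,0x00E8,0x00EF,0x00EE,0x00EC,0x00C4,0x00C5,
    0x00C9,0x00E6,0x00C6,0x00F4,0x00F6,0x00F2,0x00FB,0x00F9, 0x00FF,0x00D6,0x00DC,0x00A2,0x00A3,0x00A5,0x20A7,0x0192,
    0x00E1,0x00ED,0x00F3,0x00FA,0x00F1,0x00D1,0x00AA,0x00BA, 0x00BF,0x2310,0x00AC,0x00BD,0x00BC,0x00A1,0x00AB,0x00BB,
    0x2591,0x2592,0x2593,0x2502,0x2524,0x2561,0x2562,0x2556, 0x2555,0x2563,0x2551,0x2557,0x255D,0x255C,0x255B,0x2510,
    0x2514,0x2534,0x252C,0x251C,0x2500,0x253C,0x255E,0x255F, 0x255A,0x2554,0x2569,0x2566,0x2560,0x2550,0x256C,0x2567,
    0x2568,0x2564,0x2565,0x2559,0x2558,0x2552,0x2553,0x256B, 0x256A,0x2518,0x250C,0x2588,0x2584,0x258C,0x2590,0x2580,
    0x03B1,0x00DF,0x0393,0x03C0,0x03A3,0x03C3,0x00B5,0x03C4, 0x03A6,0x0398,0x03A9,0x03B4,0x221E,0x03C6,0x03B5,0x2229,
    0x2261,0x00B1,0x2265,0x2264,0x2320,0x2321,0x00F7,0x2248, 0x00B0,0x2219,0x00B7,0x221A,0x207F,0x00B2,0x25A0,0x00A0,
};

static uint8_t cp437_from_codepoint(uint32_t cp)
{
    if (cp < 0x80) return (uint8_t)cp;
    for (unsigned i = 0; i < 128; i++)
        if (cp437_high[i] == cp) return (uint8_t)(0x80 + i);
    return '?';                    /* unmappable (e.g. U+20AC, emoji) */
}

typedef struct { uint32_t state, codep; } Utf8Dec;   /* persists across write() calls */

/* Feed a chunk of guest bytes; emit one CP437 cell per character. Returns cells written. */
static size_t render_cp437(Utf8Dec *d, const uint8_t *in, size_t len, uint8_t *out, size_t outsz)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < outsz; ) {
        uint8_t b = in[i];
        uint32_t st = utf8_decode(&d->state, &d->codep, b);
        if (st == UTF8_ACCEPT) {
            out[n++] = cp437_from_codepoint(d->codep);
        } else if (st == UTF8_REJECT) {
            out[n++] = '?';
            d->state = UTF8_ACCEPT;
            /* A sequence cut short by ASCII or a fresh lead byte: that byte
             * starts the next character, so replay it from ACCEPT. */
            if (b < 0x80 || (b >= 0xC2 && b <= 0xF4)) continue;
        }
        i++;                       /* mid-sequence or consumed: next byte */
    }
    return n;
}

/* Helper for checking: render a NUL-terminated string and compare the cells. */
static int render_matches(const char *utf8, const char *expected_cells)
{
    Utf8Dec d = { UTF8_ACCEPT, 0 };
    uint8_t cells[64];
    size_t n = render_cp437(&d, (const uint8_t *)utf8, strlen(utf8), cells, sizeof cells);
    return n == strlen(expected_cells) && memcmp(cells, expected_cells, n) == 0;
}
```

Two details are worth noting. Hoehrmann's automaton consumes the byte that causes a rejection, so a decoder that simply resets on UTF8_REJECT silently drops the ASCII character or lead byte that interrupted a truncated sequence; the replay branch above avoids that. And because the reject states for overlong forms (E0 80.., F0 80..), surrogates (ED A0..) and values above U+10FFFF (F4 90..) are separate rows in the table, none of those need range checks on the assembled code point.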
ui/dbus: expose vc encoding via D-Bus Chardev.VCEncoding interface
When a D-Bus VC chardev is instantiated, export an extra
org.qemu.Display1.Chardev.VCEncoding interface on the chardev
object. This lets D-Bus display clients discover the encoding
(cp437 or utf8) in use by the virtual console.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
ui/console: default vc encoding to cp437 for machine < 11.1
Add a QOM "encoding" enum property to some chardev-vc backends
(console-vc & dbus - gtk and spice don't make use of it) so that the
machine compat mechanism can override the default. For machine versions
prior to 11.1, the charset defaults to cp437 (raw 8-bit VGA) instead of
utf8, preserving the historical behaviour.
The following commits are going to wire this to VT100 emulation code and
an extra exported D-Bus property.
Note that GTK libvte uses utf8 unconditionally, and Spice doesn't have a
way to set the encoding, and typically just uses libvte in the client too.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
This is a small help, because in fact all combined chardev
options are accepted by qemu_chardev_opts[]. But given that a user may
legitimately want to use the size options with a VC backend, we can
report an error when we know the backend doesn't support it.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
The -chardev vc documentation only mentioned the built-in console with
optional size parameters, but the actual behavior depends on the display
backend. Document the GTK (libvte), D-Bus and spice-app cases.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>