Akihiko Odaki [Tue, 5 May 2026 08:25:21 +0000 (09:25 +0100)]
target/arm/kvm: Cache host CPU probe failure
kvm_arm_set_cpu_features_from_host() does not properly handle host CPU
probe failure with caching. The current algorithm can be summarized as
follows:
If dtb_compatible is not cached:
    If kvm_arm_create_scratch_host_vcpu() fails:
        Report failure
    Cache dtb_compatible
    If getting register values fails:
        Report failure
Report success
This algorithm has the following problems:
- If kvm_arm_create_scratch_host_vcpu() fails, probing may be repeated.
- If getting register values fails, later invocations incorrectly report
success.
Make two changes to fix them:
- Cache dtb_compatible whenever a probe is attempted.
- Record probe failure by assigning QEMU_KVM_ARM_TARGET_NONE to
arm_host_cpu_features.target.
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260428-features-v1-1-1841b39da7e6@rsg.ci.i.u-tokyo.ac.jp
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
liugan1 [Tue, 5 May 2026 08:25:21 +0000 (09:25 +0100)]
hw/intc/arm_gicv3: Fix NS write to ICC_AP1Rn_EL1 when prebits < 7
The existing code uses a blanket `regno < 2` check to make
ICC_AP1R0_EL1 and ICC_AP1R1_EL1 writes from Non-secure code WI
(Write Ignore) when EL3 is present. This is intended to prevent
NS code from claiming active interrupts in the Secure priority
range, which could block Secure interrupt delivery.
However, that check assumes prebits=7 (4 APR registers), where the
NS priority range (128..255) maps entirely to AP1R2/AP1R3. Since
commit 39f29e599355 ("hw/intc/arm_gicv3: Use correct number of
priority bits for the CPU", first in 7.1), all QEMU AArch64 CPUs
are initialised with gic_pribits=5 (one APR register), so NS
priorities map to AP1R0 bits [16:31]. Blanket WI of the entire
AP1R0 register prevents NS code from clearing its own NS active
priority bits. Machines using hw_compat_7_0 (e.g. virt-7.0) still
force pribits=8 via force-8-bit-prio and are therefore unaffected.
A concrete consequence observed in virtualisation scenarios: when
a guest VM acknowledges an SPI interrupt but does not perform EOI,
is force-killed and restarted, the new guest's attempt to clear
the residual active state by writing ICC_AP1R0_EL1=0 is silently
ignored. The running priority (RPR) remains stuck at the old
interrupt's priority, preventing all equal-or-lower priority
interrupts (including timer interrupts) from being delivered, and
hanging the guest.
Fix this by computing the exact Secure/NS boundary within the APR
bank based on prebits. For registers entirely in the Secure range,
keep the WI behaviour. For the register that straddles the
boundary, preserve only the Secure bits while allowing NS bits to
be modified. For registers entirely in the NS range, allow full
write access.
The new logic produces identical behaviour to the old code when
prebits=7, preserving existing behaviour for machines that use
force-8-bit-prio.
Fixes: 39f29e599355 ("hw/intc/arm_gicv3: Use correct number of priority bits for the CPU")
Cc: qemu-stable@nongnu.org
Signed-off-by: liugan1 <liugan1@lixiang.com>
Message-id: 20260428083119.1400110-1-gs_liugan@163.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
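As an added illustration (not the patch's code and not QEMU's gicv3_cpuif.c), the C model below computes, for a given prebits, which bits of each ICC_AP1R<n>_EL1 register a Non-secure write may change and compares that with the old blanket `regno < 2` check; the bit layout (one active bit per preemption-priority group, 32 groups per register, Secure priorities in the lower half) is taken from the commit message above, and the function names are invented.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the Non-secure write permission for ICC_AP1R<n>_EL1 when EL3 is
 * present.  Assumed layout (from the commit text, not from QEMU's code):
 *   - 2^prebits preemption-priority groups, one active bit per group,
 *     32 groups per APR register (prebits=7 -> 4 registers, prebits=5 -> 1);
 *   - priorities 0..127 are Secure and 128..255 Non-secure, so the lower
 *     half of the group bits belongs to the Secure world.
 */
#define APR_BITS 32u

/* Number of ICC_AP1R<n> registers implemented for this prebits value. */
static unsigned apr_count(unsigned prebits)
{
    unsigned groups = 1u << prebits;
    return groups < APR_BITS ? 1 : groups / APR_BITS;
}

/* Bit index within the APR bank for a priority value. */
static unsigned prio_to_apr_bit(unsigned prebits, unsigned prio)
{
    return prio >> (8 - prebits);
}

/* Old behaviour: blanket WI for AP1R0/AP1R1 regardless of prebits. */
static uint32_t ns_write_mask_old(unsigned regno)
{
    return regno < 2 ? 0u : 0xffffffffu;
}

/*
 * New behaviour: mask of bits in ICC_AP1R<regno> that Non-secure software
 * may modify.  0 means the write is ignored, 0xffffffff means full access,
 * anything else means the register straddles the Secure/Non-secure boundary.
 */
static uint32_t ns_write_mask_new(unsigned prebits, unsigned regno)
{
    unsigned secure_groups = 1u << (prebits - 1);   /* priorities 0..127 */
    unsigned first_bit = regno * APR_BITS;

    if (first_bit + APR_BITS <= secure_groups) {
        return 0u;                                  /* entirely Secure: WI */
    }
    if (first_bit >= secure_groups) {
        return 0xffffffffu;                         /* entirely Non-secure */
    }
    /* Straddling: the low (secure_groups - first_bit) bits stay Secure. */
    return ~((1u << (secure_groups - first_bit)) - 1u);
}

/* Apply a Non-secure write under a mask, preserving the masked-off bits. */
static uint32_t apply_ns_write(uint32_t old, uint32_t value, uint32_t mask)
{
    return (old & ~mask) | (value & mask);
}

/* 1 if the new logic matches the old blanket check for every register. */
static int masks_identical(unsigned prebits)
{
    for (unsigned r = 0; r < apr_count(prebits); r++) {
        if (ns_write_mask_old(r) != ns_write_mask_new(prebits, r)) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* Scenario from the commit: prebits=5, an NS interrupt at priority 0xa0
     * was acknowledged but never EOIed, leaving its AP1R0 bit active. */
    unsigned prebits = 5;
    unsigned bit = prio_to_apr_bit(prebits, 0xa0);
    uint32_t ap1r0 = 1u << bit;

    printf("prebits=%u: priority 0xa0 -> AP1R0 bit %u\n", prebits, bit);
    printf("NS write of 0, old logic: 0x%08x (stuck)\n",
           apply_ns_write(ap1r0, 0, ns_write_mask_old(0)));
    printf("NS write of 0, new logic: 0x%08x (cleared)\n",
           apply_ns_write(ap1r0, 0, ns_write_mask_new(prebits, 0)));
    printf("prebits=7 behaves as before: %s\n",
           masks_identical(7) ? "yes" : "no");
    return 0;
}
```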
宋文武 [Tue, 5 May 2026 08:25:21 +0000 (09:25 +0100)]
hw/net/allwinner-sun8i-emac: Flush queued packets when rx is enabled
The RX_CTL_0 register includes the RX_EN receive-enable bit,
which allwinner_sun8i_emac_can_receive() checks. That means that
if the guest sets it we need to call qemu_flush_queued_packets()
as we might now be able to handle them.
This fixes a bug where networking didn't work in u-boot on the
orangepi-pc machine.
Peter Maydell [Tue, 5 May 2026 08:25:21 +0000 (09:25 +0100)]
docs/devel/decodetree: Fix formatting in "field examples" table
The rST syntax for a table uses ASCII art to draw the cell
boundaries; then inside each cell the text is treated as a body
element, so it is rendered the same way as text at the top level of a
document.
The "field examples" table was assuming a "literal document" format
for its cell bodies; this meant that the single line cells were being
rendered in plain text, not a fixed width font, and the multi line
cells were rendered as definition-lists because of their "second and
subsequent lines are indented" layout.
Fix this by consistently using inline-code markup for the left column
and literal blocks for the right column. (We want to be consistent
within each column because a literal block renders differently to
inline-code, with a green background.)
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Jim MacArthur [Tue, 5 May 2026 08:25:21 +0000 (09:25 +0100)]
tests/tcg/aarch64/system/rme_gdi.c: Very basic test of GDI
Simply tests GDI's prerequisites; that if GDI is enabled then
so are FEAT_RME and FEAT_RME_GPC2.
Signed-off-by: Jim MacArthur <jim.macarthur@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260421-jmac-feat_rme_gdi-v3-4-ecd20c77eae1@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Jim MacArthur [Tue, 5 May 2026 08:25:21 +0000 (09:25 +0100)]
target/arm/ptw.c: Add GDI spaces to the granule protection case
System Agent, Non-secure Protected and two other GPI field encodings.
These are explicitly denied access for any processing element when
the relevant GPCCR bit is set, and reserved values when the relevant
GPCCR bit is zero.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Jim MacArthur <jim.macarthur@linaro.org>
Message-id: 20260421-jmac-feat_rme_gdi-v3-3-ecd20c77eae1@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Jim MacArthur [Tue, 5 May 2026 08:25:21 +0000 (09:25 +0100)]
target/arm/cpu.h: New GPCCR fields
Add SA, NSP, NA6, NA7 for GDI and GPCBW for good measure.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Jim MacArthur <jim.macarthur@linaro.org>
Message-id: 20260421-jmac-feat_rme_gdi-v3-2-ecd20c77eae1@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Jim MacArthur [Tue, 5 May 2026 08:25:21 +0000 (09:25 +0100)]
target/arm/cpu-features.c: New fields in AA64MMFR4
Added RMEGDI for FEAT_RME_GDI and other new fields.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Jim MacArthur <jim.macarthur@linaro.org>
Message-id: 20260421-jmac-feat_rme_gdi-v3-1-ecd20c77eae1@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Pali Rohár [Tue, 5 May 2026 08:25:21 +0000 (09:25 +0100)]
qemu-options: Improve description for -smb option
Add #PRE and #NOFNR flags to LMHOSTS example line.
Include information about LMHOSTS path on Windows 3.x.
Windows NT 3.1 requires the #NOFNR flag for successful hostname resolving as
described in MS article Q103765 because qemu/smbd does not respond to
netbios name verification queries. #PRE is suggested in that article too
and decreases the delay on Windows 3.x for the first connection.
Signed-off-by: Pali Rohár <pali@kernel.org>
[PMM: Expand documentation to note what these flags do, and
clarify Windows LMHOSTS paths for different Windows versions,
based on discussion in patch review, fix existing grammar nit]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
The function regpairs_aligned is for extracting a 64-bit
quantity from a pair of 32-bit registers and does not
apply to AArch64.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260409035015.132370-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
The callback has been introduced in commit 715ca691daca ("sysbus: add
irq_routing_notifier") for use in VFIO platform. Meanwhile, VFIO
platform has been removed via commit 762c85543948 ("vfio: Remove 'vfio-
platform'") which was its only user. Remove this unused code.
cc: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Bernhard Beschow <shentey@gmail.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Message-id: 20260308203516.160103-6-shentey@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu: (58 commits)
whpx: i386: documentation update
whpx: i386: add SeparateSecurityDomain flag and make default
whpx: i386: add feature to intercept #GP MSR accesses
whpx: i386: update migration blocker message
whpx: i386: set APIC ID only when APIC present
whpx: xsave support
target/i386: add de/compaction to xsave_helper
target/i386: make xsave_buf present unconditionally
target/i386: emulate: use exception_payload for fault address
whpx: i386: Pause VM on fatal exception to be able to inspect state
whpx: i386: set WHvX64RegisterInitialApicId
whpx: i386: some x2APIC awareness
whpx: i386: add HV_X64_MSR_GUEST_IDLE when !kernel-irqchip
target: i386: HLT type that ignores EFLAGS.IF
whpx: i386: ignore vpassist when kernel-irqchip=off
whpx: i386: tighten APIC base validity check
target/i386: emulate, hvf: rdmsr/wrmsr GPF handling
whpx: i386: don't increment eip on MSR access raising GPF
whpx: i386: unknown MSR configurability
whpx: i386: enable GuestIdleReg enlightenment
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Fri, 1 May 2026 18:41:37 +0000 (14:41 -0400)]
Merge tag 's390x-20260430' of https://gitlab.com/cohuck/qemu into staging
First batch of s390x updates for 11.1:
- disable legacy virtio-pci from now on by default (did not work anyway)
- add a new boot test
- simplifications and cleanups
* tag 's390x-20260430' of https://gitlab.com/cohuck/qemu:
tests/functional/s390x: Update expected virtio-pci IDs
hw/s390x/ccw: Disable legacy virtio-pci by default (v11.1+)
MAINTAINERS: Update s390 trees
target/s390x: Prefer MO_128 definition over magic value
tests/functional/s390x: Add test for booting from a disk with 4k sectors
configs/targets: Restrict the legacy ldst_phys() API on s390x target
target/s390x: Replace legacy ld/st_phys -> address_space_ld/st (kvm)
target/s390x: Replace legacy ld/st_phys -> address_space_ld/st (tcg)
target/s390x: Replace legacy ld/st_phys -> address_space_ld/st (mmu)
target/s390x: Replace legacy ld/st_phys -> address_space_ld/st (cpu)
target/s390x/kvm: Simplify the async pfault handling code
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Magnus Kulke [Wed, 22 Apr 2026 21:42:16 +0000 (23:42 +0200)]
target/i386: add de/compaction to xsave_helper
Hyper-V uses XSAVES, which stores extended state in compacted format, in
which components are packed contiguously, while QEMU's internal XSAVE
representation uses the standard format, in which each component is placed
at a fixed offset. Hence for this purpose we add two conversion functions to
the xsave helper to round-trip XSAVE state in a migration.
- decompact_xsave_area(): converts compacted format to standard.
XSTATE_BV is masked to host XCR0 since IA32_XSS is managed
by the hypervisor.
- compact_xsave_area(): converts standard format back to compacted
format. XCOMP_BV is set from the host's CPUID 0xD.0 rather than the
guest's XCR0, as this is what the hypervisor expects.
Both functions use the host's CPUID leaf 0xD subleaves to determine component
sizes, offsets, and alignment requirements.
There are situations when the host advertises features that we want to
disable for the guest, e.g. AMX TILE. In this case we cannot rely on the
host's xcr0, but instead we use the feature mask that has been generated
as part of the CPU realization process (x86_cpu_expand_features).
Signed-off-by: Magnus Kulke <magnuskulke@linux.microsoft.com>
[Fixup: made xsave_offset a size_t to fix macOS and OpenBSD builds]
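Added example, not the xsave_helper code from this series: a C model of the standard/compacted round trip described above, using a constructed component table (the usual Intel sizes and standard-format offsets for components 2..4 and 9, plus an invented alignment-required component 10) and treating `supported_mask` as the host feature mask the commit refers to; the function names are invented.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/*
 * Model of XSAVE standard <-> compacted conversion; not QEMU's xsave_helper.
 * The component table is constructed: components 2..4 and 9 carry the usual
 * Intel sizes/offsets, component 10 is made up (24 bytes, alignment flag
 * CPUID.(0xD,i):ECX[1] set) so that the alignment rule is exercised.
 */
typedef struct {
    uint32_t size;        /* CPUID.(0xD,i):EAX */
    uint32_t std_offset;  /* CPUID.(0xD,i):EBX: fixed offset, standard format */
    bool align64;         /* CPUID.(0xD,i):ECX[1]: 64-byte aligned if compacted */
} XsaveComp;

#define XSAVE_NCOMP         11
#define XSAVE_AREA_SIZE     4096
#define XSAVE_LEGACY_SIZE   512      /* x87/SSE area, identical in both formats */
#define XSTATE_BV_OFFSET    512      /* header: which components hold live data */
#define XCOMP_BV_OFFSET     520      /* header: which slots exist (compacted) */
#define XSAVE_COMP_START    576      /* legacy area + 64-byte header */
#define XCOMP_BV_COMPACTED  (1ull << 63)

static const XsaveComp comps[XSAVE_NCOMP] = {
    [2]  = { 256,  576, false },  /* AVX YMM_Hi128 */
    [3]  = {  64,  960, false },  /* MPX BNDREGS */
    [4]  = {  64, 1024, false },  /* MPX BNDCSR */
    [9]  = {   8, 2688, false },  /* PKRU */
    [10] = {  24, 2696, true  },  /* constructed, alignment-required */
};

static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

/*
 * Offset of component `comp` in a compacted area.  The layout is dictated by
 * XCOMP_BV, not XSTATE_BV: each present slot follows the previous one,
 * rounded up to 64 bytes when that component's alignment flag is set.
 */
static uint32_t compacted_offset(uint64_t xcomp_bv, unsigned comp)
{
    uint32_t off = XSAVE_COMP_START;
    for (unsigned i = 2; i < comp; i++) {
        if (!(xcomp_bv & (1ull << i))) continue;
        if (comps[i].align64) off = (off + 63u) & ~63u;
        off += comps[i].size;
    }
    return comps[comp].align64 ? (off + 63u) & ~63u : off;
}

/*
 * Standard -> compacted.  As the commit describes, XCOMP_BV is taken from the
 * supported mask (host CPUID 0xD.0), not from the guest's state bits.
 */
static void compact_xsave_area(const uint8_t *std, uint8_t *cmp,
                               uint64_t supported_mask)
{
    uint64_t xstate_bv = rd64(std + XSTATE_BV_OFFSET) & supported_mask;

    memset(cmp, 0, XSAVE_AREA_SIZE);
    memcpy(cmp, std, XSAVE_LEGACY_SIZE);
    wr64(cmp + XSTATE_BV_OFFSET, xstate_bv);
    wr64(cmp + XCOMP_BV_OFFSET, supported_mask | XCOMP_BV_COMPACTED);
    for (unsigned i = 2; i < XSAVE_NCOMP; i++) {
        if (xstate_bv & (1ull << i)) {
            memcpy(cmp + compacted_offset(supported_mask, i),
                   std + comps[i].std_offset, comps[i].size);
        }
    }
}

/* Compacted -> standard.  Slots absent from XSTATE_BV stay in init state (zero). */
static void decompact_xsave_area(const uint8_t *cmp, uint8_t *std)
{
    uint64_t xcomp_bv = rd64(cmp + XCOMP_BV_OFFSET) & ~XCOMP_BV_COMPACTED;
    uint64_t xstate_bv = rd64(cmp + XSTATE_BV_OFFSET) & xcomp_bv;

    memset(std, 0, XSAVE_AREA_SIZE);
    memcpy(std, cmp, XSAVE_LEGACY_SIZE);
    wr64(std + XSTATE_BV_OFFSET, xstate_bv);  /* XCOMP_BV left 0: standard format */
    for (unsigned i = 2; i < XSAVE_NCOMP; i++) {
        if (xstate_bv & (1ull << i)) {
            memcpy(std + comps[i].std_offset,
                   cmp + compacted_offset(xcomp_bv, i), comps[i].size);
        }
    }
}

/* Round trip over a constructed standard-format area; returns 1 on success. */
static int roundtrip_ok(void)
{
    static uint8_t std[XSAVE_AREA_SIZE], cmp[XSAVE_AREA_SIZE], back[XSAVE_AREA_SIZE];
    const uint64_t live = (1ull << 2) | (1ull << 4) | (1ull << 10);
    const uint64_t supported = live | (1ull << 3) | (1ull << 9);

    memset(std, 0, sizeof std);
    memset(std, 0x5a, XSAVE_LEGACY_SIZE);       /* constructed legacy x87/SSE bytes */
    wr64(std + XSTATE_BV_OFFSET, live);
    memset(std + comps[2].std_offset, 0xaa, comps[2].size);
    memset(std + comps[4].std_offset, 0xbb, comps[4].size);
    memset(std + comps[10].std_offset, 0xcc, comps[10].size);

    compact_xsave_area(std, cmp, supported);
    decompact_xsave_area(cmp, back);
    return memcmp(std, back, sizeof std) == 0 &&
           cmp[compacted_offset(supported, 10)] == 0xcc;
}
```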
> A partition which possesses the AccessGuestIdleMsr privilege may trigger
> entry into the virtual processor idle sleep state through a read to the
> hypervisor-defined MSR HV_X64_MSR_GUEST_IDLE. The virtual processor will
> be woken when an interrupt arrives, regardless of whether the interrupt
> is enabled on the virtual processor or not.
Meanwhile, Windows 24H2+ calls this MSR anyway without the privilege being set.
Add the infrastructure to support it on the generic QEMU side.
Add x2apic emulation to WHPX for the kernel-irqchip=off case.
Unfortunately, it looks like there isn't a workaround available
for proper behavior of PIC interrupts when kernel-irqchip=on
for Windows 10. The OS is out of support outside of extended
security updates so this will not be addressed.
The performance boost is quite visible for multicore guests.
Jon Kohler [Mon, 30 Mar 2026 19:34:27 +0000 (12:34 -0700)]
target/i386: add new Intel models for MMIO/GDS/RFDS mitigation status
Add new bits to ARCH_CAPABILITIES MSR to enumerate the status of the
MMIO/GDS/RFDS mitigations on Cascade Lake, Ice Lake, Sapphire Rapids,
and Granite Rapids processors.
These have been advertised in Intel microcode updates for a while now,
but require user space to opt in to advertise them to guests.
New models are:
- Cascadelake-Server-v6
- Icelake-Server-v8
- SapphireRapids-v7 (note, already got MMIO fixes on commit [1])
- GraniteRapids-v6
[1] 3baf7ae63505 ("target/i386: Add few security fix bits in
ARCH_CAPABILITIES into SapphireRapids CPU model")
Jon Kohler [Mon, 30 Mar 2026 19:34:26 +0000 (12:34 -0700)]
target/i386: add new AMD EPYC models for GMET enablement
Add models to expose Guest Mode Execute Trap (GMET) support,
and add CPUID_SVM_GMET header definition so that future EPYC
models can easily add default support.
New models are:
AMD EPYC-Milan-v4
AMD EPYC-Genoa-v3
AMD EPYC-Turin-v2
Cc: Babu Moger <babu.moger@amd.com>
Cc: Nikunj A Dadhania <nikunj@amd.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jon Kohler <jon@nutanix.com>
Link: https://lore.kernel.org/r/20260330193428.1663253-2-jon@nutanix.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Alessandro Ratti [Sat, 21 Mar 2026 10:04:05 +0000 (11:04 +0100)]
hw/qdev: Consolidate qdev_get_printable_name() into qdev_get_human_name()
Rename qdev_get_printable_name() to qdev_get_human_name(), remove
the old qdev_get_human_name() implementation, and switch the three
qdev_get_printable_name() callers in hw/virtio/virtio.c.
qdev_get_printable_name() subsumes qdev_get_human_name(): both
return the device ID when set and fall back to the canonical QOM
path, but qdev_get_printable_name() also tries the bus-specific
path first, providing more informative output.
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Alessandro Ratti <alessandro@0x65c.net>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Link: https://lore.kernel.org/r/20260321100405.1525059-4-alessandro@0x65c.net
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Alessandro Ratti [Sat, 21 Mar 2026 10:04:04 +0000 (11:04 +0100)]
hw/qdev: Prefix bus type in qdev_get_printable_name() device paths
Raw get_dev_path() output (e.g. "0000:00:04.0", "/1") is ambiguous
without knowing which bus produced it. Prefix the path with the bus
type name so error messages become self-describing.
Alessandro Ratti [Sat, 21 Mar 2026 10:04:03 +0000 (11:04 +0100)]
hw/qdev: Clarify fallback order in qdev_get_printable_name()
Replace the uninformative "<unknown device>" final fallback with the
canonical QOM path (e.g. /machine/peripheral-anon/device[0]).
Also clean up comments to accurately describe qdev_get_dev_path()
behavior, drop an unnecessary comment on the dev->id check, and rename
the @vdev parameter to @dev for consistency with surrounding code.
Update the doc comment in qdev.h to reflect the new fallback chain.
Jaehoon Kim [Mon, 20 Apr 2026 14:47:34 +0000 (09:47 -0500)]
hw/s390x/ccw: Disable legacy virtio-pci by default (v11.1+)
On the s390 Linux kernel, IO_SPACE_LIMIT has been 0 since the initial
zPCI implementation (commit cd24834130ac "s390/pci: base support"),
making I/O BARs unusable.
However, when virtio-pci devices operate in transitional mode, QEMU
unconditionally exposes the legacy interface via BAR0. This results in
firmware warnings during PCI enumeration, such as:
pci 0005:00:00.0: [Firmware Bug]: BAR 0: invalid; can't size
even though BAR0 is never usable on the s390 kernel.
Close this gap by disabling legacy virtio-pci support starting from
machine version 11.1. This effectively makes virtio-pci devices
non-transitional and prevents the creation of the unusable legacy I/O
BAR.
This introduces s390x-specific global compatibility properties that
set disable-legacy=on as the default for virtio-pci devices. Machine
versions v11.0 and earlier set disable-legacy=off to maintain their
original default behavior (legacy support enabled), ensuring VMs
created with those versions continue to work identically.
Users can override the default on the command line if needed:
- On v11.1+: -global virtio-pci.disable-legacy=off (to enable legacy)
- On v11.0-: -global virtio-pci.disable-legacy=on (to disable legacy)
Signed-off-by: Jaehoon Kim <jhkim@linux.ibm.com>
Reviewed-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Tested-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-ID: <20260420144759.2970726-2-jhkim@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
target/s390x: Prefer MO_128 definition over magic value
The MO_128 definition did not exist when commit 6d841663be8
("s390x/tcg: Implement VECTOR GATHER ELEMENT") introduced the
ES_128 definition. It was added 2 years later in commit 4b473e0c60d
("tcg: Expand MO_SIZE to 3 bits"). Since it is now available,
replace the magic '4' by the more explicit 'MO_128'.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-ID: <20260415220358.93063-1-philmd@linaro.org>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Thomas Huth [Mon, 23 Mar 2026 17:14:23 +0000 (18:14 +0100)]
tests/functional/s390x: Add test for booting from a disk with 4k sectors
The DASD disks on s390x have a different sector size (4k) and use
a different layout of the boot loader data compared to the usual
"SCSI"-style disks with 512 sectors that are used with most modern
guests. To make sure that there are no regressions with 4k disk
booting, add a test case that uses a disk image with these 4k sectors
and checks that we can successfully show the boot menu and load the
right kernel in all supported cases.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Message-ID: <20260323171423.112205-1-thuth@redhat.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
configs/targets: Restrict the legacy ldst_phys() API on s390x target
The s390x target doesn't use the legacy ldst_phys() API anymore.
Set the TARGET_NOT_USING_LEGACY_LDST_PHYS_API variable to hide
the legacy API to the qemu-system-loongarch64 binary, avoiding
further API uses to creep in.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Tested-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-ID: <20260319185203.11799-6-philmd@linaro.org>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Prefer the address_space_ld/st API over the legacy ld_phys()
because it allows checking for bus access faults.
This code however doesn't check for faults, so we simply inline
the calls (not specifying any memory transaction attribute nor
expecting a transaction result). No logical change intended.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Tested-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-ID: <20260319185203.11799-5-philmd@linaro.org>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Prefer the address_space_ld/st API over the legacy ld_phys()
because it allows checking for bus access faults.
This code however doesn't check for faults, so we simply inline
the calls (not specifying any memory transaction attribute nor
expecting a transaction result). No logical change intended.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Tested-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-ID: <20260319185203.11799-4-philmd@linaro.org>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Prefer the address_space_ld/st API over the legacy ld_phys()
because it allows checking for bus access faults.
This code however doesn't check for faults, so we simply inline
the calls (not specifying any memory transaction attribute nor
expecting a transaction result). No logical change intended.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Tested-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-ID: <20260319185203.11799-3-philmd@linaro.org>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Prefer the address_space_ld/st API over the legacy ld_phys()
because it allows checking for bus access faults.
This code however doesn't check for faults, so we simply inline
the calls (not specifying any memory transaction attribute nor
expecting a transaction result). No logical change intended.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Tested-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-ID: <20260319185203.11799-2-philmd@linaro.org>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Thomas Huth [Tue, 17 Mar 2026 13:45:31 +0000 (14:45 +0100)]
target/s390x/kvm: Simplify the async pfault handling code
Since commit 126e7f78036 ("kvm: require KVM_CAP_IOEVENTFD and
KVM_CAP_IOEVENTFD_ANY_LENGTH") we require at least kernel v4.4 to
be able to use KVM. KVM_CAP_ASYNC_PF is available in the kernel
since v3.15 and KVM_SYNC_PFAULT is available since kernel v3.18,
so we can assume now that they are available in all supported
kernels. Thus simplify the code a little bit by removing the
checks for these features.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Message-ID: <20260317134531.460141-1-thuth@redhat.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Stefan Hajnoczi [Thu, 30 Apr 2026 14:33:15 +0000 (10:33 -0400)]
Merge tag 'linux-user-next-pull-request' of https://github.com/hdeller/qemu-hppa into staging
Pull request for linux-user
Please pull 4 fixes for the linux-user target.
Two patches fix open bug reports regarding return error codes and allowed parameters.
One adds missing CDROM ioctls (and fixes a few), and the last patch is a leftover
from the previous pull request and helps flushing error strings at exit.
* tag 'linux-user-next-pull-request' of https://github.com/hdeller/qemu-hppa:
linux-user: Translate errno in IP_RECVERR and IPV6_RECVERR
linux-user: Allow getsockopt() with NULL optval address
linux-user: Flush errors by using exit() instead of _exit() in error path
linux-user: Add missing CDROM ioctls
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Thu, 30 Apr 2026 14:32:40 +0000 (10:32 -0400)]
Merge tag 'pull-fpu-20260430' of https://gitlab.com/rth7680/qemu into staging
fpu: Drop PARTS_GENERIC_64_128{_256}
fpu: Drop FRAC_GENERIC_64_128{_256}
fpu: Constify frac{64,128,256}_* inputs
fpu: Return struct from *_unpack_canonical
fpu: Inline some *_unpack_raw into only caller
fpu: Change parts_float_to_float_narrow to parts128_to_parts64
fpu: Change parts_float_to_float_widen to parts64_to_parts128
* tag 'pull-fpu-20260430' of https://gitlab.com/rth7680/qemu: (48 commits)
fpu: Change parts_float_to_float_widen to parts64_to_parts128
fpu: Change parts_float_to_float_narrow to parts128_to_parts64
fpu: Return struct from float128_unpack_canonical
fpu: Return struct from float128_unpack_raw
fpu: Inline floatx80_unpack_raw into only caller
fpu: Return struct from float{32,64}_unpack_canonical
fpu: Inline float64_unpack_raw into callers
fpu: Inline float32_unpack_raw into callers
fpu: Return struct from bfloat16_unpack_canonical
fpu: Inline bfloat16_unpack_raw into callers
fpu: Return struct from float16_unpack_canonical
fpu: Return struct from float16a_unpack_canonical
fpu: Inline float16_unpack_raw into callers
fpu: Return struct from float8_e5m2_unpack_canonical
fpu: Return struct from float8_e4m3_unpack_canonical
fpu: Return struct from float4_e2m1_unpack_canonical
fpu: Return structure from unpack_raw64
fpu: Constify frac{64,128,256}_* inputs
fpu: Drop FRAC_GENERIC_64_128{_256}
fpu: Drop PARTS_GENERIC_64_128{_256}
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* tag 'pull-tcg-20260430' of https://gitlab.com/rth7680/qemu:
tcg: Remove unused tcg_gen_vec_*_tl() API
tcg/aarch64/tcg-target.c.inc: Manual replace of I3310, I3313
tcg/aarch64/tcg-target.c.inc: Replacement of I3XXX names
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Thu, 30 Apr 2026 14:30:58 +0000 (10:30 -0400)]
Merge tag 'pull-ppc-for-11.1-20260429' of https://gitlab.com/harshpb/qemu into staging
PPC PR for 11.1
* MPIPL support for PowerNV
* ppc/pnv: Add a nest MMU model
* hw/ssi/pnv_spi: Fix fifo8 memory leak on unrealize
* hw/intc/xics: Add a check for an invalid server id
* tag 'pull-ppc-for-11.1-20260429' of https://gitlab.com/harshpb/qemu:
hw/intc/xics: Add a check for an invalid server id
ppc/pnv: Add a nest MMU model
hw/ssi/pnv_spi: Fix fifo8 memory leak on unrealize
MAINTAINERS: Add entry for MPIPL (PowerNV)
tests/functional: Add test for MPIPL in PowerNV
pnv/mpipl: Enable MPIPL support
pnv/mpipl: Write the preserved CPU and MDRT state
pnv/mpipl: Set thread entry size to be allocated by firmware
pnv/mpipl: Preserve CPU registers after crash
pnv/mpipl: Preserve memory regions as per MDST/MDDT tables
ppc/pnv: Handle stash command in PowerNV SBE
ppc/mpipl: Implement S0 SBE interrupt
ppc/pnv: Move SBE host doorbell function to top of file
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* tag 'block-pull-request' of https://gitlab.com/stefanha/qemu:
qapi/iothread: introduce poll-weight parameter for aio-poll
aio-poll: refine iothread polling using weighted handler intervals
aio-poll: avoid unnecessary polling time computation
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Paolo Bonzini [Fri, 24 Apr 2026 08:08:34 +0000 (10:08 +0200)]
minikconf: move command-line assignment out of the parser
KconfigParser.do_assignment() only exists to handle CONFIG_FOO=y/n
arguments from the command line; it is never invoked while parsing
a Kconfig source file. Because main() called it on a parser that
had never been through parse_file(), a failing CONFIG_ check would
raise a KconfigParserError whose __init__ and location() touch
fields of "self" that do not exist yet. The regex in main()
currently shields this, but it is fragile.
Move the prefix-stripping assignment to KconfigData as
do_cmdline_assignment(), simplify KconfigParser.parse() to accept
an existing KconfigData, and call it from main() so the parser is
only used for actual file parsing.
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Paolo Bonzini [Tue, 31 Mar 2026 08:22:12 +0000 (10:22 +0200)]
tests: add test for json-streamer.c error recovery
Before rewriting the error recovery code to work in a push parsing
setup, make sure that we have tests for it.
Cover various cases of invalid JSON, to check that structural
recovery based on balanced brackets and braces works; and
lexer-based recovery which documents "\f" as a sure fire
way to reset the lexer.
Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Paolo Bonzini [Tue, 31 Mar 2026 06:52:37 +0000 (08:52 +0200)]
target/i386/tcg: simplify decoding of 0F 38 F0...FF
These lines are shown in the manual with a weird representation that
confers a special meaning to 0x66 0xF2 prefixes. In reality, this is
just the CRC32 instruction (chosen by 0xF2) plus a data size override
prefix. All other instructions in the range that use the 0xF2 prefix
are VEX-encoded and therefore do not support multiple prefixes.
Because of this, it is possible to handle the four prefixes normally
using decode_by_prefix; the 0x66 0xF2 combination for CRC32 is handled
naturally by the "v" operand size.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Scott J. Goldman [Mon, 27 Apr 2026 23:21:15 +0000 (16:21 -0700)]
target/arm/hvf, target/i386/hvf: Pass MR-relative offset to memory_region_set_dirty()
Both the arm and i386 hvf accelerators have the same bug in their
dirty-page logging path: the address fed to memory_region_set_dirty()
is computed as "<ipa,gpa>_page + xlat", but memory_region_set_dirty()
expects an offset relative to the start of the resolved MemoryRegion.
address_space_translate() already returns that offset in xlat, while
ipa_page / gpa_page is the guest-physical (system address space)
address.
Adding the two together produces a bogus offset that for any non-
trivial RAM size walks well past the end of the MemoryRegion's dirty
bitmap. With dirty logging active (e.g. live migration on a guest
with several GB of RAM), this triggers an out-of-bounds atomic write
inside bitmap_set_atomic() and crashes the source QEMU as soon as the
guest writes to RAM:
Thread .. 'CPU N/HVF', stop reason = EXC_BAD_ACCESS ...
bitmap_set_atomic at bitmap.c:213
physical_memory_set_dirty_range at physmem.c:1038
memory_region_set_dirty at memory.c:2191
hvf_handle_exception at hvf.c
Fix it by passing only the MR-relative offset xlat. ipa_page /
gpa_page is still the right argument to hvf_unprotect_dirty_range(),
which works on the guest-physical address space.
Prior to 1.11.0, builds with rust didn't use link_args.
In QEMU's case, it means that plugins could not work, since they rely on
link_args to expose symbols from the QEMU binary.
linux-user: Translate errno in IP_RECVERR and IPV6_RECVERR
Translate host error codes of IP_RECVERR and IPV6_RECVERR control messages to
target error codes before returning to the caller.
For example, this is important for architectures (e.g. hppa, alpha, sparc,
mips) on which the value of ECONNREFUSED is different to the value on a x86_64
host.
linux-user: Allow getsockopt() with NULL optval address
Some programs test availability of socket options by asking for the
value with a NULL optval address, which currently always triggers an
EFAULT in qemu. Fix it by allowing a NULL address, in the same manner
as the Linux kernel on physical machines.