Stefan Hajnoczi [Tue, 2 Jun 2026 16:24:54 +0000 (12:24 -0400)]
gitlab: remove x64-freebsd-14-build Cirrus job
Cirrus has shut down and the x64-freebsd-14-build is failing:
https://gitlab.com/qemu-project/qemu/-/jobs/14656732122
Remove the x64-freebsd-14-build job to get the CI pipeline passing
again. The next commit will be to remove Cirrus integration from the
GitLab YAML and lcitool since it is no longer used.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Reviewed-by: Warner Losh <imp@bsdimp.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
Message-id: 20260602162457.828969-2-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Denis V. Lunev [Wed, 20 May 2026 21:26:28 +0000 (23:26 +0200)]
tests/unit: add test-envlist covering setenv/unsetenv name matching
util/envlist had no test coverage. Add tests/unit/test-envlist
exercising the public envlist API and pinning down the prefix-match
hazard fixed in the previous commit:
- envlist_unsetenv("FOO") must not remove an entry named "FOOBAR";
- envlist_setenv("FOO=...") must not replace an existing "FOOBAR=..."
entry placed earlier in the list (envlist_setenv() inserts at the
head, so the first prefix match wins under the old strncmp rule).
Also cover the rest of the contract: head-insertion order observed
through envlist_to_environ(), replacement of an existing variable,
the count argument of envlist_to_environ(), and the documented EINVAL
paths (NULL inputs, setenv without '=', unsetenv with '=').
Signed-off-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20260520212628.479772-3-den@openvz.org
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Denis V. Lunev [Wed, 20 May 2026 21:26:27 +0000 (23:26 +0200)]
util/envlist: fix prefix-match in envlist_unsetenv() name lookup
envlist_unsetenv() looked up the entry to remove with
strncmp(entry->ev_var, env, strlen(env)). The comparison length is
the requested name's length, so any stored entry whose name *starts*
with that name compares equal. envlist_setenv() inserts at the head
of the list, so the first hit wins: with FOO=... stored first and
FOOBAR=... stored afterward, envlist_unsetenv("FOO") iterates from
the head, matches FOOBAR=... on the prefix, and drops it instead of
FOO=...
linux-user and bsd-user reach this code via the -U command-line
switch, so the bug is reachable from a normal qemu-user invocation.
envlist_setenv() used the same strncmp pattern but with
envname_len = (eq_sign - env + 1), so the '=' byte sat inside the
compared window and acted as an implicit boundary. setenv was
therefore not buggy -- but the safety lived in the byte layout of
ev_var rather than in the entry, so a future edit could easily
drift the two sites apart again.
Store the name length on each entry at insertion time and compare
with explicit length equality plus memcmp via a small helper. Use
the helper at both lookup sites so the boundary becomes a
structural property of the entry: envlist_unsetenv() stops
prefix-matching, and envlist_setenv()'s self-search no longer
depends on the '=' byte serving as a sentinel.
Fixes: 04a6dfebb6b5 ("linux-user: Add generic env variable handling")
Signed-off-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20260520212628.479772-2-den@openvz.org
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
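The prefix-match hazard described in the commit above, as an added standalone C model; this is not QEMU's util/envlist.c, and the list type, helper names (el_setenv, el_unsetenv, match_prefix_old, match_exact) and the FOO/FOOBAR values are constructed for illustration. The old strncmp rule and the fixed length-plus-memcmp rule are run side by side on the same list so the difference in which entry gets removed is visible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a head-inserted environment list, written for this note; it is
 * not QEMU's util/envlist.c. Each entry stores "NAME=value" plus, as in the
 * fix described above, the length of NAME recorded at insertion time. */
struct entry {
    char *var;          /* "NAME=value" */
    size_t name_len;    /* strlen("NAME"): the boundary lives in the entry */
    struct entry *next;
};
struct envlist { struct entry *head; };

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return memcpy(p, s, n);
}

/* Old unsetenv rule: only strlen(name) bytes are compared, so any stored
 * entry whose name merely starts with `name` compares equal. */
static int match_prefix_old(const struct entry *e, const char *name)
{
    return strncmp(e->var, name, strlen(name)) == 0;
}

/* Fixed rule: exact name length plus memcmp, so "FOO" cannot hit "FOOBAR". */
static int match_exact(const struct entry *e, const char *name, size_t len)
{
    return e->name_len == len && memcmp(e->var, name, len) == 0;
}

/* Set NAME=value: replace an existing NAME in place, else insert at the head.
 * Returns -1 for input without '=' (the documented EINVAL case). */
static int el_setenv(struct envlist *el, const char *assignment)
{
    const char *eq = strchr(assignment, '=');
    if (eq == NULL || eq == assignment) return -1;
    size_t len = (size_t)(eq - assignment);
    for (struct entry *e = el->head; e != NULL; e = e->next) {
        if (match_exact(e, assignment, len)) {
            free(e->var);
            e->var = dup_str(assignment);
            return 0;
        }
    }
    struct entry *e = malloc(sizeof *e);
    e->var = dup_str(assignment);
    e->name_len = len;
    e->next = el->head;
    el->head = e;
    return 0;
}

/* Remove the first entry whose name matches `name` under the selected rule.
 * Returns the removed "NAME=value" string (caller frees) or NULL. */
static char *el_unsetenv(struct envlist *el, const char *name, int fixed)
{
    size_t len = strlen(name);
    if (len == 0 || strchr(name, '=') != NULL) return NULL; /* EINVAL case */
    for (struct entry **pp = &el->head; *pp != NULL; pp = &(*pp)->next) {
        struct entry *e = *pp;
        if (fixed ? match_exact(e, name, len) : match_prefix_old(e, name)) {
            char *var = e->var;
            *pp = e->next;
            free(e);
            return var;
        }
    }
    return NULL;
}

static void el_free(struct envlist *el)
{
    for (struct entry *e = el->head, *n; e != NULL; e = n) {
        n = e->next;
        free(e->var);
        free(e);
    }
}

/* Reproduce the scenario from the commit message: FOO=... stored first,
 * FOOBAR=... afterward (so it sits at the head), then unsetenv("FOO").
 * Returns the "NAME=value" string that was actually removed. */
static const char *removed_by_unsetenv_foo(int fixed)
{
    static char out[32];
    struct envlist el = { NULL };
    el_setenv(&el, "FOO=1");
    el_setenv(&el, "FOOBAR=2");
    char *removed = el_unsetenv(&el, "FOO", fixed);
    snprintf(out, sizeof out, "%s", removed ? removed : "(none)");
    free(removed);
    el_free(&el);
    return out;
}
```

Calling removed_by_unsetenv_foo(0) returns "FOOBAR=2" (the old prefix rule drops the wrong entry), while removed_by_unsetenv_foo(1) returns "FOO=1".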
Stefan Hajnoczi [Tue, 2 Jun 2026 15:34:55 +0000 (11:34 -0400)]
Merge tag 'pull-tpm-2026-06-01-1' of https://github.com/stefanberger/qemu-tpm into staging
Merge tpm 2026/06/01 v1
# gpg: Signature made Mon 01 Jun 2026 17:53:21 EDT
# gpg: using RSA key B818B9CADF9089C2D5CEC66B75AD65802A0B4211
# gpg: Good signature from "Stefan Berger <stefanb@linux.vnet.ibm.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: B818 B9CA DF90 89C2 D5CE C66B 75AD 6580 2A0B 4211
* tag 'pull-tpm-2026-06-01-1' of https://github.com/stefanberger/qemu-tpm:
tpm_emulator: Disconnect if response exceeds negotiated buffer size
tpm_emulator: Reject a buffer size different than what was requested
hw/tpm: Add support for VM migration with TPM CRB chunking
test/qtest: Add test for tpm crb chunking
hw/tpm: Implement TPM CRB chunking logic
hw/tpm: Add internal buffer state for chunking
hw/tpm: Refactor CRB_CTRL_START register access
hw/tpm: Add TPM CRB chunking fields
ui/vdagent: Use VMSTATE_GBYTEARRAY to safely migrate outbuf
migration/vmstate: Add VMState support for GByteArray
tests: Add a TPM TIS I2C swtpm test
tests: Check whether the I2C master flag is set
tests: Rename id of tpmdev to tpm0
tests: Convert string arrays to byte arrays
tests: Have TPM I2C read/write functions take QTestState as first parameter
tests: Move TPM I2C bus read/write functions to common files
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Tue, 2 Jun 2026 15:34:42 +0000 (11:34 -0400)]
Merge tag 'pull-11.1-testing-hotfix-010626-1' of https://gitlab.com/stsquad/qemu into staging
testing updates:
- revert test/Makefile.include move due to regression
- work-around move with explicit targets for MacOS gitlab
- use debian-all-test-cross for MIPS TCG tests
# gpg: Signature made Mon 01 Jun 2026 12:17:48 EDT
# gpg: using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44
* tag 'pull-11.1-testing-hotfix-010626-1' of https://gitlab.com/stsquad/qemu:
configure: use debian-all-test-cross for mipsel tcg tests
gitlab: work around the inability to build targets for MacOS
Revert "Makefile: include tests/Makefile.include before ninja calculation"
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Berger [Mon, 11 May 2026 14:22:18 +0000 (14:22 +0000)]
tpm_emulator: Disconnect if response exceeds negotiated buffer size
Disconnect from the emulator if a response was to exceed the negotiated
buffer size.
The TPM TIS and SPAPR use 4096 bytes and the CRB 3968 bytes. There are
currently no TPM 2 responses using a buffer of this size and therefore
no response will be sent that exceeds this size.
Stefan Berger [Mon, 11 May 2026 14:22:17 +0000 (14:22 +0000)]
tpm_emulator: Reject a buffer size different than what was requested
When the TIS, SPAPR, or CRB frontends negotiate a buffer size with the
TPM backend, then the tpm_emulator (swtpm) could still adjust this size
of the buffer to within bounds supported by swtpm+libtpms if the chosen
size was outside the acceptable range. This could theoretically lead to
the TPM 2 using a bigger buffer than what was requested and memory
allocated for. In practice this would not happen since the requested size
of 4096 bytes for TIS and SPAPR and 3968 bytes for CRB happen in the
(currently) supported range of ~2.5kb to 4096 bytes. With PQC support
the range will have an upper bound of 8kb and a lower bound that will
support the (pre-PQC) CRB with 3968 bytes.
Arun Menon [Wed, 6 May 2026 07:58:13 +0000 (13:28 +0530)]
hw/tpm: Add support for VM migration with TPM CRB chunking
- Add subsection in VMState for TPM CRB with the newly introduced
command and response buffer GByteArrays, along with a needed callback,
so that newer QEMU only sends the buffers if it is necessary.
- Implement a migration blocker to prevent migration of the VM if the
user manually enables chunking capability, cap-chunk, but the machine
type does not support it, using a new hw_compat property called
allow_chunk_migration.
- Add a post_load_errp hook so that during a migration, the buffers are
validated before destination VM is started.
Arun Menon [Wed, 6 May 2026 07:58:12 +0000 (13:28 +0530)]
test/qtest: Add test for tpm crb chunking
- New test case added to the swtpm test. Data is written and read from
the buffer in chunks.
- The chunk size is dynamically calculated by reading the
CRB_CTRL_CMD_SIZE address. This can be changed manually to test.
- Add a helper function tpm_wait_till_bit_clear()
- Note that this commit does not yet exercise the chunked read/write
logic, as current transfer sizes remain small. Testing for large
transfers is introduced in a subsequent patch: 'tests: Use ML-DSA-87
operations to cause large TPM transfers with CRB'
Arun Menon [Wed, 6 May 2026 07:58:11 +0000 (13:28 +0530)]
hw/tpm: Implement TPM CRB chunking logic
- Add logic to populate internal TPM command request and response
buffers and to toggle the control registers after each operation.
- The chunk size is limited to CRB_CTRL_CMD_SIZE which is
(TPM_CRB_ADDR_SIZE - A_CRB_DATA_BUFFER). This comes out as 3968 bytes
(4096 - 128 or 0x1000 - 0x80), because 128 bytes are reserved for
control and status registers. In other words, only 3968 bytes are
available for the TPM data.
- With this feature, guests can send commands larger than 3968 bytes.
- Refer section 6.5.3.9 of [1] for implementation details.
Arun Menon [Wed, 6 May 2026 07:58:08 +0000 (13:28 +0530)]
hw/tpm: Add TPM CRB chunking fields
- Add new fields to the CRB Interface Identifier and the CRB
Control Start registers.
- CRB_CTRL_START now has 2 new settings, that can be toggled using the
nextChunk and crbRspRetry bits.
- CapCRBChunk bit (10) was Reserved1 previously. The field is reused in
this revision of the specification. Refer to section 6.4.2.2 of [1]
- Add hw_compat global property called cap-chunk because the chunking
feature is only supported for machine type 11.1 and higher.
ui/vdagent: Use VMSTATE_GBYTEARRAY to safely migrate outbuf
Migrating a GLib GByteArray is now possible directly using the newly
introduced VMSTATE_GBYTEARRAY. It uses the standard GLib API calls to
create the array, or resize it.
This is safer than implementing a C struct and manually updating the
data and len fields. This commit uses the VMSTATE_GBYTEARRAY in vdagent
to store the outbuf variable.
migration/vmstate: Add VMState support for GByteArray
In GLib, GByteArray is an object managed by the library. Currently,
migrating a GByteArray requires treating it as a raw C struct and using
VMSTATE_VBUFFER_ALLOC_UINT32. For example, see vmstate_vdba in
ui/vdagent.c
QEMU cannot pretend that GByteArray is a C struct and simply use
VMS_ALLOC to g_malloc() the buffer. This is because VMS_ALLOC blindly
overwrites the data pointer with a newly allocated buffer, thereby
leaking the previous memory. Besides, GLib tracks the array's capacity
in a hidden alloc field. Bypassing GLib APIs leaves this capacity out of
sync with the newly allocated buffer, potentially leading to heap buffer
overflows during subsequent g_byte_array_append() calls.
This commit introduces VMSTATE_GBYTEARRAY which uses specific library
API calls (g_byte_array_set_size()) to safely resize and populate the
buffer.
Alex Bennée [Mon, 1 Jun 2026 14:31:29 +0000 (15:31 +0100)]
configure: use debian-all-test-cross for mipsel tcg tests
Although we have had the mips compilers in all-test-cross for a while
we had been surviving using the mipsel cross compiler image. However
when that was removed we missed updating the container to use.
Fixes: 366bb88e785 (buildsys: Remove MIPS cross containers)
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Tested-by: Cornelia Huck <cohuck@redhat.com> # running tests on an s390x
Message-ID: <20260601143129.144786-4-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Alex Bennée [Mon, 1 Jun 2026 14:31:28 +0000 (15:31 +0100)]
gitlab: work around the inability to build targets for MacOS
Unfortunately a previous fix to ensure .ninja-goals was set for the
TCG tests broke the ability to run check-functional-FOO. As we have
now reverted we need a solution for the MacOS gitlab run. The simplest
is to add an explicit make invocation to build the signed binaries
before we run the tests.
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Tested-by: Cornelia Huck <cohuck@redhat.com> # running tests on an s390x
Message-ID: <20260601143129.144786-3-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
* tag 'pull-9p-20260601' of https://github.com/cschoenebeck/qemu:
9pfs: fix missing rename lock in v9fs_co_readdir_many (CVE-2026-48004)
tests/9pfs: add deep absolute path test
tests/qtest/libqos: add qvirtqueue_reset_pool() for descriptor pool reset
hw/9pfs: let callers of v9fs_path_sprintf() and v9fs_fix_path() handle errors
hw/9pfs: add error handling to v9fs_fix_path()
hw/9pfs: change V9fsPath.size to size_t and v9fs_path_sprintf() return type
hw/9pfs: add NULL check in v9fs_path_is_ancestor()
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
# gpg: Signature made Mon 01 Jun 2026 02:58:35 EDT
# gpg: using RSA key CA473C44D6A09C189A193FCD452B96852B268216
# gpg: Good signature from "Song Gao <gaosong@loongson.cn>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: CA47 3C44 D6A0 9C18 9A19 3FCD 452B 9685 2B26 8216
* tag 'pull-loongarch-20260601' of https://github.com/gaosong715/qemu:
target/loongarch/kvm: Include missing exec/target_long.h header
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Mon, 1 Jun 2026 12:43:24 +0000 (08:43 -0400)]
Merge tag 'pull-hex-20260529' of https://github.com/qualcomm/qemu into staging
Hexagon cross-toolchain container update
# gpg: Signature made Fri 29 May 2026 19:45:03 EDT
# gpg: using RSA key 3D66AAE474594824C88CE0F81A54AFB8E5646C32
# gpg: Good signature from "Brian Cain (OSS Qualcomm) <brian.cain@oss.qualcomm.com>" [unknown]
# gpg: aka "Brian Cain <bcain@kernel.org>" [unknown]
# gpg: aka "Brian Cain (QuIC) <bcain@quicinc.com>" [unknown]
# gpg: aka "Brian Cain (CAF) <bcain@codeaurora.org>" [unknown]
# gpg: aka "bcain" [unknown]
# gpg: aka "Brian Cain (QUIC) <quic_bcain@quicinc.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6350 20F9 67A7 7164 79EF 49E0 175C 464E 541B 6D47
# Subkey fingerprint: 3D66 AAE4 7459 4824 C88C E0F8 1A54 AFB8 E564 6C32
* tag 'pull-hex-20260529' of https://github.com/qualcomm/qemu:
tests/docker: Update hexagon cross toolchain to 22.1.0
tests/tcg/hexagon: fix check_rev_gating with newer toolchain
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Mon, 1 Jun 2026 12:43:12 +0000 (08:43 -0400)]
Merge tag 'linux-user-next-pull-request' of https://github.com/hdeller/qemu-hppa into staging
linux user patches
A series of patches for linux-user, specifically many FPU fixes in signal
handling code for sh4, mips, ppc and s390x (from Matt Turner), a madvise()
improvement (from me), and qemu header cleanups (from Peter Maydell).
---
v3: Fix build failure due to unknown MADV_COLLAPSE constant in madvise() patch
v2: Dropped the "ARM cortex-m55 program loading fix" and the FPU alpha patch
# gpg: Signature made Fri 29 May 2026 17:51:09 EDT
# gpg: using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F
# gpg: Good signature from "Helge Deller <deller@gmx.de>" [unknown]
# gpg: aka "Helge Deller <deller@kernel.org>" [unknown]
# gpg: aka "Helge Deller <deller@debian.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4544 8228 2CD9 10DB EF3D 25F8 3E5F 3D04 A7A2 4603
# Subkey fingerprint: BCE9 123E 1AD2 9F07 C049 BBDE F712 B510 A23A 0F5F
* tag 'linux-user-next-pull-request' of https://github.com/hdeller/qemu-hppa:
linux-user: Move cpu_copy() to user-internals.h
linux-user: Move init_main_thread() prototype to user-internals.h
linux-user: Fix typo in function documentation for pgb_addr_set()
linux-user: Implement finer grained madivse() syscall
linux-user/s390x: restore fpu_status rounding mode from FPC on sigreturn
target/sh4: sync fp_status when gdb writes FPSCR
linux-user/sh4: restore FP rounding mode on sigreturn
linux-user/sh4: preserve T/M/Q bits across signal delivery
linux-user/mips: save/restore FCSR across signal delivery
linux-user/ppc: restore fp_status from FPSCR on sigreturn
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* tag 'pull-tcg-20260529' of https://gitlab.com/rth7680/qemu:
tcg: Optimize INDEX_op_mul[us]2 for 0 and 1
tcg: Massage fold_multiply2()
docs/devel/tcg-ops: Fix reStructuredText format
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
sin99xx [Wed, 20 May 2026 17:11:25 +0000 (19:11 +0200)]
9pfs: fix missing rename lock in v9fs_co_readdir_many (CVE-2026-48004)
v9fs_co_readdir_many() dispatches do_readdir_many() to a worker thread
that reads V9fsFidState's path.data without holding a rename lock.
A concurrent rename request, e.g. of its parent dir, causes the FID's
absolute path to be altered by freeing the old path string and
assigning a new one. This causes a heap-use-after-free race condition
while do_readdir_many() is still accessing the old object.
This allows a DoS by an unprivileged guest user.
Fix this by wrapping the worker thread dispatch block within a pair of
v9fs_path_read_lock() and v9fs_path_unlock() calls, like it's done at
other places.
Fixes: 2149675b195f ("9pfs: add new function v9fs_co_readdir_many()")
Fixes: CVE-2026-48004
Reported-by: sin99xx <sin99xx@proton.me>
Signed-off-by: sin99xx <sin99xx@proton.me>
[Christian Schoenebeck: add commit log message]
Link: https://lore.kernel.org/qemu-devel/E1wPkYi-000adH-4E@kylie.crudebyte.com
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Add fs_deep_absolute_path test that creates a deep directory
structure with an absolute path length exceeding 16-bit range
(i.e. >65536) to verify the previous buffer overflow fix.
This is a slow test (may take several seconds) and therefore
registered as "slow" test and not running by default.
tests/qtest/libqos: add qvirtqueue_reset_pool() for descriptor pool reset
Add a function to reset the virtqueue descriptor pool state without
reinitializing the device. This is useful for tests that issue a high
number of requests and are limited by the simplified virtio test
driver's descriptor tracking, which decrements num_free but never
increments it back.
The function is safe for synchronous test code where requests are
sent and completed before the next request is issued.
hw/9pfs: let callers of v9fs_path_sprintf() and v9fs_fix_path() handle errors
This patch mitigates issues with very large absolute paths.
- Add error handling to all v9fs_path_sprintf() calls in
local_name_to_path()
- Update callers of v9fs_fix_path() to check return values.
- When path formatting fails, clunk the affected FIDs to prevent use of
invalid paths.
- Use g_autofree for temporary variables to simplify code.
Even though paths are usually limited to PATH_MAX (typically 4k) on guest,
this limitation can be circumvented by using *at() functions on guest and
creating very deep directory structures. This was a problem for QEMU 9p
server, as it currently tracks the absolute path for each FID internally
that always requires assembly of a (potentially very large) absolute path.
A true long-term fix would be getting rid of storing an absolute path for
each FID internally. However that would likely be a massive change with
uncertain implications.
This patch therefore just mitigates the problem by immediately clunking
(i.e. closing) all FIDs whose paths exceed a limit that we could handle.
As this only applies to very unusually large absolute paths that have never
been reported on (sane) production machines, this is currently considered an
acceptable mitigation that should only (counter)affect malicious attempts.
hw/9pfs: add NULL check in v9fs_path_is_ancestor()
Add NULL check for s1->data and s2->data before using them in
string operations. This prevents potential crashes when dealing
with uninitialized paths.
This is just a defensive measure. We are currently never passing
NULL to this function.
Qiang Ma [Mon, 1 Jun 2026 01:46:01 +0000 (09:46 +0800)]
target/loongarch/kvm: Include missing exec/target_long.h header
After commit 71cab1a42d2 removed the indirect include of
exec/cpu-defs.h from target/loongarch/cpu.h, the TARGET_FMT_lx
macro is no longer visible in kvm.c, causing build failures:
error: expected ')' before TARGET_FMT_lx
Add the missing exec/target_long.h to fix it.
Cc: qemu-stable@nongnu.org
Fixes: 71cab1a42d2 ("target/cpu: Do not include 'exec/cpu-defs.h' anymore")
Signed-off-by: Qiang Ma <maqianga@uniontech.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20260601014601.4047201-1-gaosong@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Brian Cain [Wed, 20 May 2026 16:27:27 +0000 (09:27 -0700)]
tests/docker: Update hexagon cross toolchain to 22.1.0
Update the hexagon cross-compiler Docker container to use toolchain
version 22.1.0, replacing the previous 12.Dec.2023 release.
Changes to accommodate the new toolchain:
- Add libc++1, libc++abi1, libunwind-19 runtime deps for the new
LLVM-based toolchain
- Add zstd for the new .tar.zst archive format
- Update artifact URL domain to artifacts.codelinaro.org
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
Brian Cain [Wed, 20 May 2026 16:27:23 +0000 (09:27 -0700)]
tests/tcg/hexagon: fix check_rev_gating with newer toolchain
The check_rev_gating test is compiled with -mv66, but the final linkage
step does not specify the CPU version. The v22.1.0 toolchain contains a
crt1.o compiled for v68, so the linker resolves the v66 + v68 linkage by
selecting the highest version. The resulting binary then executes v68
instructions without gating, leading to a segfault.
Fix this by passing -cpu v66 to QEMU when running the test, so that the
emulated CPU matches the intended v66 target and the revision gating
mechanism works as expected.
Peter Maydell [Tue, 26 May 2026 15:17:57 +0000 (16:17 +0100)]
linux-user: Move cpu_copy() to user-internals.h
We only use cpu_copy() inside linux-user, so we don't need to have
the prototype in qemu.h available to code outside linux-user; move it
to user-internals.h.
Peter Maydell [Tue, 26 May 2026 15:17:56 +0000 (16:17 +0100)]
linux-user: Move init_main_thread() prototype to user-internals.h
The init_main_thread() prototype is needed only by code internal to
linux-user/, so it doesn't need to be in qemu.h (which is also pulled
in by various files outside linux-user/).
Move the prototype to user-internals.h, and give it a documentation
comment.
Although most madvise() values are hints, some are important and are
checked by userspace, especially by security-relevant applications like
BoringSSL. So, return -EINVAL for those functions which we don't emulate.
Matt Turner [Tue, 26 May 2026 15:05:33 +0000 (11:05 -0400)]
linux-user/s390x: restore fpu_status rounding mode from FPC on sigreturn
QEMU keeps the s390x floating-point control register (FPC) in env->fpc.
The rounding mode bits [2:0] of FPC are reflected into the derived
env->fpu_status via set_float_rounding_mode(); every architectural
write to FPC goes through HELPER(sfpc) which keeps the two in sync.
restore_sigregs() restored FPC with a direct assignment:
__get_user(env->fpc, &sc->fpregs.fpc);
This wrote env->fpc correctly but never updated env->fpu_status, so on
sigreturn the interrupted code resumed with whatever rounding mode the
signal handler last installed in fpu_status.
Factor the two-step "write fpc + sync fpu_status" logic out of
HELPER(sfpc) into cpu_s390x_load_fpc(), declare it in cpu.h, and call
it from restore_sigregs() in place of the direct assignment.
cpu_s390x_load_fpc() partially reuses the sanity check from
HELPER(sfpc): if the FPC value has an invalid rounding mode or reserved
bits set, it falls back to 0, matching the kernel's fpu_lfpc_safe()
behavior where a corrupt signal frame value causes a specification
exception and 0 is used instead.
HELPER(sfpc) now calls cpu_s390x_load_fpc() after its full
specification-exception check, including the FEAT_FLOATING_POINT_EXT
test that is not needed for the signal restore path.
Fixes: 2941e0fa05 ("linux-user/s390x: Save/restore fpc when handling a signal")
Cc: qemu-stable@nongnu.org
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Matt Turner [Mon, 25 May 2026 15:26:42 +0000 (11:26 -0400)]
target/sh4: sync fp_status when gdb writes FPSCR
sh4_cpu_gdb_write_register() wrote the incoming FPSCR value straight
into env->fpscr, leaving the derived env->fp_status (rounding mode and
flush-to-zero) stale, so a gdb-initiated FPSCR change did not take
effect for subsequent FP operations. Use cpu_load_fpscr() instead, the
same way the adjacent case already uses cpu_write_sr() for SR.
Cc: qemu-stable@nongnu.org
Reviewed-by: Yoshinori Sato <yoshinori.sato@nifty.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Matt Turner [Mon, 25 May 2026 15:26:41 +0000 (11:26 -0400)]
linux-user/sh4: restore FP rounding mode on sigreturn
The SH4 FPSCR rounding-mode (RM) and denormal (DN) bits are not held
only in env->fpscr: they are also reflected into the derived
env->fp_status via set_float_rounding_mode()/set_flush_to_zero(). The
guest keeps the two in sync by routing every write to FPSCR through
helper_ld_fpscr().
restore_sigcontext() wrote the saved value straight into env->fpscr and
never touched env->fp_status, so on sigreturn the interrupted code
resumed with whatever FP rounding mode and flush-to-zero setting the
signal handler last installed. (regs->flags = 0 forces the FR/SZ/PR TB
flags to be recomputed, but fp_status is runtime float state, not a TB
flag, so it was left stale.) This is the FP analogue of the T/M/Q bit
problem just fixed for the integer status register.
Factor the FPSCR -> fp_status synchronisation out of helper_ld_fpscr()
into cpu_load_fpscr() and use it from restore_sigcontext() so the
rounding mode round-trips correctly across signal delivery.
Fixes: c3b5bc8ab3 ("SH4: Signal handling for the user space emulator, by Magnus Damm.")
Cc: qemu-stable@nongnu.org
Reviewed-by: Yoshinori Sato <yoshinori.sato@nifty.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Matt Turner [Mon, 25 May 2026 15:26:40 +0000 (11:26 -0400)]
linux-user/sh4: preserve T/M/Q bits across signal delivery
QEMU keeps the SH4 T, M and Q status-register bits outside env->sr, in
the dedicated env->sr_t, env->sr_m and env->sr_q fields; cpu_read_sr()
folds them back into the architectural SR value and cpu_write_sr()
splits them back out.
setup_sigcontext() saved the bare env->sr (so the T/M/Q bits were always
zero in the signal frame) and restore_sigcontext() wrote the value
straight back into env->sr without updating sr_t/sr_m/sr_q. As a result
the T bit was never preserved across signal delivery: on sigreturn the
interrupted code resumed with whatever T value the signal handler last
left behind. Any conditional branch (or addc/subc/rotcl/div1, etc.)
immediately following the interrupted instruction could then take the
wrong path.
This is the cause of the long-standing intermittent failures of the
tests/tcg/multiarch/signals.c test on sh4, which was marked BROKEN. With
a SIGRTMIN timer firing every millisecond across many threads, the race
was hit a few percent of the time and corrupted the guest heap, surfacing
as a SIGSEGV in memset, a malloc assertion, or an rseq registration abort.
Traced on a deterministic rr recording: a cmp/hi set T=0, the timer
signal interrupted the very next instruction (a bf), the handler left
T=1, and the resumed bf took glibc calloc's MORECORE_CLEARS branch,
using the old top-chunk size as the clear length for a freshly split
small chunk and running memset off the end of the heap.
Fix setup_sigcontext()/restore_sigcontext() to use cpu_read_sr() and
cpu_write_sr() so the T, M and Q bits round-trip correctly, and drop the
BROKEN annotation on the sh4 signals test.
Fixes: c3b5bc8ab3 ("SH4: Signal handling for the user space emulator, by Magnus Damm.")
Cc: qemu-stable@nongnu.org
Reviewed-by: Yoshinori Sato <yoshinori.sato@nifty.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Matt Turner [Mon, 25 May 2026 15:24:27 +0000 (11:24 -0400)]
linux-user/mips: save/restore FCSR across signal delivery
QEMU keeps the MIPS FPU control/status register (FCSR, fcr31) in
env->active_fpu.fcr31. The rounding mode, flush-to-zero (FS), and
NaN-2008 mode bits in fcr31 are reflected into the derived
env->active_fpu.fp_status via set_float_rounding_mode() and friends;
every architectural write to FCSR goes through helper_ctc1() which
calls restore_fp_status() to keep the two in sync.
Both target_sigcontext variants (O32 and N32/N64) have an sc_fpc_csr
field that holds FCSR, but setup_sigcontext() never wrote it and
restore_sigcontext() never read it. As a result:
- The signal frame always delivered sc_fpc_csr == 0 to the handler,
so sigaction(SA_SIGINFO) handlers that inspect the interrupted
context see the wrong FCSR.
- On sigreturn, active_fpu.fcr31 retained whatever value the signal
handler last installed (if any), and active_fpu.fp_status was
never resynced. Interrupted code resumed with the wrong rounding
mode, FS flag, and NaN-2008 semantics.
Fix setup_sigcontext() to save fcr31 into sc_fpc_csr. Fix
restore_sigcontext() to read it back (masked to fcr31_rw_bitmask as
the kernel does) and call cpu_mips_restore_fp_status() to resync
fp_status from the restored fcr31.
Add cpu_mips_restore_fp_status() in target/mips/fpu.c (which already
defines ieee_rm and includes fpu_helper.h), and declare it in cpu.h.
Fixes: 084d0497a0 ("mips-linux-user: Save and restore fpu and dsp from sigcontext")
Cc: qemu-stable@nongnu.org
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Matt Turner [Mon, 25 May 2026 15:23:12 +0000 (11:23 -0400)]
linux-user/ppc: restore fp_status from FPSCR on sigreturn
restore_user_regs() restores the PPC FPSCR with a direct assignment:
env->fpscr = (uint32_t) fpscr;
ppc_store_fpscr() exists precisely to write FPSCR and keep the derived
env->fp_status in sync: it calls fpscr_set_rounding_mode() to update
the softfloat rounding mode, and set_float_rebias_overflow/underflow()
to reflect the FP_OE/FP_UE enable bits. The direct assignment bypasses
all of this.
On sigreturn, interrupted code resumes with whatever rounding mode and
overflow/underflow-rebias state the signal handler last installed in
fp_status, rather than the state that was saved at signal delivery.
Replace the direct assign with ppc_store_fpscr(). The FPSCR_MTFS_MASK
applied inside ppc_store_fpscr() only excludes the computed FP_FEX and
FP_VX bits, which it re-derives correctly from the exception and enable
bits in the restored value.
Fixes: bcd4933a23 ("linux-user: ppc signal handling")
Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
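The sh4, mips and ppc fixes above are three instances of one bug class: an architectural register (SR, FCSR, FPSCR) whose bits are also held in derived or cached fields (sr_t/sr_m/sr_q, fp_status) that the fast paths read directly, and a signal-frame save or restore that copies the master value without going through the accessor that keeps the two in sync. The following toy model is an added example written for this page, not QEMU code; ToyCPU, toy_read_sr(), toy_write_sr() and the sigcontext helpers are invented names. It shows why the direct assignment loses the T bit and why routing through the accessors fixes it.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy model (invented for this example) of the pattern shared by the
 * sh4, mips and ppc fixes: an architectural status register whose
 * interesting bits are ALSO held in separate cached fields that the
 * fast paths read directly. */
#define SR_T (1u << 0)
#define SR_Q (1u << 8)
#define SR_M (1u << 9)
#define SR_CACHED (SR_T | SR_Q | SR_M)

typedef struct {
    uint32_t sr;    /* master copy, cached bits masked out */
    uint32_t sr_t;  /* cached T bit: what conditional branches consult */
    uint32_t sr_m;
    uint32_t sr_q;
} ToyCPU;

/* Compose the full architectural value from the split storage. */
static uint32_t toy_read_sr(const ToyCPU *cpu)
{
    return cpu->sr | (cpu->sr_t ? SR_T : 0) | (cpu->sr_m ? SR_M : 0)
                   | (cpu->sr_q ? SR_Q : 0);
}

/* Store the architectural value AND re-derive the cached fields. */
static void toy_write_sr(ToyCPU *cpu, uint32_t value)
{
    cpu->sr = value & ~SR_CACHED;
    cpu->sr_t = (value & SR_T) != 0;
    cpu->sr_m = (value & SR_M) != 0;
    cpu->sr_q = (value & SR_Q) != 0;
}

typedef struct {
    uint32_t sc_sr;
} ToySigcontext;

/* Buggy pair: raw copies of the master field skip the cached bits, so T
 * is neither saved at delivery nor restored on sigreturn. */
static void buggy_setup(ToySigcontext *sc, const ToyCPU *cpu)   { sc->sc_sr = cpu->sr; }
static void buggy_restore(ToyCPU *cpu, const ToySigcontext *sc) { cpu->sr = sc->sc_sr; }

/* Fixed pair: go through the accessors so every bit round-trips. */
static void fixed_setup(ToySigcontext *sc, const ToyCPU *cpu)   { sc->sc_sr = toy_read_sr(cpu); }
static void fixed_restore(ToyCPU *cpu, const ToySigcontext *sc) { toy_write_sr(cpu, sc->sc_sr); }

/* Simulate: interrupted code has T == t_before, a signal arrives, the
 * handler leaves T == t_handler behind, sigreturn runs. Returns the T bit
 * the interrupted code resumes with; the correct answer is always t_before. */
static bool t_after_sigreturn(bool fixed, bool t_before, bool t_handler)
{
    ToyCPU cpu = {0};
    ToySigcontext sc;

    toy_write_sr(&cpu, t_before ? SR_T : 0);
    if (fixed) fixed_setup(&sc, &cpu); else buggy_setup(&sc, &cpu);
    cpu.sr_t = t_handler;                  /* e.g. a cmp/hi in the handler */
    if (fixed) fixed_restore(&cpu, &sc); else buggy_restore(&cpu, &sc);
    return cpu.sr_t != 0;
}
```

With the buggy pair, whatever T the handler last produced leaks into the interrupted code, which is exactly the corrupted-branch symptom the sh4 commit traces; the same shape applies to a rounding mode cached in fp_status.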
Zero operands produce a zero high and low product. One operands produce
a copy of the other operand and a zero or sign extension in the high
half.
Fold those cases during TCG optimization so wide-multiply idioms used by
target translators can collapse before code generation.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260520125139.13352-3-philmd@linaro.org>
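The identities the commit relies on are easy to state but worth checking against a real wide multiply: for a 64x64 to 128-bit product, a zero operand gives lo = hi = 0, and a one operand gives lo = the other operand with hi = 0 (unsigned) or hi = the sign extension of the other operand (signed). The block below is an added example for this page, not TCG code: mulu2_ref()/muls2_ref() are reference multiplies built from 32-bit limbs, and fold_mulu2_const()/fold_muls2_const() are the folds, cross-checked by fold_matches_reference().

```c
#include <stdbool.h>
#include <stdint.h>

/* Reference 64x64 -> 128-bit multiplies, written with 32-bit limbs so the
 * example needs no compiler extension. These mirror the shape of the
 * wide-multiply opcodes discussed above but are not TCG code. */
static void mulu2_ref(uint64_t a, uint64_t b, uint64_t *lo, uint64_t *hi)
{
    uint64_t a0 = (uint32_t)a, a1 = a >> 32, b0 = (uint32_t)b, b1 = b >> 32;
    uint64_t p00 = a0 * b0, p01 = a0 * b1, p10 = a1 * b0, p11 = a1 * b1;
    uint64_t mid = (p00 >> 32) + (uint32_t)p01 + (uint32_t)p10;

    *lo = (mid << 32) | (uint32_t)p00;
    *hi = p11 + (p01 >> 32) + (p10 >> 32) + (mid >> 32);
}

static void muls2_ref(int64_t a, int64_t b, int64_t *lo, int64_t *hi)
{
    uint64_t ulo, uhi;

    mulu2_ref((uint64_t)a, (uint64_t)b, &ulo, &uhi);
    /* Signed correction: a negative input a equals au - 2^64, so the
     * high word loses one copy of the other operand per negative input. */
    if (a < 0) uhi -= (uint64_t)b;
    if (b < 0) uhi -= (uint64_t)a;
    *lo = (int64_t)ulo;
    *hi = (int64_t)uhi;
}

/* Constant folds for an operand 'c' known at optimisation time, with 'x'
 * the other (possibly unknown) operand. Return true when the identity
 * applies and lo/hi are filled in; false means a real multiply remains. */
static bool fold_mulu2_const(uint64_t x, uint64_t c, uint64_t *lo, uint64_t *hi)
{
    if (c == 0) { *lo = 0; *hi = 0; return true; }
    if (c == 1) { *lo = x; *hi = 0; return true; }              /* zero-extend x */
    return false;
}

static bool fold_muls2_const(int64_t x, int64_t c, int64_t *lo, int64_t *hi)
{
    if (c == 0) { *lo = 0; *hi = 0; return true; }
    if (c == 1) { *lo = x; *hi = x < 0 ? -1 : 0; return true; } /* sign-extend x */
    return false;
}

/* Cross-check both folds against the references for one operand pair;
 * true if every fold that fired agreed with the full multiply. */
static bool fold_matches_reference(int64_t x, int64_t c)
{
    uint64_t flo, fhi, rlo, rhi;
    int64_t sflo, sfhi, srlo, srhi;
    bool ok = true;

    if (fold_mulu2_const((uint64_t)x, (uint64_t)c, &flo, &fhi)) {
        mulu2_ref((uint64_t)x, (uint64_t)c, &rlo, &rhi);
        ok = ok && flo == rlo && fhi == rhi;
    }
    if (fold_muls2_const(x, c, &sflo, &sfhi)) {
        muls2_ref(x, c, &srlo, &srhi);
        ok = ok && sflo == srlo && sfhi == srhi;
    }
    return ok;
}

/* Does the fold fire at all for constant c? (Only 0 and 1 qualify.) */
static bool fold_applies(int64_t c)
{
    uint64_t lo, hi;
    return fold_mulu2_const(0, (uint64_t)c, &lo, &hi);
}
```

The signed case is the one worth the check: INT64_MIN times one must yield hi = -1, which the sign-extension rule produces and a naive "hi = 0" would not.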
In order to ease next commit review, check arg2 constness
in the inner loop.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260520125139.13352-2-philmd@linaro.org>
In the standard reStructuredText inline markup, italic
text is surrounded by one asterisk.
Fix incomplete style from commits 5e97a28a8b9 ("tcg: convert
tcg/README to rst") and 76f42780292 ("tcg: Add add/sub with
carry opcodes and infrastructure").
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260519210019.11665-1-philmd@linaro.org>
* tag 'pull-target-arm-20260529' of https://gitlab.com/pm215/qemu: (21 commits)
hw/dma/omap_dma: Fix indentation after ifdef removal
hw/dma/omap_dma: Fix coding style in omap_dma_transfer_setup()
hw/dma/omap_dma: Remove unused ifdeffed out code
target/arm: advertise FEAT_RNG_TRAP on cortex-max
target/arm: implement FEAT_RNG_TRAP for RNDR/RNDRRS
target/arm: SME BFCVT, BFCVTN have "Alternate BFloat16 behaviors"
target/arm: Don't assert if 64-bit EL2 AT insn sees a Domain fault
target/arm: Enable FEAT_CMPBR for -cpu max
target/arm: Implement CB (immediate)
target/arm: Implement CB, CBB, CBH
target/arm: Add feature predicate for FEAT_CMPBR
hw/arm/xilinx_zynq: Split xilinx_zynq into header and implementation files
hw/block/m25p80: Add HAS_SR_TB flag for is25lp016d
hw/misc/zynq_slcr: Add logic for DCI configuration
hw/misc: Add dummy ZYNQ DDR controller
hw/dma/zynq-devcfg: Indicate power-up status of PL
hw/dma/zynq-devcfg: Simulate dummy PL reset
hw/dma/zynq: Ensure PCFG_DONE bit remains set to indicate PL is in user mode
hw/arm/zynq-devcfg: Prevent unintended unlock during initialization
hw/dma/zynq-devcfg: Handle bitstream loading via DMA to 0xffffffff
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Fri, 29 May 2026 16:58:13 +0000 (12:58 -0400)]
Merge tag 'pull-11.1-testing-macos-and-misc-280526-1' of https://gitlab.com/stsquad/qemu into staging
testing updates (gitlab, MacOS, MAINTAINERS)
- move tests/Makefile.include earlier in order
- add binary deps to .ninja-goals.run-tcg-tests-FOO
- clean-up jit locking around do_tb_phys_invalidate
- drop deprecated cirrus MacOS builds
- add gitlab MacOS builds
- update the gitlab issue template around binary test cases
- fix-up MAINTAINERS for dockerfiles
# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCgAdFiEEZoWumedRZ7yvyN81+9DbCVqeKkQFAmoYp8EACgkQ+9DbCVqe
# KkRL3wf+LmazWrTWC0hkP0KcFEvBVYNin87BnYFEcXYfo/dkNEXMQeHNHpkEGm1J
# dTwWrmlDLIuvSowrCT5J597t9ssmsy8e2djo7yYx2aKBZvjyfVF/AadA4xSYz7XV
# P0EaxYlGcN7CRyCSRMswFUJB7UwCopwjgaitITCGR6tb80nQRnbzzVTd/13Ne8qd
# E1qeOT3G/+10uL0iOAGBUXgxT4tTsbdwrm0hk6vvEX4oGGwg11WpTZFAKVUwm3kK
# 5CTUF4sJTy2Y2yht0AqSMteuUoTbvp5xKKJQ1yuDYFByma0d0K2MRtcdxSmdx7eO
# rp4gGzXafPY/sXF2QYCXv/8VaCXEoA==
# =p5gv
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 28 May 2026 16:38:25 EDT
# gpg: using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44
* tag 'pull-11.1-testing-macos-and-misc-280526-1' of https://gitlab.com/stsquad/qemu:
MAINTAINERS: Cover python.docker with Python library section
MAINTAINERS: Cover debian-tricore-cross.docker with TriCore section
MAINTAINERS: Cover debian-xtensa-cross.docker with Xtensa section
MAINTAINERS: Cover debian-loongarch-cross.docker with LoongArch section
MAINTAINERS: Fix docker/dockerfiles/debian-hexagon-cross.docker path
gitlab: update issue template for binary test cases
gitlab: add MacOS 26 job on gitlab runner
gitlab: add initial MacOS 15 on gitlab runner
ci: drop cirrus MacOS build
accel/tcg: move jit thread manipulation into do_tb_phys_invalidate
tests/Makefile.include: add binary dependency to run-tcg-tests-% rules
tests/Makefile.include: fix typo in comment
Makefile: include tests/Makefile.include before ninja calculation
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Fri, 29 May 2026 16:58:03 +0000 (12:58 -0400)]
Merge tag 'net-pull-request' of https://github.com/jasowang/qemu into staging
# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCAAdFiEEIV1G9IJGaJ7HfzVi7wSWWzmNYhEFAmoZHBQACgkQ7wSWWzmN
# YhH7ywf/WZdieTiWCoi1XI2rZ6XCjdJRqTSmp+WENDDQt4tBnXXJ6PxyitFqZh7g
# oZnN1+WXgIAO0SZRPbzjspe9mFsXrFkE/7y9XijOF4F/bhbWPA/AL8SICxnjoyaC
# nOs1QU2hE7yhOqgnUHweUjNbgpUO8mIgLdSIbKYDgZq1vRFsXy2kkKbeiJkbPCfe
# 0ILqltFjS5MeCl2fV0WwUquWr7VXEXb0vGPQKAzRbygmbDC+qYRF100cTrSCxnOe
# LSW8c1nf2AHZkQJmj2HWc2DUwxynAr8N8jSRPgp4JSC6B2caSQygKHGtKe19Y/Be
# u4hm+k5+HB25xkA4czheMcNvefnzoQ==
# =JjfR
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 29 May 2026 00:54:44 EDT
# gpg: using RSA key 215D46F48246689EC77F3562EF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [full]
# Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* tag 'net-pull-request' of https://github.com/jasowang/qemu:
hw/net/rocker_of_dpa: Avoid unaligned accesses in _of_dpa_flow_match()
hw/net/rocker_of_dpa: Check group ID pointers are not NULL
net/tap: check that user tries to define zero queues
net/tap: net_init_tap(): relax QEMU hubs check
net/tap: net_init_tap(): merge fd=, fds= and helper= cases into one
net/tap: fix vhostfds/vhostfd parameters API
net/tap: move fds parameters handling to separate functions
net: introduce net_parse_fds()
net/tap: net_init_tap_one(): drop model parameter
net/tap: net_init_tap_one() refactor to get vhostfd param
net/tap: net_init_tap(): common fail label
net/tap: net_init_tap(): refactor parameter checking
net/tap: net_init_tap(): drop extra vhostfdname variable
net/tap: net_init_tap_one(): add return value
net/af-xdp: fix type overflow
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* tag 'single-binary-20260528' of https://github.com/philmd/qemu: (22 commits)
hw/core: Remove SysemuCPUOps::get_phys_addr_attrs_debug
target/i386: Convert to translate_for_debug
target/microblaze: Convert to translate_for_debug
accel/common: Remove last bit of target-specific code
hw/tpm/tpm_tis_sysbus: defer resource allocation to realize
mailmap: Update email addresses for Andrew Jones
mailmap: Update email addresses for Daniel Henrique Barboza
hw/vfio: use stub_ss for iommufd-stubs.c
hw/net: use stub_ss for vhost_net-stub.c
net: use stub_ss for vhost-user-stub.c and vhost-vdpa-stub.c
migration: use stub_ss for vfio-stub.c
target/arm: move whpx-stub to arm_stubs_ss
target/arm: move kvm-stub to arm_stubs_ss
meson.build: move some subdir before system lib creation
meson: fix close_range detection on older glibc
system/qtest: Fix length parameter in the b64write code
system/vl: Free allocate memory for pid file name in case realpath() failed
docs/devel/tcg-ops: List more vector opcodes
docs/devel/tcg-ops: Stop listing dup2_vec()
monitor: fix missing spaces in screendump help text
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
No targets use the SysemuCPUOps::get_phys_addr_attrs_debug method
any more, so we can remove it, together with the handling of it
in cpu_translate_for_debug().
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260528161450.3564396-4-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 28 May 2026 16:14:49 +0000 (17:14 +0100)]
target/i386: Convert to translate_for_debug
The get_phys_addr_attrs_debug method of SysemuCPUOps is used only by
x86 and microblaze. Convert x86 to the newer translate_for_debug
method, as a step towards being able to remove
get_phys_addr_attrs_debug.
The new API allows us to tell the caller the actual size of the
mapping via lg_page_size, so we do that, although no caller will care
since it's always at least TARGET_PAGE_BITS.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260528161450.3564396-3-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 28 May 2026 16:14:48 +0000 (17:14 +0100)]
target/microblaze: Convert to translate_for_debug
The get_phys_addr_attrs_debug method of SysemuCPUOps is used only by
x86 and microblaze. Convert microblaze to the newer
translate_for_debug method, as a step towards being able to remove
get_phys_addr_attrs_debug.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260528161450.3564396-2-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
accel/common: Remove last bit of target-specific code
Initialize the TypeInfo structure at runtime using the TargetInfo
API to resolve TYPE_ACCEL_CPU, replacing CPU_RESOLVING_TYPE by
target_cpu_type(). Since the code is no longer target-specific, move
it to accel-common.c, removing the need for accel-target.c.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-Id: <20260528140857.44130-1-philmd@linaro.org>
hw/tpm/tpm_tis_sysbus: defer resource allocation to realize
Calling memory_region_init_ram_device_ptr() and
memory_region_init_io() from tpm_tis_sysbus_initfn() crashes
when the device is introspected without being realized, because
the memory subsystem has not been initialized at that point.
So running:
$ qemu-system-aarch64 -device tpm-tis-device,help
triggers qdev_device_help() which creates the device object
to list its properties, calling instance_init, but never
realizefn. The memory region calls in instance_init then hit
uninitialized subsystems:
With CONFIG_DEBUG_TCG:
Assertion 'target_page.decided' failed. (physmem.c:2524)
Without CONFIG_DEBUG_TCG:
Assertion 'mutex->initialized' failed. (qemu-thread-posix.c:107)
Since realizefn is only called when the device is actually
used in a running VM, moving resource allocation there avoids
the crash without breaking introspection.
This also fixes a memory leak that is reported by the address
sanitizer during 'make check', because we currently allocate
ppi.buf during instance_init and never free it. "Allocate in
realize and never free" is less bad, because we don't currently
support "unrealize and destroy a sysbus device".
Fixes: 46cd2c1050f ("hw/tpm: add PPI support to tpm-tis-device for ARM64 virt")
Signed-off-by: Mohammadfaiz Bawa <mbawa@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260528093123.55403-1-mbawa@redhat.com>
Message-ID: <CAFEAcA8fEYODmPhbh1W=oPGvju-P=qWvN_dyWrPqAr-E9FK7UA@mail.gmail.com>
[PMD: Amend Peter comment from previous mail in description]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 28 May 2026 15:28:52 +0000 (16:28 +0100)]
hw/dma/omap_dma: Fix indentation after ifdef removal
Some of the ifdefs in omap_dma_transfer_setup() which we just
removed had if() blocks in them. Now that the code inside them
is always unconditional it has an extra unnecessary layer of
indentation; fix this, as a whitespace only change.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260528152852.3349928-4-peter.maydell@linaro.org
Peter Maydell [Thu, 28 May 2026 15:28:51 +0000 (16:28 +0100)]
hw/dma/omap_dma: Fix coding style in omap_dma_transfer_setup()
We're about to fix indent in a section of the
omap_dma_transfer_setup() function, which will make checkpatch
complain. Since we're touching the code anyway, fix the uses of if()
with no braces and wrongly formatted multiline comments.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260528152852.3349928-3-peter.maydell@linaro.org
Peter Maydell [Thu, 28 May 2026 15:28:50 +0000 (16:28 +0100)]
hw/dma/omap_dma: Remove unused ifdeffed out code
The OMAP DMA device includes a lot of code which has been disabled
via ifdefs for over a decade. Whatever this unfinished development
work was, all knowledge of it is long gone, and we're unlikely to
be doing any serious work on this device model in future. If we
did, we'd likely have to start from scratch.
Remove all the ifdeffed out code. We will fix up the indentation
in a followup commit that has only whitespace changes.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260528152852.3349928-2-peter.maydell@linaro.org
Jason Wright [Thu, 28 May 2026 18:19:25 +0000 (18:19 +0000)]
target/arm: advertise FEAT_RNG_TRAP on cortex-max
Set ID_AA64PFR1.RNDR_TRAP=1 on the max CPU model so guests and
firmware detect FEAT_RNG_TRAP, per the Arm Architecture Reference
Manual for A-profile architecture (DDI 0487), and document the feature
as emulated in docs/system/arm/emulation.rst.
Signed-off-by: Jason Wright <wrigjl@proton.me>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Jason Wright [Thu, 28 May 2026 18:19:19 +0000 (18:19 +0000)]
target/arm: implement FEAT_RNG_TRAP for RNDR/RNDRRS
Add an .accessfn to the RNDR and RNDRRS system registers that traps
reads to EL3 when SCR_EL3.TRNDR is set, as required by FEAT_RNG_TRAP.
Mark SCR_EL3.TRNDR (bit 40) as a writable field in scr_write() when
the CPU advertises the feature. The pseudocode in DDI0487 revision M.b
shows the trap firing from EL0, EL1, EL2, and EL3, so there is no
check of arm_current_el().
When FEAT_RNG_TRAP is implemented without FEAT_RNG, an RNDR/RNDRRS read
with SCR_EL3.TRNDR=0 should UNDEF rather than succeed; handle that case
in access_rndr(). Register the rndr_reginfo CP reg entries whenever either
FEAT_RNG or FEAT_RNG_TRAP is implemented, so the accessfn fires even on a
FEAT_RNG_TRAP-only CPU.
When SCR_EL3.TRNDR is set, ID_AA64ISAR0_EL1.RNDR reads as 1 regardless
of whether FEAT_RNG is implemented; give ID_AA64ISAR0_EL1 a readfn so it
reports this at runtime, as we already do for ID_AA64PFR0_EL1.
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wright <wrigjl@proton.me>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Tue, 5 May 2026 18:51:57 +0000 (19:51 +0100)]
hw/net/rocker_of_dpa: Avoid unaligned accesses in _of_dpa_flow_match()
_of_dpa_flow_match() tries to do masked comparisons of OfDpaFlowkey
structs by casting pointers to them to uint64_t* and then doing the
memory accesses as 64-bit. This is undefined behaviour because the
pointers might not be 64-bit aligned, and the UB sanitizer spots this:
We do know that OfDpaFlowKey structs must be at least aligned enough
for uint32_t accesses, because that's the type of the first field.
Switch to using uint32_t accesses in the loop.
Because the "width" field is always set via the FLOW_KEY_WIDTH macro
and not exposed to the guest, we can adjust the macro to store the
number of uint32_t to be checked rather than needing to change the
loop boundary in the match function.
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
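The point of the fix above is that a struct whose first member is a uint32_t is only guaranteed 4-byte alignment, so reading it through a uint64_t* is undefined behaviour even when it happens to work on x86. The following is an added example for this page, not rocker code: ToyFlowKey, toy_flow_match() and match_at_offset() are invented names. It performs the masked word-by-word comparison with memcpy loads (which carry no alignment or aliasing assumption at all), stores the key width as a word count the way the commit's macro change does, and exercises the awkward case of keys that sit at a 4-byte but not 8-byte aligned address.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical flow key in the spirit of the one described above: a
 * uint32_t comes first, so the compiler only guarantees 4-byte alignment
 * for the struct, and 'width' counts the uint32_t words to compare. */
typedef struct {
    uint32_t width;
    uint32_t in_port;
    uint16_t eth_type;
    uint16_t vlan_id;
    uint8_t  eth_dst[6];
    uint8_t  pad[2];      /* explicit padding: the key is whole words */
} ToyFlowKey;

/* Word count, not byte count, so the loop below needs no conversion. */
#define TOY_KEY_WIDTH ((uint32_t)(sizeof(ToyFlowKey) / sizeof(uint32_t)))

/* Load word i through memcpy: no alignment or aliasing assumptions.
 * A (const uint32_t *) cast would also be valid here since the struct is
 * uint32_t-aligned; a (const uint64_t *) cast is the UB the fix removed. */
static uint32_t load_word(const void *base, size_t i)
{
    uint32_t w;
    memcpy(&w, (const unsigned char *)base + i * sizeof(w), sizeof(w));
    return w;
}

/* Masked match: for each word, (key & mask) == (pkt & mask). */
static bool toy_flow_match(const void *key, const void *mask, const void *pkt,
                           uint32_t width)
{
    for (size_t i = 0; i < width; i++) {
        uint32_t m = load_word(mask, i);
        if ((load_word(key, i) & m) != (load_word(pkt, i) & m)) {
            return false;
        }
    }
    return true;
}

/* Scenario: place key, mask and packet at byte offset 'off' inside 8-byte
 * aligned storage. off == 4 yields addresses that are 4- but not 8-byte
 * aligned, the case a uint64_t* loop would mis-handle or trap on.
 * The mask selects in_port and eth_type only. */
static bool match_at_offset(size_t off, uint32_t pkt_port, uint16_t pkt_vlan)
{
    uint64_t storage[3][(sizeof(ToyFlowKey) + 8) / 8 + 1];
    ToyFlowKey key = {0}, mask = {0}, pkt = {0};
    unsigned char *k = (unsigned char *)storage[0] + off;
    unsigned char *m = (unsigned char *)storage[1] + off;
    unsigned char *p = (unsigned char *)storage[2] + off;

    key.width = TOY_KEY_WIDTH; key.in_port = 3; key.eth_type = 0x0800; key.vlan_id = 100;
    mask.in_port = UINT32_MAX; mask.eth_type = 0xffff;   /* vlan_id, eth_dst ignored */
    pkt.in_port = pkt_port; pkt.eth_type = 0x0800; pkt.vlan_id = pkt_vlan;

    memcpy(k, &key, sizeof key);
    memcpy(m, &mask, sizeof mask);
    memcpy(p, &pkt, sizeof pkt);
    return toy_flow_match(k, m, p, load_word(k, 0));   /* width from the key itself */
}
```

Building with -fsanitize=undefined is how the original problem was spotted; the memcpy form is clean under it on every target, including strict-alignment hosts where the wide cast would fault at runtime rather than merely be undefined.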
Peter Maydell [Tue, 5 May 2026 18:51:56 +0000 (19:51 +0100)]
hw/net/rocker_of_dpa: Check group ID pointers are not NULL
In of_dpa_cmd_add_l2_flood(), we use rocker_tlv_parse_nested()
to fill in a tlvs[] array. If the guest command is valid then
the entries should be pointers to TLV data items with group IDs.
However, if the guest gives us bogus data then rocker_tlv_parse_nested()
indicates this by leaving the tlvs[] entries NULL. In the other
places that use this function, we check for this before using
the value, but here we forgot, and the result is that QEMU can
crash:
#0 __memcpy_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:331
#1 0x00005555574f7137 in __asan_memcpy ()
#2 0x0000555558106792 in ldl_he_p (ptr=0x8) at /home/pm215/qemu/include/qemu/bswap.h:278
#3 0x0000555558106755 in ldl_le_p (ptr=0x8) at /home/pm215/qemu/include/qemu/bswap.h:311
#4 0x00005555580f85ed in rocker_tlv_get_le32 (tlv=0x0) at ../../hw/net/rocker/rocker_tlv.h:114
#5 0x000055555810a8ad in of_dpa_cmd_add_l2_flood (of_dpa=0x506000082e38, group=0x503000b4e440, group_tlvs=0x7fff68702c20)
at ../../hw/net/rocker/rocker_of_dpa.c:2032
#6 0x0000555558108a74 in of_dpa_cmd_group_do (of_dpa=0x506000082e38, group_id=1073741824, group=0x503000b4e440, group_tlvs=0x7fff68702c20)
at ../../hw/net/rocker/rocker_of_dpa.c:2115
#7 0x0000555558108730 in of_dpa_cmd_group_add (of_dpa=0x506000082e38, group_id=1073741824, group_tlvs=0x7fff68702c20)
at ../../hw/net/rocker/rocker_of_dpa.c:2135
#8 0x00005555580f66ec in of_dpa_group_cmd
(of_dpa=0x506000082e38, info=0x514000072e40, buf=0x5070002356c0 "\001", cmd=7, group_tlvs=0x7fff68702c20)
at ../../hw/net/rocker/rocker_of_dpa.c:2194
Check for NULL values and return an error.
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/1851
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
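The general lesson of the fix above is that a nested-TLV parser which reports "attribute not present" by leaving a table slot NULL puts the burden on every consumer to test that slot before dereferencing, and a guest controls which attributes are present. The block below is an added example for this page, not rocker code: the TLV encoding (2-byte type, 2-byte total length, payload), the ATTR_* names and cmd_add_l2_flood() are invented. It shows the parse-into-table step, the NULL and length checks a consumer needs, and three constructed guest commands, including the truncated one that the parser rejects by leaving the slot NULL.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical nested-TLV layout for this example: 2-byte little-endian
 * type, 2-byte little-endian total length (header included), payload. */
enum { ATTR_GROUP_COUNT = 1, ATTR_GROUP_ID = 2, ATTR_MAX = 2 };
#define TLV_HDR_LEN 4

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Fill tlvs[type] with a pointer to each well-formed attribute found.
 * Attributes that are absent, out of range or truncated leave their slot
 * NULL: that NULL is the signal the consumer must check for. */
static void parse_nested(const uint8_t *buf, size_t size, const uint8_t *tlvs[ATTR_MAX + 1])
{
    size_t off = 0;

    memset(tlvs, 0, sizeof(tlvs[0]) * (ATTR_MAX + 1));
    while (off + TLV_HDR_LEN <= size) {
        uint16_t type = rd16(buf + off), len = rd16(buf + off + 2);
        if (len < TLV_HDR_LEN || len > size - off) break;   /* malformed: stop */
        if (type >= 1 && type <= ATTR_MAX) tlvs[type] = buf + off;
        off += len;
    }
}

static size_t tlv_payload_len(const uint8_t *tlv) { return rd16(tlv + 2) - TLV_HDR_LEN; }

/* Handler for an "add L2 flood group" style command. Returns the group id,
 * or -1 when the guest omitted or truncated a required attribute. The bug
 * class fixed above is dereferencing tlvs[ATTR_GROUP_ID] without the NULL
 * test on the line marked (*). */
static int64_t cmd_add_l2_flood(const uint8_t *buf, size_t size)
{
    const uint8_t *tlvs[ATTR_MAX + 1];

    parse_nested(buf, size, tlvs);
    if (!tlvs[ATTR_GROUP_COUNT] || !tlvs[ATTR_GROUP_ID]) return -1;   /* (*) */
    if (tlv_payload_len(tlvs[ATTR_GROUP_COUNT]) < 4 ||
        tlv_payload_len(tlvs[ATTR_GROUP_ID]) < 4) return -1;
    return rd32(tlvs[ATTR_GROUP_ID] + TLV_HDR_LEN);
}

/* Constructed guest commands for this example (not captured traffic). */
static int64_t sample_valid(void)
{
    static const uint8_t msg[] = { 1,0, 8,0, 1,0,0,0,        /* GROUP_COUNT = 1 */
                                   2,0, 8,0, 0,0,0,0x40 };   /* GROUP_ID = 0x40000000 */
    return cmd_add_l2_flood(msg, sizeof msg);
}
static int64_t sample_missing_id(void)
{
    static const uint8_t msg[] = { 1,0, 8,0, 1,0,0,0 };      /* GROUP_ID never sent */
    return cmd_add_l2_flood(msg, sizeof msg);
}
static int64_t sample_truncated_id(void)
{
    static const uint8_t msg[] = { 1,0, 8,0, 1,0,0,0,
                                   2,0, 8,0, 0,0 };          /* claims 8 bytes, has 6 */
    return cmd_add_l2_flood(msg, sizeof msg);
}
```

Without the line marked (*), sample_missing_id() would read a 32-bit value through a NULL-plus-header pointer, which is the ptr=0x8 seen in the ASan backtrace above.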
Alex Bennée [Tue, 26 May 2026 11:02:36 +0000 (12:02 +0100)]
gitlab: update issue template for binary test cases
Binary test cases are sketchy because they can be vectors for phishing
and other malware. Let's strongly hint that source-based tests are
preferred and binaries should have their provenance declared.
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20260526110243.470002-9-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Alex Bennée [Tue, 26 May 2026 11:02:34 +0000 (12:02 +0100)]
gitlab: add initial MacOS 15 on gitlab runner
The gitlab runners are currently in beta but available to projects on
the Premium and Ultimate plans (which QEMU is via the Open Source
program).
We install some compilers via brew so we can run some of the check-tcg
softmmu test cases.
We disable rust as the version is too old.
We disable plugins because we haven't taught the test harness about
.dylib vs .so yet.
There is a discrepancy between the vars and version of MacOS because
lcitool needs teaching about other versions (although I don't think it
matters as brew is shared across versions).
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-ID: <20260526110243.470002-7-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Alex Bennée [Tue, 26 May 2026 11:02:32 +0000 (12:02 +0100)]
accel/tcg: move jit thread manipulation into do_tb_phys_invalidate
To invalidate a TB on MacOS we need to enable write access to the JIT
buffer. We were doing this for tb_phys_invalidate__locked but that is
not the only path into do_tb_phys_invalidate. Move the manipulation
into the shared function that does the work.
As a result we can drop the tb_phys_invalidate__locked function and
update the calls directly.
This enables watchpoints to work in MacOS TCG guests.
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3444
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260526110243.470002-5-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Alex Bennée [Tue, 26 May 2026 11:02:31 +0000 (12:02 +0100)]
tests/Makefile.include: add binary dependency to run-tcg-tests-% rules
Explicitly set the appropriate QEMU binary as a dependency so we can
ensure they get built. This is especially important for MacOS which
otherwise only builds the unsigned binaries on a normal "make all"
run.
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-ID: <20260526110243.470002-4-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Andrew Jones <andrew.jones@oss.qualcomm.com>
Message-Id: <20260528083920.33105-1-philmd@linaro.org>
Peter Maydell [Thu, 21 May 2026 18:08:54 +0000 (19:08 +0100)]
target/arm: SME BFCVT, BFCVTN have "Alternate BFloat16 behaviors"
The Arm ARM A1.5.10 notes that some instructions have "Alternate
Bfloat16 behaviors" when FPCR.AH == 1. We implement these using the
FPST_AH and FPST_AH_F16 fp_status words. The list includes the SME
BFCVT (single-precision to BFloat16) and BFCVTN, but we forgot to
make those use FPST_AH_F16 when we implemented them. (We get the
ASIMD and SVE insns on the list right.)
Peter Maydell [Thu, 28 May 2026 16:24:12 +0000 (17:24 +0100)]
target/arm: Don't assert if 64-bit EL2 AT insn sees a Domain fault
The Domain fault type can only happen for 32-bit short-format
descriptors. This means that it almost never needs to be encoded in
a long-format fault status code. However, there is one corner case
where we do need to report it as a long-format FSC: if a 64-bit EL2
does an AT insn on an AArch32 EL1&0 translation regime that is using
short-descriptors and that translation operation hits a Domain fault,
then this is reported in the PAR_EL1 in long-format.
The PAR_EL1 register description defines that this should be reported
as 0b111101 for a level 1 Domain fault or 0b111110 for a level 2
Domain fault.
The Arm ARM pseudocode special cases this in the function
AArch64_PARFaultStatus() (because no other "fault to LFSC" code path
can be a Domain fault). For QEMU, implement it in arm_fi_to_lfsc().
Cc: qemu-stable@nongnu.org
Fixes: 1fa498fe0de97 ("target/arm: Provide fault type enum and FSR conversion functions")
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3512
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260526174155.2491217-1-peter.maydell@linaro.org
Quan Sun [Fri, 22 May 2026 20:18:50 +0000 (13:18 -0700)]
meson: fix close_range detection on older glibc
The has_function('close_range') check succeeds at link time on hosts
with kernel >= 5.9 even when glibc does not declare the function
(glibc < 2.34, e.g. AlmaLinux 8 / CentOS 8 with glibc 2.28). This
causes CONFIG_CLOSE_RANGE to be set, but compilation then fails with:
error: implicit declaration of function 'close_range'
Fix by adding a prefix that includes <unistd.h>, so the meson check
only succeeds when the C library actually declares close_range() in
its headers.
Signed-off-by: Quan Sun <Quan.Sun@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260522201850.1342167-1-Quan.Sun@windriver.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Thomas Huth [Mon, 18 May 2026 13:40:20 +0000 (15:40 +0200)]
system/qtest: Fix length parameter in the b64write code
The b64write code has a sanity check that the given length matches
the real length of the given data, and calculates the minimum of the
two values to be on the safe side. However, the address_space_write()
then uses the original value and ignores the calculated minimum. Use
out_len here to fix the problem.
Fixes: 70da30483e7 ("qtest: Use cpu address space instead of system memory")
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Message-ID: <20260518134020.1420932-1-thuth@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
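The defect described above is a classic "bound computed but not used": the caller-supplied length and the actual decoded length are reconciled into a minimum, and then the write goes ahead with the unreconciled value. The following is an added example for this page, not QEMU's qtest code: guest_mem, toy_b64write() and the tiny base64 decoder are invented for it. It shows the clamp being applied to the write itself and what the three disagreeing cases (length equal to, larger than, and smaller than the decoded data) produce.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy guest memory and a toy b64write in the shape described above.
 * Not QEMU's qtest code; names and sizes are invented for the example. */
#define GUEST_MEM_SIZE 64
static uint8_t guest_mem[GUEST_MEM_SIZE];

static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Minimal base64 decoder: returns bytes produced (at most out_cap), or
 * (size_t)-1 on an illegal character. Stops at '=' padding. */
static size_t b64_decode(const char *in, uint8_t *out, size_t out_cap)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;

    for (; *in && *in != '='; in++) {
        int v = b64_value(*in);
        if (v < 0) return (size_t)-1;
        acc = ((acc << 6) | (uint32_t)v) & 0xffffff;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n == out_cap) return n;
            out[n++] = (uint8_t)(acc >> bits);
        }
    }
    return n;
}

/* The caller supplies both a byte count and base64 data; they may disagree
 * (a buggy or hostile test client). Decode, clamp to the smaller of the two,
 * and then use THAT value for the write. Passing the caller's 'len' to the
 * write after computing the clamp is the defect the commit fixes.
 * Returns bytes written, or -1 on error. */
static long toy_b64write(size_t addr, size_t len, const char *b64)
{
    uint8_t data[GUEST_MEM_SIZE];
    size_t decoded = b64_decode(b64, data, sizeof data);
    size_t out_len;

    if (decoded == (size_t)-1) return -1;
    out_len = len < decoded ? len : decoded;             /* sanity clamp */
    if (addr > GUEST_MEM_SIZE || out_len > GUEST_MEM_SIZE - addr) return -1;
    memcpy(guest_mem + addr, data, out_len);              /* out_len, not len */
    return (long)out_len;
}

/* Inspect guest memory for the checks below. */
static bool guest_mem_equals(size_t addr, const char *expect)
{
    size_t n = strlen(expect);
    return addr + n <= GUEST_MEM_SIZE && memcmp(guest_mem + addr, expect, n) == 0;
}
```

The overstated-length case is the dangerous one: with len used instead of out_len, the write would copy bytes from past the end of the decoded data into guest memory.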
Thomas Huth [Mon, 18 May 2026 11:45:14 +0000 (13:45 +0200)]
system/vl: Free allocated memory for pid file name in case realpath() failed
In case realpath() fails, the code returns early in the function
qemu_maybe_daemonize(), without freeing the allocated memory. Add
a g_free() here to fix it.
And while we're at it, also free the memory in the qemu_unlink_pidfile()
function - it's not that important since QEMU is going to terminate anyway,
but some malloc sanitizers might still complain if we don't free it.
Fixes: dee2a4d4d2f ("vl: defuse PID file path resolve error")
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Fiona Ebner <f.ebner@proxmox.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260518114514.684401-1-thuth@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>