Branch: refs/heads/staging-10.0
Home: https://github.com/qemu/qemu

Commit: cae6ddfd7e6297d728ab6678d69e721fc38d345d
    https://github.com/qemu/qemu/commit/cae6ddfd7e6297d728ab6678d69e721fc38d345d
Author: Mark Cave-Ayland <mark.cave-ayl...@ilande.co.uk>
Date: 2025-07-12 (Sat, 12 Jul 2025)
Changed paths:
  M target/i386/tcg/translate.c

Log Message:
-----------
target/i386: fix TB exit logic in gen_movl_seg() when writing to SS

Before commit e54ef98c8a ("target/i386: do not trigger IRQ shadow for LSS"), any write to SS in gen_movl_seg() would cause a TB exit. The changes introduced by this commit were intended to restrict the DISAS_EOB_INHIBIT_IRQ exit to the case where inhibit_irq is true, but missed that a DISAS_EOB_NEXT exit can still be required when writing to SS and inhibit_irq is false.

Comparing the PE(s) && !VM86(s) section with the logic in x86_update_hflags(), we can see that the DISAS_EOB_NEXT exit is still required for the !CODE32 case when writing to SS in gen_movl_seg() because any change to the SS flags can affect hflags. Similarly we can see that the existing CODE32 case is still correct since a change to any of DS, ES and SS can affect hflags. Finally for the gen_op_movl_seg_real() case an explicit TB exit is not needed because the segment register selector does not affect hflags.

Update the logic in gen_movl_seg() so that a write to SS with inhibit_irq set to false where PE(s) && !VM86(s) will generate a DISAS_EOB_NEXT exit along with the inline comment. This has the effect of allowing Win98SE to boot in QEMU once again.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayl...@ilande.co.uk>
Fixes: e54ef98c8a ("target/i386: do not trigger IRQ shadow for LSS")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2987
Link: https://lore.kernel.org/r/20250611130315.383151-1-mark.cave-ayl...@ilande.co.uk
Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
(cherry picked from commit 0f1d6606c28d0ae81a1b311972c5c54e5e867bf0)
Fixes: 0f1d6606c2 ("target/i386: do not trigger IRQ shadow for LSS" in 10.0.x)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: fe000c4648b37782f4981fc386fec670304404a9
    https://github.com/qemu/qemu/commit/fe000c4648b37782f4981fc386fec670304404a9
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2025-07-13 (Sun, 13 Jul 2025)
Changed paths:
  M target/arm/tcg/helper-a64.c

Log Message:
-----------
target/arm: Don't enforce NSE,NS check for EL3->EL3 returns

In the Arm ARM, rule R_TYTWB that defines illegal exception return cases includes the case:

  If FEAT_RME is implemented, then if SCR_EL3.{NSE, NS} is {1, 0}, an exception return from EL3 to a lower Exception level

Our implementation of this check fails to check that the return is to a lower exception level, so it will incorrectly fire on EL3->EL3 exception returns.

Fix the check condition. This requires us to move it further down in the function to a point where we know the new_el value.

Fixes: 35aa6715ddcd9 ("target/arm: Catch illegal-exception-return from EL3 with bad NSE/NS")
Cc: qemu-sta...@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3016
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Message-id: 20250704165636.261888-1-peter.mayd...@linaro.org
(cherry picked from commit c563cd7e61d074f58eef413322144461dd243716)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: 676bc0f4a726627598e6f1d5979ee863191b54ba
    https://github.com/qemu/qemu/commit/676bc0f4a726627598e6f1d5979ee863191b54ba
Author: Bernhard Beschow <shen...@gmail.com>
Date: 2025-07-13 (Sun, 13 Jul 2025)
Changed paths:
  M hw/arm/fsl-imx8mp.c

Log Message:
-----------
hw/arm/fsl-imx8mp: Wire VIRQ and VFIQ

Allows running KVM guests inside the imx8mp-evk machine.

Fixes: a4eefc69b237 ("hw/arm: Add i.MX 8M Plus EVK board")
CC: qemu-stable
Signed-off-by: Bernhard Beschow <shen...@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
(cherry picked from commit 930180f3b9a292639eb894f1ca846683834ed4b7)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: 1714828a56f150327cc05b242cabba4c3f891677
    https://github.com/qemu/qemu/commit/1714828a56f150327cc05b242cabba4c3f891677
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2025-07-13 (Sun, 13 Jul 2025)
Changed paths:
  M linux-user/syscall.c

Log Message:
-----------
linux-user: Implement fchmodat2 syscall

The fchmodat2 syscall is new from Linux 6.6; it is like the existing fchmodat syscall except that it takes a flags parameter.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3019
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
Message-ID: <20250710113123.1109461-1-peter.mayd...@linaro.org>
(cherry picked from commit 6a3e132a1be8c9e649967a4eb341d00731be7f51)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: 1759558915c5052f560737061ca6333a16a924f5
    https://github.com/qemu/qemu/commit/1759558915c5052f560737061ca6333a16a924f5
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2025-07-13 (Sun, 13 Jul 2025)
Changed paths:
  M linux-user/syscall.c

Log Message:
-----------
linux-user: Check for EFAULT failure in nanosleep

target_to_host_timespec() returns an error if the memory the guest passed us isn't actually readable. We check for this everywhere except the callsite in the TARGET_NR_nanosleep case, so this mistake was caught by a Coverity heuristic. Add the missing error checks to the calls that convert between the host and target timespec structs.

Coverity: CID 1507104
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
Message-ID: <20250710164355.1296648-1-peter.mayd...@linaro.org>
(cherry picked from commit c4828cb8502d0b2adc39b9cde93df7d2886df897)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: a4e31f5d8ec90a16a250fc39d807f79ce9d99760
    https://github.com/qemu/qemu/commit/a4e31f5d8ec90a16a250fc39d807f79ce9d99760
Author: Geoffrey Thomas <geo...@ldpreload.com>
Date: 2025-07-13 (Sun, 13 Jul 2025)
Changed paths:
  M linux-user/fd-trans.h
  M linux-user/main.c

Log Message:
-----------
linux-user: Hold the fd-trans lock across fork

If another thread is holding target_fd_trans_lock during a fork, then the lock becomes permanently locked in the child and the emulator deadlocks at the next interaction with the fd-trans table. As with other locks, acquire the lock in fork_start() and release it in fork_end().

Cc: qemu-sta...@nongnu.org
Signed-off-by: Geoffrey Thomas <geo...@ldpreload.com>
Fixes: c093364f4d91 "fd-trans: Fix race condition on reallocation of the translation table."
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2846
Buglink: https://github.com/astral-sh/uv/issues/6105
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
Message-ID: <20250314124742.4965-1-geo...@ldpreload.com>
(cherry picked from commit e4e839b2eeea5745c48ce47144c7842eb7cd455f)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: b4ead907261c0a7228e43feb087c3b543da3620f
    https://github.com/qemu/qemu/commit/b4ead907261c0a7228e43feb087c3b543da3620f
Author: Chaney, Ben <bcha...@akamai.com>
Date: 2025-07-13 (Sun, 13 Jul 2025)
Changed paths:
  M migration/ram.c

Log Message:
-----------
migration: Don't sync volatile memory after migration completes

Syncing volatile memory provides no benefit; instead, it can cause performance issues in some cases. Only sync memory that is marked as non-volatile after migration completes on destination.

Signed-off-by: Ben Chaney <bcha...@akamai.com>
Fixes: bd108a44bc29 (migration: ram: Switch to ram block writeback)
Link: https://lore.kernel.org/r/1cc43f59-336f-4a12-84ad-db89e0a17...@akamai.com
Signed-off-by: Peter Xu <pet...@redhat.com>
(cherry picked from commit 983899eab4939dc4dff67fa4d822c5b4df7eae21)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: c49db93c360762587daf67a274a17749bc60ebe1
    https://github.com/qemu/qemu/commit/c49db93c360762587daf67a274a17749bc60ebe1
Author: Peter Maydell <peter.mayd...@linaro.org>
Date: 2025-07-13 (Sun, 13 Jul 2025)
Changed paths:
  M linux-user/syscall.c

Log Message:
-----------
linux-user: Use qemu_set_cloexec() to mark pidfd as FD_CLOEXEC

In the linux-user do_fork() function we try to set the FD_CLOEXEC flag on a pidfd like this:

  fcntl(pid_fd, F_SETFD, fcntl(pid_fd, F_GETFL) | FD_CLOEXEC);

This has two problems:
 (1) it doesn't check errors, which Coverity complains about
 (2) we use F_GETFL when we mean F_GETFD

Deal with both of these problems by using qemu_set_cloexec() instead. That function will assert() if the fcntls fail, which is fine (we are inside fork_start()/fork_end() so we know nothing can mess around with our file descriptors here, and we just got this one from pidfd_open()).

(As we are touching the if() statement here, we correct the indentation.)

Coverity: CID 1508111
Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
Reviewed-by: Richard Henderson <richard.hender...@linaro.org>
Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>
Signed-off-by: Richard Henderson <richard.hender...@linaro.org>
Message-ID: <20250711141217.1429412-1-peter.mayd...@linaro.org>
(cherry picked from commit d6390204c61e148488f034d1f79be35cd3318d93)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: a655b6548fe2196031a3f325c5a4df7df65ff4cd
    https://github.com/qemu/qemu/commit/a655b6548fe2196031a3f325c5a4df7df65ff4cd
Author: Thomas Huth <th...@redhat.com>
Date: 2025-07-15 (Tue, 15 Jul 2025)
Changed paths:
  M accel/kvm/kvm-all.c

Log Message:
-----------
accel/kvm: Adjust the note about the minimum required kernel version

Since commit 126e7f78036 ("kvm: require KVM_CAP_IOEVENTFD and KVM_CAP_IOEVENTFD_ANY_LENGTH") we require at least kernel 4.5 to be able to use KVM. Adjust the upgrade_note accordingly. While we're at it, remove the text about kvm-kmod and the SourceForge URL since this is not actively maintained anymore.

Fixes: 126e7f78036 ("kvm: require KVM_CAP_IOEVENTFD and KVM_CAP_IOEVENTFD_ANY_LENGTH")
Signed-off-by: Thomas Huth <th...@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Reviewed-by: Michael Tokarev <m...@tls.msk.ru>
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>
(cherry picked from commit f180e367fce44b336105a11a62edf9610b6b2a06)


Commit: 6624ff39720c954081706822da15bc806ea4c318
    https://github.com/qemu/qemu/commit/6624ff39720c954081706822da15bc806ea4c318
Author: Anastasia Belova <nabelov...@gmail.com>
Date: 2025-07-15 (Tue, 15 Jul 2025)
Changed paths:
  M net/af-xdp.c

Log Message:
-----------
net: fix buffer overflow in af_xdp_umem_create()

s->pool has n_descs elements, so the maximum i should be n_descs - 1. Fix the upper bound.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: cb039ef3d9 ("net: add initial support for AF_XDP network backend")
Cc: qemu-sta...@nongnu.org
Reviewed-by: Ilya Maximets <i.maxim...@ovn.org>
Signed-off-by: Anastasia Belova <nabelov...@gmail.com>
Signed-off-by: Jason Wang <jasow...@redhat.com>
(cherry picked from commit 110d0fa2d4d1f754242f6775baec43776a9adb35)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: f272f318c02a4e41a91f1c87d677c44427a2ed89
    https://github.com/qemu/qemu/commit/f272f318c02a4e41a91f1c87d677c44427a2ed89
Author: Akihiko Odaki <akihiko.od...@daynix.com>
Date: 2025-07-15 (Tue, 15 Jul 2025)
Changed paths:
  M hw/net/virtio-net.c
  M hw/virtio/virtio.c
  M include/hw/virtio/virtio.h

Log Message:
-----------
virtio-net: Add queues for RSS during migration

virtio_net_pre_load_queues() inspects vdev->guest_features to tell if VIRTIO_NET_F_RSS or VIRTIO_NET_F_MQ is enabled to infer the required number of queues. This works for VIRTIO_NET_F_MQ but it doesn't for VIRTIO_NET_F_RSS because only the lowest 32 bits of vdev->guest_features are set at that point, and VIRTIO_NET_F_RSS uses bit 60 while VIRTIO_NET_F_MQ uses bit 22.

Instead of inferring the required number of queues from vdev->guest_features, use the number loaded from the vm state. This change also has the nice side effect of removing a duplicate peer queue pair change by circumventing virtio_net_set_multiqueue().

Also update the comment in include/hw/virtio/virtio.h to prevent an implementation of pre_load_queues() from referring to any fields being loaded during migration by accident in the future.

Fixes: 8c49756825da ("virtio-net: Add only one queue pair when realizing")
Tested-by: Lei Yang <leiy...@redhat.com>
Cc: qemu-sta...@nongnu.org
Signed-off-by: Akihiko Odaki <akihiko.od...@daynix.com>
Signed-off-by: Jason Wang <jasow...@redhat.com>
(cherry picked from commit adda0ad56bd28d5a809051cbd190fda5798ec4e4)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: 10a9eedc2049ae977aadd77c973ef4f8522b01a2
    https://github.com/qemu/qemu/commit/10a9eedc2049ae977aadd77c973ef4f8522b01a2
Author: Alejandro Jimenez <alejandro.j.jime...@oracle.com>
Date: 2025-07-17 (Thu, 17 Jul 2025)
Changed paths:
  M hw/i386/amd_iommu.h

Log Message:
-----------
amd_iommu: Fix Miscellaneous Information Register 0 encoding

The definitions encoding the maximum Virtual, Physical, and Guest Virtual Address sizes supported by the IOMMU are using incorrect offsets, i.e. the VASize and GVASize offsets are switched. The value in the GVAsize field is also modified, since it was incorrectly encoded.

Cc: qemu-sta...@nongnu.org
Fixes: d29a09ca6842 ("hw/i386: Introduce AMD IOMMU")
Co-developed-by: Ethan MILON <ethan.mi...@eviden.com>
Signed-off-by: Ethan MILON <ethan.mi...@eviden.com>
Signed-off-by: Alejandro Jimenez <alejandro.j.jime...@oracle.com>
Message-Id: <20250617150427.20585-2-alejandro.j.jime...@oracle.com>
Reviewed-by: Vasant Hegde <vasant.he...@amd.com>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
(cherry picked from commit 091c7d7924f33781c2fb8e7297dc54971e0c3785)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: 1ca9d2e0c2916174e50e6dd9fdce783ff1f33bdb
    https://github.com/qemu/qemu/commit/1ca9d2e0c2916174e50e6dd9fdce783ff1f33bdb
Author: Alejandro Jimenez <alejandro.j.jime...@oracle.com>
Date: 2025-07-17 (Thu, 17 Jul 2025)
Changed paths:
  M hw/i386/amd_iommu.c

Log Message:
-----------
amd_iommu: Fix Device ID decoding for INVALIDATE_IOTLB_PAGES command

The DeviceID bits are extracted using an incorrect offset in the call to amdvi_iotlb_remove_page(). This field is read (correctly) earlier, so use the value already retrieved for devid.

Cc: qemu-sta...@nongnu.org
Fixes: d29a09ca6842 ("hw/i386: Introduce AMD IOMMU")
Signed-off-by: Alejandro Jimenez <alejandro.j.jime...@oracle.com>
Reviewed-by: Vasant Hegde <vasant.he...@amd.com>
Message-Id: <20250617150427.20585-3-alejandro.j.jime...@oracle.com>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
(cherry picked from commit c63b8d1425ba8b3b08ee4f7346457fd8a7f12a24)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: d1ea4a1b0effc5f6658688bc7a5c17a245b78fb5
    https://github.com/qemu/qemu/commit/d1ea4a1b0effc5f6658688bc7a5c17a245b78fb5
Author: Alejandro Jimenez <alejandro.j.jime...@oracle.com>
Date: 2025-07-17 (Thu, 17 Jul 2025)
Changed paths:
  M hw/i386/amd_iommu.c
  M hw/i386/amd_iommu.h

Log Message:
-----------
amd_iommu: Update bitmasks representing DTE reserved fields

The DTE validation method verifies that all bits in reserved DTE fields are unset. Update them according to the latest definition available in AMD I/O Virtualization Technology (IOMMU) Specification - Section 2.2.2.1 Device Table Entry Format.

Remove the magic numbers and use a macro helper to generate bitmasks covering the specified ranges for better legibility.

Note that some reserved fields specify that events are generated when they contain non-zero bits, or checks are skipped under certain configurations. This change only updates the reserved masks; checks for special conditions are not yet implemented.

Cc: qemu-sta...@nongnu.org
Signed-off-by: Alejandro Jimenez <alejandro.j.jime...@oracle.com>
Reviewed-by: Vasant Hegde <vasant.he...@amd.com>
Message-Id: <20250617150427.20585-4-alejandro.j.jime...@oracle.com>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
(cherry picked from commit ff3dcb3bf652912466dcc1cd10d3267f185c212e)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: caaa64850876a71c46ba0a3c9f5925e8cc49c600
    https://github.com/qemu/qemu/commit/caaa64850876a71c46ba0a3c9f5925e8cc49c600
Author: Alejandro Jimenez <alejandro.j.jime...@oracle.com>
Date: 2025-07-17 (Thu, 17 Jul 2025)
Changed paths:
  M hw/i386/amd_iommu.h

Log Message:
-----------
amd_iommu: Fix masks for various IOMMU MMIO Registers

Address various issues with definitions of the MMIO registers, e.g. for the Device Table Address Register, the size mask currently encompasses reserved bits [11:9], so change it to only extract the bits [8:0] encoding size.

Convert masks to use GENMASK64 for consistency, and make unrelated definitions independent.

Cc: qemu-sta...@nongnu.org
Fixes: d29a09ca6842 ("hw/i386: Introduce AMD IOMMU")
Signed-off-by: Alejandro Jimenez <alejandro.j.jime...@oracle.com>
Reviewed-by: Vasant Hegde <vasant.he...@amd.com>
Message-Id: <20250617150427.20585-5-alejandro.j.jime...@oracle.com>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
(cherry picked from commit 108e10ff69099c3ebe147f505246be7c2ad2a499)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: 18e70a46c3171feac4f80a6a3d4748a519160616
    https://github.com/qemu/qemu/commit/18e70a46c3171feac4f80a6a3d4748a519160616
Author: Alejandro Jimenez <alejandro.j.jime...@oracle.com>
Date: 2025-07-17 (Thu, 17 Jul 2025)
Changed paths:
  M hw/i386/amd_iommu.h

Log Message:
-----------
amd_iommu: Fix mask to retrieve Interrupt Table Root Pointer from DTE

Fix an off-by-one error in the definition of AMDVI_IR_PHYS_ADDR_MASK. The current definition masks off the most significant bit of the Interrupt Table Root ptr, i.e. it only generates a mask with bits [50:6] set. See the AMD I/O Virtualization Technology (IOMMU) Specification for the Interrupt Table Root Pointer[51:6] field in the Device Table Entry format.

Cc: qemu-sta...@nongnu.org
Fixes: b44159fe0078 ("x86_iommu/amd: Add interrupt remap support when VAPIC is not enabled")
Signed-off-by: Alejandro Jimenez <alejandro.j.jime...@oracle.com>
Reviewed-by: Vasant Hegde <vasant.he...@amd.com>
Message-Id: <20250617150427.20585-6-alejandro.j.jime...@oracle.com>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
(cherry picked from commit 123cf4bdd378f746dfa2f5415ba084148dded3e3)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: 90c635c926c13187aa13575af489dd76de737341
    https://github.com/qemu/qemu/commit/90c635c926c13187aa13575af489dd76de737341
Author: Alejandro Jimenez <alejandro.j.jime...@oracle.com>
Date: 2025-07-17 (Thu, 17 Jul 2025)
Changed paths:
  M hw/i386/amd_iommu.c

Log Message:
-----------
amd_iommu: Fix the calculation for Device Table size

Correctly calculate the Device Table size using the format encoded in the Device Table Base Address Register (MMIO Offset 0000h).

Cc: qemu-sta...@nongnu.org
Fixes: d29a09ca6842 ("hw/i386: Introduce AMD IOMMU")
Signed-off-by: Alejandro Jimenez <alejandro.j.jime...@oracle.com>
Reviewed-by: Vasant Hegde <vasant.he...@amd.com>
Message-Id: <20250617150427.20585-7-alejandro.j.jime...@oracle.com>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
(cherry picked from commit 67d3077ee403472d45794399e97c9f329242fce9)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: fc1ad5124f5407437d0720fc51db6d88013add1a
    https://github.com/qemu/qemu/commit/fc1ad5124f5407437d0720fc51db6d88013add1a
Author: Alejandro Jimenez <alejandro.j.jime...@oracle.com>
Date: 2025-07-17 (Thu, 17 Jul 2025)
Changed paths:
  M hw/i386/amd_iommu.h

Log Message:
-----------
amd_iommu: Remove duplicated definitions

No functional change.

Signed-off-by: Alejandro Jimenez <alejandro.j.jime...@oracle.com>
Reviewed-by: Vasant Hegde <vasant.he...@amd.com>
Message-Id: <20250617150427.20585-8-alejandro.j.jime...@oracle.com>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
(cherry picked from commit 5959b641c98b5ae9677e2c1d89902dac31b344d9)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: 787a817cd5691802d9ad69aa1bd969df615b47a9
    https://github.com/qemu/qemu/commit/787a817cd5691802d9ad69aa1bd969df615b47a9
Author: Ethan Milon <ethan.mi...@eviden.com>
Date: 2025-07-17 (Thu, 17 Jul 2025)
Changed paths:
  M hw/i386/amd_iommu.c

Log Message:
-----------
amd_iommu: Fix truncation of oldval in amdvi_writeq

The variable `oldval` was incorrectly declared as a 32-bit `uint32_t`. This could lead to truncation and incorrect behavior where the upper read-only 32 bits are significant.

Fix the type of `oldval` to match the return type of `ldq_le_p()`.

Cc: qemu-sta...@nongnu.org
Fixes: d29a09ca6842 ("hw/i386: Introduce AMD IOMMU")
Signed-off-by: Ethan Milon <ethan.mi...@eviden.com>
Message-Id: <20250617150427.20585-9-alejandro.j.jime...@oracle.com>
Reviewed-by: Vasant Hegde <vasant.he...@amd.com>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
(cherry picked from commit 5788929e05e18ed5f76dc8ade4210f022c9ba5a1)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: e50ca171e2889ef2653bbf566caf9263ed3b970a
    https://github.com/qemu/qemu/commit/e50ca171e2889ef2653bbf566caf9263ed3b970a
Author: Kevin Wolf <kw...@redhat.com>
Date: 2025-07-17 (Thu, 17 Jul 2025)
Changed paths:
  M block/file-posix.c

Log Message:
-----------
file-posix: Fix aio=threads performance regression after enabling FUA

For aio=threads, we're currently not implementing REQ_FUA in any useful way, but just do a separate raw_co_flush_to_disk() call. This changes behaviour compared to the old state, which used bdrv_co_flush() with its optimisations.

As a quick fix, call bdrv_co_flush() again like before. Eventually, we can use pwritev2() to make use of RWF_DSYNC if available, but we'll still have to keep this code path as a fallback, so this fix is required either way.

While the fix itself is a one-liner, some new graph locking annotations are needed to convince TSA that the locking is correct.

Cc: qemu-sta...@nongnu.org
Fixes: 984a32f17e8d ("file-posix: Support FUA writes")
Buglink: https://issues.redhat.com/browse/RHEL-96854
Reported-by: Tingting Mao <ti...@redhat.com>
Signed-off-by: Kevin Wolf <kw...@redhat.com>
Message-ID: <20250625085019.27735-1-kw...@redhat.com>
Reviewed-by: Eric Blake <ebl...@redhat.com>
Signed-off-by: Kevin Wolf <kw...@redhat.com>
(cherry picked from commit d402da1360c2240e81f0e5fc80ddbfc6238e0da8)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: 2533500b4a0fa32737c90852103593f07fceeebf
    https://github.com/qemu/qemu/commit/2533500b4a0fa32737c90852103593f07fceeebf
Author: Cole Robinson <crobi...@redhat.com>
Date: 2025-07-17 (Thu, 17 Jul 2025)
Changed paths:
  M pc-bios/hppa-firmware.img
  M pc-bios/hppa-firmware64.img

Log Message:
-----------
roms: re-remove execute bit from hppa-firmware*

This was fixed in c9d77526bddba0803a1fa982fb59ec98057150f9 for 9.2.0 but regressed in db34be329162cf6b06192703065e6c1010dbe3c5 in 10.0.0.

When the bit is present, rpmbuild complains about missing ELF build-id.

Signed-off-by: Cole Robinson <crobi...@redhat.com>
Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>
Acked-by: Helge Deller <del...@gmx.de>
Message-ID: <52d0edfbb9b2f63a866f0065a721f3a95da6f8ba.1747590860.git.crobi...@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <phi...@linaro.org>
(cherry picked from commit a598090ebaeb930ce33c2df0d80d87da13be8848)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: 12e88c0c6c9448ab383258f1e477c211cf407350
    https://github.com/qemu/qemu/commit/12e88c0c6c9448ab383258f1e477c211cf407350
Author: David Hildenbrand <da...@redhat.com>
Date: 2025-07-17 (Thu, 17 Jul 2025)
Changed paths:
  M hw/virtio/vhost.c

Log Message:
-----------
vhost: Fix used memslot tracking when destroying a vhost device

When we unplug a vhost device, we end up calling vhost_dev_cleanup() where we do a memory_listener_unregister(). This memory_listener_unregister() call will end up disconnecting the listener from the address space through listener_del_address_space(). In that process, we effectively communicate the removal of all memory regions from that listener, resulting in region_del() + commit() callbacks getting triggered.

So in case of vhost, we end up calling vhost_commit() with no remaining memory slots (0). In vhost_commit() we end up overwriting the global variables used_memslots / used_shared_memslots, used for detecting the number of free memslots.

With used_memslots / used_shared_memslots set to 0 by vhost_commit() during device removal, we'll later assume that the other vhost devices still have plenty of memslots left when calling vhost_get_free_memslots().

Let's fix it by simply removing the global variables and depending only on the actual per-device count.

Easy to reproduce by adding two vhost-user devices to a VM and then hot-unplugging one of them.

While at it, detect unexpected underflows in vhost_get_free_memslots() and issue a warning.

Reported-by: yuanminghao <yuanm...@chinatelecom.cn>
Link: https://lore.kernel.org/qemu-devel/20241121060755.164310-1-yuanm...@chinatelecom.cn/
Fixes: 2ce68e4cf5be ("vhost: add vhost_has_free_slot() interface")
Cc: Igor Mammedov <imamm...@redhat.com>
Cc: Michael S. Tsirkin <m...@redhat.com>
Cc: Stefano Garzarella <sgarz...@redhat.com>
Signed-off-by: David Hildenbrand <da...@redhat.com>
Message-Id: <20250603111336.1858888-1-da...@redhat.com>
Reviewed-by: Igor Mammedov <imamm...@redhat.com>
Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
(cherry picked from commit 9f749129e2629b19f424df106c92c5a5647e396c)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: 2df7954daa523748e1067713d52a6baa334d3dc6
    https://github.com/qemu/qemu/commit/2df7954daa523748e1067713d52a6baa334d3dc6
Author: Akihiko Odaki <od...@rsg.ci.i.u-tokyo.ac.jp>
Date: 2025-07-17 (Thu, 17 Jul 2025)
Changed paths:
  M ui/vnc-enc-zlib.c
  M ui/vnc.c
  M ui/vnc.h

Log Message:
-----------
ui/vnc: Do not copy z_stream

vnc_worker_thread_loop() copies the z_stream stored in its local VncState to the persistent VncState, and the copied one is freed with deflateEnd() later. However, deflateEnd() refuses to operate on a copied z_stream and returns Z_STREAM_ERROR, leaking the allocated memory.

Avoid copying the zlib state to fix the memory leak.

Fixes: bd023f953e5e ("vnc: threaded VNC server")
Signed-off-by: Akihiko Odaki <od...@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Marc-André Lureau <marcandre.lur...@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Message-Id: <20250603-zlib-v3-1-20b857bd8...@rsg.ci.i.u-tokyo.ac.jp>
(cherry picked from commit aef22331b5a4670f42638a5f63a26e93bf779aae)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: d0975531586742ec2eff8796b7ba93bc4858e63d
    https://github.com/qemu/qemu/commit/d0975531586742ec2eff8796b7ba93bc4858e63d
Author: Michael Tokarev <m...@tls.msk.ru>
Date: 2025-07-17 (Thu, 17 Jul 2025)
Changed paths:
  M target/i386/cpu.c

Log Message:
-----------
i386/cpu: Fix cpu number overflow in CPUID.01H.EBX[23:16]

The legacy topology enumerated by CPUID.1.EBX[23:16] is defined in SDM Vol2:

  Bits 23-16: Maximum number of addressable IDs for logical processors in this physical package.

When threads_per_socket > 255, it will 1) overwrite bits [31:24], which is apic_id, and 2) bits [23:16] get truncated. Specifically, if launching the VM with -smp 256, the value written to EBX[23:16] is 0 because of data overflow.

If the guest only supports legacy topology, without V2 Extended Topology enumerated by CPUID.0x1f or Extended Topology enumerated by CPUID.0x0b to support over 255 CPUs, the return of the kernel invoking cpu_smt_allowed() is false and APs (application processors) will fail to be brought up. Then only CPU 0 is online, and the others are offline.

For example, launch the VM via:

  qemu-system-x86_64 -M q35,accel=kvm,kernel-irqchip=split \
      -cpu qemu64,cpuid-0xb=off -smp 256 -m 32G \
      -drive file=guest.img,if=none,id=virtio-disk0,format=raw \
      -device virtio-blk-pci,drive=virtio-disk0,bootindex=1 --nographic

The guest shows:

  CPU(s):                  256
  On-line CPU(s) list:     0
  Off-line CPU(s) list:    1-255

To avoid this issue caused by overflow, limit the max value written to EBX[23:16] to 255 as the HW does.

Cc: qemu-sta...@nongnu.org
Reviewed-by: Xiaoyao Li <xiaoyao...@intel.com>
Signed-off-by: Qian Wen <qian....@intel.com>
Signed-off-by: Zhao Liu <zhao1....@intel.com>
Link: https://lore.kernel.org/r/20250714080859.1960104-6-zhao1....@intel.com
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
(cherry picked from commit a62fef58299562aae6667b8d8552247423e886b3)
(Mjt: fixup for 10.0.x series due to missing v10.0.0-2217-gf985a1195b "i386/cpu: Fix number of addressable IDs field for CPUID.01H.EBX[23:16]")
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: 18224789994e0276a626a4e4e5554695857bd998
    https://github.com/qemu/qemu/commit/18224789994e0276a626a4e4e5554695857bd998
Author: Qian Wen <qian....@intel.com>
Date: 2025-07-17 (Thu, 17 Jul 2025)
Changed paths:
  M target/i386/cpu.c

Log Message:
-----------
i386/cpu: Fix overflow of cache topology fields in CPUID.04H

According to the SDM, CPUID.0x4:EAX[31:26] indicates the Maximum number of addressable IDs for processor cores in the physical package. If we launch a VM with over 64 cores, the 6-bit field will overflow, and the wrong core_id number will be reported.

Since the HW reports 0x3f when the Intel processor has over 64 cores, limit the max value written to EAX[31:26] to 63, so max num_cores should be 64.

For EAX[14:25], though at present Q35 supports up to 4096 CPUs, by constructing a specific topology, the width of the APIC ID can be extended beyond 12 bits. For example, using `-smp threads=33,cores=9,modules=9` results in a die level offset of 6 + 4 + 4 = 14 bits, which can also cause overflow. Check and honor the maximum value for EAX[14:25] as well.

In addition, for the host-cache-info case, also apply the same checks and fixes.

Reviewed-by: Xiaoyao Li <xiaoyao...@intel.com>
Signed-off-by: Qian Wen <qian....@intel.com>
Signed-off-by: Zhao Liu <zhao1....@intel.com>
Link: https://lore.kernel.org/r/20250714080859.1960104-7-zhao1....@intel.com
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
(cherry picked from commit 3e86124e7cb9b66e07fb992667865a308f16fcf2)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Commit: 82517381c54d87985994ad597d274e3f2e18a484
    https://github.com/qemu/qemu/commit/82517381c54d87985994ad597d274e3f2e18a484
Author: Zhao Liu <zhao1....@intel.com>
Date: 2025-07-17 (Thu, 17 Jul 2025)
Changed paths:
  M target/i386/cpu.c

Log Message:
-----------
i386/cpu: Honor maximum value for CPUID.8000001DH.EAX[25:14]

CPUID.8000001DH:EAX[25:14] is "NumSharingCache", and the number of logical processors sharing this cache is the value of this field incremented by 1. Because of its width limitation, the maximum value currently supported is 4095.

Though at present Q35 supports up to 4096 CPUs, by constructing a specific topology, the width of the APIC ID can be extended beyond 12 bits. For example, using `-smp threads=33,cores=9,modules=9` results in a die level offset of 6 + 4 + 4 = 14 bits, which can also cause overflow.

Check and honor the maximum value as CPUID.04H did.

Cc: Babu Moger <babu.mo...@amd.com>
Signed-off-by: Zhao Liu <zhao1....@intel.com>
Link: https://lore.kernel.org/r/20250714080859.1960104-8-zhao1....@intel.com
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
(cherry picked from commit 5d21ee453ad8e3f95f75e542cb3b35c5bb7cf23a)
Signed-off-by: Michael Tokarev <m...@tls.msk.ru>


Compare: https://github.com/qemu/qemu/compare/005184da9d95...82517381c54d