Branch: refs/heads/stable-10.1
Home: https://github.com/qemu/qemu
Commit: a854320fde4061f3091a10a6dfd9365093bf8ba2
https://github.com/qemu/qemu/commit/a854320fde4061f3091a10a6dfd9365093bf8ba2
Author: Paolo Bonzini <[email protected]>
Date: 2025-08-29 (Fri, 29 Aug 2025)
Changed paths:
M python/scripts/mkvenv.py
Log Message:
-----------
python: mkvenv: fix messages printed by mkvenv
The new Matcher class does not have a __str__ implementation, and therefore
it prints the debugging representation of the internal object:
$ ../configure --enable-rust && make qemu-system-arm --enable-download
python determined to be '/usr/bin/python3'
python version: Python 3.13.6
mkvenv: Creating non-isolated virtual environment at 'pyvenv'
mkvenv: checking for LegacyMatcher('meson>=1.5.0')
mkvenv: checking for LegacyMatcher('pycotap>=1.1.0')
Add the method to print the nicer
mkvenv: checking for meson>=1.5.0
mkvenv: checking for pycotap>=1.1.0
Cc: [email protected]
Cc: John Snow <[email protected]>
Reviewed-by: Manos Pitsidianakis <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit ab85146ac4c6527d6d975afbd3157488cb42147f)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 408eeeacb301c1685126b4caf2078211849fc2a1
https://github.com/qemu/qemu/commit/408eeeacb301c1685126b4caf2078211849fc2a1
Author: Zero Tang <[email protected]>
Date: 2025-08-29 (Fri, 29 Aug 2025)
Changed paths:
M target/i386/tcg/system/svm_helper.c
Log Message:
-----------
i386/tcg/svm: fix incorrect canonicalization
For all 32-bit systems and 64-bit Windows systems, "long" is 4 bytes long.
Due to using "long" for a linear address, svm_canonicalization would
set all high bits to 1 when (assuming 48-bit linear address) the segment
base is bigger than 0x7FFF.
This fixes booting guests under TCG when the guest IDT and GDT bases are
above 0x7FFF, thereby resulting in incorrect bases. When an interrupt
arrives, it would trigger a #PF exception; the #PF would trigger again,
resulting in a #DF exception; the #PF would trigger for the third time,
resulting in triple-fault, and eventually causes a shutdown VM-Exit to
the hypervisor right after guest boot.
Cc: [email protected]
Signed-off-by: Zero Tang <[email protected]>
(cherry picked from commit c12cbaa007c9da97a11e74119ea3aed9fcc3ac4c)
Signed-off-by: Michael Tokarev <[email protected]>
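An added illustration of the width bug this message describes. It is example code, not QEMU's: it re-implements the sign-extension that svm_canonicalization performs instead of calling QEMU, assumes a 48-bit guest linear address width and a two's-complement host, and the sample segment bases are constructed. The first function is the portable form of what the fix computes with a 64-bit signed intermediate; the second models what the old `(long)` cast computed on every host where `long` is 32 bits (ILP32 targets and 64-bit Windows).

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Guest linear-address width assumed for the demo (4-level paging). */
#define VADDR_WIDTH 48

/*
 * Correct canonicalization: keep the low 'width' bits of 'addr' and copy bit
 * (width - 1) into every bit above it. Done with mask/xor/subtract so that no
 * negative signed value is ever shifted (UB or implementation-defined in C);
 * the result equals the int64_t shift pair that the fix uses.
 */
static uint64_t canonicalize_u64(uint64_t addr, unsigned width)
{
    uint64_t low_mask = (width == 64) ? ~0ULL : ((1ULL << width) - 1);
    uint64_t sign_bit = 1ULL << (width - 1);
    uint64_t low = addr & low_mask;
    return (low ^ sign_bit) - sign_bit;
}

/*
 * Model of the old expression, ((long)base << s) >> s, on a host where 'long'
 * is 32 bits. The cast discards bits 32..63 of the base, the left shift by
 * s = 64 - width pushes bits 16..31 out of the 32-bit value, and the
 * arithmetic right shift then sign-extends bit (32 - s - 1), i.e. bit 15 for
 * a 48-bit width. Widening the int32_t result back to a 64-bit target_ulong
 * sign-extends again, so any base above 0x7FFF comes back with every high
 * bit set. The wrap-around conversions and the arithmetic right shift are
 * written the way GCC, Clang and MSVC implement them.
 */
static uint64_t canonicalize_long32_model(uint64_t addr, unsigned width)
{
    unsigned s = 64 - width;
    int32_t l = (int32_t)(uint32_t)addr;            /* (long)base, 32-bit long */
    int32_t shifted = (int32_t)((uint32_t)l << s);  /* '<< s' with 32-bit wrap */
    int32_t r = shifted >> s;                       /* arithmetic right shift */
    return (uint64_t)(int64_t)r;                    /* stored into 64-bit target_ulong */
}

int main(void)
{
    /* Constructed sample bases: below the limit, just above it, a GDT-like
     * base, and a non-canonical 48-bit value. */
    const uint64_t bases[] = { 0x7FFFULL, 0x8000ULL, 0xA8000ULL,
                               0x0000800000000000ULL };
    for (size_t i = 0; i < sizeof bases / sizeof bases[0]; i++) {
        printf("base %#018" PRIx64 ": int64 %#018" PRIx64
               "  32-bit long %#018" PRIx64 "\n",
               bases[i],
               canonicalize_u64(bases[i], VADDR_WIDTH),
               canonicalize_long32_model(bases[i], VADDR_WIDTH));
    }
    return 0;
}
```

Build with `cc -std=c11` and run: the 64-bit path returns every base below 2^47 unchanged, while the 32-bit `long` model turns 0x8000 and 0xA8000 into 0xFFFFFFFFFFFF8000, which is the corrupted IDT/GDT base that leads to the #PF, #DF and triple fault chain described above.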
Commit: 673d54cabfcfc3191a8e086189ccf0b2e83e40c8
https://github.com/qemu/qemu/commit/673d54cabfcfc3191a8e086189ccf0b2e83e40c8
Author: Joel Stanley <[email protected]>
Date: 2025-08-29 (Fri, 29 Aug 2025)
Changed paths:
M linux-user/strace.list
Log Message:
-----------
linux-user: Add strace for rseq
build/qemu-riscv64 -cpu rv64,v=on -d strace
build/tests/tcg/riscv64-linux-user/test-vstart-overflow
1118081 riscv_hwprobe(0xffffbc038200,1,0,0,0,0) = 0
1118081 brk(NULL) = 0x0000000000085000
1118081 brk(0x0000000000085b00) = 0x0000000000085b00
1118081 set_tid_address(0x850f0) = 1118081
1118081 set_robust_list(0x85100,24) = -1 errno=38 (Function not implemented)
1118081 rseq(0x857c0,32,0,0xf1401073) = -1 errno=38 (Function not implemented)
Signed-off-by: Joel Stanley <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit f91563d011a0439cd6709e169cdfac268779d562)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 2cba99e9f8eeee00a4231e6e65dd295a764855e7
https://github.com/qemu/qemu/commit/2cba99e9f8eeee00a4231e6e65dd295a764855e7
Author: Gustavo Romero <[email protected]>
Date: 2025-08-29 (Fri, 29 Aug 2025)
Changed paths:
M tests/functional/test_aarch64_reverse_debug.py
Log Message:
-----------
tests/functional: Fix reverse_debugging asset precaching
This commit fixes the asset precaching in the reverse_debugging test on
aarch64.
QemuBaseTest.main() precaches assets (kernel, rootfs, DT blobs, etc.)
that are defined in variables with the ASSET_ prefix. This works because
it ultimately calls Asset.precache_test(), which relies on introspection
to locate these variables.
If an asset variable is not named with the ASSET_ prefix, precache_test
cannot find the asset and precaching silently fails. Hence, fix the
asset precaching by fixing the asset variable name.
Signed-off-by: Gustavo Romero <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Reviewed-by: Manos Pitsidianakis <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
(cherry picked from commit 36fb9796662e8d1f8626b1cacb1a6d5e35a8bd00)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 9084479e3b81c149d074e179e6acb236b7b587b3
https://github.com/qemu/qemu/commit/9084479e3b81c149d074e179e6acb236b7b587b3
Author: Steve Sistare <[email protected]>
Date: 2025-08-31 (Sun, 31 Aug 2025)
Changed paths:
M hw/intc/arm_gicv3_kvm.c
M include/hw/intc/arm_gicv3_common.h
Log Message:
-----------
hw/intc/arm_gicv3_kvm: preserve pending interrupts during cpr
Close a race condition that causes cpr-transfer to lose VFIO
interrupts on ARM.
CPR stops VCPUs but does not disable VFIO interrupts, which may continue
to arrive throughout the transition to new QEMU.
CPR calls kvm_irqchip_remove_irqfd_notifier_gsi in old QEMU to force
future interrupts to the producer eventfd, where they are preserved.
Old QEMU then destroys the old KVM instance. However, interrupts may
already be pending in KVM state. To preserve them, call ioctl
KVM_DEV_ARM_VGIC_SAVE_PENDING_TABLES to flush them to guest RAM, where
they will be picked up when the new KVM+VCPU instance is created.
Cc: [email protected]
Signed-off-by: Steve Sistare <[email protected]>
Reviewed-by: Fabiano Rosas <[email protected]>
Message-id: [email protected]
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 376cdd7e9c94f1e03b2c58e068e8ebfe78b49514)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: a4f01a08787f261dda11c4cd27f9ef00c1684077
https://github.com/qemu/qemu/commit/a4f01a08787f261dda11c4cd27f9ef00c1684077
Author: Smail AIDER <[email protected]>
Date: 2025-08-31 (Sun, 31 Aug 2025)
Changed paths:
M target/arm/cpregs-pmu.c
Log Message:
-----------
target/arm: Trap PMCR when MDCR_EL2.TPMCR is set
Trap PMCR_EL0 or PMCR accesses to EL2 when MDCR_EL2.TPMCR is set.
Similar to MDCR_EL2.TPM, MDCR_EL2.TPMCR allows trapping EL0 and EL1
accesses to the PMCR register to EL2.
Cc: [email protected]
Signed-off-by: Smail AIDER <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-id: [email protected]
Message-Id: <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 186db6a73bc5c01026bb9f4f4a59e442c0156841)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 067af4f7848602470e9549839f5f92c9d17549aa
https://github.com/qemu/qemu/commit/067af4f7848602470e9549839f5f92c9d17549aa
Author: Peter Maydell <[email protected]>
Date: 2025-08-31 (Sun, 31 Aug 2025)
Changed paths:
M scripts/kernel-doc
Log Message:
-----------
scripts/kernel-doc: Avoid new Perl precedence warning
Newer versions of Perl (5.41.x and up) emit a warning for code in
kernel-doc:
Possible precedence problem between ! and pattern match (m//) at
/scripts/kernel-doc line 1597.
This is because the code does:
if (!$param =~ /\w\.\.\.$/) {
In Perl, the ! operator has higher precedence than the =~
pattern-match binding, so the effect of this condition is to first
logically-negate the string $param into a true-or-false value and
then try to pattern match it against the regex, which in this case
will always fail. This is almost certainly not what the author
intended.
In the new Python version of kernel-doc in the Linux kernel,
the equivalent code is written:
if KernRe(r'\w\.\.\.$').search(param):
# For named variable parameters of the form `x...`,
# remove the dots
param = param[:-3]
else:
# Handles unnamed variable parameters
param = "..."
which is a more sensible way of writing the behaviour you would
get if you put in brackets to make the regex match first and
then negate the result.
Take this as the intended behaviour, and update the Perl to match.
For QEMU, this produces no change in output, presumably because we
never used the "unnamed variable parameters" syntax.
Cc: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Reviewed-by: Mauro Carvalho Chehab <[email protected]>
Message-id: [email protected]
(cherry picked from commit 5ffd387e9e0f787744fadaad35e1bf92224b0642)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 28682949f2350551cb5f3dda233e7aee202a9e0b
https://github.com/qemu/qemu/commit/28682949f2350551cb5f3dda233e7aee202a9e0b
Author: Richard Henderson <[email protected]>
Date: 2025-08-31 (Sun, 31 Aug 2025)
Changed paths:
R host/include/aarch64/host/atomic128-cas.h
A host/include/aarch64/host/atomic128-cas.h.inc
Log Message:
-----------
qemu/atomic: Finish renaming atomic128-cas.h headers
The aarch64 header was not renamed with the others, meaning it
was skipped in favor of the generic version.
Cc: [email protected]
Fixes: 15606965400b ("qemu/atomic: Rename atomic128-cas.h headers using .h.inc suffix")
Signed-off-by: Richard Henderson <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 1748c0d59228c7790940d8be381df1c3108022b1)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: b6fdef9c9965cccc4f1cfae1a7d006f5bdf35bb7
https://github.com/qemu/qemu/commit/b6fdef9c9965cccc4f1cfae1a7d006f5bdf35bb7
Author: Peter Maydell <[email protected]>
Date: 2025-08-31 (Sun, 31 Aug 2025)
Changed paths:
M hw/arm/stm32f205_soc.c
M include/hw/arm/stm32f205_soc.h
Log Message:
-----------
hw/arm/stm32f205_soc: Don't leak TYPE_OR_IRQ objects
In stm32f205_soc_initfn() we mostly use the standard pattern
for child objects of calling object_initialize_child(). However
for s->adc_irqs we call object_new() and then later qdev_realize(),
and we never unref the object on deinit. This causes a leak,
detected by ASAN on the device-introspect-test:
Indirect leak of 10 byte(s) in 1 object(s) allocated from:
#0 0x5b9fc4789de3 in malloc
(/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/qemu-system-arm+0x21f1de3)
(BuildId: 267a2619a026ed91c78a07b1eb2ef15381538efe)
#1 0x740de3f28b09 in g_malloc
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId:
1eb6131419edb83b2178b682829a6913cf682d75)
#2 0x740de3f3e4d8 in g_strdup
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x784d8) (BuildId:
1eb6131419edb83b2178b682829a6913cf682d75)
#3 0x5b9fc70159e1 in g_strdup_inline
/usr/include/glib-2.0/glib/gstrfuncs.h:321:10
#4 0x5b9fc70159e1 in object_property_try_add
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/object.c:1276:18
#5 0x5b9fc7015f94 in object_property_add
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/object.c:1294:12
#6 0x5b9fc701b900 in object_add_link_prop
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/object.c:2021:10
#7 0x5b9fc701b3fc in object_property_add_link
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/object.c:2037:12
#8 0x5b9fc4c299fb in qdev_init_gpio_out_named
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/core/gpio.c:90:9
#9 0x5b9fc4c29b26 in qdev_init_gpio_out
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/core/gpio.c:101:5
#10 0x5b9fc4c0f77a in or_irq_init
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/core/or-irq.c:70:5
#11 0x5b9fc70257e1 in object_init_with_type
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/object.c:428:9
#12 0x5b9fc700cd4b in object_initialize_with_type
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/object.c:570:5
#13 0x5b9fc700e66d in object_new_with_type
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/object.c:774:5
#14 0x5b9fc700e750 in object_new
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/object.c:789:12
#15 0x5b9fc68b2162 in stm32f205_soc_initfn
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/arm/stm32f205_soc.c:69:26
Switch to using object_initialize_child() like all our
other child objects for this SoC object.
Cc: [email protected]
Fixes: b63041c8f6b ("STM32F205: Connect the ADC devices")
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
(cherry picked from commit 2e27650bddd35477d994a795a3b1cb57c8ed5c76)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: f13211227388044a9512c4ae68ba95e5d4418148
https://github.com/qemu/qemu/commit/f13211227388044a9512c4ae68ba95e5d4418148
Author: Kostiantyn Kostiuk <[email protected]>
Date: 2025-09-03 (Wed, 03 Sep 2025)
Changed paths:
M qga/installer/qemu-ga.wxs
Log Message:
-----------
qga/installer: Remove QGA VSS if QGA installation failed
When the QGA installer fails to install the QGA service but installs the
QGA VSS provider, the provider should be removed before the installer
exits. Otherwise QGA VSS will have broken information and
prevent QGA installation in the next run.
Reviewed-by: Yan Vugenfirer <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Kostiantyn Kostiuk <[email protected]>
(cherry picked from commit 85ff0e956bf26a93c92e4dca8f6257613269a0cf)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 7f730ad7856c907870f439a59f092d778ee2bb65
https://github.com/qemu/qemu/commit/7f730ad7856c907870f439a59f092d778ee2bb65
Author: Kostiantyn Kostiuk <[email protected]>
Date: 2025-09-03 (Wed, 03 Sep 2025)
Changed paths:
M qga/vss-win32/requester.cpp
Log Message:
-----------
qga-vss: Write hex value of error in log
QGA-VSS writes errors using error_setg_win32_internal,
which calls g_win32_error_message.
g_win32_error_message translates a Win32 error code
(as returned by GetLastError()) into the corresponding message.
At the same time, we call error_setg_win32_internal with
error codes from different Windows components like VSS or
Performance Monitor that provide different codes and
can't be converted with g_win32_error_message. In this
case, an empty suffix will be returned so the error will be
masked.
This commit directly adds the hex value of the error code.
Reproduce:
- Run QGA command: {"execute": "guest-fsfreeze-freeze-list", "arguments": {"mountpoints": ["D:"]}}
QGA error example:
- before changes:
{"error": {"class": "GenericError", "desc": "failed to add D: to snapshot set: "}}
- after changes:
{"error": {"class": "GenericError", "desc": "failed to add D: to snapshot set: Windows error 0x8004230e: "}}
Reviewed-by: Yan Vugenfirer <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Kostiantyn Kostiuk <[email protected]>
(cherry picked from commit edf3780a7dad4658ab7b72ea37e310a2be9b16d3)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: b4048a3d25f36b857ee5fbb7020b321f9fb001c4
https://github.com/qemu/qemu/commit/b4048a3d25f36b857ee5fbb7020b321f9fb001c4
Author: minglei.liu <[email protected]>
Date: 2025-09-03 (Wed, 03 Sep 2025)
Changed paths:
M qga/commands.c
Log Message:
-----------
qga: Fix truncated output handling in guest-exec status reporting
Signed-off-by: minglei.liu <[email protected]>
Fixes: a1853dca743
Reviewed-by: Daniel P. Berrangé <[email protected]>
Reviewed-by: Kostiantyn Kostiuk <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Kostiantyn Kostiuk <[email protected]>
(cherry picked from commit 28c5d27dd4dc4100a96ff4c9e5871dd23c6b02ec)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 2a2b6ae09764ce424185021ab1bac4f109681e81
https://github.com/qemu/qemu/commit/2a2b6ae09764ce424185021ab1bac4f109681e81
Author: Markus Armbruster <[email protected]>
Date: 2025-09-03 (Wed, 03 Sep 2025)
Changed paths:
M target/i386/kvm/vmsr_energy.c
Log Message:
-----------
i386/kvm/vmsr_energy: Plug memory leak on failure to connect socket
vmsr_open_socket() leaks the Error set by
qio_channel_socket_connect_sync(). Plug the leak by not creating the
Error.
Fixes: 0418f90809ae (Add support for RAPL MSRs in KVM/Qemu)
Signed-off-by: Markus Armbruster <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: Zhao Liu <[email protected]>
(cherry picked from commit b2e4534a2c9ce3d20ba44d855f1e2b71cc53c3a3)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 2dd52baff298ca02ca7e75934a97616ae38aafea
https://github.com/qemu/qemu/commit/2dd52baff298ca02ca7e75934a97616ae38aafea
Author: Markus Armbruster <[email protected]>
Date: 2025-09-03 (Wed, 03 Sep 2025)
Changed paths:
M hw/vfio-user/proxy.c
M scsi/pr-manager-helper.c
M ui/input-barrier.c
Log Message:
-----------
vfio scsi ui: Error-check qio_channel_socket_connect_sync() the same way
qio_channel_socket_connect_sync() returns 0 on success, and -1 on
failure, with errp set. Some callers check the return value, and some
check whether errp was set.
For consistency, always check the return value, and always check it's
negative.
Signed-off-by: Markus Armbruster <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: Zhao Liu <[email protected]>
(cherry picked from commit ec14a3de622ae30a8afa78b6f564bc743b753ee1)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: b7f2bff3ffec4e00d015e6d0e66851201571010c
https://github.com/qemu/qemu/commit/b7f2bff3ffec4e00d015e6d0e66851201571010c
Author: Markus Armbruster <[email protected]>
Date: 2025-09-03 (Wed, 03 Sep 2025)
Changed paths:
M tests/qtest/qos-test.c
M tests/qtest/vhost-user-test.c
Log Message:
-----------
Revert "tests/qtest: use qos_printf instead of g_test_message"
This reverts commit 30ea13e9d97dcbd4ea541ddf9e8857fa1d5cb30f.
Also rewrites qos_printf() calls added later.
"make check" prints many lines like
stdout: 138: UNKNOWN: # # qos_test running single test in subprocess
stdout: 139: UNKNOWN: # # set_protocol_features: 0x42
stdout: 140: UNKNOWN: # # set_owner: start of session
stdout: 141: UNKNOWN: # # vhost-user: un-handled message: 14
stdout: 142: UNKNOWN: # # vhost-user: un-handled message: 14
stdout: 143: UNKNOWN: # # set_vring(0)=enabled
stdout: 144: UNKNOWN: # # set_vring(1)=enabled
stdout: 145: UNKNOWN: # # set_vring(0)=enabled
stdout: 146: UNKNOWN: # # set_vring(1)=enabled
stdout: 147: UNKNOWN: # # set_vring(0)=enabled
stdout: 148: UNKNOWN: # # set_vring(1)=enabled
stdout: 149: UNKNOWN: # # set_vring(0)=enabled
stdout: 150: UNKNOWN: # # set_vring(1)=enabled
stdout: 151: UNKNOWN: # # set_vring(0)=enabled
stdout: 152: UNKNOWN: # # set_vring(1)=enabled
stdout: 153: UNKNOWN: # # set_vring_num: 0/256
stdout: 154: UNKNOWN: # # set_vring_addr: 0x7f9060000000/0x7f905ffff000/0x7f9060001000
Turns out this is qos-test, and the culprit is a commit meant to ease
debugging. Revert it until a better solution is found.
Signed-off-by: Markus Armbruster <[email protected]>
Message-ID: <[email protected]>
[Commit message clarified]
(cherry picked from commit c9a1ea9c52e6462ad5c7814f3abd65baa69dc4ce)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: a84e2e04e8b03c47ee9304d9b5158b212d11183a
https://github.com/qemu/qemu/commit/a84e2e04e8b03c47ee9304d9b5158b212d11183a
Author: Laurent Vivier <[email protected]>
Date: 2025-09-04 (Thu, 04 Sep 2025)
Changed paths:
M hw/net/e1000e_core.c
Log Message:
-----------
e1000e: Prevent crash from legacy interrupt firing after MSI-X enable
A race condition between guest driver actions and QEMU timers can lead
to an assertion failure when the guest switches the e1000e from legacy
interrupt mode to MSI-X. If a legacy interrupt delay timer (TIDV or
RDTR) is active, but the guest enables MSI-X before the timer fires,
the pending interrupt cause can trigger an assert in
e1000e_intmgr_collect_delayed_causes().
This patch removes the assertion and executes the code that clears the
pending legacy causes. This change is safe and introduces no unintended
behavioral side effects, as it only alters a state that previously led
to termination.
- when core->delayed_causes == 0 the function was already a no-op and
remains so.
- when core->delayed_causes != 0 the function would previously
crash due to the assertion failure. The patch now defines a safe
outcome by clearing the cause and returning. Since behavior after
the assertion never existed, this simply corrects the crash.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1863
Suggested-by: Akihiko Odaki <[email protected]>
Signed-off-by: Laurent Vivier <[email protected]>
Acked-by: Jason Wang <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit 8e4649cac9bcddc050d2df07908075e9e69bccc7)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 0bb9ee4750d63e2e7b1d226546e83ead161952ca
https://github.com/qemu/qemu/commit/0bb9ee4750d63e2e7b1d226546e83ead161952ca
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2025-09-04 (Thu, 04 Sep 2025)
Changed paths:
M include/elf.h
Log Message:
-----------
elf: Add EF_MIPS_ARCH_ASE definitions
Include MIPS ASE ELF definitions from binutils:
https://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=include/elf/mips.h;h=4fc190f404d828ded84e621bfcece5fa9f9c23c8;hb=HEAD#l210
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-Id: <[email protected]>
(cherry picked from commit 14ab44b96d5bf761af81cc723314ef5ecf73ed17)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: a490b66ae4b61ed153f38da642490ac072146310
https://github.com/qemu/qemu/commit/a490b66ae4b61ed153f38da642490ac072146310
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2025-09-04 (Thu, 04 Sep 2025)
Changed paths:
M linux-user/mips/target_elf.h
Log Message:
-----------
linux-user/mips: Select 74Kf CPU to run MIPS16e binaries
The 74Kf is our latest CPU supporting MIPS16e ASE.
Note that currently QEMU doesn't have a 64-bit CPU supporting the MIPS16e ASE.
Cc: [email protected]
Fixes: 6ea219d0196..d19954f46df ("target-mips: MIPS16 support")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3054
Reported-by: Justin Applegate <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-Id: <[email protected]>
(cherry picked from commit 7a09b3cc70ab6d717b18dec5c5995f7a06af4593)
(Mjt: in 10.1 and before the code is in linux-user/mips/target_elf.h)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 046f1ae6fd7a0c7d4ce13b1837be2f5ae9b208c5
https://github.com/qemu/qemu/commit/046f1ae6fd7a0c7d4ce13b1837be2f5ae9b208c5
Author: Philippe Mathieu-Daudé <[email protected]>
Date: 2025-09-04 (Thu, 04 Sep 2025)
Changed paths:
M linux-user/mips/target_elf.h
Log Message:
-----------
linux-user/mips: Select M14Kc CPU to run microMIPS binaries
The M14Kc is our latest CPU supporting the microMIPS ASE.
Note that currently QEMU doesn't have a 64-bit CPU supporting the microMIPS ASE.
Cc: [email protected]
Fixes: 3c824109da0 ("target-mips: microMIPS ASE support")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3054
Reported-by: Justin Applegate <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-Id: <[email protected]>
(cherry picked from commit 51c3aebfda6489b49cebef593a1ceb597cb97a7e)
(Mjt: in 10.1 and before, the code is in linux-user/mips/target_elf.h)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 63bfc916deb0d54bfa8151908fa47ab278ac28e5
https://github.com/qemu/qemu/commit/63bfc916deb0d54bfa8151908fa47ab278ac28e5
Author: Denis Rastyogin <[email protected]>
Date: 2025-09-04 (Thu, 04 Sep 2025)
Changed paths:
M target/mips/tcg/system/tlb_helper.c
Log Message:
-----------
target/mips: fix TLB huge page check to use 64-bit shift
Use extract64(entry, psn, 1) instead of (entry & (1 << psn)) to avoid
undefined behavior for shifts by 32–63 and to make bit extraction intent
explicit.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Denis Rastyogin <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit 1f82ca723478f44823a18e7151e487d58da03659)
Signed-off-by: Michael Tokarev <[email protected]>
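An added example, not QEMU's code, of the difference between the two forms named in this message: a local equivalent of extract64() (QEMU's own lives in include/qemu/bitops.h) next to a model of what `entry & (1 << psn)` actually executes on an x86 host once psn reaches 32 or more. The directory entries, the psn value of 34 and the function names are constructed for the demo.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Local equivalent of QEMU's extract64(): return the 'length'-bit field of
 * 'value' starting at bit 'start'. QEMU asserts on a bad range; this demo
 * returns 0 instead so it has no dependencies. Callers below pass valid ranges.
 */
static uint64_t extract64_local(uint64_t value, unsigned start, unsigned length)
{
    if (start > 63 || length == 0 || length > 64 - start) {
        return 0;
    }
    return (value >> start) & (~0ULL >> (64 - length));
}

/* The huge-page test as the fix writes it: bit 'psn' of a 64-bit entry. */
static int huge_page_set(uint64_t entry, unsigned psn)
{
    return extract64_local(entry, psn, 1) != 0;
}

/*
 * Model of the old expression 'entry & (1 << psn)' on an x86 host when the
 * shift count is a runtime value. The literal 1 is a 32-bit int; a 32-bit SHL
 * masks its count to 5 bits, so the mask becomes 1 << (psn % 32), and a
 * 32-bit mask can never reach bits 32..63 of the entry. In C the shift is
 * undefined for psn >= 32, so a compiler may also do something else entirely;
 * this function only models the common observed outcome. Do not copy it.
 */
static int huge_page_set_old_x86_model(uint64_t entry, unsigned psn)
{
    uint32_t mask = 1u << (psn & 31);   /* the count masking, made explicit */
    return (entry & mask) != 0;
}

int main(void)
{
    /* Constructed entries: the huge-page bit at position 34, and an
     * unrelated entry with only bit 2 set (34 % 32 == 2). */
    const unsigned psn = 34;
    const uint64_t huge = 1ULL << psn;
    const uint64_t small = 1ULL << 2;

    printf("entry %#018" PRIx64 " psn %u: fixed=%d old(x86 model)=%d\n",
           huge, psn, huge_page_set(huge, psn),
           huge_page_set_old_x86_model(huge, psn));
    printf("entry %#018" PRIx64 " psn %u: fixed=%d old(x86 model)=%d\n",
           small, psn, huge_page_set(small, psn),
           huge_page_set_old_x86_model(small, psn));
    return 0;
}
```

The two printed lines show both failure modes at once: the old form misses a real huge-page bit at position 34 (false negative) and reports one for an entry that only has bit 2 set (false positive), while the extract64 form tests exactly the bit the page-walker intends for every psn up to 63.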
Commit: 4715a0e9e6ced361a6b7a12c99ca78e99be2aca1
https://github.com/qemu/qemu/commit/4715a0e9e6ced361a6b7a12c99ca78e99be2aca1
Author: Aditya Gupta <[email protected]>
Date: 2025-09-04 (Thu, 04 Sep 2025)
Changed paths:
M hw/ppc/pnv.c
M target/ppc/cpu.h
M target/ppc/misc_helper.c
Log Message:
-----------
hw/ppc: Fix build error with CONFIG_POWERNV disabled
Currently when CONFIG_POWERNV is not enabled, the build fails, such as
with --without-default-devices:
$ ./configure --without-default-devices
$ make
[281/283] Linking target qemu-system-ppc64
FAILED: qemu-system-ppc64
cc -m64 @qemu-system-ppc64.rsp
/usr/bin/ld: libqemu-ppc64-softmmu.a.p/target_ppc_misc_helper.c.o: in
function `helper_load_sprd':
.../target/ppc/misc_helper.c:335:(.text+0xcdc): undefined reference to
`pnv_chip_find_core'
/usr/bin/ld: libqemu-ppc64-softmmu.a.p/target_ppc_misc_helper.c.o: in
function `helper_store_sprd':
.../target/ppc/misc_helper.c:375:(.text+0xdf4): undefined reference to
`pnv_chip_find_core'
collect2: error: ld returned 1 exit status
...
This is since target/ppc/misc_helper.c references PowerNV specific
'pnv_chip_find_core' call.
Split the PowerNV specific SPRD code out of the generic PowerPC code, by
moving the SPRD code to pnv.c
Fixes: 9808ce6d5cb ("target/ppc: Big-core scratch register fix")
Cc: Philippe Mathieu-Daudé <[email protected]>
Reported-by: Thomas Huth <[email protected]>
Suggested-by: Cédric Le Goater <[email protected]>
Signed-off-by: Aditya Gupta <[email protected]>
Acked-by: Cédric Le Goater <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit 46d03bb23dde86513465724760d85f42eb17539e)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: d1d60d758824a56ddfd8a7962166c082237b5e16
https://github.com/qemu/qemu/commit/d1d60d758824a56ddfd8a7962166c082237b5e16
Author: Peter Maydell <[email protected]>
Date: 2025-09-04 (Thu, 04 Sep 2025)
Changed paths:
M hw/gpio/pca9554.c
Log Message:
-----------
hw/gpio/pca9554: Avoid leak in pca9554_set_pin()
In pca9554_set_pin() we have a string property which we parse in
order to set some non-string fields in the device state. So we call
visit_type_str(), passing it the address of the local variable
state_str.
visit_type_str() will allocate a new copy of the string; we
never free this string, so the result is a memory leak, detected
by ASAN during a "make check" run:
Direct leak of 5 byte(s) in 1 object(s) allocated from:
#0 0x5d605212ede3 in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/qemu-system-arm+0x21f1de3) (BuildId: 3d5373c89317f58bfcd191a33988c7347714be14)
#1 0x7f7edea57b09 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
#2 0x7f7edea6d4d8 in g_strdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x784d8) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
#3 0x5d6055289a91 in g_strdup_inline /usr/include/glib-2.0/glib/gstrfuncs.h:321:10
#4 0x5d6055289a91 in qobject_input_type_str /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qapi/qobject-input-visitor.c:542:12
#5 0x5d605528479c in visit_type_str /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qapi/qapi-visit-core.c:349:10
#6 0x5d60528bdd87 in pca9554_set_pin /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/gpio/pca9554.c:179:10
#7 0x5d60549bcbbb in object_property_set /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/object.c:1450:5
#8 0x5d60549d2055 in object_property_set_qobject /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/qom-qobject.c:28:10
#9 0x5d60549bcdf1 in object_property_set_str /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../qom/object.c:1458:15
#10 0x5d605439d077 in gb200nvl_bmc_i2c_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/arm/aspeed.c:1267:5
#11 0x5d60543a3bbc in aspeed_machine_init /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/arm/aspeed.c:493:9
Make the state_str g_autofree, so that we will always free
it, on both error-exit and success codepaths.
Cc: [email protected]
Fixes: de0c7d543bca ("misc: Add a pca9554 GPIO device model")
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit 3284d1c07cfd8d42aa27d1cf83d3e65fcd62e35e)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 7527e29c06ca33e5a5a6b1499fc961ea8b06e501
https://github.com/qemu/qemu/commit/7527e29c06ca33e5a5a6b1499fc961ea8b06e501
Author: Peter Maydell <[email protected]>
Date: 2025-09-04 (Thu, 04 Sep 2025)
Changed paths:
M hw/char/max78000_uart.c
Log Message:
-----------
hw/char/max78000_uart: Destroy FIFO on deinit
In the max78000_uart we create a FIFO in the instance_init function,
but we don't destroy it on deinit, so ASAN reports a leak in the
device-introspect-test:
#0 0x561cc92d5de3 in malloc
(/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/qemu-system-arm+0x21f1de3)
(BuildId: 98fdf9fc85c3beaeca8eda0be8412f1e11b9c6ad)
#1 0x70cbf2afab09 in g_malloc
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId:
1eb6131419edb83b2178b682829a6913cf682d75)
#2 0x561ccc4c884d in fifo8_create
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../util/fifo8.c:27:18
#3 0x561cc9744ec9 in max78000_uart_init
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/arm-asan/../../hw/char/max78000_uart.c:241:5
Add an instance_finalize method to destroy the FIFO.
Cc: [email protected]
Fixes: d447e4b70295 ("MAX78000: UART Implementation")
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
(cherry picked from commit ac6b124180f7698084ef2a59282e8fa65a45f23b)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 1b1d46fef83f379ddb98621f8bec2fc28d2facfb
https://github.com/qemu/qemu/commit/1b1d46fef83f379ddb98621f8bec2fc28d2facfb
Author: Michael Tokarev <[email protected]>
Date: 2025-09-04 (Thu, 04 Sep 2025)
Changed paths:
M block/curl.c
Log Message:
-----------
block/curl: fix curl internal handles handling
block/curl.c uses CURLMOPT_SOCKETFUNCTION to register a socket callback.
According to the documentation, this callback is called not just with
application-created sockets but also with internal curl sockets, - and
for such sockets, the user data pointer is not set by the application, so
the result is qemu crashing.
Pass BDRVCURLState directly to the callback function as user pointer,
instead of relying on CURLINFO_PRIVATE.
This problem started happening with update of libcurl from 8.9 to 8.10 --
apparently with this change curl started using private handles more.
(CURLINFO_PRIVATE is used in one more place, in curl_multi_check_completion() -
it might need a similar fix too)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3081
Cc: [email protected]
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Michael Tokarev <[email protected]>
(cherry picked from commit 606978500c3d18fb89a49844f253097b17f757de)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 95de88feac96e113b44fc691c63458d3900a15de
https://github.com/qemu/qemu/commit/95de88feac96e113b44fc691c63458d3900a15de
Author: WANG Rui <[email protected]>
Date: 2025-09-11 (Thu, 11 Sep 2025)
Changed paths:
M target/loongarch/tcg/insn_trans/trans_atomic.c.inc
M target/loongarch/tcg/insn_trans/trans_extra.c.inc
M target/loongarch/tcg/insn_trans/trans_farith.c.inc
M target/loongarch/tcg/insn_trans/trans_fcnv.c.inc
M target/loongarch/tcg/insn_trans/trans_fmemory.c.inc
M target/loongarch/tcg/insn_trans/trans_privileged.c.inc
M target/loongarch/tcg/insn_trans/trans_shift.c.inc
M target/loongarch/translate.h
Log Message:
-----------
target/loongarch: Guard 64-bit-only insn translation with TRANS64 macro
This patch replaces uses of the generic TRANS macro with TRANS64 for
instructions that are only valid when 64-bit support is available.
This improves correctness and avoids potential assertion failures or
undefined behavior during translation on 32-bit-only configurations.
Signed-off-by: WANG Rui <[email protected]>
Reviewed-by: Bibo Mao <[email protected]>
Reviewed-by: Song Gao <[email protected]>
Signed-off-by: Song Gao <[email protected]>
(cherry picked from commit 96e7448c1f820c56caea8447c01f5227b0c95c79)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: c03d5e11eed6ab7b5055cdaaaf11df1ebcd60980
https://github.com/qemu/qemu/commit/c03d5e11eed6ab7b5055cdaaaf11df1ebcd60980
Author: Thomas Huth <[email protected]>
Date: 2025-09-11 (Thu, 11 Sep 2025)
Changed paths:
M hw/intc/loongarch_pch_pic.c
Log Message:
-----------
hw/intc/loongarch_pch_pic: Fix ubsan warning and endianness issue
When booting the Linux kernel from tests/functional/test_loongarch64_virt.py
with a QEMU that has been compiled with --enable-ubsan, there is
a warning like this:
.../hw/intc/loongarch_pch_pic.c:171:46: runtime error: index 512 out of
bounds for type 'uint8_t[64]' (aka 'unsigned char[64]')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
.../hw/intc/loongarch_pch_pic.c:171:46
.../hw/intc/loongarch_pch_pic.c:175:45: runtime error: index 256 out of
bounds for type 'uint8_t[64]' (aka 'unsigned char[64]')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
.../hw/intc/loongarch_pch_pic.c:175:45
It happens because "addr" is added first before subtracting the base
(PCH_PIC_HTMSI_VEC or PCH_PIC_ROUTE_ENTRY).
Additionally, this code looks like it is not endianness safe, since
it uses a 64-bit pointer to write values into an array of 8-bit values.
Thus rework the code to use the stq_le_p / ldq_le_p helpers here
and make sure that we do not create pointers with undefined behavior
by accident.
Signed-off-by: Thomas Huth <[email protected]>
Reviewed-by: Bibo Mao <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Tested-by: Song Gao <[email protected]>
Signed-off-by: Song Gao <[email protected]>
(cherry picked from commit 86bca40402316891b8b9a920c2e3bf8cf37ba9a4)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 4709ca196f0085e74e6cbaaaabc9ded0e20dc86b
https://github.com/qemu/qemu/commit/4709ca196f0085e74e6cbaaaabc9ded0e20dc86b
Author: John Levon <[email protected]>
Date: 2025-09-11 (Thu, 11 Sep 2025)
Changed paths:
M hw/vfio-user/pci.c
Log Message:
-----------
hw/vfio-user: add x-pci-class-code
This new option was not added to vfio_user_pci_dev_properties, which
caused an incorrect class code for vfio-user devices.
Fixes: a59d06305fff ("vfio/pci: Introduce x-pci-class-code option")
Signed-off-by: John Levon <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Link:
https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
(cherry picked from commit 1b50621881241ac5bc75ae7f8aa4c278ada8a668)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 571a7414e7031e1b646250b904f7babe1e8c526f
https://github.com/qemu/qemu/commit/571a7414e7031e1b646250b904f7babe1e8c526f
Author: Thomas Huth <[email protected]>
Date: 2025-09-11 (Thu, 11 Sep 2025)
Changed paths:
M ui/vnc.c
Log Message:
-----------
ui/vnc: Fix crash when specifying [vnc] without id in the config file
QEMU currently crashes when there is a [vnc] section in the config
file that does not have an "id = ..." line:
$ echo "[vnc]" > /tmp/qemu.conf
$ ./qemu-system-x86_64 -readconfig /tmp/qemu.conf
qemu-system-x86_64: ../../devel/qemu/ui/vnc.c:4347: vnc_init_func:
Assertion `id' failed.
Aborted (core dumped)
The required "id" is only set up automatically while parsing the command
line, but not when reading the options from the config file.
Thus let's move code that automatically adds the id (if it does not
exist yet) to the init function that needs the id for the first time,
replacing the assert() statement there.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2836
Reviewed-by: Marc-André Lureau <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit 38dd513263d814dc3cf554b899c118a46ca77577)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: e2826959a8916abd460928866e6c6973bff7e926
https://github.com/qemu/qemu/commit/e2826959a8916abd460928866e6c6973bff7e926
Author: John Snow <[email protected]>
Date: 2025-09-16 (Tue, 16 Sep 2025)
Changed paths:
M python/qemu/qmp/legacy.py
Log Message:
-----------
python: backport 'kick event queue on legacy event_pull()'
This corrects an oversight in qmp-shell operation where new events will
not accumulate in the event queue when pressing "enter" with an empty
command buffer, so no new events show up.
Reported-by: Jag Raman <[email protected]>
Signed-off-by: John Snow <[email protected]>
cherry picked from commit
python-qemu-qmp@0443582d16cf9efd52b2c41a7b5be7af42c856cd
Reviewed-by: Daniel P. Berrangé <[email protected]>
(cherry picked from commit 1e343714bfc06cc982e68a290f3809117d6dfcd0)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: f246e6efc7684c8b3902b933d91594c62d2e361b
https://github.com/qemu/qemu/commit/f246e6efc7684c8b3902b933d91594c62d2e361b
Author: John Snow <[email protected]>
Date: 2025-09-16 (Tue, 16 Sep 2025)
Changed paths:
M python/qemu/qmp/protocol.py
M python/qemu/qmp/qmp_tui.py
M python/qemu/qmp/util.py
M python/tests/protocol.py
Log Message:
-----------
python: backport 'drop Python3.6 workarounds'
Now that the minimum version is 3.7, drop some of the 3.6-specific hacks
we've been carrying. A single remaining compatibility hack concerning
3.6's lack of @asynccontextmanager is addressed in the following commit.
Signed-off-by: John Snow <[email protected]>
cherry picked from commit
python-qemu-qmp@3e8e34e594cfc6b707e6f67959166acde4b421b8
Signed-off-by: John Snow <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
(cherry picked from commit f9d2e0a3bd7ba2a693a892881f91cf53fa90cc71)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 5f395651030caef5b81ca302a1e812196fb4ab93
https://github.com/qemu/qemu/commit/5f395651030caef5b81ca302a1e812196fb4ab93
Author: John Snow <[email protected]>
Date: 2025-09-16 (Tue, 16 Sep 2025)
Changed paths:
M python/qemu/qmp/protocol.py
Log Message:
-----------
python: backport 'Use @asynciocontextmanager'
This removes a non-idiomatic use of a "coroutine callback" in favor of
something a bit more standardized.
Signed-off-by: John Snow <[email protected]>
cherry picked from commit python-qemu-qmp@commit
97f7ffa3be17a50544b52767d14b6fd478c07b9e
Signed-off-by: John Snow <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
(cherry picked from commit 0408b8d7a086486f5c1887798be744b2d73bcda9)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 677a4e9d541ea2851bcc3a3d7c77042c4c572436
https://github.com/qemu/qemu/commit/677a4e9d541ea2851bcc3a3d7c77042c4c572436
Author: John Snow <[email protected]>
Date: 2025-09-16 (Tue, 16 Sep 2025)
Changed paths:
M python/qemu/qmp/qmp_shell.py
Log Message:
-----------
python: backport 'qmp-shell-wrap: handle missing binary gracefully'
Signed-off-by: John Snow <[email protected]>
cherry picked from commit
python-qemu-qmp@9c889dcbd58817b0c917a9d2dd16161f48ac8203
Signed-off-by: John Snow <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
(cherry picked from commit fcaeeb7653d2c6f38183170e1cae5729adb7875c)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 67d93471944d68e5a4c5d5e68e2704d50e24a1ce
https://github.com/qemu/qemu/commit/67d93471944d68e5a4c5d5e68e2704d50e24a1ce
Author: John Snow <[email protected]>
Date: 2025-09-16 (Tue, 16 Sep 2025)
Changed paths:
M python/qemu/qmp/qmp_tui.py
Log Message:
-----------
python: backport 'qmp-tui: Do not crash if optional dependencies are not met'
Based on the discussion at https://github.com/pypa/pip/issues/9726 -
even though the setuptools documentation implies that it is possible to
guard script execution with optional dependency groups, this is not true
in practice with the scripts generated by pip.
Just do the simple thing and guard the import statements.
Signed-off-by: John Snow <[email protected]>
cherry picked from commit
python-qemu-qmp@df520dcacf9a75dd4c82ab1129768de4128b554c
Signed-off-by: John Snow <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
(cherry picked from commit fd0ed46d4effbf2700804657bad9c6db086527c4)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 1034cd169cfa55d7abf68a9de468e14ae15fd9f5
https://github.com/qemu/qemu/commit/1034cd169cfa55d7abf68a9de468e14ae15fd9f5
Author: John Snow <[email protected]>
Date: 2025-09-16 (Tue, 16 Sep 2025)
Changed paths:
M python/qemu/qmp/legacy.py
M python/qemu/qmp/qmp_tui.py
M python/tests/protocol.py
Log Message:
-----------
python: backport 'Remove deprecated get_event_loop calls'
This method was deprecated in 3.12 because it ordinarily should not be
used from coroutines; if there is not a currently running event loop,
this automatically creates a new event loop - which is usually not what
you want from code that would ever run in the bottom half.
In our case, we do want this behavior in two places:
(1) The synchronous shim, for convenience: this allows fully sync
programs to use QEMUMonitorProtocol() without needing to set up an event
loop beforehand. This is intentional to fully box in the async
complexities into the legacy sync shim.
(2) The qmp_tui shell; instead of relying on asyncio.run to create and
run an asyncio program, we need to be able to pass the current asyncio
loop to urwid setup functions. For convenience, again, we create one if
one is not present to simplify the creation of the TUI appliance.
The remaining user of get_event_loop() was in fact one of the erroneous
users that should not have been using this function: if there's no
running event loop inside of a coroutine, you're in big trouble :)
Signed-off-by: John Snow <[email protected]>
cherry picked from commit
python-qemu-qmp@aa1ff9907603a3033296027e1bd021133df86ef1
Signed-off-by: John Snow <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
(cherry picked from commit 5d99044d09db0fa8c2b3294e301927118f9effc9)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 7c9d65f9e48fe5ff27563d5415a3ec5aade7a12b
https://github.com/qemu/qemu/commit/7c9d65f9e48fe5ff27563d5415a3ec5aade7a12b
Author: John Snow <[email protected]>
Date: 2025-09-16 (Tue, 16 Sep 2025)
Changed paths:
M python/qemu/qmp/legacy.py
M python/qemu/qmp/qmp_tui.py
M python/qemu/qmp/util.py
Log Message:
-----------
python: backport 'avoid creating additional event loops per thread'
This commit is two backports squashed into one to avoid regressions.
python: *really* remove get_event_loop
A prior commit, aa1ff990, switched away from using get_event_loop *by
default*, but this is not good enough to avoid deprecation warnings as
`asyncio.get_event_loop_policy().get_event_loop()` is *also*
deprecated. Replace this mechanism with explicit calls to
asyncio.get_new_loop() and revise the cleanup mechanisms in __del__ to
match.
python: avoid creating additional event loops per thread
"Too hasty by far!", commit 21ce2ee4 attempted to avoid deprecated
behavior altogether by calling new_event_loop() directly if there was no
loop currently running, but this has the unfortunate side effect of
potentially creating multiple event loops per thread if tests
instantiate multiple QMP connections in a single thread. This behavior
is apparently not well-defined and causes problems in some, but not all,
combinations of Python interpreter version and platform environment.
Partially revert to Daniel Berrange's original patch, which calls
get_event_loop and simply suppresses the deprecation warning in
Python<=3.13. This time, however, additionally register new loops
created with new_event_loop() so that future calls to get_event_loop()
will return the loop already created.
Reported-by: Richard W.M. Jones <[email protected]>
Reported-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: John Snow <[email protected]>
cherry picked from commit
python-qemu-qmp@21ce2ee4f2df87efe84a27b9c5112487f4670622
cherry picked from commit
python-qemu-qmp@c08fb82b38212956ccffc03fc6d015c3979f42fe
Signed-off-by: John Snow <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
(cherry picked from commit 85f223e5b031eb8ab63fbca314a4fb296a3a2632)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 8d7385b2a7475282530246cd99e39c86e8f55f6c
https://github.com/qemu/qemu/commit/8d7385b2a7475282530246cd99e39c86e8f55f6c
Author: Daniel P. Berrangé <[email protected]>
Date: 2025-09-16 (Tue, 16 Sep 2025)
Changed paths:
M tests/qemu-iotests/testenv.py
M tests/qemu-iotests/testrunner.py
Log Message:
-----------
iotests: drop compat for old version context manager
Our minimum python is now 3.9, so back compat with prior
python versions is no longer required.
Signed-off-by: Daniel P. Berrangé <[email protected]>
(cherry picked from commit 82c7cb93c750196f513a1b11cb85e0328bad444f)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 6a59e3c5b0feb3fc2066ca0196ce643b35211e7a
https://github.com/qemu/qemu/commit/6a59e3c5b0feb3fc2066ca0196ce643b35211e7a
Author: Daniel P. Berrangé <[email protected]>
Date: 2025-09-16 (Tue, 16 Sep 2025)
Changed paths:
M python/qemu/machine/qtest.py
Log Message:
-----------
python: ensure QEMUQtestProtocol closes its socket
While QEMUQtestMachine closes the socket that was passed to
QEMUQtestProtocol, the python resource leak manager still
believes that the copy QEMUQtestProtocol holds is open. We
must explicitly call close to avoid this leak warning.
Signed-off-by: Daniel P. Berrangé <[email protected]>
(cherry picked from commit 6ccb48ffc19fe25511313a246d4a8bad51114ea9)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: de9b387a5b95adbf1b865f538b6eb59dfd298b86
https://github.com/qemu/qemu/commit/de9b387a5b95adbf1b865f538b6eb59dfd298b86
Author: Daniel P. Berrangé <[email protected]>
Date: 2025-09-16 (Tue, 16 Sep 2025)
Changed paths:
M tests/qemu-iotests/147
Log Message:
-----------
iotests/147: ensure temporary sockets are closed before exiting
This avoids the python resource leak detector from issuing warnings
in the iotests.
Signed-off-by: Daniel P. Berrangé <[email protected]>
(cherry picked from commit d4d0ebfcc926c11d16320d0d5accf22e3441c115)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: a1e094db8b13b0855c2d7dbf298d00a89481c3b3
https://github.com/qemu/qemu/commit/a1e094db8b13b0855c2d7dbf298d00a89481c3b3
Author: Daniel P. Berrangé <[email protected]>
Date: 2025-09-16 (Tue, 16 Sep 2025)
Changed paths:
M tests/qemu-iotests/151
Log Message:
-----------
iotests/151: ensure subprocesses are cleaned up
The iotest 151 creates a bunch of subprocesses, with their stdout
connected to a pipe but never reads any data from them and does
not guarantee the processes are killed on cleanup.
This triggers resource leak warnings from python when the
subprocess.Popen object is garbage collected.
Signed-off-by: Daniel P. Berrangé <[email protected]>
(cherry picked from commit 2b2fb25c2aaf5b2e8172d845db39cc50a951a12e)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: dd6c96219cd7aa957479169e772b1c68983a9419
https://github.com/qemu/qemu/commit/dd6c96219cd7aa957479169e772b1c68983a9419
Author: Daniel P. Berrangé <[email protected]>
Date: 2025-09-16 (Tue, 16 Sep 2025)
Changed paths:
M tests/qemu-iotests/check
Log Message:
-----------
iotests/check: always enable all python warnings
Of most importance is that this gives us a heads-up if anything
we rely on has been deprecated. The default python behaviour
only emits a warning if triggered from __main__ which is very
limited.
Setting the env variable further ensures that any python child
processes will also display warnings.
Signed-off-by: Daniel P. Berrangé <[email protected]>
(cherry picked from commit 9a494d83538680651197651031375c2b6fa2490b)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: dfaeca306b34e764757115417fa086d0c516a509
https://github.com/qemu/qemu/commit/dfaeca306b34e764757115417fa086d0c516a509
Author: Alex Bennée <[email protected]>
Date: 2025-09-17 (Wed, 17 Sep 2025)
Changed paths:
M .gitmodules
Log Message:
-----------
.gitmodules: move u-boot mirrors to qemu-project-mirrors
To continue our GitLab Open Source Program license we need to pass an
automated license check for all repos under qemu-project. While U-Boot
is clearly GPLv2, rather than fight with the automated validation
script, just move the mirror across to a separate project.
Signed-off-by: Alex Bennée <[email protected]>
Suggested-by: Daniel P. Berrangé <[email protected]>
Cc: [email protected]
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit a11d1847d5ef8a7db58e6d4e44f36fec708f0981)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 88006572b4982aaaace7410644121434c8aa0522
https://github.com/qemu/qemu/commit/88006572b4982aaaace7410644121434c8aa0522
Author: Stéphane Graber <[email protected]>
Date: 2025-09-17 (Wed, 17 Sep 2025)
Changed paths:
M hw/usb/dev-network.c
Log Message:
-----------
hw/usb/network: Remove hardcoded 0x40 prefix in STRING_ETHADDR response
USB NICs have a "40:" prefix hardcoded for all MAC addresses when we
return the guest the MAC address if it queries the STRING_ETHADDR USB
string property. This doesn't match what we use for the
OID_802_3_PERMANENT_ADDRESS or OID_802_3_CURRENT_ADDRESS OIDs for
NDIS, or the MAC address we actually use in the QEMU networking code
to send/receive packets for this device, or the NIC info string we
print for users. In all those other places we directly use
s->conf.macaddr.a, which is the full thing the user asks for.
This overrides user-provided configuration and leads to an inconsistent
experience.
I couldn't find any documented reason (comment or git commits) for
this behavior. It seems like everyone is just expecting the MAC
address to be fully passed through to the guest, but it isn't.
This may have been a debugging hack that accidentally made it through
to the accepted patch: it has been in the code since it was originally
added back in 2008.
This is also particularly problematic as the "40:" prefix isn't a
reserved prefix for MAC addresses (IEEE OUI). There are a number of
valid allocations out there which use this prefix, meaning that QEMU
may be causing MAC address conflicts.
Cc: [email protected]
Fixes: 6c9f886ceae5b ("Add CDC-Ethernet usb NIC (original patch from Thomas Sailer)")
Signed-off-by: Stéphane Graber <[email protected]>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2951
Reviewed-by: Daniel P. Berrangé <[email protected]>
[PMM: beef up commit message based on mailing list discussion]
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit aaf042299acf83919862c7d7dd5fc36acf4e0671)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 6130ab24d03e4df9dc4a2c94dce2582d2971c647
https://github.com/qemu/qemu/commit/6130ab24d03e4df9dc4a2c94dce2582d2971c647
Author: Xiaoyao Li <[email protected]>
Date: 2025-09-18 (Thu, 18 Sep 2025)
Changed paths:
M system/physmem.c
M target/i386/kvm/kvm-cpu.c
M target/i386/kvm/kvm.c
Log Message:
-----------
i386/cpu: Enable SMM cpu address space under KVM
Kirill Martynov reported an assertion in cpu_asidx_from_attrs() being hit
when x86_cpu_dump_state() is called to dump the CPU state[*]. It happens
when the CPU is in SMM and KVM emulation failure due to misbehaving
guest.
The root cause is that QEMU i386 never enables the SMM address space for
cpu since KVM SMM support has been added.
Enable the SMM cpu address space under KVM when the SMM is enabled for
the x86machine.
[*]
https://lore.kernel.org/qemu-devel/[email protected]/
Reported-by: Kirill Martynov <[email protected]>
Reviewed-by: Zhao Liu <[email protected]>
Tested-by: Kirill Martynov <[email protected]>
Signed-off-by: Xiaoyao Li <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 0516f4b70264b9710a25718d21bd35ef463c875e)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 46cda5823bb162276fdda1cd6d124f2946e40cf0
https://github.com/qemu/qemu/commit/46cda5823bb162276fdda1cd6d124f2946e40cf0
Author: Xiaoyao Li <[email protected]>
Date: 2025-09-18 (Thu, 18 Sep 2025)
Changed paths:
M target/i386/cpu.h
M target/i386/kvm/kvm-cpu.c
M target/i386/kvm/kvm.c
M target/i386/tcg/system/tcg-cpu.c
Log Message:
-----------
target/i386: Define enum X86ASIdx for x86's address spaces
Define X86ASIdx as enum, like ARM's ARMASIdx, so that it's clear index 0
is for memory and index 1 is for SMM.
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Zhao Liu <[email protected]>
Tested-By: Kirill Martynov <[email protected]>
Signed-off-by: Xiaoyao Li <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 591f817d819f5511fd9001dc863a326d23088811)
(Mjt: pick this change for completeness with the previous one)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: e460ac0c14f5bb2b9a2cd45e564edf68ea950f64
https://github.com/qemu/qemu/commit/e460ac0c14f5bb2b9a2cd45e564edf68ea950f64
Author: Xiaoyao Li <[email protected]>
Date: 2025-09-18 (Thu, 18 Sep 2025)
Changed paths:
M pc-bios/multiboot_dma.bin
M pc-bios/optionrom/multiboot.S
Log Message:
-----------
multiboot: Fix the split lock
While running the kvm-unit-tests on Intel platforms with "split lock
disable" feature, every test triggers a kernel warning of
x86/split lock detection: #AC: qemu-system-x86_64/373232 took a split_lock
trap at address: 0x1e3
Hack KVM by exiting to QEMU on split lock #AC, we get
KVM: exception 17 exit (error code 0x0)
EAX=00000001 EBX=00000000 ECX=00000014 EDX=0001fb80
ESI=00000000 EDI=000000a8 EBP=00000000 ESP=00006f10
EIP=000001e3 EFL=00010002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0900 00009000 0000ffff 00009300 DPL=0 DS16 [-WA]
CS =c000 000c0000 0000ffff 00009b00 DPL=0 CS16 [-RA]
SS =0000 00000000 0000ffff 00009300 DPL=0 DS16 [-WA]
DS =c000 000c0000 0000ffff 00009300 DPL=0 DS16 [-WA]
FS =0950 00009500 0000ffff 00009300 DPL=0 DS16 [-WA]
GS =06f2 00006f20 0000ffff 00009300 DPL=0 DS16 [-WA]
LDT=0000 00000000 0000ffff 00008200 DPL=0 LDT
TR =0000 00000000 0000ffff 00008b00 DPL=0 TSS32-busy
GDT= 000c02b4 00000027
IDT= 00000000 000003ff
CR0=00000011 CR2=00000000 CR3=00000000 CR4=00000000
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000
DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000000
Code=89 16 08 00 65 66 0f 01 16 06 00 66 b8 01 00 00 00 0f 22 c0 <65> 66 ff 2e
00 00 b8 10 00 00 00 8e d0 8e d8 8e c0 8e e0 8e e8 66 b8 08 00 66 ba 10 05 66
And it matches with what is disassembled from multiboot_dma.bin:
#objdump -b binary -m i386 -D pc-bios/multiboot_dma.bin
1d1: 08 00 or %al,(%eax)
1d3: 65 66 0f 01 16 lgdtw %gs:(%esi)
1d8: 06 push %es
1d9: 00 66 b8 add %ah,-0x48(%esi)
1dc: 01 00 add %eax,(%eax)
1de: 00 00 add %al,(%eax)
1e0: 0f 22 c0 mov %eax,%cr0
> 1e3: 65 66 ff 2e ljmpw *%gs:(%esi)
1e7: 00 00 add %al,(%eax)
1e9: b8 10 00 00 00 mov $0x10,%eax
1ee: 8e d0 mov %eax,%ss
1f0: 8e d8 mov %eax,%ds
1f2: 8e c0 mov %eax,%es
1f4: 8e e0 mov %eax,%fs
1f6: 8e e8 mov %eax,%gs
1f8: 66 b8 08 00 mov $0x8,%ax
1fc: 66 ba 10 05 mov $0x510,%dx
We can see that the instruction at 0x1e3 is a far jmp through the GDT.
However, the GDT is not 8 byte aligned, the base is 0xc02b4.
Intel processors follow the LOCK semantics to set the accessed flag of the
segment descriptor when loading a segment descriptor. If the segment
descriptor crosses two cache lines, it causes a split lock.
Fix it by aligning the GDT on 8 bytes, so that segment descriptor cannot
span two cache lines.
Signed-off-by: Xiaoyao Li <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit 4c8f69b94839f72314c69902312068d0b9b05a34)
Signed-off-by: Michael Tokarev <[email protected]>
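Added example (not code from the commit or from QEMU): a small C check that takes the GDT base and limit from the register dump above, flags every descriptor whose locked accessed-bit update would straddle a cache line, and shows that rounding the base up to 8 bytes, as the fix does, leaves no such descriptor. The 64-byte cache line size is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values taken from the register dump in the commit message:
 *   GDT= 000c02b4 00000027
 * i.e. base 0xc02b4 and limit 0x27, so (0x27 + 1) / 8 = 5 descriptors. */
#define GDT_BASE_UNALIGNED 0xc02b4u
#define GDT_LIMIT          0x27u

#define DESC_BYTES       8u
#define CACHE_LINE_BYTES 64u   /* assumed line size; typical for Intel parts */

/* Byte address of descriptor `index` inside a GDT at `base`. */
static uint32_t gdt_desc_addr(uint32_t base, unsigned index)
{
    return base + index * DESC_BYTES;
}

/* True when the 8-byte descriptor starting at `addr` straddles a
 * cache-line boundary. The LOCKed read-modify-write that sets the
 * accessed bit then touches two lines: a split lock, and an #AC
 * when split-lock detection is enabled. */
bool desc_splits_cache_line(uint32_t addr)
{
    uint32_t first_line = addr / CACHE_LINE_BYTES;
    uint32_t last_line  = (addr + DESC_BYTES - 1) / CACHE_LINE_BYTES;
    return first_line != last_line;
}

/* Bitmask of descriptor indexes in the table that would split-lock.
 * Bit i set means descriptor i (selector i << 3) is affected. */
uint32_t gdt_split_lock_mask(uint32_t base, uint32_t limit)
{
    unsigned count = (limit + 1) / DESC_BYTES;
    uint32_t mask = 0;

    for (unsigned i = 0; i < count; i++) {
        if (desc_splits_cache_line(gdt_desc_addr(base, i))) {
            mask |= 1u << i;
        }
    }
    return mask;
}

/* Round up to the next multiple of 8, which is what aligning the GDT in
 * multiboot.S achieves. Because 64 is a multiple of 8, an 8-byte object
 * at an 8-byte-aligned address can never cross a 64-byte line. */
uint32_t align8(uint32_t addr)
{
    return (addr + DESC_BYTES - 1) & ~(DESC_BYTES - 1);
}

int main(void)
{
    uint32_t bad = gdt_split_lock_mask(GDT_BASE_UNALIGNED, GDT_LIMIT);
    uint32_t aligned = align8(GDT_BASE_UNALIGNED);

    printf("GDT at 0x%x: split-lock descriptor mask 0x%x\n",
           GDT_BASE_UNALIGNED, bad);
    for (unsigned i = 0; i < 32; i++) {
        if (bad & (1u << i)) {
            printf("  descriptor %u (selector 0x%02x) at 0x%x spans a line\n",
                   i, i << 3, gdt_desc_addr(GDT_BASE_UNALIGNED, i));
        }
    }
    printf("GDT at 0x%x (aligned): mask 0x%x\n",
           aligned, gdt_split_lock_mask(aligned, GDT_LIMIT));
    return 0;
}
```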
Commit: 4e95da030501d32183bb3c695e30a2c7c14c604a
https://github.com/qemu/qemu/commit/4e95da030501d32183bb3c695e30a2c7c14c604a
Author: Paolo Bonzini <[email protected]>
Date: 2025-09-25 (Thu, 25 Sep 2025)
Changed paths:
M linux-user/strace.c
Log Message:
-----------
linux-user: avoid -Werror=int-in-bool-context
linux-user is failing to compile on Fedora 43:
../linux-user/strace.c:57:66: error: enum constant in boolean context
[-Werror=int-in-bool-context]
57 | #define FLAG_BASIC(V, M, N) { V, M | QEMU_BUILD_BUG_ON_ZERO(!(M)),
N }
The warning does not seem to be too useful and we could even disable it,
but the workaround is simple in this case.
Cc: [email protected]
Cc: Richard Henderson <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit db05b0d21ec1e0532cf5f5103ae6520a838d96f9)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 307f5bb43f9ed7dce7574e5765aa0713d3ffd167
https://github.com/qemu/qemu/commit/307f5bb43f9ed7dce7574e5765aa0713d3ffd167
Author: Richard Henderson <[email protected]>
Date: 2025-09-26 (Fri, 26 Sep 2025)
Changed paths:
M target/sparc/translate.c
Log Message:
-----------
target/sparc: Allow TRANS macro with no extra arguments
Use ## to drop the preceding comma if __VA_ARGS__ is empty.
Reviewed-by: Mark Cave-Ayland <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit b7cd0a1821adf9906c5edb248394bb2a95482656)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: dd93f80d0211972c3aaa3d5a37e3695404152937
https://github.com/qemu/qemu/commit/dd93f80d0211972c3aaa3d5a37e3695404152937
Author: Richard Henderson <[email protected]>
Date: 2025-09-26 (Fri, 26 Sep 2025)
Changed paths:
M target/sparc/insns.decode
M target/sparc/translate.c
Log Message:
-----------
target/sparc: Loosen decode of STBAR for v8
Solaris 8 appears to have a bug whereby it executes v9 MEMBAR
instructions when booting a freshly installed image. According
to the SPARC v8 architecture manual, whilst bits 13 and bits 12-0
of the "Read State Register Instructions" are notionally zero,
they are marked as unused (i.e. ignored).
Fixes: af25071c1d ("target/sparc: Move RDASR, STBAR, MEMBAR to decodetree")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3097
Signed-off-by: Richard Henderson <[email protected]>
Reviewed-by: Mark Cave-Ayland <[email protected]>
Tested-by: Mark Cave-Ayland <[email protected]>
(cherry picked from commit b6cdd6c6050567c02a3b3cd428f85bb79d7455aa)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 7c48b47055b1abc6eb3f80d5d05207e86462096a
https://github.com/qemu/qemu/commit/7c48b47055b1abc6eb3f80d5d05207e86462096a
Author: Richard Henderson <[email protected]>
Date: 2025-09-26 (Fri, 26 Sep 2025)
Changed paths:
M target/sparc/insns.decode
M target/sparc/translate.c
Log Message:
-----------
target/sparc: Loosen decode of RDY for v7
Bits [18:0] are not decoded with v7, and for v8 unused values
of rs1 simply produce undefined results.
Fixes: af25071c1d ("target/sparc: Move RDASR, STBAR, MEMBAR to decodetree")
Signed-off-by: Richard Henderson <[email protected]>
Reviewed-by: Mark Cave-Ayland <[email protected]>
Tested-by: Mark Cave-Ayland <[email protected]>
(cherry picked from commit 49d669ccf33a772e3baf3fe4ebb996dc015f46c1)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: ba5f5ae5b2d9f73b356192827abe59bc9c58be59
https://github.com/qemu/qemu/commit/ba5f5ae5b2d9f73b356192827abe59bc9c58be59
Author: Richard Henderson <[email protected]>
Date: 2025-09-26 (Fri, 26 Sep 2025)
Changed paths:
M target/sparc/insns.decode
Log Message:
-----------
target/sparc: Loosen decode of RDPSR for v7
For v7, bits [18:0] are ignored.
For v8, bits [18:14] are reserved and bits [13:0] are ignored.
Fixes: 668bb9b755e ("target/sparc: Move RDPSR, RDHPR to decodetree")
Reviewed-by: Mark Cave-Ayland <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit a0345f628394fbd001276c80fd02c8ad0d1b7ee2)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: e574af4a5a736ed06bc22088edf8d0c2d1f22037
https://github.com/qemu/qemu/commit/e574af4a5a736ed06bc22088edf8d0c2d1f22037
Author: Richard Henderson <[email protected]>
Date: 2025-09-26 (Fri, 26 Sep 2025)
Changed paths:
M target/sparc/insns.decode
Log Message:
-----------
target/sparc: Loosen decode of RDWIM for v7
For v7, bits [18:0] are ignored.
For v8, bits [18:14] are reserved and bits [13:0] are ignored.
Fixes: 5d617bfba07 ("target/sparc: Move RDWIM, RDPR to decodetree")
Reviewed-by: Mark Cave-Ayland <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit dc9678cc9725d6c3053c6f110f162d956eb9d48f)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 5f51aa7f603a7ef0c3aaee77da868419db02b8dd
https://github.com/qemu/qemu/commit/5f51aa7f603a7ef0c3aaee77da868419db02b8dd
Author: Richard Henderson <[email protected]>
Date: 2025-09-26 (Fri, 26 Sep 2025)
Changed paths:
M target/sparc/insns.decode
Log Message:
-----------
target/sparc: Loosen decode of RDTBR for v7
For v7, bits [18:0] are ignored.
For v8, bits [18:14] are reserved and bits [13:0] are ignored.
Fixes: e8325dc02d0 ("target/sparc: Move RDTBR, FLUSHW to decodetree")
Reviewed-by: Mark Cave-Ayland <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit 6ff52f9dee064d3c2138426834320f5877863d9b)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 431d064c8eeb30947b40f71c2ec1214ce378643f
https://github.com/qemu/qemu/commit/431d064c8eeb30947b40f71c2ec1214ce378643f
Author: Richard Henderson <[email protected]>
Date: 2025-09-26 (Fri, 26 Sep 2025)
Changed paths:
M target/sparc/translate.c
Log Message:
-----------
target/sparc: Relax decode of rs2_or_imm for v7
For v7, bits [12:5] are ignored for !imm.
For v8, those same bits are reserved, but are not trapped.
Reviewed-by: Mark Cave-Ayland <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit df663ac0a4e5d916b6b3e77552a925fec02bced4)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 975d8f329e872a29fb34e4b6050d86456b483f11
https://github.com/qemu/qemu/commit/975d8f329e872a29fb34e4b6050d86456b483f11
Author: Peter Maydell <[email protected]>
Date: 2025-09-26 (Fri, 26 Sep 2025)
Changed paths:
M hw/pci-host/dino.c
Log Message:
-----------
hw/pci-host/dino: Don't call pci_register_root_bus() in init
In the dino PCI host bridge device, we call pci_register_root_bus()
in the device's instance_init. This is a problem for two reasons
* the PCI bridge is then available to the rest of the simulation
(e.g. via pci_qdev_find_device()), even though it hasn't
yet been realized
* we do not attempt to unregister in an instance_deinit,
which means that if you go through an instance_init -> deinit
lifecycle the freed memory for the host-bridge device is
left on the pci_host_bridges list
ASAN reports the resulting use-after-free:
==1771223==ERROR: AddressSanitizer: heap-use-after-free on address
0x527000018f80 at pc 0x5b4b9d3369b5 bp 0x7ffd01929980 sp 0x7ffd01929978
WRITE of size 8 at 0x527000018f80 thread T0
#0 0x5b4b9d3369b4 in pci_host_bus_register
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:608:5
#1 0x5b4b9d321566 in pci_root_bus_internal_init
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:677:5
#2 0x5b4b9d3215e0 in pci_root_bus_new
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:706:5
#3 0x5b4b9d321fe5 in pci_register_root_bus
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:751:11
#4 0x5b4b9d390521 in dino_pcihost_init
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci-host/dino.c:473:16
0x527000018f80 is located 1664 bytes inside of 12384-byte region
[0x527000018900,0x52700001b960)
freed by thread T0 here:
#0 0x5b4b9cab185a in free
(/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17ad85a)
(BuildId: ca496bb2e4fc750ebd289b448bad8d99c0ecd140)
#1 0x5b4b9e3ee723 in object_finalize
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:734:9
#2 0x5b4b9e3e69db in object_unref
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:1232:9
#3 0x5b4b9ea6173c in qmp_device_list_properties
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:237:5
#4 0x5b4b9ec4e0f3 in qmp_marshal_device_list_properties
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qapi/qapi-commands-qdev.c:65:14
previously allocated by thread T0 here:
#0 0x5b4b9cab1af3 in malloc
(/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17adaf3)
(BuildId: ca496bb2e4fc750ebd289b448bad8d99c0ecd140)
#1 0x799d8270eb09 in g_malloc
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId:
1eb6131419edb83b2178b682829a6913cf682d75)
#2 0x5b4b9e3e75fc in object_new_with_type
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:767:15
#3 0x5b4b9e3e7409 in object_new_with_class
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:782:12
#4 0x5b4b9ea609a5 in qmp_device_list_properties
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:206:11
where we allocated one instance of the dino device, put it on the
list, freed it, and then trying to allocate a second instance touches
the freed memory on the pci_host_bridges list.
Fix this by deferring all the setup of memory regions and registering
the PCI bridge to the device's realize method. This brings it into
line with almost all other PCI host bridges, which call
pci_register_root_bus() in realize.
Cc: [email protected]
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3118
Fixes: 63901b6cc4d8b4 ("dino: move PCI bus initialisation to
dino_pcihost_init()")
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Tested-by: Alex Bennée <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit e4a1b308b27cd77338b8f05d3a31e6b38eb717c7)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: bbb31acea94a4d6b21fd02a7411408a04a3083d9
https://github.com/qemu/qemu/commit/bbb31acea94a4d6b21fd02a7411408a04a3083d9
Author: Peter Maydell <[email protected]>
Date: 2025-09-26 (Fri, 26 Sep 2025)
Changed paths:
M hw/pci-host/astro.c
Log Message:
-----------
hw/pci-host/astro: Don't call pci_register_root_bus() in init
In the astro PCI host bridge device, we call pci_register_root_bus()
in the device's instance_init. This is a problem for two reasons:
* the PCI bridge is then available to the rest of the simulation
(e.g. via pci_qdev_find_device()), even though it hasn't
yet been realized
* we do not attempt to unregister in an instance_deinit,
which means that if you go through an instance_init -> deinit
lifecycle the freed memory for the host-bridge device is
left on the pci_host_bridges list
ASAN reports the resulting use-after-free:
==1776584==ERROR: AddressSanitizer: heap-use-after-free on address
0x51f00000cb00 at pc 0x5b2d460a89b5 bp 0x7ffef7617f50 sp 0x7ffef7617f48
WRITE of size 8 at 0x51f00000cb00 thread T0
#0 0x5b2d460a89b4 in pci_host_bus_register
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:608:5
#1 0x5b2d46093566 in pci_root_bus_internal_init
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:677:5
#2 0x5b2d460935e0 in pci_root_bus_new
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:706:5
#3 0x5b2d46093fe5 in pci_register_root_bus
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci/pci.c:751:11
#4 0x5b2d46fe2335 in elroy_pcihost_init
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../hw/pci-host/astro.c:455:16
0x51f00000cb00 is located 1664 bytes inside of 3456-byte region
[0x51f00000c480,0x51f00000d200)
freed by thread T0 here:
#0 0x5b2d4582385a in free
(/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17ad85a)
(BuildId: 692b49eedc6fb0ef618bbb6784a09311b3b7f1e8)
#1 0x5b2d47160723 in object_finalize
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:734:9
#2 0x5b2d471589db in object_unref
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:1232:9
#3 0x5b2d477d373c in qmp_device_list_properties
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:237:5
previously allocated by thread T0 here:
#0 0x5b2d45823af3 in malloc
(/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/qemu-system-hppa+0x17adaf3)
(BuildId: 692b49eedc6fb0ef618bbb6784a09311b3b7f1e8)
#1 0x79728fa08b09 in g_malloc
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62b09) (BuildId:
1eb6131419edb83b2178b682829a6913cf682d75)
#2 0x5b2d471595fc in object_new_with_type
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:767:15
#3 0x5b2d47159409 in object_new_with_class
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/object.c:782:12
#4 0x5b2d477d29a5 in qmp_device_list_properties
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/hppa-asan/../../qom/qom-qmp-cmds.c:206:11
Cc: [email protected]
Fixes: e029bb00a79be ("hw/pci-host: Add Astro system bus adapter found on
PA-RISC machines")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3118
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Tested-by: Alex Bennée <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit 76d2b8d42adb0db2d1ccd08a626f25ddd30208a8)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 903045d724f790acfc35ea08afffd9d8f5e0668a
https://github.com/qemu/qemu/commit/903045d724f790acfc35ea08afffd9d8f5e0668a
Author: WANG Rui <[email protected]>
Date: 2025-09-26 (Fri, 26 Sep 2025)
Changed paths:
M tcg/optimize.c
Log Message:
-----------
tcg/optimize: Fix folding of vector bitsel
It looks like a typo. When the false value (C) is the constant -1, the
correct fold should be: R = B | ~A
Reproducer (LoongArch64 assembly):
.text
.globl _start
_start:
vldi $vr1, 3073
vldi $vr2, 1023
vbitsel.v $vr0, $vr2, $vr1, $vr2
vpickve2gr.d $a1, $vr0, 1
xori $a0, $a1, 1
li.w $a7, 93
syscall 0
Fixes: e58b977238e3 ("tcg/optimize: Optimize bitsel_vec")
Link: https://github.com/llvm/llvm-project/issues/159610
Signed-off-by: WANG Rui <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit a50347a4145faf6d409afd4b9b682c8b3e60854a)
Signed-off-by: Michael Tokarev <[email protected]>
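The identity the commit relies on, checked mechanically. This is an added example, not code from tcg/optimize.c or the commit: bitsel_ref() is the reference semantics of bitsel_vec / vbitsel.v, fold_c_minus_one() is the fold the message names (C == -1 gives R = B | ~A), and fold_wrong_candidate() is a constructed wrong fold used only to show that the exhaustive check rejects it (it is not the typo the commit fixed, which the message does not show).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Reference semantics of a bit-select (TCG bitsel_vec, LoongArch vbitsel.v):
 * each result bit comes from B where the selector bit in A is 1, and from C
 * where it is 0. */
static uint64_t bitsel_ref(uint64_t a, uint64_t b, uint64_t c)
{
    return (a & b) | (~a & c);
}

typedef uint64_t (*fold_fn)(uint64_t a, uint64_t b);

/* The fold named in the commit message: with C == -1, R = B | ~A. */
static uint64_t fold_c_minus_one(uint64_t a, uint64_t b)
{
    return b | ~a;
}

/* Constructed wrong candidate, present only so the checker has something to
 * reject. It is NOT the typo from tcg/optimize.c. */
static uint64_t fold_wrong_candidate(uint64_t a, uint64_t b)
{
    return b | a;
}

/* Compare a candidate fold against the reference for all 65536 pairs of
 * 8-bit A and B. The identity is bitwise, so the upper bits of the 64-bit
 * operands add nothing here. Returns true when no pair mismatches. */
static bool fold_matches_exhaustive8(fold_fn fold)
{
    for (uint64_t a = 0; a < 256; a++) {
        for (uint64_t b = 0; b < 256; b++) {
            if (fold(a, b) != bitsel_ref(a, b, UINT64_MAX)) {
                return false;
            }
        }
    }
    return true;
}

/* Randomised full-width check with a small xorshift generator, so the high
 * bits of the 64-bit lanes are exercised as well. */
static bool fold_matches_random64(fold_fn fold, unsigned rounds)
{
    uint64_t s = 0x9E3779B97F4A7C15ULL;   /* constructed fixed seed */
    for (unsigned i = 0; i < rounds; i++) {
        s ^= s << 13; s ^= s >> 7; s ^= s << 17;
        uint64_t a = s;
        s ^= s << 13; s ^= s >> 7; s ^= s << 17;
        uint64_t b = s;
        if (fold(a, b) != bitsel_ref(a, b, UINT64_MAX)) {
            return false;
        }
    }
    return true;
}

int main(void)
{
    bool ok = fold_matches_exhaustive8(fold_c_minus_one) &&
              fold_matches_random64(fold_c_minus_one, 100000);
    printf("B | ~A matches bitsel(A, B, -1): %s\n", ok ? "yes" : "no");
    printf("B | A  matches bitsel(A, B, -1): %s\n",
           fold_matches_exhaustive8(fold_wrong_candidate) ? "yes" : "no");
    return 0;
}
```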
Commit: f4eeb2f48d04be41afdb2e0560a7b70fe0cd0e58
https://github.com/qemu/qemu/commit/f4eeb2f48d04be41afdb2e0560a7b70fe0cd0e58
Author: Peter Maydell <[email protected]>
Date: 2025-09-26 (Fri, 26 Sep 2025)
Changed paths:
M .gitlab-ci.d/buildtest.yml
Log Message:
-----------
.gitlab-ci.d/buildtest.yml: Unset CI_COMMIT_DESCRIPTION for htags
In commit 52a21689cd829 we added a workaround for a bug in older
versions of htags where they fail with a weird error message if the
environment is too large. However, we missed one variable which
gitlab CI can set to the body of the commit message:
CI_COMMIT_DESCRIPTION.
Add this to the variables we unset when running htags, so that
the 'pages' job doesn't fail if the most recent commit happens
to have a very large commit message.
Cc: [email protected]
Fixes: 52a21689cd8 (".gitlab-ci.d/buildtest.yml: Work around htags bug when
environment is large")
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Thomas Huth <[email protected]>
(cherry picked from commit fd34f56fe886250bdd64f9c222c1cb4c07a594ad)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: ed37926cfbbc63a624b7ccd4c9c083c60771faab
https://github.com/qemu/qemu/commit/ed37926cfbbc63a624b7ccd4c9c083c60771faab
Author: Thomas Huth <[email protected]>
Date: 2025-09-26 (Fri, 26 Sep 2025)
Changed paths:
M tests/Makefile.include
Log Message:
-----------
tests: Fix "make check-functional" for targets without thorough tests
If QEMU gets configured for a single target that does not have
any thorough functional tests, "make check-functional" currently
fails with the error message "No rule to make target 'check-func'".
This happens because "check-func" only gets defined for thorough
tests (quick ones get added to "check-func-quick" instead).
The same problem can happen with the quick tests for targets that
do not have any functional test at all. To fix it, simply make sure
that the targets are always available in the Makefile.
Reported-by: Peter Maydell <[email protected]>
Closes: https://gitlab.com/qemu-project/qemu/-/issues/3119
Signed-off-by: Thomas Huth <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit 4f1ebc7712a7db61155080164f2169320d033559)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: daf8f84e7410cdd2ce1fe4c98d44cfba2726a244
https://github.com/qemu/qemu/commit/daf8f84e7410cdd2ce1fe4c98d44cfba2726a244
Author: Richard Henderson <[email protected]>
Date: 2025-09-26 (Fri, 26 Sep 2025)
Changed paths:
M accel/tcg/tb-maint.c
Log Message:
-----------
accel/tcg: Properly unlink a TB linked to itself
When we remove dest from orig's links, we lose the link
that we rely on later to reset links. This can lead to
failure to release from spinlock with self-modifying code.
Cc: [email protected]
Reported-by: 李威威 <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
Reviewed-by: Anton Johansson <[email protected]>
Tested-by: Anton Johansson <[email protected]>
(cherry picked from commit 03fe6659803f83690b8587d01f8ee56bb4be4b90)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 562020faa2ee9c531ce58434be01e3e42cfd94d6
https://github.com/qemu/qemu/commit/562020faa2ee9c531ce58434be01e3e42cfd94d6
Author: Richard Henderson <[email protected]>
Date: 2025-09-26 (Fri, 26 Sep 2025)
Changed paths:
M tests/tcg/multiarch/Makefile.target
A tests/tcg/multiarch/tb-link.c
Log Message:
-----------
tests/tcg/multiarch: Add tb-link test
Signed-off-by: Richard Henderson <[email protected]>
(cherry picked from commit e13e1195db8af18e149065a59351ea85215645bb)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: dfae27159d00de9259f95cf578784cfccb56ce04
https://github.com/qemu/qemu/commit/dfae27159d00de9259f95cf578784cfccb56ce04
Author: Peter Maydell <[email protected]>
Date: 2025-09-27 (Sat, 27 Sep 2025)
Changed paths:
M hw/usb/hcd-uhci.c
Log Message:
-----------
hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint
If the guest feeds invalid data to the UHCI controller, we
can assert:
qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid ==
USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.
(see issue 2548 for the repro case). This happens because the guest
attempts USB_TOKEN_SETUP to an endpoint other than 0, which is not
valid. The controller code doesn't catch this guest error, so
instead we hit the assertion in the USB core code.
Catch the case of SETUP to non-zero endpoint, and treat it as a fatal
error in the TD, in the same way we do for an invalid PID value in
the TD.
This is the UHCI equivalent of the same bug in OHCI that we fixed in
commit 3c3c233677 ("hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or
OUT").
This bug has been tracked as CVE-2024-8354.
Cc: [email protected]
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/2548
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
(cherry picked from commit d0af3cd0274e265435170a583c72b9f0a4100dff)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 2d1b1bad05ddce25b1dbc05cdc05a229c64f72a8
https://github.com/qemu/qemu/commit/2d1b1bad05ddce25b1dbc05cdc05a229c64f72a8
Author: Laurent Vivier <[email protected]>
Date: 2025-09-27 (Sat, 27 Sep 2025)
Changed paths:
M meson.build
Log Message:
-----------
net/passt: Fix build failure due to missing GIO dependency
The passt networking backend uses functions from the GIO library,
such as g_subprocess_launcher_new(), to manage its daemon process.
So, building with passt enabled requires GIO to be available.
If we enable passt and disable gio the build fails during linkage with
undefined reference errors:
/usr/bin/ld: libsystem.a.p/net_passt.c.o: in function
`net_passt_start_daemon':
net/passt.c:250: undefined reference to `g_subprocess_launcher_new'
/usr/bin/ld: net/passt.c:251: undefined reference to
`g_subprocess_launcher_take_fd'
/usr/bin/ld: net/passt.c:253: undefined reference to
`g_subprocess_launcher_spawnv'
/usr/bin/ld: net/passt.c:256: undefined reference to `g_object_unref'
/usr/bin/ld: net/passt.c:263: undefined reference to `g_subprocess_wait'
/usr/bin/ld: net/passt.c:268: undefined reference to
`g_subprocess_get_if_exited'
/usr/bin/ld: libsystem.a.p/net_passt.c.o: in function
`glib_autoptr_clear_GSubprocess':
/usr/include/glib-2.0/gio/gio-autocleanups.h:132: undefined reference to
`g_object_unref'
/usr/bin/ld: libsystem.a.p/net_passt.c.o: in function
`net_passt_start_daemon':
net/passt.c:269: undefined reference to `g_subprocess_get_exit_status'
Fix this by adding an explicit meson dependency on GIO for the passt
option.
The existing dependency on linux is kept because passt is only available
on this OS.
Cc: [email protected]
Fixes: 854ee02b222 ("net: Add passt network backend")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3121
Reported-by: Thomas Huth <[email protected]>
Signed-off-by: Laurent Vivier <[email protected]>
Reviewed-by: Thomas Huth <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 4ccca2cc05a2d904d1e25365accf3bcbe553c8b0)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: f906aa2e333bfb652d254ab0f9cb9cebdfccb0ae
https://github.com/qemu/qemu/commit/f906aa2e333bfb652d254ab0f9cb9cebdfccb0ae
Author: Fabian Vogt <[email protected]>
Date: 2025-09-29 (Mon, 29 Sep 2025)
Changed paths:
M hw/intc/xics.c
Log Message:
-----------
hw/intc/xics: Add missing call to register vmstate_icp_server
An obsolete wrapper function with a workaround was removed entirely,
without restoring the call it wrapped.
Without this, the guest is stuck after savevm/loadvm.
Fixes: 24ee9229fe31 ("ppc/spapr: remove deprecated machine pseries-2.9")
Signed-off-by: Fabian Vogt <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Link: https://lore.kernel.org/qemu-devel/6187781.lOV4Wx5bFT@fvogt-thinkpad
Signed-off-by: Fabiano Rosas <[email protected]>
Reviewed-by: Gautam Menghani <[email protected]>
Signed-off-by: Harsh Prateek Bora <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Message-ID: <[email protected]>
(cherry picked from commit f5738aedc21790bd07dbead6b6272a605d5c1138)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: e60467febb406b70b0a4e8cd05c4172a6c5d99ed
https://github.com/qemu/qemu/commit/e60467febb406b70b0a4e8cd05c4172a6c5d99ed
Author: Harsh Prateek Bora <[email protected]>
Date: 2025-09-29 (Mon, 29 Sep 2025)
Changed paths:
M hw/ppc/spapr.c
Log Message:
-----------
ppc/spapr: init lrdr-capacity phys with ram size if maxmem not provided
lrdr-capacity contains phys field which communicates the maximum address
in bytes and therefore, the most memory that can be allocated to this
partition. This is usually populated when maxmem is provided along with
the memory size on the qemu command line. However, since maxmem is an
optional param, this leads to the bits being set to 0 in the absence of
the maxmem param.
Fix this by initializing the respective bits as per the total mem size in
such a case.
Reported-by: Gaurav Batra <[email protected]>
Tested-by: David Christensen <[email protected]>
Signed-off-by: Harsh Prateek Bora <[email protected]>
Reviewed-by: Shivaprasad G Bhat <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Message-ID: <[email protected]>
(cherry picked from commit 6285eebd3a5fea018eb51d696b51079f44dd1eb3)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: daa07cbe017407fa43dccb33dd122fa9ab0f94f4
https://github.com/qemu/qemu/commit/daa07cbe017407fa43dccb33dd122fa9ab0f94f4
Author: Mohamed Akram <[email protected]>
Date: 2025-10-01 (Wed, 01 Oct 2025)
Changed paths:
M ui/spice-core.c
Log Message:
-----------
ui/spice: Fix abort on macOS
The check is faulty because the thread variable was assigned in the main
thread while the main loop runs in a different thread on macOS.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3070
Signed-off-by: Mohamed Akram <[email protected]>
Acked-by: Marc-André Lureau <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit e7ecb533ee0dbfbe30c90abb213247f4943a9a12)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: ecc1aef81eafa53b7267fb4d93aaf2eb6a1e3d5a
https://github.com/qemu/qemu/commit/ecc1aef81eafa53b7267fb4d93aaf2eb6a1e3d5a
Author: Marc-André Lureau <[email protected]>
Date: 2025-10-01 (Wed, 01 Oct 2025)
Changed paths:
M ui/spice-display.c
Log Message:
-----------
ui/spice: fix crash when disabling GL scanout on
When spice_qxl_gl_scanout2() isn't available, the fallback code
incorrectly handles NULL arguments to disable the scanout, leading to:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 spice_server_gl_scanout (qxl=0x55a25ce57ae8, fd=0x0, width=0, height=0,
offset=0x0, stride=0x0, num_planes=0, format=0, modifier=72057594037927935,
y_0_top=0)
at ../ui/spice-display.c:983
983 if (num_planes <= 1) {
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2391334
Fixes: 98a050ca93afd8 ("ui/spice: support multi plane dmabuf scanout")
Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Reviewed-by: Michael Tokarev <[email protected]>
Message-Id: <[email protected]>
(cherry picked from commit 62fd247a24290dba2b2de4ee8575624a7993973c)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: f3b84ec247cfe8e4d883feb5e85bc7392ff1a7c9
https://github.com/qemu/qemu/commit/f3b84ec247cfe8e4d883feb5e85bc7392ff1a7c9
Author: Thomas Huth <[email protected]>
Date: 2025-10-01 (Wed, 01 Oct 2025)
Changed paths:
M ui/icons/qemu.svg
Log Message:
-----------
ui/icons/qemu.svg: Add metadata information (author, license) to the logo
We've got two versions of the QEMU logo in the repository, one with
the whole word "QEMU" (pc-bios/qemu_logo.svg) and one that only contains
the letter "Q" (ui/icons/qemu.svg). While qemu_logo.svg contains the
proper metadata with license and author information, this is missing
from the ui/icons/qemu.svg file. Copy the meta data there so that
people have a chance to know the license of the file if they only
look at the qemu.svg file.
Closes: https://gitlab.com/qemu-project/qemu/-/issues/3139
Signed-off-by: Thomas Huth <[email protected]>
Reviewed-by: Marc-André Lureau <[email protected]>
Message-ID: <[email protected]>
(cherry picked from commit 9163424c50981dbc4ded9990228ac01a3b193656)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: e93d2c5fdd151241ace5090bb4a2d381626ee4bf
https://github.com/qemu/qemu/commit/e93d2c5fdd151241ace5090bb4a2d381626ee4bf
Author: Andrew Jones <[email protected]>
Date: 2025-10-04 (Sat, 04 Oct 2025)
Changed paths:
M hw/riscv/riscv-iommu.c
Log Message:
-----------
hw/riscv/riscv-iommu: Fix MSI table size limit
The MSI table is not limited to 4k. The only constraint the table has
is that its base address must be aligned to its size, ensuring no
offsets of the table size will overrun when added to the base address
(see "8.5. MSI page tables" of the AIA spec).
Fixes: 0c54acb8243d ("hw/riscv: add RISC-V IOMMU base emulation")
Signed-off-by: Andrew Jones <[email protected]>
Reviewed-by: Daniel Henrique Barboza <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit 4f7528295b3e6dfe1189f660fa7865ad972d82e7)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: c25be2649cb9be3dcf16d11d7a0c8bbaf2790d21
https://github.com/qemu/qemu/commit/c25be2649cb9be3dcf16d11d7a0c8bbaf2790d21
Author: Andrea Bolognani <[email protected]>
Date: 2025-10-04 (Sat, 04 Oct 2025)
Changed paths:
M docs/interop/firmware.json
Log Message:
-----------
docs/interop/firmware: Add riscv64 to FirmwareArchitecture
Descriptors using this value have been shipped for years
by distros, so we just need to update the spec to match
reality.
Signed-off-by: Andrea Bolognani <[email protected]>
Reviewed-by: Kashyap Chamarthy <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit da14767b356c2342197708a997eeb0da053262a0)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 0be25ffa79bb4478f2933ddd75bff8c528550ea3
https://github.com/qemu/qemu/commit/0be25ffa79bb4478f2933ddd75bff8c528550ea3
Author: Frank Chang <[email protected]>
Date: 2025-10-04 (Sat, 04 Oct 2025)
Changed paths:
M hw/char/sifive_uart.c
Log Message:
-----------
hw/char: sifive_uart: Raise IRQ according to the Tx/Rx watermark thresholds
Currently, the SiFive UART raises an IRQ whenever:
1. ie.txwm is enabled.
2. ie.rxwm is enabled and the Rx FIFO is not empty.
It does not check the watermark thresholds set by software. However,
since commit [1] changed the SiFive UART character printing from
synchronous to asynchronous, Tx overflows may occur, causing characters
to be dropped when running Linux because:
1. The Linux SiFive UART driver sets the transmit watermark level to 1
[2], meaning a transmit watermark interrupt is raised whenever a
character is enqueued into the Tx FIFO.
2. Upon receiving a transmit watermark interrupt, the Linux driver
transfers up to a full Tx FIFO's worth of characters from the Linux
serial transmit buffer [3], without checking the txdata.full flag
before transferring multiple characters [4].
To fix this issue, we must honor the Tx/Rx watermark thresholds and
raise interrupts only when the Tx threshold is exceeded or the Rx
threshold is undercut.
[1] 53c1557b230986ab6320a58e1b2c26216ecd86d5
[2]
https://github.com/torvalds/linux/blob/master/drivers/tty/serial/sifive.c#L1039
[3]
https://github.com/torvalds/linux/blob/master/drivers/tty/serial/sifive.c#L538
[4]
https://github.com/torvalds/linux/blob/master/drivers/tty/serial/sifive.c#L291
Signed-off-by: Frank Chang <[email protected]>
Signed-off-by: Emmanuel Blot <[email protected]>
Reviewed-by: Alistair Francis <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit 191df346175283af013f414375f4be59fb850120)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 7c7694d73cee63c98c77b9b1db902131ba5535fc
https://github.com/qemu/qemu/commit/7c7694d73cee63c98c77b9b1db902131ba5535fc
Author: stove <[email protected]>
Date: 2025-10-04 (Sat, 04 Oct 2025)
Changed paths:
M target/riscv/cpu.h
Log Message:
-----------
target/riscv: use riscv_csrr in riscv_csr_read
Commit 38c83e8d3a33 ("target/riscv: raise an exception when CSRRS/CSRRC
writes a read-only CSR") changed the behavior of riscv_csrrw, which
would formerly be treated as read-only if the write mask were set to 0.
Fixes an exception being raised when accessing read-only vector CSRs
like vtype.
Fixes: 38c83e8d3a33 ("target/riscv: raise an exception when CSRRS/CSRRC writes
a read-only CSR")
Signed-off-by: stove <[email protected]>
Reviewed-by: Daniel Henrique Barboza <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit cebaf7434b4af059caca053ee1ec7ed8df91c2a7)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: c65d1a6b1309e222840ef6d4944ec09ab370c3a4
https://github.com/qemu/qemu/commit/c65d1a6b1309e222840ef6d4944ec09ab370c3a4
Author: Vladimir Isaev <[email protected]>
Date: 2025-10-04 (Sat, 04 Oct 2025)
Changed paths:
M target/riscv/translate.c
Log Message:
-----------
target/riscv: do not use translator_ldl in opcode_at
opcode_at is used only in semihosting checks to match opcodes with expected
pattern.
This is not a translator, and we get the following assert if the page is not in the TLB:
qemu-system-riscv64: ../accel/tcg/translator.c:363: record_save: Assertion
`offset == db->record_start + db->record_len' failed.
Fixes: 1f9c4462334f ("target/riscv: Use translator_ld* for everything")
Signed-off-by: Vladimir Isaev <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
[ Changes by AF:
- Fixup header includes after rebase
]
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit a86d3352ab70f33f5feabbf9bad9450d3c19d0bf)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: b01f2eccf2496fd1f97139f44aaa93340f7bfd6c
https://github.com/qemu/qemu/commit/b01f2eccf2496fd1f97139f44aaa93340f7bfd6c
Author: Guo Ren (Alibaba DAMO Academy) <[email protected]>
Date: 2025-10-04 (Sat, 04 Oct 2025)
Changed paths:
M hw/riscv/riscv-iommu.c
Log Message:
-----------
hw/riscv/riscv-iommu: Fixup PDT Nested Walk
The current implementation is wrong when iohgatp != bare. The RISC-V
IOMMU specification has defined that the PDT is based on GPA, not
SPA. So this patch fixes the problem, making PDT walk correctly
when the G-stage table walk is enabled.
Fixes: 0c54acb8243d ("hw/riscv: add RISC-V IOMMU base emulation")
Cc: [email protected]
Cc: Sebastien Boeuf <[email protected]>
Cc: Tomasz Jeznach <[email protected]>
Reviewed-by: Weiwei Li <[email protected]>
Reviewed-by: Nutty Liu <[email protected]>
Signed-off-by: Guo Ren (Alibaba DAMO Academy) <[email protected]>
Tested-by: Chen Pei <[email protected]>
Tested-by: Fangyu Yu <[email protected]>
Message-ID: <[email protected]>
[ Changes by AF:
- Add braces to if statements
]
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit 15abfced803929f935bb59a0e1b02558bd8325c4)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: e3641f4ecfafa71285c80dea04a000e71dab8946
https://github.com/qemu/qemu/commit/e3641f4ecfafa71285c80dea04a000e71dab8946
Author: vhaudiquet <[email protected]>
Date: 2025-10-04 (Sat, 04 Oct 2025)
Changed paths:
M target/riscv/insn_trans/trans_rvzce.c.inc
Log Message:
-----------
target/riscv: Fix endianness swap on compressed instructions
Three instructions were not using the endianness swap flag, which resulted in a
bug on big-endian architectures.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3131
Buglink: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/2123828
Fixes: e0a3054f18e ("target/riscv: add support for Zcb extension")
Signed-off-by: Valentin Haudiquet <[email protected]>
Cc: [email protected]
Reviewed-by: Anton Johansson <[email protected]>
Reviewed-by: Daniel Henrique Barboza <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit b25133d38fe693589cf695b85968caa0724bfafd)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 8650b5597a9d568f0d005d4d0caf13e333c44a04
https://github.com/qemu/qemu/commit/8650b5597a9d568f0d005d4d0caf13e333c44a04
Author: Max Chou <[email protected]>
Date: 2025-10-04 (Sat, 04 Oct 2025)
Changed paths:
M target/riscv/cpu.c
M target/riscv/csr.c
M target/riscv/machine.c
M target/riscv/tcg/tcg-cpu.c
Log Message:
-----------
target/riscv: rvv: Replace checking V by checking Zve32x
The Zve32x extension will be applied by the V and Zve* extensions.
Therefore we can replace the original V checking with Zve32x checking for both
the V and Zve* extensions.
Signed-off-by: Max Chou <[email protected]>
Reviewed-by: Alistair Francis <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit ae4a37f57818e47e212272821a5a86ad54620eb8)
(Mjt: drop the MonitorDef change due to missing v10.1.0-850-ge06d209aa6
"target/riscv: implement MonitorDef HMP API")
Signed-off-by: Michael Tokarev <[email protected]>
Commit: d7f661905b38beebd0779d45a53cc513ba744395
https://github.com/qemu/qemu/commit/d7f661905b38beebd0779d45a53cc513ba744395
Author: Max Chou <[email protected]>
Date: 2025-10-04 (Sat, 04 Oct 2025)
Changed paths:
M target/riscv/tcg/tcg-cpu.c
Log Message:
-----------
target/riscv: rvv: Modify minimum VLEN according to enabled vector extensions
According to the RISC-V unprivileged specification, the VLEN should be greater
than or equal to the ELEN. This commit modifies the minimum VLEN based on the vector
extensions and introduces a check rule for VLEN and ELEN.
Extension Minimum VLEN
* V 128
* Zve64[d|f|x] 64
* Zve32[f|x] 32
Signed-off-by: Max Chou <[email protected]>
Reviewed-by: Alistair Francis <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Alistair Francis <[email protected]>
(cherry picked from commit be50ff3a73859ebbbdc0e6f704793062b1743d93)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 109f336448e7fa09f3aee6e1dab2648e2a2d4568
https://github.com/qemu/qemu/commit/109f336448e7fa09f3aee6e1dab2648e2a2d4568
Author: Juraj Marcin <[email protected]>
Date: 2025-10-05 (Sun, 05 Oct 2025)
Changed paths:
M migration/migration.c
Log Message:
-----------
migration: Fix state transition in postcopy_start() error handling
Commit 48814111366b ("migration: Always set DEVICE state") introduced
DEVICE state to postcopy, which moved the actual state transition that
leads to POSTCOPY_ACTIVE.
However, the error handling part of the postcopy_start() function still
expects the state POSTCOPY_ACTIVE, but depending on where an error
happens, now the state can be either ACTIVE, DEVICE or CANCELLING, but
never POSTCOPY_ACTIVE, as this transition now happens just before a
successful return from the function.
Instead, accept any state except CANCELLING when transitioning to FAILED
state.
Cc: [email protected]
Fixes: 48814111366b ("migration: Always set DEVICE state")
Signed-off-by: Juraj Marcin <[email protected]>
Reviewed-by: Peter Xu <[email protected]>
Reviewed-by: Fabiano Rosas <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Peter Xu <[email protected]>
(cherry picked from commit 725a9e5f7885a3c0d0cd82022d6eb5a758ac9d47)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 977ffc7abcb06568773c724f6cd7aab48d2e490e
https://github.com/qemu/qemu/commit/977ffc7abcb06568773c724f6cd7aab48d2e490e
Author: Peter Maydell <[email protected]>
Date: 2025-10-05 (Sun, 05 Oct 2025)
Changed paths:
M include/system/memory.h
Log Message:
-----------
include/system/memory.h: Clarify address_space_destroy() behaviour
address_space_destroy() doesn't actually immediately destroy the AS;
it queues it to be destroyed via RCU. This means you can't g_free()
the memory the AS struct is in until that has happened.
Clarify this in the documentation.
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: David Hildenbrand <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Peter Xu <[email protected]>
(cherry picked from commit 9e7bfda4909cc688dd0327e17985019f08a78d5d)
(Mjt: this is just a comment fix, but it makes subsequent changes apply cleanly)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: ded5c6245446ee8305fe01e2471af5b02b4be3d3
https://github.com/qemu/qemu/commit/ded5c6245446ee8305fe01e2471af5b02b4be3d3
Author: Peter Xu <[email protected]>
Date: 2025-10-05 (Sun, 05 Oct 2025)
Changed paths:
M include/system/memory.h
M system/memory.c
Log Message:
-----------
memory: New AS helper to serialize destroy+free
If an AddressSpace has been created in its own allocated
memory, cleaning it up requires first destroying the AS
and then freeing the memory. Doing this doesn't work:
address_space_destroy(as);
g_free_rcu(as, rcu);
because both address_space_destroy() and g_free_rcu()
try to use the same 'rcu' node in the AddressSpace struct
and the address_space_destroy hook gets overwritten.
Provide a new address_space_destroy_free() function which
will destroy the AS and then free the memory it uses, all
in one RCU callback.
(CC to stable because the next commit needs this function.)
Cc: [email protected]
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: David Hildenbrand <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Peter Xu <[email protected]>
(cherry picked from commit 041600e23f2fe2a9c252c9a8b26c7d147bedf982)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 7bd98c65e0ef871c7fe66e42a8c0b01784da1828
https://github.com/qemu/qemu/commit/7bd98c65e0ef871c7fe66e42a8c0b01784da1828
Author: Peter Maydell <[email protected]>
Date: 2025-10-05 (Sun, 05 Oct 2025)
Changed paths:
M hw/core/cpu-common.c
M include/exec/cpu-common.h
M include/hw/core/cpu.h
A stubs/cpu-destroy-address-spaces.c
M stubs/meson.build
M system/physmem.c
Log Message:
-----------
physmem: Destroy all CPU AddressSpaces on unrealize
When we unrealize a CPU object (which happens on vCPU hot-unplug), we
should destroy all the AddressSpace objects we created via calls to
cpu_address_space_init() when the CPU was realized.
Commit 24bec42f3d6eae added a function to do this for a specific
AddressSpace, but did not add any places where the function was
called.
Since we always want to destroy all the AddressSpaces on unrealize,
regardless of the target architecture, we don't need to try to keep
track of how many are still undestroyed, or make the target
architecture code manually call a destroy function for each AS it
created. Instead we can adjust the function to always completely
destroy the whole cpu->ases array, and arrange for it to be called
during CPU unrealize as part of the common code.
Without this fix, AddressSanitizer will report a leak like this
from a run where we hot-plugged and then hot-unplugged an x86 KVM
vCPU:
Direct leak of 416 byte(s) in 1 object(s) allocated from:
#0 0x5b638565053d in calloc (/data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/qemu-system-x86_64+0x1ee153d) (BuildId: c1cd6022b195142106e1bffeca23498c2b752bca)
#1 0x7c28083f77b1 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x637b1) (BuildId: 1eb6131419edb83b2178b682829a6913cf682d75)
#2 0x5b6386999c7c in cpu_address_space_init /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../system/physmem.c:797:25
#3 0x5b638727f049 in kvm_cpu_realizefn /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../target/i386/kvm/kvm-cpu.c:102:5
#4 0x5b6385745f40 in accel_cpu_common_realize /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../accel/accel-common.c:101:13
#5 0x5b638568fe3c in cpu_exec_realizefn /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../hw/core/cpu-common.c:232:10
#6 0x5b63874a2cd5 in x86_cpu_realizefn /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../target/i386/cpu.c:9321:5
#7 0x5b6387a0469a in device_set_realized /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../hw/core/qdev.c:494:13
#8 0x5b6387a27d9e in property_set_bool /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../qom/object.c:2375:5
#9 0x5b6387a2090b in object_property_set /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../qom/object.c:1450:5
#10 0x5b6387a35b05 in object_property_set_qobject /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../qom/qom-qobject.c:28:10
#11 0x5b6387a21739 in object_property_set_bool /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../qom/object.c:1520:15
#12 0x5b63879fe510 in qdev_realize /data_nvme1n1/linaro/qemu-from-laptop/qemu/build/x86-tgts-asan/../../hw/core/qdev.c:276:12
Cc: [email protected]
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2517
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: David Hildenbrand <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Peter Xu <[email protected]>
(cherry picked from commit 300a87c502c4ba7ffc7720d8f3583e3d1a68348a)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 677d73bde7d3052f59b72780517c1e76ab687f98
https://github.com/qemu/qemu/commit/677d73bde7d3052f59b72780517c1e76ab687f98
Author: Thomas Huth <[email protected]>
Date: 2025-10-05 (Sun, 05 Oct 2025)
Changed paths:
M tests/functional/test_aarch64_hotplug_pci.py
Log Message:
-----------
tests/functional/aarch64: Fix assets of test_hotplug_pci
The old bookworm URLs don't work anymore, resulting in a 404 error
now. Let's update the test to Debian Trixie to get it going again.
Signed-off-by: Thomas Huth <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit 769acb2a1e47b97ada8e0db6ff73e303b23764d8)
Signed-off-by: Michael Tokarev <[email protected]>
Commit: 339768517a901efd8776c6245065c83cc757fa99
https://github.com/qemu/qemu/commit/339768517a901efd8776c6245065c83cc757fa99
Author: Michael Tokarev <[email protected]>
Date: 2025-10-08 (Wed, 08 Oct 2025)
Changed paths:
M VERSION
Log Message:
-----------
Update version for 10.1.1 release
Signed-off-by: Michael Tokarev <[email protected]>
Compare: https://github.com/qemu/qemu/compare/f8b2f64e2336...339768517a90