Branch: refs/heads/staging
Home: https://github.com/qemu/qemu
Commit: 9c23f2a7b0b45277693a14074b1aaa827eecdb92
https://github.com/qemu/qemu/commit/9c23f2a7b0b45277693a14074b1aaa827eecdb92
Author: Richard Henderson <[email protected]>
Date: 2025-12-09 (Tue, 09 Dec 2025)
Changed paths:
M VERSION
Log Message:
-----------
Update version for v10.2.0-rc3 release
Signed-off-by: Richard Henderson <[email protected]>
Commit: ab0065e36adf8becd9c1ffceec37ee809ce683af
https://github.com/qemu/qemu/commit/ab0065e36adf8becd9c1ffceec37ee809ce683af
Author: Thomas Huth <[email protected]>
Date: 2025-12-10 (Wed, 10 Dec 2025)
Changed paths:
M tests/qemu-iotests/common.rc
Log Message:
-----------
tests/qemu-iotests: Fix check for existing file in _require_disk_usage()
Looks like the "$" has been forgotten here to get the contents of
the FILENAME variable.
Fixes: c49dda7254d ("iotests: Filter out ZFS in several tests")
Signed-off-by: Thomas Huth <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: Laurent Vivier <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Kevin Wolf <[email protected]>
Signed-off-by: Kevin Wolf <[email protected]>
Commit: b002acacc1d72521351501fa0af81d146106c9ed
https://github.com/qemu/qemu/commit/b002acacc1d72521351501fa0af81d146106c9ed
Author: Hanna Czenczek <[email protected]>
Date: 2025-12-15 (Mon, 15 Dec 2025)
Changed paths:
M block/nvme.c
Log Message:
-----------
Revert "nvme: Fix coroutine waking"
This reverts commit 0f142cbd919fcb6cea7aa176f7e4939925806dd9.
Said commit changed the replay_bh_schedule_oneshot_event() in
nvme_rw_cb() to aio_co_wake(), allowing the request coroutine to be
entered directly (instead of only being scheduled for later execution).
This can cause the device to become stalled like so:
It is possible that after completion the request coroutine goes on to
submit another request without yielding, e.g. a flush after a write to
emulate FUA. This will likely cause a nested nvme_process_completion()
call because nvme_rw_cb() itself is called from there.
(After submitting a request, we invoke nvme_process_completion() through
defer_call(); but the fact that nvme_process_completion() ran in the
first place indicates that we are not in a call-deferring section, so
defer_call() will call nvme_process_completion() immediately.)
If this inner nvme_process_completion() loop then processes any
completions, it will write the final completion queue (CQ) head index to
the CQ head doorbell, and subsequently execution will return to the
outer nvme_process_completion() loop. Even if this loop now finds no
further completions, it still processed at least one completion before,
or it would not have called the nvme_rw_cb() which led to nesting.
Therefore, it will now write the exact same CQ head index value to the
doorbell, which effectively is an unrecoverable error[1].
Therefore, nesting of nvme_process_completion() does not work at this
point. Reverting said commit removes the nesting (by scheduling the
request coroutine instead of entering it immediately), and so fixes the
stall.
On the downside, reverting said commit breaks multiqueue for nvme, but
better to have single-queue working than neither. For 11.0, we will
have a solution that makes both work.
A side note: There is a comment in nvme_process_completion() above
qemu_bh_schedule() that claims nesting works, as long as it is done
through the completion_bh. I am quite sure that is not true, for two
reasons:
- The problem described above, which is even worse when going through
nvme_process_completion_bh() because that function unconditionally
writes to the CQ head doorbell,
- nvme_process_completion_bh() never takes q->lock, so
nvme_process_completion() unlocking it will likely abort.
Given the lack of reports of such aborts, I believe that completion_bh
simply is unused in practice.
[1] See the NVMe Base Specification revision 2.3, page 180, figure 152:
“Invalid Doorbell Write Value: A host attempted to write an invalid
doorbell value. Some possible causes of this error are: [...] the
value written is the same as the previously written doorbell value.”
To even be notified of this error, we would need to send an
Asynchronous Event Request to the admin queue (p. 178ff), which we
don’t do, and then to handle it, we would need to delete and
recreate the queue (p. 88, section 3.3.1.2 Queue Usage).
Cc: [email protected]
Reported-by: Lukáš Doktor <[email protected]>
Tested-by: Lukáš Doktor <[email protected]>
Signed-off-by: Hanna Czenczek <[email protected]>
Message-id: [email protected]
Signed-off-by: Stefan Hajnoczi <[email protected]>
Commit: 307bc43095b8ab1765fd66c26003d5da06681c05
https://github.com/qemu/qemu/commit/307bc43095b8ab1765fd66c26003d5da06681c05
Author: Kevin Wolf <[email protected]>
Date: 2025-12-15 (Mon, 15 Dec 2025)
Changed paths:
M blockdev.c
Log Message:
-----------
block: Fix BDS use after free during shutdown
During shutdown, blockdev_close_all_bdrv_states() drops any block node
references that are still owned by the monitor (i.e. the user). However,
in doing so, it forgot to also remove the node from monitor_bdrv_states
(which qmp_blockdev_del() correctly does), which means that later calls
of bdrv_first()/bdrv_next() will still return the (now stale) pointer to
the node.
Usually there is no such call after this point, but in some cases it can
happen. In the reported case, there was an ongoing migration, and the
migration thread wasn't shut down yet: migration_shutdown() called by
qemu_cleanup() doesn't actually wait for the migration to be shut down,
but may just move it to MIGRATION_STATUS_CANCELLING. The next time
migration_iteration_finish() runs, it sees the status and tries to
re-activate all block devices that migration may have previously
inactivated. This is where bdrv_first()/bdrv_next() get called and the
access to the already freed node happens.
It is debatable if migration_shutdown() should really return before
migration has settled, but leaving a dangling pointer in the list of
monitor-owned block nodes is clearly a bug either way and fixing it
solves the immediate problem, so fix it.
Cc: [email protected]
Reported-by: Thomas Huth <[email protected]>
Signed-off-by: Kevin Wolf <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: Thomas Huth <[email protected]>
Tested-by: Thomas Huth <[email protected]>
Reviewed-by: Stefan Hajnoczi <[email protected]>
Signed-off-by: Kevin Wolf <[email protected]>
Commit: a69964ff960df8057c9c426bae08f72148aad166
https://github.com/qemu/qemu/commit/a69964ff960df8057c9c426bae08f72148aad166
Author: Richard Henderson <[email protected]>
Date: 2025-12-16 (Tue, 16 Dec 2025)
Changed paths:
M block/nvme.c
Log Message:
-----------
Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into
staging
Pull request
- Hanna's fix a regression that hangs the userspace NVMe block driver.
# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCgAdFiEEhpWov9P5fNqsNXdanKSrs4Grc8gFAmlAIbcACgkQnKSrs4Gr
# c8iuqgf/VV2OPXW2t56uzuUmf+220pnRAaaGLw7atuWmaRJQ8/tHZU23Vxbu7JtX
# ZLJfObJaoGHpCeWCFJ3RccsPabf19hsDIJyki9U6f2+B+OutWLlmcp2uLtQJ8FNw
# 2jMYSuT6XsCnm6VF3UIegDBTh6lvjyjDUVNAsWeiV6wHE61Oj3RD4joif52hx5uE
# xcDPii9fiF8S9tD3CKDGxR8fw7olFXiG2ojxqRZklZuHM6SfFHespWeTr9voLfgL
# maBJO3qyS6YFH1mFuIJvvCykGN2EI6tT1nlQw8et3oUGF+GN45yqLcK12/b7lWKF
# jTE8RCPCswFD4FF3eXJpcZRysi988A==
# =Jx5T
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 16 Dec 2025 01:56:55 AM AEDT
# gpg: using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <[email protected]>" [unknown]
# gpg: aka "Stefan Hajnoczi <[email protected]>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8
* tag 'block-pull-request' of https://gitlab.com/stefanha/qemu:
Revert "nvme: Fix coroutine waking"
Signed-off-by: Richard Henderson <[email protected]>
Commit: 6472244e1b097baa1f1bf1beb0d168372d422f42
https://github.com/qemu/qemu/commit/6472244e1b097baa1f1bf1beb0d168372d422f42
Author: Richard Henderson <[email protected]>
Date: 2025-12-16 (Tue, 16 Dec 2025)
Changed paths:
M blockdev.c
M tests/qemu-iotests/common.rc
Log Message:
-----------
Merge tag 'for-upstream' of https://repo.or.cz/qemu/kevin into staging
Block layer patches
- Fix crash due to BDS use after free during shutdown (in particular
while migration is running)
- iotests: Fix a typo that made a check to prevent overwriting a file
ineffective
# -----BEGIN PGP SIGNATURE-----
#
# iQJFBAABCgAvFiEE3D3rFZqa+V09dFb+fwmycsiPL9YFAmlAQOARHGt3b2xmQHJl
# ZGhhdC5jb20ACgkQfwmycsiPL9YNCBAAqoWuOIdybhv44cLtrl3DZWHZnt1XbYvT
# xSUWI9fQQM6WLI1gAHXzl4awsTz0yZzc7KSyYPXdoub3A5D2LoFl4kJKXDzubAwr
# YP1Zmg6UWfaKfxkM42FV07xV8K4kvD11jMTimuYql6uFpzXZILwIPjl10ifdjwYg
# /5c9HUct+y28CdmvFYyt5B0lxJq2VSgLPjqyF7yltzKglirqBcvc1YbMoXfiN4JY
# tSvUHIiiJft839QbG1jrt5spl2xhORP6N7woqlgSiTeGKpPavp9nkWFPZO01QmkU
# la6/vgFZZPCgZOlmt0lVMWy5UsWqKb0voOzi3QvDpGYNie+85JmI4OEOXtsKQvDw
# 7EV+JaMtE72sjO35ruFo1KlapuFbM3yyJ97OpwpRuua1oCRXSyLYQMr5RvDO4rqf
# sdSJw/h+VZ524ydza3d/kj8qlzXkOhEo2WidBQCRRMpI8va4+IcMwHB8ZuthU3LZ
# MfOoEo4XayCQRUhFslHb6Y870Wsi3TxZCZ/fxpWqrCsxz5U5mNyUWoQHVdsofT6j
# WrzeA5ibt1GOC42dif0178PhdowFQHySz1wDbxUEO4yKIo3ziQbH95aUmcT3hYuI
# 17pSQegCA2EOCEzUXdD09qXSotJz7a+aKjiQ3hDxK7a1JokC9O4hvAwSbgOPsxCd
# BbKwOhhsSM4=
# =zBtX
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 16 Dec 2025 04:09:52 AM AEDT
# gpg: using RSA key DC3DEB159A9AF95D3D7456FE7F09B272C88F2FD6
# gpg: issuer "[email protected]"
# gpg: Good signature from "Kevin Wolf <[email protected]>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6
* tag 'for-upstream' of https://repo.or.cz/qemu/kevin:
block: Fix BDS use after free during shutdown
tests/qemu-iotests: Fix check for existing file in _require_disk_usage()
Signed-off-by: Richard Henderson <[email protected]>
Compare: https://github.com/qemu/qemu/compare/bf0e7b068b7d...6472244e1b09
To unsubscribe from these emails, change your notification settings at
https://github.com/qemu/qemu/settings/notifications
