aboutsummaryrefslogtreecommitdiff
path: root/hw
AgeCommit message (Collapse)AuthorFilesLines
3 dayshw/i386/microvm: Explicitly select ACPI_PCIEric Auger1-0/+1
With a microvm-only build based on a custom device config, we get a link failure due to undefined reference to build_pci_host_bridge_osc_method() which is defined in hw/acpi/pci.c and whose compilation depends on CONFIG_ACPI_PCI. Although CONFIG_ACPI and CONFIG_PCI are set with such configuration, implied CONFIG_ACPI_PCI in config PCI_EXPRESS_GENERIC_BRIDGE is not selected as expected. It Looks like CONFIG_ACPI_PCI must be enforced and this patch selects CONFIG_ACPI_PCI in MICROVM config directly as done for PC config. Reproducer: ../configure \ --without-default-features \ --target-list=x86_64-softmmu \ --enable-kvm --disable-tcg \ --enable-pixman \ --enable-vnc \ --audio-drv-list="" \ --without-default-devices \ --with-devices-x86_64=microvm \ --enable-vhost-user with configs/devices/x86_64-softmmu/microvm.mak: CONFIG_PCI_DEVICES=n CONFIG_MICROVM=y CONFIG_VIRTIO_BLK=y CONFIG_VIRTIO_SERIAL=y CONFIG_VIRTIO_INPUT=y CONFIG_VIRTIO_INPUT_HOST=y CONFIG_VHOST_USER_INPUT=y CONFIG_VIRTIO_NET=y CONFIG_VIRTIO_SCSI=y CONFIG_VIRTIO_RNG=y CONFIG_VIRTIO_CRYPTO=y CONFIG_VIRTIO_BALLOON=y CONFIG_VIRTIO_GPU=y CONFIG_VHOST_USER_GPU=y FAILED: qemu-system-x86_64 cc -m64 @qemu-system-x86_64.rsp /usr/bin/ld: libsystem.a.p/hw_pci-host_gpex-acpi.c.o: in function `acpi_dsdt_add_host_bridge_methods': hw/pci-host/gpex-acpi.c:83:(.text+0x274): undefined reference to `build_pci_host_bridge_osc_method' collect2: error: ld returned 1 exit status Fixes: af151d50eac24 "hw/pci-host/gpex-acpi: Use build_pci_host_bridge_osc_method" Signed-off-by: Eric Auger <eric.auger@redhat.com> Reported-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Message-ID: <20250804152008.247673-1-eric.auger@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
4 dayshw/sd/sdcard: Remove SDState::mode fieldPhilippe Mathieu-Daudé2-20/+19
SD card mode is a superset of its state (SDState::state), no need to migrate it. Use sd_mode() to get the SDCardModes from the SDCardStates. Fixes: 50a5be6c3d5 ("hw/sd.c: add SD card save/load support") Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Acked-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20250804133406.17456-11-philmd@linaro.org>
4 dayshw/sd/sdcard: Disable checking STBY mode in SPI SEND_CSD/CIDPhilippe Mathieu-Daudé1-0/+11
The card should be in STANDBY mode to process SEND_CSD or SEND_CID, but is still in IDLE mode. Unfortunately I don't have enough time to keep debugging this issue, so disable the check for the time being and the next release, as it blocks Linux. I'll keep looking. Reported-by: Guenter Roeck <linux@roeck-us.net> Reported-by: Ben Dooks <ben.dooks@codethink.co.uk> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Acked-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20250804133406.17456-10-philmd@linaro.org>
4 dayshw/sd/sdcard: Factor spi_cmd_SEND_CxD() outPhilippe Mathieu-Daudé1-9/+10
spi_cmd_SEND_CSD() and spi_cmd_SEND_CID() are very similar. Factor the common code as spi_cmd_SEND_CxD(). Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Acked-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20250804133406.17456-9-philmd@linaro.org>
4 dayshw/sd/sdcard: Allow using SWITCH_FUNCTION in more SPI statesPhilippe Mathieu-Daudé1-2/+8
In SPI mode, SWITCH_FUNCTION is valid in all mode (except the IDLE one). Fixes: 775616c3ae8 ("Partial SD card SPI mode support") Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Acked-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20250804133406.17456-8-philmd@linaro.org>
4 dayshw/sd/sdcard: Use complete SEND_OP_COND implementation in SPI modePhilippe Mathieu-Daudé1-10/+5
While spi_cmd_SEND_OP_COND() is incomplete, sd_cmd_SEND_OP_COND() is, except it doesn't return the correct value in SPI mode. Correct and use, removing the need for spi_cmd_SEND_OP_COND(). Fixes: 775616c3ae8 ("Partial SD card SPI mode support") Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Acked-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20250804133406.17456-7-philmd@linaro.org>
4 dayshw/sd/sdcard: Implement SPI R2 return valuePhilippe Mathieu-Daudé2-6/+35
In SPI mode, R2 is a 2-byte value. Implement in spi_response_r2_make() and return SPI R2 in the SEND_STATUS commands. Reported-by: Guenter Roeck <linux@roeck-us.net> Fixes: 775616c3ae8 ("Partial SD card SPI mode support") Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Acked-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20250804133406.17456-6-philmd@linaro.org>
4 dayshw/sd/sdcard: Fill SPI response bits in card codePhilippe Mathieu-Daudé2-84/+35
ssi-sd.c contains the SPI link layer adaptation, while sd.c contains all the SD card internal details. We already handle the response values in sd.c, but missed the SPI case. Complete them (fill R1, prepend R1 in R3/R7 and always return something in SPI mode). Remove all the duplication in ssi-sd.c. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Acked-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20250804133406.17456-5-philmd@linaro.org>
4 dayshw/sd/sdbus: Provide buffer size to sdbus_do_command()Philippe Mathieu-Daudé8-28/+26
We provide to sdbus_do_command() a pointer to a buffer to be filled with a varying number of bytes. By not providing the buffer size, the callee can not check the buffer is big enough. Pass the buffer size as argument to follow good practices. sdbus_do_command() doesn't return any error, only the size filled in the buffer. Convert the returned type to unsigned and remove the few unreachable lines in callers. This allow to check for possible overflow in sd_do_command(). Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20250804133406.17456-4-philmd@linaro.org>
4 dayshw/sd/sdcard: Factor sd_response_size() outPhilippe Mathieu-Daudé1-7/+29
Set @rsplen once before switching to fill the response buffer. This will allow to assert in a single place that the buffer is big enough to be filled with the response. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20250804133406.17456-3-philmd@linaro.org>
4 dayshw/sd/sdcard: Do not ignore errors in sd_cmd_to_sendingdata()Philippe Mathieu-Daudé1-1/+1
Unfortunately when adding sd_cmd_to_sendingdata() in commit f486bf7d109 we neglected to return any possible error. Fix. Fixes: f486bf7d109 ("hw/sd/sdcard: Introduce sd_cmd_to_sendingdata and sd_generic_read_byte") Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20250804133406.17456-2-philmd@linaro.org>
5 daysMerge tag 'pull-aspeed-20250804' of https://github.com/legoater/qemu into ↵Stefan Hajnoczi1-1/+2
staging aspeed queue: * Fixed vbootrom build under roms/ * Updated vbootrom image to 183c9ff805 * Fixed SMC model of AST1030 SoC # -----BEGIN PGP SIGNATURE----- # # iQIzBAABCAAdFiEEoPZlSPBIlev+awtgUaNDx8/77KEFAmiQkpMACgkQUaNDx8/7 # 7KFVFw//X8mpLW97oCdh2ZuelkwQh+udAn34/f8cZWu97g9/Dmi6oDNb/GmPy5t2 # lFNg4hCSBh3JcRbHSMLVieE3lZLi5XuRb/g64TSH0gzgfhFKaPsqxzaD51R5cxVF # JG9JSsGKJdbp1inWZvr1uEZsioAOdUPP4qeD+WLoTHKrhSPCrUHsjslVmReBKu/O # sbgTGHkI8RJA6knz+j5JzXgy5y7XGsfbkl3pWlI8Ni9l6VDVrgfCcSgGtjQdzF4Q # J/QtpYYjo6crJ4wbvAPhKP3RZNNl0m60oxn0BSLFzrM3fZ95VP4pGVOrkCKtZLgG # Q0KvHcDKvm3BsgLPaUeyMjYHKbku2f/U3acsY4VqfLbvLNarmsG8OtFPiEs1tKnu # Dkqb1Ac85O/8dKohyIFhxEy1nEY4iW4495iDD2CklD2lY1Ck+bFkwC2jBNfpgaO6 # xzfLPpiyyU+GbnXbV5HASHland+5AyIjxEKfYpIcARIsfuDOR0qYPl/wmPkV8utO # /X0cKHZxSZ0x3E7xiOwTo6ZIgKdYbNEljTRT0AYxChB/ZRIEByQvYnwAXaL9IqLc # qSc2GRXTy+G8WNy4z1kn2B0Sp9rENvB5uzoRGZ1PtwBySclzUHICQ653a7HKEYeH # imXU9dGNhkQ+RMdA9+bZ3B3H8ykJDtX27woK6yerlbk3CUT9ZIs= # =oAuL # -----END PGP SIGNATURE----- # gpg: Signature made Mon 04 Aug 2025 06:59:31 EDT # gpg: using RSA key A0F66548F04895EBFE6B0B6051A343C7CFFBECA1 # gpg: Good signature from "Cédric Le Goater <clg@redhat.com>" [full] # gpg: aka "Cédric Le Goater <clg@kaod.org>" [full] # Primary key fingerprint: A0F6 6548 F048 95EB FE6B 0B60 51A3 43C7 CFFB ECA1 * tag 'pull-aspeed-20250804' of https://github.com/legoater/qemu: hw/ssi/aspeed_smc: Fix incorrect FMC_WDT2 register read on AST1030 pc-bios: Update vbootrom image to commit 183c9ff8056b roms/Makefile: build ast27x0_bootrom roms/vbootrom: update to 7b1eb5f7fe6a Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 daysMerge tag 'pull-target-arm-20250801' of https://gitlab.com/pm215/qemu into ↵Stefan Hajnoczi2-7/+5
staging target-arm queue: * Add missing 64-bit PMCCNTR in AArch32 mode * Reinstate bogus AArch32 DBGDTRTX register for migration compat * fix big-endian handling of AArch64 FPU registers in gdbstub * fix handling of setting SVE registers from gdbstub * hw/intc/arm_gicv3_kvm: fix writing of enable/active/pending state to KVM * hw/display/framebuffer: Add cast to force 64x64 multiply * tests/tcg: Fix run for tests with specific plugin # -----BEGIN PGP SIGNATURE----- # # iQJMBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmiM4mgZHHBldGVyLm1h # eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3lH/D/iniJpHRVDVAvHcYe7vSgLl # HHfdEro/lOJJbaktQwOwkSuyl5HFy3YoIg3/5K2kX40DRkeA/M1HWkaWpwpCUReV # 6XS8fCDmxw5M0oncJsTD1cYxCAAHm/CSt2uvdwgHo6nU+vnEa85ml3Q57phLEkvl # 2R6xjXDD2FY3Xi6l2Jvqhnx/y60D5YnZVo/G9jcwRI2kIvpwTxukge5rGRTeagzL # fKwsgr8jThvWyzTJtd88n36uD8xiH8/IfHh+e0kGYfzPRjEGfN3rKh4OlyfRyv7D # AVI8qgVz0ex7DEjJTCS2nNYmNhO8hTE+cybcsH6AU2e3V7/vqg3Lh0/1cWlmvGnR # 8L0/RBy0exPI1kRABfjXPV4VtNSuByxp+F+s4LvUrxgnnbv29ldOnQNHn3BZJtZn # OuuixZNa3/tJFa+2U20fPW+q2H9uhPhvLn5fhtCx1ucYONLMrWl3Z8Q3/qwbW+5e # FR459UaVHUvqKDGL6cjnaQ3VclrsXngCbeBmLm7fDfniRf/4uIc3q6RzdwY3waj3 # t7D/+GmLwZzajEaCU1NcI+Uz+yO/wJhEXUtWAzm6xeowYfOEeZc1pRgGWSqy4qvi # L9vKmZtRW5LvwLwpMLdcoB3BOIszSDy7AylX4onSWl3Vp3GYiOhYqv9OKlQoUGtu # xjFCVDCB/0FPl9b+xoYK # =lN06 # -----END PGP SIGNATURE----- # gpg: Signature made Fri 01 Aug 2025 11:51:04 EDT # gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE # gpg: issuer "peter.maydell@linaro.org" # gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [full] # gpg: aka "Peter Maydell <pmaydell@gmail.com>" [full] # gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [full] # gpg: aka "Peter Maydell <peter@archaic.org.uk>" [unknown] # Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE * tag 'pull-target-arm-20250801' of https://gitlab.com/pm215/qemu: tests/tcg: Fix run for tests with specific plugin target/arm: Fix handling of setting SVE registers from gdb target/arm: Fix big-endian handling of NEON gdb remote debugging target/arm: Reinstate bogus AArch32 DBGDTRTX register for migration compat hw/display/framebuffer: Add cast to force 64x64 multiply hw/intc/arm_gicv3_kvm: Write all 1's to clear enable/active hw/intc/arm_gicv3_kvm: Remove writes to ICPENDR registers target/arm: add support for 64-bit PMCCNTR in AArch32 mode Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 dayshw/ssi/aspeed_smc: Fix incorrect FMC_WDT2 register read on AST1030Jamin Lin1-1/+2
On AST1030, reading the FMC_WDT2 register always returns 0xFFFFFFFF. This issue is due to the aspeed_smc_read function, which checks for the ASPEED_SMC_FEATURE_WDT_CONTROL feature. Since AST1030 was missing this feature flag, the read operation fails and returns -1. To resolve this, add the WDT_CONTROL feature to AST1030's feature set so that FMC_WDT2 can be correctly accessed by firmware. Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Fixes: 2850df6a81bcdc2e063dfdd56751ee2d11c58030 ("aspeed/smc: Add AST1030 support ") Link: https://lore.kernel.org/qemu-devel/20250804014633.512737-1-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater <clg@redhat.com>
7 dayshw/display/framebuffer: Add cast to force 64x64 multiplyPeter Maydell1-3/+3
In framebuffer_update_display(), Coverity complains because we multiply two values of type 'int' (which will be done as a 32x32 multiply and so in theory might overflow) and then add the result to a ram_addr_t, which can be 64 bits. 4GB framebuffers are not plausible anyway, but keep Coverity happy by adding casts which force these multiplies to be done as 64x64. Coverity: CID 1487248 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Message-id: 20250710174312.1313177-1-peter.maydell@linaro.org
7 dayshw/intc/arm_gicv3_kvm: Write all 1's to clear enable/activeZenghui Yu1-1/+1
KVM's userspace access interface to the GICD enable and active bits is via set/clear register pairs which implement the hardware's "write 1s to the clear register to clear the 0 bits, and write 1s to the set register to set the 1 bits" semantics. We didn't get this right, because we were writing 0 to the clear register. Writing 0 to GICD_IC{ENABLE,ACTIVE}R architecturally has no effect on interrupt status (all writes are simply ignored by KVM) and doesn't comply with the intention of "first write to the clear-reg to clear all bits". Write all 1's to actually clear the enable/active status. This didn't have any adverse effects on migration because there we start with a clean VM state; it would be guest-visible when doing a system reset, but since Linux always cleans up the register state of the GIC during bootup before it enables it most users won't have run into a problem here. Cc: qemu-stable@nongnu.org Fixes: 367b9f527bec ("hw/intc/arm_gicv3_kvm: Implement get/put functions") Signed-off-by: Zenghui Yu <zenghui.yu@linux.dev> Message-id: 20250729161650.43758-3-zenghui.yu@linux.dev Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 dayshw/intc/arm_gicv3_kvm: Remove writes to ICPENDR registersZenghui Yu1-3/+1
As per the arm-vgic-v3 kernel doc [1]: Accesses to GICD_ICPENDR register region and GICR_ICPENDR0 registers have RAZ/WI semantics, meaning that reads always return 0 and writes are always ignored. The state behind these registers (both 0 and 1 bits) is written by writing to the GICD_ISPENDR and GICR_ISPENDR0 registers, unlike some of the other set/clear register pairs. Remove the useless writes to ICPENDR registers in kvm_arm_gicv3_put(). [1] https://docs.kernel.org/virt/kvm/devices/arm-vgic-v3.html Signed-off-by: Zenghui Yu <zenghui.yu@linux.dev> Message-id: 20250729161650.43758-2-zenghui.yu@linux.dev Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
7 daysMerge tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu ↵Stefan Hajnoczi7-60/+136
into staging virtio,pci,pc: bugfixes small fixes all over the place. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # -----BEGIN PGP SIGNATURE----- # # iQFDBAABCgAtFiEEXQn9CHHI+FuUyooNKB8NuNKNVGkFAmiMzgoPHG1zdEByZWRo # YXQuY29tAAoJECgfDbjSjVRpAO4H+gKeZbkJFFPHBduwn/LyTTkBpEghy14wEp7G # 6y3knCkWXOVOnFJ/Lw1p6ZLtB6o547Ktin49msY+SKF2X33N1b6I0DmLxixnLVqP # fHMUF+/QssH7QdIMuZNTxr/nwdDzGnj6Rv4xVyrwdZlf+nQPE8GuXWPmAmyGwcXM # 1sEPTjZq30y2eRiQkKsgS7g+COqfPy+O3VeiyQWR1Q/Cb85alegGwUPBy289u3V+ # uHaBC6d73NWxRCHJM4J8CnWpY5LA+y/YgfJXys1NH8pzRLbTpiYt7gfUbfdHbIvF # IpjZraVh+ApbwXhQLmDmsHtGsyIE1zFlcZTq9pR6WUgYGUDQMpY= # =cJxn # -----END PGP SIGNATURE----- # gpg: Signature made Fri 01 Aug 2025 10:24:10 EDT # gpg: using RSA key 5D09FD0871C8F85B94CA8A0D281F0DB8D28D5469 # gpg: issuer "mst@redhat.com" # gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" [full] # gpg: aka "Michael S. Tsirkin <mst@redhat.com>" [full] # Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 # Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469 * tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu: net/vdpa: fix potential fd leak in net_init_vhost_vdpa() MAINTAINERS: add net/vhost* files under `vhost` intel_iommu: Allow both Status Write and Interrupt Flag in QI wait tests/acpi: virt: update HEST file with its current data tests/qtest/bios-tables-test: extend to also check HEST table tests/acpi: virt: add an empty HEST file hw/i386/amd_iommu: Fix event log generation hw/i386/amd_iommu: Support MMIO writes to the status register hw/i386/amd_iommu: Fix amdvi_write*() hw/i386/amd_iommu: Move IOAPIC memory region initialization to the end hw/i386/amd_iommu: Remove unused and wrongly set ats_enabled field hw/i386/amd_iommu: Fix MMIO register write tracing pcie_sriov: Fix configuration and state synchronization virtio-net: Fix VLAN filter table reset timing vhost: Do not abort on log-stop error vhost: Do not abort on log-start error virtio: fix off-by-one and invalid access in virtqueue_ordered_fill Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
8 daysintel_iommu: Allow both Status Write and Interrupt Flag in QI waitDavid Woodhouse1-6/+9
FreeBSD does both, and this appears to be perfectly valid. The VT-d spec even talks about the ordering (the status write should be done first, unsurprisingly). We certainly shouldn't assert() and abort QEMU if the guest asks for both. Fixes: ed7b8fbcfb88 ("intel-iommu: add supports for queued invalidation interface") Closes: https://gitlab.com/qemu-project/qemu/-/issues/3028 Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> Message-Id: <0122cbabc0adcc3cf878f5fd7834d8f258c7a2f2.camel@infradead.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 dayshw/i386/amd_iommu: Fix event log generationSairaj Kodilkar2-9/+36
Current event logging code is broken, because of following issues 1. The code uses '|' instead of '&' to test the bit field, which causes vIOMMU to generate overflow interrupt for every log entry. 2. Code does not update the eventlog tail MMIO register after adding an entry to the buffer, because of which guest cannot process new entries (as head == tail means buffer is empty). 3. Compares eventlog tail (which is byte offset in the buffer) to eventlog length (which is number of maximum entries in the buffer). This causes vIOMMU to generate only fix number of event logs, after which it keeps on generating overflow interrupts, without actually resetting the log buffer. 4. Updates ComWaitInt instead of EventLogInt bitfield in Status register. Guest checks this field to see if there are new event log entries in the buffer. 5. Does not reset event log head and tail pointers when guest writes to eventlog base register. Fix above issues, so that guest can process event log entries. Fixes: d29a09ca68428 ("hw/i386: Introduce AMD IOMMU") Signed-off-by: Sairaj Kodilkar <sarunkod@amd.com> Reviewed-by: Vasant Hegde <vasant.hegde@amd.com> Message-Id: <20250801060507.3382-7-sarunkod@amd.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 dayshw/i386/amd_iommu: Support MMIO writes to the status registerSairaj Kodilkar1-0/+3
Support the writes to the status register so that guest can reset the EventOverflow, EventLogInt, ComWaitIntr, etc bits after servicing the respective interrupt. Signed-off-by: Sairaj Kodilkar <sarunkod@amd.com> Reviewed-by: Vasant Hegde <vasant.hegde@amd.com> Message-Id: <20250801060507.3382-6-sarunkod@amd.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 dayshw/i386/amd_iommu: Fix amdvi_write*()Sairaj Kodilkar1-3/+18
amdvi_write*() function do not preserve the older values of W1C bits in the MMIO register. This results in all W1C bits set to 0, when guest tries to reset a single bit by writing 1 to it. Fix this by preserving W1C bits in the old value of the MMIO register. Fixes: d29a09ca68428 ("hw/i386: Introduce AMD IOMMU") Suggested-by: Ethan MILON <ethan.milon@eviden.com> Signed-off-by: Sairaj Kodilkar <sarunkod@amd.com> Message-Id: <20250801060507.3382-5-sarunkod@amd.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 dayshw/i386/amd_iommu: Move IOAPIC memory region initialization to the endSairaj Kodilkar1-3/+3
Setting up IOAPIC memory region requires mr_sys and mr_ir. Currently these two memory regions are setup after the initializing the IOAPIC memory region, which cause `amdvi_host_dma_iommu()` to use unitialized mr_sys and mr_ir. Move the IOAPIC memory region initialization to the end in order to use the mr_sys and mr_ir regions after they are fully initialized. Fixes: 577c470f4326 ("x86_iommu/amd: Prepare for interrupt remap support") Signed-off-by: Sairaj Kodilkar <sarunkod@amd.com> Reviewed-by: Vasant Hegde <vasant.hegde@amd.com> Message-Id: <20250801060507.3382-4-sarunkod@amd.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 dayshw/i386/amd_iommu: Remove unused and wrongly set ats_enabled fieldSairaj Kodilkar2-4/+2
The ats_enabled field is set using HTTUNEN, which is wrong. Fix this by removing the field as it is never used. MST: includes a tweak suggested by Philippe Fixes: d29a09ca68428 ("hw/i386: Introduce AMD IOMMU") Signed-off-by: Sairaj Kodilkar <sarunkod@amd.com> Reviewed-by: Vasant Hegde <vasant.hegde@amd.com> Message-Id: <20250801060507.3382-3-sarunkod@amd.com> Message-ID: <948a6ac3-ded9-475b-8c45-9d36220b442b@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 dayshw/i386/amd_iommu: Fix MMIO register write tracingSairaj Kodilkar1-5/+18
Define separate functions to trace MMIO write accesses instead of using `trace_amdvi_mmio_read()` for both read and write. Signed-off-by: Sairaj Kodilkar <sarunkod@amd.com> Reviewed-by: Vasant Hegde <vasant.hegde@amd.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20250801060507.3382-2-sarunkod@amd.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 dayspcie_sriov: Fix configuration and state synchronizationAkihiko Odaki1-19/+23
Fix issues in PCIe SR-IOV configuration register handling that caused inconsistent internal state due to improper write mask handling and incorrect migration behavior. Two main problems were identified: 1. VF Enable bit write mask handling: pcie_sriov_config_write() incorrectly assumed that its val parameter was already masked, causing it to ignore the actual write mask. This led to the VF Enable bit being processed even when masked, resulting in incorrect VF registration/unregistration. It is identified as CVE-2025-54567. 2. Migration state inconsistency: pcie_sriov_pf_post_load() unconditionally called register_vfs() regardless of the VF Enable bit state, creating inconsistent internal state when VFs should not be enabled. Additionally, it failed to properly update the NumVFs write mask based on the current configuration. It is identified as CVE-2025-54566. Root cause analysis revealed that both functions relied on incorrect special-case assumptions instead of properly reading and consuming the actual configuration values. This change introduces a unified consume_config() function that reads actual configuration values and synchronize the internal state without special-case assumptions. The solution only adds register read overhead in non-hot-path code while ensuring correct SR-IOV state management across configuration writes and migration scenarios. Fixes: 5e7dd17e4348 ("pcie_sriov: Remove num_vfs from PCIESriovPF") Fixes: f9efcd47110d ("pcie_sriov: Register VFs after migration") Fixes: CVE-2025-54566 Fixes: CVE-2025-54567 Cc: qemu-stable@nongnu.org Reported-by: Corentin BAYET <corentin.bayet@reversetactics.com> Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp> Message-Id: <20250727-wmask-v2-1-394910b1c0b6@rsg.ci.i.u-tokyo.ac.jp> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 daysvirtio-net: Fix VLAN filter table reset timingAkihiko Odaki1-3/+4
Problem ------- The expected initial state of the table depends on feature negotiation: With VIRTIO_NET_F_CTRL_VLAN: The table must be empty in accordance with the specification. Without VIRTIO_NET_F_CTRL_VLAN: The table must be filled to permit all VLAN traffic. Prior to commit 06b636a1e2ad ("virtio-net: do not reset vlan filtering at set_features"), virtio_net_set_features() always reset the VLAN table. That commit changed the behavior to skip table reset when VIRTIO_NET_F_CTRL_VLAN was negotiated, assuming the table would be properly cleared during device reset and remain stable. However, this assumption breaks when a driver renegotiates features: 1. Initial negotiation without VIRTIO_NET_F_CTRL_VLAN (table filled) 2. Renegotiation with VIRTIO_NET_F_CTRL_VLAN (table will not be cleared) The problem was exacerbated by commit 0caed25cd171 ("virtio: Call set_features during reset"), which triggered virtio_net_set_features() during device reset, exposing the bug whenever VIRTIO_NET_F_CTRL_VLAN was negotiated after a device reset. Solution -------- Fix the issue by initializing the table when virtio_net_set_features() is called to change the VIRTIO_NET_F_CTRL_VLAN bit of vdev->guest_features. This approach ensures the correct table state regardless of feature negotiation sequence by performing initialization in virtio_net_set_features() as QEMU did prior to commit 06b636a1e2ad ("virtio-net: do not reset vlan filtering at set_features"). This change still preserves the goal of the commit, which was to avoid resetting the table during migration, by checking whether the VIRTIO_NET_F_CTRL_VLAN bit of vdev->guest_features is being changed; vdev->guest_features is set before virtio_net_set_features() gets called during migration. It also avoids resetting the table when the driver sets a feature bitmask with no change for the VIRTIO_NET_F_CTRL_VLAN bit, which makes the operation idempotent and its semantics cleaner. Additionally, this change ensures the table is initialized after feature negotiation and before the DRIVER_OK status bit being set for compatibility with the Linux driver before commit 50c0ada627f5 ("virtio-net: fix race between ndo_open() and virtio_device_ready()"), which did not ensure to set the DRIVER_OK status bit before modifying the table. Fixes: 06b636a1e2ad ("virtio-net: do not reset vlan filtering at set_features") Cc: qemu-stable@nongnu.org Reported-by: Konstantin Shkolnyy <kshk@linux.ibm.com> Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp> Tested-by: Konstantin Shkolnyy <kshk@linux.ibm.com> Tested-by: Lei Yang <leiyang@redhat.com> Message-Id: <20250727-vlan-v3-1-bbee738619b1@rsg.ci.i.u-tokyo.ac.jp> Tested-by: Konstantin Shkolnyy <kshk@linux.ibm.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 daysvhost: Do not abort on log-stop errorHanna Czenczek1-1/+2
Failing to stop logging in a vhost device is not exactly fatal. We can log such an error, but there is no need to abort the whole qemu process because of it. Signed-off-by: Hanna Czenczek <hreitz@redhat.com> Message-Id: <20250724125928.61045-3-hreitz@redhat.com> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Tested-by: Lei Yang <leiyang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 daysvhost: Do not abort on log-start errorHanna Czenczek1-1/+2
Commit 3688fec8923 ("memory: Add Error** argument to .log_global_start() handler") enabled vhost_log_global_start() to return a proper error, but did not change it to do so; instead, it still aborts the whole process on error. This crash can be reproduced by e.g. killing a virtiofsd daemon before initiating migration. In such a case, qemu should not crash, but just make the attempted migration fail. Buglink: https://issues.redhat.com/browse/RHEL-94534 Reported-by: Tingting Mao <timao@redhat.com> Signed-off-by: Hanna Czenczek <hreitz@redhat.com> Message-Id: <20250724125928.61045-2-hreitz@redhat.com> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Tested-by: Lei Yang <leiyang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
8 daysvirtio: fix off-by-one and invalid access in virtqueue_ordered_fillJonah Palmer1-6/+16
Commit b44135daa372 introduced virtqueue_ordered_fill for VIRTIO_F_IN_ORDER support but had a few issues: * Conditional while loop used 'steps <= max_steps' but should've been 'steps < max_steps' since reaching steps == max_steps would indicate that we didn't find an element, which is an error. Without this change, the code would attempt to read invalid data at an index outside of our search range. * Incremented 'steps' using the next chain's ndescs instead of the current one. This patch corrects the loop bounds and synchronizes 'steps' and index increments. We also add a defensive sanity check against malicious or invalid descriptor counts to avoid a potential infinite loop and DoS. Fixes: b44135daa372 ("virtio: virtqueue_ordered_fill - VIRTIO_F_IN_ORDER support") Reported-by: terrynini <terrynini38514@gmail.com> Signed-off-by: Jonah Palmer <jonah.palmer@oracle.com> Message-Id: <20250721150208.2409779-1-jonah.palmer@oracle.com> Reviewed-by: Si-Wei Liu <si-wei.liu@oracle.com> Acked-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
9 dayshw/intc/loongarch_ipi: Fix start fail with smp cpu < smp maxcpus on KVMSong Gao1-11/+16
QEMU start failed when smp cpu < smp maxcpus , because qemu send a NULL cpu to KVM, this patch adds a check for kvm_ipi_access_regs() to fix it. run with '-smp 1,maxcpus=4,sockets=4,cores=1,threads=1' we got: Unexpected error in kvm_device_access() at ../accel/kvm/kvm-all.c:3477: qemu-system-loongarch64: KVM_SET_DEVICE_ATTR failed: Group 1073741825 attr 0x0000000000010000: Invalid argument Signed-off-by: Song Gao <gaosong@loongson.cn> Reviewed-by: Bibo Mao <maobibo@loongson.cn> Message-ID: <20250725081213.3867592-1-gaosong@loongson.cn>
10 daysintc/riscv_aplic: Fix target register read when source is inactiveYang Jialong1-1/+5
The RISC-V Advanced interrupt Architecture: 4.5.16. Interrupt targets: If interrupt source i is inactive in this domain, register target[i] is read-only zero. Signed-off-by: Yang Jialong <z_bajeer@yeah.net> Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Message-ID: <20250728055114.252024-1-z_bajeer@yeah.net> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
10 dayshw/riscv/virt-acpi-build.c: Update FADT and MADT versionsSunil V L1-15/+10
RISC-V support is added only in ACPI 6.6. According to the ACPI 6.6 specification, the minor version of the Fixed ACPI Description Table (FADT) should be 6, and the Multiple APIC Description Table (MADT) should use revision 7. So, update the RISC-V FADT and MADT to reflect correct versions. Update the code comments to reflect ACPI 6.6 version details. Signed-off-by: Sunil V L <sunilvl@ventanamicro.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com> Reviewed-by: Nutty Liu <liujingqi@lanxincomputing.com> Message-ID: <20250724110350.452828-3-sunilvl@ventanamicro.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
10 daysMerge tag 'hw-misc-20250729' of https://github.com/philmd/qemu into stagingStefan Hajnoczi4-2/+3
Misc HW patches - Fix MIPS MVPControl.EVP update - Fix qxl_unpack_chunks() chunk size calculation - Fix Cadence GEM register mask initialization - Fix AddressSpaceDispatch use after free - Fix building npcm7xx/npcm8xx bootroms - Include missing headers # -----BEGIN PGP SIGNATURE----- # # iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmiItwoACgkQ4+MsLN6t # wN5OGw//SFNgCvin6ic3H+QoUNwrRAH7eFuVfAKSKGopSqWf19imHy8rZl/8DYeo # WsCRUPkVcAGzgRHZFc+8VYGdSR5GW7AulSzHh7fGQ8EFNunu3cnGsDflVV6UjgRP # wnCfFuyrnyGfXVWkkjWYqCLI78AR0hB0Gp1E5nR4ZwGM4OhatDjKpYxWlRZbnjSA # pBArLw8eKUrq90RekVpsa15oF9eMU89HzDBfxYvk0tb4//BWBiWfgQ+cz7j9f1wC # wtTOEQ2BTkvGhqhe9VacV4YpQDXE9comlTked48GzHGqsAgp55NcB6FAR438qiG1 # 3z7LpL4LQn39+oC0S9cR2OahIGFEveOvGJoj014Iny4QR/ghNzt3F2Z9tgPISIKj # MhJ0Bu7K7X+RWikY9xiAu24ORrRd5O6EItgLsl+24vkySOKODZ85WdKtIx0DQ7Yj # rvRTkFDs/3K3kzMfZ20Jpeu7Bc74qUgsii27rivM/9rN0R9w+Br8MWLe0QSFalUe # 08NoRZMVuSPCWlvJGGb0SRYpVAZsZaE9Ucd8wQzEcjHdVu0/+7KQfACXrJ09Y8sq # lTgytCL8gO2jSEAh4cN/Ds1uBc8X5KKL32hNzRgddZVujqAuriBjAYEEk1pc7qe4 # yBxVkhASOpY53b1O2UqanajT2vY4T3JX5w+Jqn1HubZ/ZUwcK64= # =H2Ie # -----END PGP SIGNATURE----- # gpg: Signature made Tue 29 Jul 2025 07:56:58 EDT # gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE # gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full] # Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE * tag 'hw-misc-20250729' of https://github.com/philmd/qemu: hw/display/sm501: fix missing error-report.h roms/Makefile: fix npcmNxx_bootrom build rules system/physmem: fix use-after-free with dispatch hw/xen/passthrough: add missing error-report include hw/net/cadence_gem: fix register mask initialization migration: rename target.c to vfio.c hw/vfio/vfio-migration: Remove unnecessary 'qemu/typedefs.h' include hw/display/qxl-render: fix qxl_unpack_chunks() chunk size calculation target/mips: Only update MVPControl.EVP bit if executed by master VPE Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
11 dayshw/display/sm501: fix missing error-report.hClément Chigot1-0/+1
"qemu/error-report.h" was previously implicitly included. This is no longer the case following 012842c075520dbe1bd96a2fdcf4e218874ba443. However, the issue predates this change as `error-report.h` should have been included when the `warn_report` call was introduced. Fixes: fa140b9562 ("hw/sm501: allow compiling without PIXMAN") Signed-off-by: Clément Chigot <chigot@adacore.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Message-ID: <20250728090518.963573-1-chigot@adacore.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
11 dayshw/xen/passthrough: add missing error-report includeAdam Williamson1-0/+1
In commit cfcacbab38e ("xen/passthrough: use gsi to map pirq when dom0 is PVH") an `error_report` was added to this file, but the corresponding include of `qemu/error-report.h` was missed. This only becomes apparent when building against Xen 4.20+ with trace backend log disabled. Fixes: cfcacbab38e4 (xen/passthrough: use gsi to map pirq when dom0 is PVH) Signed-off-by: Adam Williamson <awilliam@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-ID: <20250717220207.171040-1-awilliam@redhat.com> [PMD: Improved commit description, added Fixes: tag] Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
11 dayshw/net/cadence_gem: fix register mask initializationLuc Michel1-1/+1
The gem_init_register_masks function was called at init time but it relies on the num-priority-queues property. Call it at realize time instead. Cc: qemu-stable@nongnu.org Fixes: 4c70e32f05f ("net: cadence_gem: Define access permission for interrupt registers") Signed-off-by: Luc Michel <luc.michel@amd.com> Reviewed-by: Francisco Iglesias <francisco.iglesias@amd.com> Reviewed-by: Sai Pavan Boddu <sai.pavan.boddu@amd.com> Message-ID: <20250716095432.81923-2-luc.michel@amd.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
11 dayshw/vfio/vfio-migration: Remove unnecessary 'qemu/typedefs.h' includePhilippe Mathieu-Daudé1-1/+0
"qemu/typedefs.h" is already included by "qemu/osdep.h". Reviewed-by: Cédric Le Goater <clg@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-ID: <20250708085859.7885-3-philmd@linaro.org>
11 dayshw/display/qxl-render: fix qxl_unpack_chunks() chunk size calculationMichael Tokarev1-1/+10
In case of multiple chunks, code in qxl_unpack_chunks() takes size of the wrong (next in the chain) chunk, instead of using current chunk size. This leads to wrong number of bytes being copied, and to crashes if next chunk size is larger than the current one. Based on the code by Gao Yong. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1628 Tested-by: Thaddeus Hogan <thaddeus@thogan.com> Tested-by: Vadim Zeitlin <vadim@wxwidgets.org> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-ID: <20250221134856.478806-1-mjt@tls.msk.ru> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
11 daysvfio/igd: Fix VGA regions are not exposed in legacy modeTomita Moeko3-6/+18
In commit a59d06305fff ("vfio/pci: Introduce x-pci-class-code option"), pci_register_vga() has been moved ouside of vfio_populate_vga(). As a result, IGD VGA ranges are no longer properly exposed to guest. To fix this, call pci_register_vga() after vfio_populate_vga() legacy mode. A wrapper function vfio_pci_config_register_vga() is introduced to handle it. Fixes: a59d06305fff ("vfio/pci: Introduce x-pci-class-code option") Signed-off-by: Tomita Moeko <tomitamoeko@gmail.com> Reviewed-by: Alex Williamson <alex.williamson@redhat.com> Link: https://lore.kernel.org/qemu-devel/20250723160906.44941-3-tomitamoeko@gmail.com Signed-off-by: Cédric Le Goater <clg@redhat.com>
11 daysvfio/igd: Require host VGA decode for legacy modeTomita Moeko1-5/+6
Commit a59d06305fff ("vfio/pci: Introduce x-pci-class-code option") allows user to expose non-VGA IGD device as VGA controller to the guest. However, legacy mode requires host VGA range access. Check that GGC.IVD == 0 before enabling legacy mode to ensure IGD is a real VGA device claiming host VGA ranges. Signed-off-by: Tomita Moeko <tomitamoeko@gmail.com> Reviewed-by: Alex Williamson <alex.williamson@redhat.com> Link: https://lore.kernel.org/qemu-devel/20250723160906.44941-2-tomitamoeko@gmail.com Signed-off-by: Cédric Le Goater <clg@redhat.com>
11 daysvfio: fix sub-page bar after cprSteve Sistare3-0/+17
Regions for sub-page BARs are normally mapped here, in response to the guest writing to PCI config space: vfio_pci_write_config() pci_default_write_config() pci_update_mappings() memory_region_add_subregion() vfio_sub_page_bar_update_mapping() ... vfio_dma_map() However, after CPR, the guest does not reconfigure the device and the code path above is not taken. To fix, in vfio_cpr_pci_post_load, call vfio_sub_page_bar_update_mapping for each sub-page BAR with a valid address. Fixes: 7e9f21411302 ("vfio/container: restore DMA vaddr") Signed-off-by: Steve Sistare <steven.sistare@oracle.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Link: https://lore.kernel.org/qemu-devel/1752520890-223356-1-git-send-email-steven.sistare@oracle.com Signed-off-by: Cédric Le Goater <clg@redhat.com>
11 daysi386: Build SEV only for 64-bit targetCédric Le Goater1-1/+1
Recent changes broke build on 32-bit host. Since there is no 32-bit support, restrict SEV to 64-bit. Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Link: https://lore.kernel.org/qemu-devel/20250716071554.377356-1-clg@redhat.com Signed-off-by: Cédric Le Goater <clg@redhat.com>
11 dayshw/i386: Fix 'use-legacy-x86-rom' property compatibilityCédric Le Goater6-6/+6
Commit 350785d41d8b ("ramfb: Add property to control if load the romfile") introduced the `use-legacy-x86-rom` property for the `vfio-pci-nohotplug` device, allowing control over VGA BIOS ROM loading. However, the property compatibility setting was incorrectly applied to the `vfio-pci` device instead, which causes all `vfio-pci` devices to fail to load. This change fixes the issue by ensuring the property is set on the correct device. Fixes: d5fcf0d960d8 ("hw/i386: Add the ramfb romfile compatibility") Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Shaoqin Huang <shahuang@redhat.com> Reviewed-by: Zhao Liu <zhao1.liu@intel.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Link: https://lore.kernel.org/qemu-devel/20250723062714.1245826-1-clg@redhat.com Signed-off-by: Cédric Le Goater <clg@redhat.com>
12 daysMerge tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu into stagingStefan Hajnoczi1-1/+10
trivial patches for 2025-07-25 # -----BEGIN PGP SIGNATURE----- # # iQIzBAABCgAdFiEEZKoqtTHVaQM2a/75gqpKJDselHgFAmiDqDsACgkQgqpKJDse # lHitSg//Uy6gv6Xk+Q4WW220ik9Mr0U00bJmOFiD14I3S1z7D/L8ZvjZlA85WpZs # XhSgXzHW2qFKDAz4suEh/u4p6fboYYf0r/+QiK0Qxumup23ClcClWRBQ14GVp3T4 # JXzojzJtzYTCvr0LixNHGai8ZNr8D5XsTeKH4noH9sgDC0uRS2fD20GD5AnyJiNS # sdAlfFLJM8yLSE+pgwUr06m3s/m+wn+xH5wMVr4vUzprgXxOubz4CkOyoPMIsOxZ # 679CPfsfYueEjZ6EJJHCgLwlQIXwTEfPHWkw3GMHdgHD3qbezXH4HUanRX8zK/k1 # KeDj/goeTYQuevsLss30HgxGaoEJXAS8pPmyP7biDrxfpN+aJRIJXVZbXa0bgdFW # RF6CT+kfZCyC2/kAdUlbVNvUfgsfANWD7toIRbRwcyk7awg1jUJElEbEx17DMqr3 # nCLzfFiS09Y/9c7rtLfTwyPW1k6XAr9fykVziup5KeOEQaetpPTtvV6DFqcvQ57p # OdwMZytY+f8KKctV+X0XckmDVRQu9I9/FaWsQT82sXUSI21apAwl22Vh3mRMGkHv # eHSa+I9KQwFpXEh/LE9PYWnQBR95DIuI1u2TP1tyXdu53/seUFmTUQ6JHeQynNJ3 # E25yxYzxRXwtfTINo+YWzORVe5Gie/aWek8AnC3GSQ2yaJXBCH4= # =0G1o # -----END PGP SIGNATURE----- # gpg: Signature made Fri 25 Jul 2025 11:52:27 EDT # gpg: using RSA key 64AA2AB531D56903366BFEF982AA4A243B1E9478 # gpg: Good signature from "Michael Tokarev <mjt@debian.org>" [unknown] # gpg: aka "Michael Tokarev <mjt@corpit.ru>" [unknown] # gpg: aka "Michael Tokarev <mjt@tls.msk.ru>" [unknown] # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: 9D8B E14E 3F2A 9DD7 9199 28F1 61AD 3D98 ECDF 2C8E # Subkey fingerprint: 64AA 2AB5 31D5 6903 366B FEF9 82AA 4A24 3B1E 9478 * tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu: hw/display/qxl-render.c: fix qxl_unpack_chunks() chunk size calculation Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2025-07-25hw/arm/smmu-common: Avoid using inlined functions with external linkageJianChunfu1-1/+1
Similarly to commit 9de9fa5c ("hw/arm/smmu-common: Avoid using inlined functions with external linkage"): None of our code base require / use inlined functions with external linkage. Some places use internal inlining in the hot path. These two functions are certainly not in any hot path and don't justify any inlining, so these are likely oversights rather than intentional. Fixes: b8fa4c23 (hw/arm/smmu: Support nesting in the rest of commands) Signed-off-by: JianChunfu <jansef.jian@hj-micro.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2025-07-25hw/display/qxl-render.c: fix qxl_unpack_chunks() chunk size calculationMichael Tokarev1-1/+10
In case of multiple chunks, code in qxl_unpack_chunks() takes size of the wrong (next in the chain) chunk, instead of using current chunk size. This leads to wrong number of bytes being copied, and to crashes if next chunk size is larger than the current one. Based on the code by Gao Yong. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1628 Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Thomas Huth <thuth@redhat.com>
2025-07-21Merge tag 'pull-ppc-20250721' of https://github.com/legoater/qemu into stagingStefan Hajnoczi9-465/+1063
ppc/xive queue: * Various bug fixes around lost interrupts particularly. * Major group interrupt work, in particular around redistributing interrupts. Upstream group support is not in a complete or usable state as it is. * Significant context push/pull improvements, particularly pool and phys context handling was quite incomplete beyond trivial OPAL case that pushes at boot. * Improved tracing and checking for unimp and guest error situations. * Various other missing feature support. # -----BEGIN PGP SIGNATURE----- # # iQIzBAABCAAdFiEEoPZlSPBIlev+awtgUaNDx8/77KEFAmh951cACgkQUaNDx8/7 # 7KFK6w//SAmZpNmE380UN4OxMBcjsT5m5Cf2hy+Wq9pSEcwWckBFT03HyR86JAv3 # QLR1d6yx7dY0aVWAHtFC24vlU2jpv0Io97wfX9VbgG7e4TY/i1vRMSXYYehXuU/Y # gLrwuJGxAMKWrd+4ymvHOyXHRAq3LMGQQYfqLCB77b8UJ18JyCL8FwAl/D6EsZ1y # nUW8WlDy6qQ/SJQHZZ664kyJEv7Qw4xd81ZnmoPsy3xVd7c4ASNBWvDTjRoUn2EN # sfJW76UqqFn3EqASaKsqoNPHu3kklQ/AX3KlE1wFCBjYoXwl/051wIX4RIb+b2S4 # SLtc/YSAie1n2Pp1sghfLRFiRpjrmnqaLlw04Buw1TXY2OaQbFc9zTkc9rvFSez1 # cNjdJcvm3myAWy2Pg//Nt3FgCqfMlrrdTlyGsdqmrEaplBy6pHnas+82o5tPGC3t # SBMgTDqNMq0v/V/gOIsmHc5/9f+FS5s+v/nvm0xJDfLkY39qP73W+YZllYyyuTHY # HiLVjD7x5BSGZAsP9EN6EnL7DPXKPIIQSfNwo2564tAhe3/IyJo8hpGhMeiZ83Hf # G9oPiLa4YljsHzP0UPRNhID5IYyngEDoh2j3AXnew1tkikHd5LIpNCdbtW5x52RR # kik4hBmqJU6sYpO0O9yCd6YWv/Bpm4bDs6tQOSWMc6uWqP0qN8M= # =65BL # -----END PGP SIGNATURE----- # gpg: Signature made Mon 21 Jul 2025 03:08:07 EDT # gpg: using RSA key A0F66548F04895EBFE6B0B6051A343C7CFFBECA1 # gpg: Good signature from "Cédric Le Goater <clg@redhat.com>" [full] # gpg: aka "Cédric Le Goater <clg@kaod.org>" [full] # Primary key fingerprint: A0F6 6548 F048 95EB FE6B 0B60 51A3 43C7 CFFB ECA1 * tag 'pull-ppc-20250721' of https://github.com/legoater/qemu: (50 commits) ppc/xive2: Enable lower level contexts on VP push ppc/xive: Split need_resend into restore_nvp ppc/xive2: Implement PHYS ring VP push TIMA op ppc/xive2: Implement POOL LGS push TIMA op ppc/xive2: Implement set_os_pending TIMA op ppc/xive2: redistribute group interrupts on context push ppc/xive2: Implement pool context push TIMA op ppc/xive: Check TIMA operations validity ppc/xive: Redistribute phys after pulling of pool context ppc/xive2: Prevent pulling of pool context losing phys interrupt ppc/xive2: implement NVP context save restore for POOL ring ppc/xive: Assert group interrupts were redistributed ppc/xive2: Avoid needless interrupt re-check on CPPR set ppc/xive2: Consolidate presentation processing in context push ppc/xive2: split tctx presentation processing from set CPPR ppc/xive: Add xive_tctx_pipr_set() helper function ppc/xive: tctx_accept only lower irq line if an interrupt was presented ppc/xive: tctx signaling registers rework ppc/xive: Split xive recompute from IPB function ppc/xive: Fix high prio group interrupt being preempted by low prio VP ... Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2025-07-21Merge tag 'display-20250718-pull-request' of https://gitlab.com/kraxel/qemu ↵Stefan Hajnoczi11-15/+54
into staging Load ramfb vgabios on x86 only. # -----BEGIN PGP SIGNATURE----- # # iQIzBAABCgAdFiEEoDKM/7k6F6eZAf59TLbY7tPocTgFAmh6o80ACgkQTLbY7tPo # cTjxPBAAktTXxFK6loSMSWC1ul8RCl/4F7G84J4eT+Ui8/KIG8do5KcebTnXb9zo # keOG7n9HPk4fROWiAFgGnuBfw41DWmLDS34iuENrG3X26TQgSSgBveuwas67Pzqu # HpaFSxjh7BRLlkUWaNoll57cDM3kKLmx+Onw6m/7kbcVXAsy1N4wxfCT1faUU7ID # R1ggULG1WhB8q+YtQjac6EfOpdHe1BTBGLuxSwE3mNkce9ZP7C8uxZTCR5PXggZi # IXzJzGpFRDCHqrilWksiE62yF20Kem4ZcpO/GgLWmF+X+DYBDEWcajihvF20TGUL # n6dyT7MBxuvqFy0OtBPHNcnq2PZzOIKyxyMvBg9402xeD6goNbFKloAYeae4C9u0 # QuqQUpb8D3lVagVu55N5XfpdMHR0P8yefPAjaFL4o3rf2JSjyI6MRX/+2eA7aXcX # xiwHSx3iavEeNQNsPZsS3JhH5bKy/zkWRiBd+msGVAYMZGzhdEtLg/w8yUd6dQ5p # /3Y3F4fL6T6QSwhsiihcbdPtjhfVCP09MYK/P4cIFbWOzjfbndt1/UIXHQ54s8Jo # PShcE7QH7ttT2gK5nFPG5yeTqF70kKpSyhwF2pukf2fAgcU+0SNoj2zZNtHAvKeh # 8EHqAy8m1J4AlQeO5nT9tJj/v1CM0q6cljzIfV8hWWgM/hL/vLc= # =76m5 # -----END PGP SIGNATURE----- # gpg: Signature made Fri 18 Jul 2025 15:43:09 EDT # gpg: using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full] # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [full] # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full] # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * tag 'display-20250718-pull-request' of https://gitlab.com/kraxel/qemu: hw/i386: Add the ramfb romfile compatibility vfio: Move the TYPE_* to hw/vfio/types.h ramfb: Add property to control if load the romfile Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Conflicts: hw/core/machine.c Context conflict because the vfio-pci "x-migration-load-config-after-iter" was added recently.
2025-07-21Merge tag 'pull-target-arm-20250721' of https://gitlab.com/pm215/qemu into ↵Stefan Hajnoczi2-1/+14
staging target-arm queue: * hvf: arm: Remove $pc from trace_hvf_data_abort() * target/arm: Correct encoding of Debug Communications Channel registers * hw/misc/ivshmem-pci: Improve error handling * target/arm: Provide always-false kvm_arm_*_supported() stubs for usermode * host-utils: Drop workaround for buggy Apple Clang __builtin_subcll() * hw/misc/max78000_aes: Comment Internal Key Storage * docs: Fix Aspeed title * Implement a handful of missing FEAT_SVE_B16_B16 insns * Fix bugs in FMAXQV, FMINQV, etc * Fix assert in LD1Q decode * hvf: arm: Add permission check in GIC sysreg handlers * hvf: arm: Emulate ICC_RPR_EL1 accesses properly * accel/hvf: Display executable bit as 'X' # -----BEGIN PGP SIGNATURE----- # # iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmh+OlgZHHBldGVyLm1h # eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3klRD/0QvWyi0z0wbBdIKGi8kury # VP/S1FcqP2w9l0jUAmINxsOYu/+ql8w3t6m2jxlTOYZc9rNauQrxRYGD1GdqfJVn # VCYN47OHRye+iMH6c5jdKyJTi3n2uvT2g8anh2Yt18xOey45Pwr2fTs8rje3N5sH # fvv1mNaeGyA7wgXEY9Z4tEvW19ZPsuKIBd4Ea7klDXwUpTmmQkJMVTKyz7/TefqK # YicpM9E4dMxwNvW/8zrsVH505E4s15OytIjhDci30v2M7Uh3tUIRKo+s44Kk7cEq # HIwO/ra1HEhp8xGU2UfRf643EF1k7A0VUgetHSxYbi1gIknjiSU8Ohnd268CgY7G # /UbjgjFu5mcJgBvoNCwGy0iuCkEfRZ+veq24OjL6GbMvt2utCm9Rumu5KLemLpvW # mB4RexjbT+FDldhz8Ub42sR96UpZ0TSEfwjOswHibA4Zk4o2S6fRv0OqaBMB2dKU # MhcMdBdPXe3SmecRlYoqde+RCUyIOMD46uiJYrBhG6Nfn6SgcnS+ZGB960veaH2r # p5lvyJIBn3/a1KwOET9z5Gp3C6l4TXgJjIaCB4qAWHxeBR/AIobRC71heCc0uPU+ # J3Nm5/p6rcz0vjzs1To0VuXM57qNpQJWu0Un+8CDjpXJ0piyBk4o2iu1dw26bsMs # yrgqlMfDsXNlK/yUdykAbw== # =rQ+N # -----END PGP SIGNATURE----- # gpg: Signature made Mon 21 Jul 2025 09:02:16 EDT # gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE # gpg: issuer "peter.maydell@linaro.org" # gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [full] # gpg: aka "Peter Maydell <pmaydell@gmail.com>" [full] # gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [full] # gpg: aka "Peter Maydell <peter@archaic.org.uk>" [unknown] # Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE * tag 'pull-target-arm-20250721' of https://gitlab.com/pm215/qemu: accel/hvf: Display executable bit as 'X' hvf: arm: Emulate ICC_RPR_EL1 accesses properly hvf: arm: Add permission check in GIC sysreg handlers target/arm: Make LD1Q decode and trans fn agree about a->u target/arm: Honour FPCR.AH=1 default NaN value in FMAXNMQV, FMINNMQV target/arm: Don't nest H() macro calls in SVE DO_REDUCE target/arm: Correct sense of FPCR.AH test for FMAXQV and FMINQV target/arm: Add BFMLA, BFMLS (indexed) target/arm: Add BFMLA, BFMLS (vectors) target/arm: Add BFMUL (indexed) target/arm: Add BFMIN, BFMAX (predicated) target/arm: Add BFADD, BFSUB, BFMUL, BFMAXNM, BFMINNM (predicated) target/arm: Add BFADD, BFSUB, BFMUL (unpredicated) docs: Fix Aspeed title hw/misc/max78000_aes: Comment Internal Key Storage host-utils: Drop workaround for buggy Apple Clang __builtin_subcll() target/arm: Provide always-false kvm_arm_*_supported() stubs for usermode hw/misc/ivshmem-pci: Improve error handling target/arm: Correct encoding of Debug Communications Channel registers hvf: arm: Remove $pc from trace_hvf_data_abort() Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>