diff --git a/block-qed-fix-use-after-free-by-nullifying-timer-poi.patch b/block-qed-fix-use-after-free-by-nullifying-timer-poi.patch
new file mode 100644
index 0000000000000000000000000000000000000000..47e846625826dc87fdf3a721d7ccb21a3f083539
--- /dev/null
+++ b/block-qed-fix-use-after-free-by-nullifying-timer-poi.patch
@@ -0,0 +1,44 @@
+From 83d07b4feac945d8b483642d28c8eebcabc4fa12 Mon Sep 17 00:00:00 2001
+From: qihao_yewu
+Date: Thu, 31 Jul 2025 21:40:03 -0400
+Subject: [PATCH] block/qed: fix use-after-free by nullifying timer pointer
+ after free
+
+cheery-pick from 9f1e501fb1cb83b46f49df8bb2fb0950ea5fa5a5
+
+This error was discovered by fuzzing qemu-img.
+
+In the QED block driver, the need_check_timer timer is freed in
+bdrv_qed_detach_aio_context, but the pointer to the timer is not
+set to NULL. This can lead to a use-after-free scenario
+in bdrv_qed_drain_begin().
+
+The need_check_timer pointer is set to NULL after freeing the timer.
+Which helps catch this condition when checking in bdrv_qed_drain_begin().
+
+Closes: https://gitlab.com/qemu-project/qemu/-/issues/2852
+Signed-off-by: Denis Rastyogin
+Message-ID: <20250304083927.37681-1-gerben@altlinux.org>
+Signed-off-by: Stefan Hajnoczi
+(cherry picked from commit 2ad638a3d160923ef3dbf87c73944e6e44bdc724)
+Signed-off-by: Michael Tokarev
+Signed-off-by: qihao_yewu
+---
+ block/qed.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block/qed.c b/block/qed.c
+index bc2f0a61c0..b986353979 100644
+--- a/block/qed.c
++++ b/block/qed.c
+@@ -353,6 +353,7 @@ static void bdrv_qed_detach_aio_context(BlockDriverState *bs)
+ 
+ qed_cancel_need_check_timer(s);
+ timer_free(s->need_check_timer);
++ s->need_check_timer = NULL;
+ }
+ 
+ static void bdrv_qed_attach_aio_context(BlockDriverState *bs,
+--
+2.33.0
+
diff --git a/elfload-Fix-alignment-when-unmapping-excess-reservat.patch b/elfload-Fix-alignment-when-unmapping-excess-reservat.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6fbeae6d3876611479ca3958149b135571b582ef
--- /dev/null
+++ b/elfload-Fix-alignment-when-unmapping-excess-reservat.patch
@@ -0,0 +1,45 @@
+From ecdd2a7388d57c88511e8d7ffc0ce0956253c0df Mon Sep 17 00:00:00 2001
+From: qihao_yewu
+Date: Thu, 31 Jul 2025 21:57:52 -0400
+Subject: [PATCH] elfload: Fix alignment when unmapping excess reservation
+
+cheery-pick from 2c837358c2f3b30524754ffebedb6c5d60ae3552
+
+When complying with the alignment requested in the ELF and unmapping
+the excess reservation, having align_end not aligned to the guest page
+causes the unmap to be rejected by the alignment check at
+target_munmap and later brk adjustments hit an EEXIST.
+
+Fix by aligning the start of region to be unmapped.
+
+Fixes: c81d1fafa6 ("linux-user: Honor elf alignment when placing images")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1913
+Signed-off-by: Fabiano Rosas
+[rth: Align load_end as well.]
+Signed-off-by: Richard Henderson
+Message-ID: <20250213143558.10504-1-farosas@suse.de>
+(cherry picked from commit 4b7b20a3b72c5000ea71bef505c16e6e628268b6)
+Signed-off-by: Michael Tokarev
+Signed-off-by: qihao_yewu
+---
+ linux-user/elfload.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux-user/elfload.c b/linux-user/elfload.c
+index 87eb318b46..f0c9095d57 100644
+--- a/linux-user/elfload.c
++++ b/linux-user/elfload.c
+@@ -3417,8 +3417,8 @@ static void load_elf_image(const char *image_name, const ImageSource *src,
+ 
+ if (align_size != reserve_size) {
+ abi_ulong align_addr = ROUND_UP(load_addr, align);
+- abi_ulong align_end = align_addr + reserve_size;
+- abi_ulong load_end = load_addr + align_size;
++ abi_ulong align_end = TARGET_PAGE_ALIGN(align_addr + reserve_size);
++ abi_ulong load_end = TARGET_PAGE_ALIGN(load_addr + align_size);
+ 
+ if (align_addr != load_addr) {
+ target_munmap(load_addr, align_addr - load_addr);
+--
+2.33.0
+
diff --git a/hw-arm-boot.c-Enforce-CCA-and-virtCCA-isolation.patch b/hw-arm-boot.c-Enforce-CCA-and-virtCCA-isolation.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3068dc237e5d5c9b2a366b4eb23d9f930cb95570
--- /dev/null
+++ b/hw-arm-boot.c-Enforce-CCA-and-virtCCA-isolation.patch
@@ -0,0 +1,72 @@
+From 6c6e62479472fc67b92d7bce2d6e8c2b379b6fe1 Mon Sep 17 00:00:00 2001
+From: yxk
+Date: Thu, 4 Sep 2025 22:47:10 +0800
+Subject: [PATCH] hw/arm boot.c: Enforce CCA and virtCCA isolation.
+
+Since both CCA and virtCCA utilize info->confidential in
+arm_setup_firmware_boot, we must distinguish between them.
+
+Signed-off-by: yxk
+---
+ hw/arm/boot.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+index 4f5bf6e77c..9e28199a68 100644
+--- a/hw/arm/boot.c
++++ b/hw/arm/boot.c
+@@ -1228,17 +1228,18 @@ static void arm_setup_confidential_firmware_boot(ARMCPU *cpu,
+ uint64_t tmi_version = 0;
+ int ret = -1;
+ 
+- if (kvm_enabled()) {
++ if (kvm_enabled() && virtcca_cvm_enabled()) {
+ ret = kvm_ioctl(kvm_state, KVM_GET_TMI_VERSION, &tmi_version);
++ if (ret < 0) {
++ error_report("please check the kernel version!");
++ exit(EXIT_FAILURE);
++ }
++ if (tmi_version < MIN_TMI_VERSION_FOR_UEFI_BOOTED_CVM) {
++ error_report("please check the tmi version!");
++ exit(EXIT_FAILURE);
++ }
+ }
+- if (ret < 0) {
+- error_report("please check the kernel version!");
+- exit(EXIT_FAILURE);
+- }
+- if (tmi_version < MIN_TMI_VERSION_FOR_UEFI_BOOTED_CVM) {
+- error_report("please check the tmi version!");
+- exit(EXIT_FAILURE);
+- }
++
+ ssize_t fw_size;
+ const char *fname;
+ AddressSpace *as = arm_boot_address_space(cpu, info);
+@@ -1273,7 +1274,7 @@ static void arm_setup_firmware_boot(ARMCPU *cpu, struct arm_boot_info *info, con
+ * DTB to the base of RAM for the bootloader to pick up.
+ */
+ info->dtb_start = info->loader_start;
+- if (info->confidential)
++ if (info->confidential && virtcca_cvm_enabled())
+ tmm_add_ram_region(UEFI_LOADER_START, UEFI_MAX_SIZE, info->dtb_start, DTB_MAX , true);
+ }
+ 
+@@ -1317,9 +1318,11 @@ static void arm_setup_firmware_boot(ARMCPU *cpu, struct arm_boot_info *info, con
+ 
+ if (info->confidential) {
+ arm_setup_confidential_firmware_boot(cpu, info, firmware_filename);
+- virtcca_kvm_get_mmio_addr(&mmio_start, &mmio_size);
+- kvm_load_user_data(info->loader_start, DTB_MAX, mmio_start, mmio_size, info->ram_size,
+- (struct kvm_numa_info *)info->numa_info);
++ if (virtcca_cvm_enabled()) {
++ virtcca_kvm_get_mmio_addr(&mmio_start, &mmio_size);
++ kvm_load_user_data(info->loader_start, DTB_MAX, mmio_start, mmio_size, info->ram_size,
++ (struct kvm_numa_info *)info->numa_info);
++ }
+ }
+ /*
+ * We will start from address 0 (typically a boot ROM image) in the
+--
+2.33.0
+
diff --git a/hw-gpio-npcm7xx-fixup-out-of-bounds-access.patch b/hw-gpio-npcm7xx-fixup-out-of-bounds-access.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a214125eb0e3fa7c2d292880a05bd6727b227956
--- /dev/null
+++ b/hw-gpio-npcm7xx-fixup-out-of-bounds-access.patch
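Review bot: The rewritten guard in the first hunk, `if (kvm_enabled() && virtcca_cvm_enabled())`, drops the fail-closed behaviour the old code had: with KVM off, `ret` stayed -1 and the function exited with "please check the kernel version!", whereas now a virtCCA guest without KVM falls through with `tmi_version` never checked and `ret` left unused. Whether virtCCA can be enabled without KVM is not visible here; if it cannot, an assertion documents that, otherwise keep the rejection explicit: `} else if (virtcca_cvm_enabled()) { error_report("virtCCA requires KVM"); exit(EXIT_FAILURE); }`. In the second hunk the body of `if (info->confidential && virtcca_cvm_enabled())` is still unbraced, which QEMU's coding style disallows; wrap the `tmm_add_ram_region(...)` call in braces while touching that line. arm_setup_confidential_firmware_boot begins before the first hunk and the two later hunks are cut from the middle of arm_setup_firmware_boot, so the surrounding control flow is not visible.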
@@ -0,0 +1,52 @@
+From 419104f21e81d883f1a41540512e86750363600e Mon Sep 17 00:00:00 2001
+From: qihao_yewu
+Date: Thu, 31 Jul 2025 22:18:09 -0400
+Subject: [PATCH] hw/gpio: npcm7xx: fixup out-of-bounds access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cheery-pick from 27e3d81ffd81bb57b02816fc9cfe24f621d64c59
+
+The reg isn't validated to be a possible register before
+it's dereferenced for one case. The mmio space registered
+for the gpio device is 4KiB but there aren't that many
+registers in the struct.
+
+Cc: qemu-stable@nongnu.org
+Fixes: 526dbbe0874 ("hw/gpio: Add GPIO model for Nuvoton NPCM7xx")
+Signed-off-by: Patrick Venture
+Reviewed-by: Philippe Mathieu-Daudé
+Message-id: 20250226024603.493148-1-venture@google.com
+Signed-off-by: Peter Maydell
+(cherry picked from commit 3b2e22c0bbe2ce07123d93961d52f17644562cd7)
+Signed-off-by: Michael Tokarev
+Signed-off-by: qihao_yewu
+---
+ hw/gpio/npcm7xx_gpio.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/hw/gpio/npcm7xx_gpio.c b/hw/gpio/npcm7xx_gpio.c
+index 3376901ab1..c75f9e073d 100644
+--- a/hw/gpio/npcm7xx_gpio.c
++++ b/hw/gpio/npcm7xx_gpio.c
+@@ -220,8 +220,6 @@ static void npcm7xx_gpio_regs_write(void *opaque, hwaddr addr, uint64_t v,
+ return;
+ }
+ 
+- diff = s->regs[reg] ^ value;
+-
+ switch (reg) {
+ case NPCM7XX_GPIO_TLOCK1:
+ case NPCM7XX_GPIO_TLOCK2:
+@@ -242,6 +240,7 @@ static void npcm7xx_gpio_regs_write(void *opaque, hwaddr addr, uint64_t v,
+ case NPCM7XX_GPIO_PU:
+ case NPCM7XX_GPIO_PD:
+ case NPCM7XX_GPIO_IEM:
++ diff = s->regs[reg] ^ value;
+ s->regs[reg] = value;
+ npcm7xx_gpio_update_pins(s, diff);
+ break;
+--
+2.33.0
+
diff --git a/hw-xen-hvm-Fix-Aarch64-typo.patch b/hw-xen-hvm-Fix-Aarch64-typo.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ee9c560c9a4e8d816d48dffdea4672faab3ef36f
--- /dev/null
+++ b/hw-xen-hvm-Fix-Aarch64-typo.patch
@@ -0,0 +1,39 @@
+From 62345fc389cc60ddc356ea29d9678d065afe5dfe Mon Sep 17 00:00:00 2001
+From: qihao_yewu
+Date: Thu, 31 Jul 2025 22:27:36 -0400
+Subject: [PATCH] hw/xen/hvm: Fix Aarch64 typo
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cheery-pick from 8f9843336a6aaef1505dced5c53b83c3fd3e0c2f
+
+There is no TARGET_ARM_64 definition. Luckily enough,
+when TARGET_AARCH64 is defined, TARGET_ARM also is.
+
+Fixes: 733766cd373 ("hw/arm: introduce xenpvh machine")
+Signed-off-by: Philippe Mathieu-Daudé
+Reviewed-by: Pierrick Bouvier
+Reviewed-by: Richard Henderson
+Message-Id: <20250305153929.43687-2-philmd@linaro.org>
+(cherry picked from commit 3a11b653a63fee0e43f4ab84b93f068b961d8fe7)
+Signed-off-by: Michael Tokarev
+Signed-off-by: qihao_yewu
+---
+ include/hw/xen/arch_hvm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/hw/xen/arch_hvm.h b/include/hw/xen/arch_hvm.h
+index c7c515220d..df39c819c8 100644
+--- a/include/hw/xen/arch_hvm.h
++++ b/include/hw/xen/arch_hvm.h
+@@ -1,5 +1,5 @@
+ #if defined(TARGET_I386) || defined(TARGET_X86_64)
+ #include "hw/i386/xen_arch_hvm.h"
+-#elif defined(TARGET_ARM) || defined(TARGET_ARM_64)
++#elif defined(TARGET_ARM) || defined(TARGET_AARCH64)
+ #include "hw/arm/xen_arch_hvm.h"
+ #endif
+--
+2.33.0
+
diff --git a/pci-msix-Fix-msix-pba-read-vector-poll-end-calculati.patch b/pci-msix-Fix-msix-pba-read-vector-poll-end-calculati.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0915bef5f79e2b1ce1fa5d5c5a123a145008af72
--- /dev/null
+++ b/pci-msix-Fix-msix-pba-read-vector-poll-end-calculati.patch
@@ -0,0 +1,42 @@
+From dea0186756336e64133f2613cbb9bda1d5fb6515 Mon Sep 17 00:00:00 2001
+From: qihao_yewu
+Date: Thu, 31 Jul 2025 22:34:38 -0400
+Subject: [PATCH] pci/msix: Fix msix pba read vector poll end calculation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cheery-pick from 27c41db3f5bdfa40729ec749603e006e57c1e6ef
+
+The end vector calculation has a bug that results in polling fewer
+than required vectors when reading at a non-zero offset in PBA memory.
+
+Fixes: bbef882cc193 ("msi: add API to get notified about pending bit poll")
+Signed-off-by: Nicholas Piggin
+Message-Id: <20241212120402.1475053-1-npiggin@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Michael S. Tsirkin
+(cherry picked from commit 42e2a7a0ab23784e44fcb18369e06067abc89305)
+Signed-off-by: Michael Tokarev
+Signed-off-by: qihao_yewu
+---
+ hw/pci/msix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/pci/msix.c b/hw/pci/msix.c
+index cd817f4ca8..057a1305cd 100644
+--- a/hw/pci/msix.c
++++ b/hw/pci/msix.c
+@@ -250,7 +250,7 @@ static uint64_t msix_pba_mmio_read(void *opaque, hwaddr addr,
+ PCIDevice *dev = opaque;
+ if (dev->msix_vector_poll_notifier) {
+ unsigned vector_start = addr * 8;
+- unsigned vector_end = MIN(addr + size * 8, dev->msix_entries_nr);
++ unsigned vector_end = MIN((addr + size) * 8, dev->msix_entries_nr);
+ dev->msix_vector_poll_notifier(dev, vector_start, vector_end);
+ }
+ 
+--
+2.33.0
+
diff --git a/physmem-fix-qemu_ram_alloc_from_fd-size-calculation.patch b/physmem-fix-qemu_ram_alloc_from_fd-size-calculation.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bc9bfb2112f55f27ca3ce3ae15b5170574d8ce4f
--- /dev/null
+++ b/physmem-fix-qemu_ram_alloc_from_fd-size-calculation.patch
@@ -0,0 +1,61 @@
+From ec16a25f34ac8d2de561766e1d3ece6601ec9374 Mon Sep 17 00:00:00 2001
+From: qihao_yewu
+Date: Thu, 31 Jul 2025 22:42:08 -0400
+Subject: [PATCH] physmem: fix qemu_ram_alloc_from_fd size calculation
+
+cheery-pick from 4afd17ebcc6a9412ba8009410e448a00af45f05b
+
+qemu_ram_alloc_from_fd allocates space if file_size == 0. If non-zero,
+it uses the existing space and verifies it is large enough, but the
+verification was broken when the offset parameter was introduced. As
+a result, a file smaller than offset passes the verification and causes
+errors later. Fix that, and update the error message to include offset.
+
+Peter provides this concise reproducer:
+
+ $ touch ramfile
+ $ truncate -s 64M ramfile
+ $ ./qemu-system-x86_64 -object memory-backend-file,mem-path=./ramfile,offset=128M,size=128M,id=mem1,prealloc=on
+ qemu-system-x86_64: qemu_prealloc_mem: preallocating memory failed: Bad address
+
+With the fix, the error message is:
+ qemu-system-x86_64: mem1 backing store size 0x4000000 is too small for 'size' option 0x8000000 plus 'offset' option 0x8000000
+
+Cc: qemu-stable@nongnu.org
+Fixes: 4b870dc4d0c0 ("hostmem-file: add offset option")
+Signed-off-by: Steve Sistare
+Reviewed-by: Peter Xu
+Acked-by: David Hildenbrand
+Link: https://lore.kernel.org/r/1736967650-129648-3-git-send-email-steven.sistare@oracle.com
+Signed-off-by: Fabiano Rosas
+(cherry picked from commit 719168fba7c3215cc996dcfd32a6e5e9c7b8eee0)
+Signed-off-by: Michael Tokarev
+Signed-off-by: qihao_yewu
+---
+ system/physmem.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/system/physmem.c b/system/physmem.c
+index 8f4be2d131..e862f99ff6 100644
+--- a/system/physmem.c
++++ b/system/physmem.c
+@@ -1945,10 +1945,12 @@ RAMBlock *qemu_ram_alloc_from_fd(ram_addr_t size, MemoryRegion *mr,
+ 
+ size = HOST_PAGE_ALIGN(size);
+ file_size = get_file_size(fd);
+- if (file_size > offset && file_size < (offset + size)) {
+- error_setg(errp, "backing store size 0x%" PRIx64
+- " does not match 'size' option 0x" RAM_ADDR_FMT,
+- file_size, size);
++ if (file_size && file_size < offset + size) {
++ error_setg(errp, "%s backing store size 0x%" PRIx64
++ " is too small for 'size' option 0x" RAM_ADDR_FMT
++ " plus 'offset' option 0x%" PRIx64,
++ memory_region_name(mr), file_size, size,
++ (uint64_t)offset);
+ return NULL;
+ }
+ 
+--
+2.33.0
+
diff --git a/qemu.spec b/qemu.spec
index be8d67b6fe62d0a0b3e0210dc894275eb63e164e..cab97699ab13a7c43c180fb94067145ee37680d6 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -3,7 +3,7 @@
 Name: qemu
 Version: 8.2.0
-Release: 46
+Release: 47
 Epoch: 11
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
 
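Review bot: The new condition `file_size < offset + size` can wrap: `offset` is the user-supplied `offset=` option and the sum is evaluated in unsigned 64-bit arithmetic, so an `offset` near the top of the range makes the sum small and a backing file that is far too short passes the check that this commit is meant to tighten. Whether hostmem-file bounds `offset` before this point is not visible in the hunk, so the comparison is safer written without the addition: `if (file_size && (file_size < offset || file_size - offset < size)) {`. qemu_ram_alloc_from_fd starts before the hunk and continues after it.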
@@ -1068,6 +1068,21 @@ Patch1051: target-riscv-Fix-mcycle-minstret-increment-behavior.patch
 Patch1052: chardev-char.c-fix-abstract-device-type-error-messag.patch
 Patch1053: hw-net-cadence_gem-Fix-MDIO_OP_xxx-values.patch
 Patch1054: Always-create-pflash-objects-and-register-properties.patch
+Patch1055: vdpa-Allow-vDPA-to-work-on-big-endian-machine.patch
+Patch1056: vfio-container-Replace-basename-with-g_path_get_base.patch
+Patch1057: vfio-migration-Report-only-stop-copy-size-in-vfio_st.patch
+Patch1058: vfio-pci-Clear-MSI-X-IRQ-index-always.patch
+Patch1059: hw-arm-boot.c-Enforce-CCA-and-virtCCA-isolation.patch
+Patch1060: block-qed-fix-use-after-free-by-nullifying-timer-poi.patch
+Patch1061: hw-gpio-npcm7xx-fixup-out-of-bounds-access.patch
+Patch1062: hw-xen-hvm-Fix-Aarch64-typo.patch
+Patch1063: pci-msix-Fix-msix-pba-read-vector-poll-end-calculati.patch
+Patch1064: physmem-fix-qemu_ram_alloc_from_fd-size-calculation.patch
+Patch1065: s390x-s390-virtio-ccw-don-t-crash-on-weird-RAM-sizes.patch
+Patch1066: ssh-Do-not-switch-session-to-non-blocking-mode.patch
+Patch1067: target-ppc-Fix-mtDPDES-targeting-SMT-siblings.patch
+Patch1068: target-ppc-Fix-non-maskable-interrupt-while-halted.patch
+Patch1069: elfload-Fix-alignment-when-unmapping-excess-reservat.patch
 
 BuildRequires: flex
 BuildRequires: gcc
@@ -1670,6 +1685,23 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Mon Oct 20 2025 Pengrui Zhang - 11:8.2.0-47
+- vdpa: Allow vDPA to work on big-endian machine
+- vfio/container: Replace basename with g_path_get_basename
+- vfio/migration: Report only stop-copy size in vfio_state_pending_exact()
+- vfio/pci: Clear MSI-X IRQ index always
+- hw/arm boot.c: Enforce CCA and virtCCA isolation.
+- block/qed: fix use-after-free by nullifying timer pointer after free
+- hw/gpio: npcm7xx: fixup out-of-bounds access
+- hw/xen/hvm: Fix Aarch64 typo
+- pci/msix: Fix msix pba read vector poll end calculation
+- physmem: fix qemu_ram_alloc_from_fd size calculation
+- s390x/s390-virtio-ccw: don't crash on weird RAM sizes
+- ssh: Do not switch session to non-blocking mode
+- target/ppc: Fix mtDPDES targeting SMT siblings
+- target/ppc: Fix non-maskable interrupt while halted
+- elfload: Fix alignment when unmapping excess reservation
+
 * Fri Sep 05 2025 Pengrui Zhang - 11:8.2.0-46
 - Always create pflash objects and register properties for QOM
 
diff --git a/s390x-s390-virtio-ccw-don-t-crash-on-weird-RAM-sizes.patch b/s390x-s390-virtio-ccw-don-t-crash-on-weird-RAM-sizes.patch
new file mode 100644
index 0000000000000000000000000000000000000000..385897e57d579321ae0dd8e43e1ff77bab44da2b
--- /dev/null
+++ b/s390x-s390-virtio-ccw-don-t-crash-on-weird-RAM-sizes.patch
@@ -0,0 +1,59 @@
+From c380600ce0baf141bfd94c1dfec5a6b4ea29024a Mon Sep 17 00:00:00 2001
+From: qihao_yewu
+Date: Thu, 31 Jul 2025 22:51:14 -0400
+Subject: [PATCH] s390x/s390-virtio-ccw: don't crash on weird RAM sizes
+
+cheery-pick from f19312d014633e9ae942b75ead53333a4b2ec0c2
+
+KVM is not happy when starting a VM with weird RAM sizes:
+
+ # qemu-system-s390x --enable-kvm --nographic -m 1234K
+ qemu-system-s390x: kvm_set_user_memory_region: KVM_SET_USER_MEMORY_REGION
+ failed, slot=0, start=0x0, size=0x244000: Invalid argument
+ kvm_set_phys_mem: error registering slot: Invalid argument
+ Aborted (core dumped)
+
+Let's handle that in a better way by rejecting such weird RAM sizes
+right from the start:
+
+ # qemu-system-s390x --enable-kvm --nographic -m 1234K
+ qemu-system-s390x: ram size must be multiples of 1 MiB
+
+Message-ID: <20241219144115.2820241-2-david@redhat.com>
+Acked-by: Michael S. Tsirkin
+Reviewed-by: Eric Farman
+Reviewed-by: Thomas Huth
+Acked-by: Janosch Frank
+Signed-off-by: David Hildenbrand
+(cherry picked from commit 14e568ab4836347481af2e334009c385f456a734)
+Signed-off-by: Michael Tokarev
+Signed-off-by: qihao_yewu
+---
+ hw/s390x/s390-virtio-ccw.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
+index 7262725d2e..6e44c1dd6a 100644
+--- a/hw/s390x/s390-virtio-ccw.c
++++ b/hw/s390x/s390-virtio-ccw.c
+@@ -176,6 +176,17 @@ static void s390_memory_init(MemoryRegion *ram)
+ {
+ MemoryRegion *sysmem = get_system_memory();
+ 
++ if (!QEMU_IS_ALIGNED(memory_region_size(ram), 1 * MiB)) {
++ /*
++ * SCLP cannot possibly expose smaller granularity right now and KVM
++ * cannot handle smaller granularity. As we don't support NUMA, the
++ * region size directly corresponds to machine->ram_size, and the region
++ * is a single RAM memory region.
++ */
++ error_report("ram size must be multiples of 1 MiB");
++ exit(EXIT_FAILURE);
++ }
++
+ /* allocate RAM for core */
+ memory_region_add_subregion(sysmem, 0, ram);
+ 
+--
+2.33.0
+
diff --git a/ssh-Do-not-switch-session-to-non-blocking-mode.patch b/ssh-Do-not-switch-session-to-non-blocking-mode.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2049e64d7d07cc51bdcf7e5763344de115c28ad7
--- /dev/null
+++ b/ssh-Do-not-switch-session-to-non-blocking-mode.patch
@@ -0,0 +1,57 @@
+From fdd0468f6da2e8bd7ac1414a0150efc471fa1291 Mon Sep 17 00:00:00 2001
+From: qihao_yewu
+Date: Fri, 1 Aug 2025 01:49:10 -0400
+Subject: [PATCH] ssh: Do not switch session to non-blocking mode
+
+cheery-pick from 6d52a53e7bd886e7852a6be9694901a23752c88f
+
+The libssh does not handle non-blocking mode in SFTP correctly. The
+driver code already changes the mode to blocking for the SFTP
+initialization, but for some reason changes to non-blocking mode.
+This used to work accidentally until libssh in 0.11 branch merged
+the patch to avoid infinite looping in case of network errors:
+
+https://gitlab.com/libssh/libssh-mirror/-/merge_requests/498
+
+Since then, the ssh driver in qemu fails to read files over SFTP
+as the first SFTP messages exchanged after switching the session
+to non-blocking mode return SSH_AGAIN, but that message is lost
+int the SFTP internals and interpretted as SSH_ERROR, which is
+returned to the caller:
+
+https://gitlab.com/libssh/libssh-mirror/-/issues/280
+
+This is indeed an issue in libssh that we should address in the
+long term, but it will require more work on the internals. For
+now, the SFTP is not supported in non-blocking mode.
+
+Fixes: https://gitlab.com/libssh/libssh-mirror/-/issues/280
+Signed-off-by: Jakub Jelen
+Signed-off-by: Richard W.M. Jones
+Message-ID: <20241113125526.2495731-1-rjones@redhat.com>
+Reviewed-by: Kevin Wolf
+Signed-off-by: Kevin Wolf
+(cherry picked from commit fbdea3d6c13d5a75895c287a004c6f1a6bf6c164)
+Signed-off-by: Michael Tokarev
+Signed-off-by: qihao_yewu
+---
+ block/ssh.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/block/ssh.c b/block/ssh.c
+index 2748253d4a..b2da9bb4c8 100644
+--- a/block/ssh.c
++++ b/block/ssh.c
+@@ -860,9 +860,6 @@ static int ssh_file_open(BlockDriverState *bs, QDict *options, int bdrv_flags,
+ goto err;
+ }
+ 
+- /* Go non-blocking. */
+- ssh_set_blocking(s->session, 0);
+-
+ if (s->attrs->type == SSH_FILEXFER_TYPE_REGULAR) {
+ bs->supported_truncate_flags = BDRV_REQ_ZERO_WRITE;
+ }
+--
+2.33.0
+
diff --git a/target-ppc-Fix-mtDPDES-targeting-SMT-siblings.patch b/target-ppc-Fix-mtDPDES-targeting-SMT-siblings.patch
new file mode 100644
index 0000000000000000000000000000000000000000..abea3d4ec4b70b2040c1716884ac99404d895e0b
--- /dev/null
+++ b/target-ppc-Fix-mtDPDES-targeting-SMT-siblings.patch
@@ -0,0 +1,42 @@
+From db48224bbd2364f557ad0b29adc52d7195f14411 Mon Sep 17 00:00:00 2001
+From: qihao_yewu
+Date: Fri, 1 Aug 2025 02:17:53 -0400
+Subject: [PATCH] target/ppc: Fix mtDPDES targeting SMT siblings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cheery-pick from a0f6b02792a3332c6d108f6eef002b97e30e4ab5
+
+A typo in the loop over SMT threads to set irq level for doorbells
+when storing to DPDES meant everything was aimed at the CPU executing
+the instruction.
+
+Cc: qemu-stable@nongnu.org
+Fixes: d24e80b2ae ("target/ppc: Add msgsnd/p and DPDES SMT support")
+Reviewed-by: Philippe Mathieu-Daudé
+Reviewed-by: Richard Henderson
+Signed-off-by: Nicholas Piggin
+(cherry picked from commit 0324d236d2918c18a9ad4a1081b1083965a1433b)
+Signed-off-by: Michael Tokarev
+Signed-off-by: qihao_yewu
+---
+ target/ppc/misc_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/ppc/misc_helper.c b/target/ppc/misc_helper.c
+index a05bdf78c9..a8d0501996 100644
+--- a/target/ppc/misc_helper.c
++++ b/target/ppc/misc_helper.c
+@@ -283,7 +283,7 @@ void helper_store_dpdes(CPUPPCState *env, target_ulong val)
+ PowerPCCPU *ccpu = POWERPC_CPU(ccs);
+ uint32_t thread_id = ppc_cpu_tir(ccpu);
+ 
+- ppc_set_irq(cpu, PPC_INTERRUPT_DOORBELL, val & (0x1 << thread_id));
++ ppc_set_irq(ccpu, PPC_INTERRUPT_DOORBELL, val & (0x1 << thread_id));
+ }
+ qemu_mutex_unlock_iothread();
+ }
+--
+2.33.0
+
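Review bot: On the corrected line `ppc_set_irq(ccpu, PPC_INTERRUPT_DOORBELL, val & (0x1 << thread_id));` the mask `0x1 << thread_id` is an `int` shift, so it is undefined behaviour once `thread_id` reaches 31 and can never select a bit above 31 of the 64-bit `val`. The range of `ppc_cpu_tir()` is not visible here; if it is bounded by the SMT width the problem is only latent, but `val & (1ULL << thread_id)` costs nothing and matches the width of `val`. helper_store_dpdes starts before the hunk, so the loop bound is not visible either.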
diff --git a/target-ppc-Fix-non-maskable-interrupt-while-halted.patch b/target-ppc-Fix-non-maskable-interrupt-while-halted.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d9ee57d63e88044473ec8f307ebbde8fa15d3bcc
--- /dev/null
+++ b/target-ppc-Fix-non-maskable-interrupt-while-halted.patch
@@ -0,0 +1,61 @@
+From fb3b1e10d05d62879e51d2221c199eb7b138eaa1 Mon Sep 17 00:00:00 2001
+From: qihao_yewu
+Date: Fri, 1 Aug 2025 02:25:13 -0400
+Subject: [PATCH] target/ppc: Fix non-maskable interrupt while halted
+
+cheery-pick from dec1eee77fc548049c8cb443a1f8176fa0c2d3c4
+
+The ppc (pnv and spapr) NMI injection code does not go through the
+asynchronous interrupt path and set a bit in env->pending_interrupts
+and raise an interrupt request that the cpu_exec() loop can see.
+Instead it injects the exception directly into registers.
+
+This can lead to cpu_exec() missing that the thread has work to do,
+if a NMI is injected while it was idle.
+
+Fix this by clearing halted when injecting the interrupt. Probably
+NMI injection should be reworked to use the interrupt request interface,
+but this seems to work as a minimal fix.
+
+Fixes: 3431648272d3 ("spapr: Add support for new NMI interface")
+Reviewed-by: Glenn Miles
+Signed-off-by: Nicholas Piggin
+(cherry picked from commit fa416ae6157a933ad3f7106090684759baaaf3c9)
+Signed-off-by: Michael Tokarev
+Signed-off-by: qihao_yewu
+---
+ target/ppc/excp_helper.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/target/ppc/excp_helper.c b/target/ppc/excp_helper.c
+index a42743a3e0..6a822b5952 100644
+--- a/target/ppc/excp_helper.c
++++ b/target/ppc/excp_helper.c
+@@ -2558,10 +2558,16 @@ static void ppc_deliver_interrupt(CPUPPCState *env, int interrupt)
+ }
+ }
+ 
++/*
++ * system reset is not delivered via normal irq method, so have to set
++ * halted = 0 to resume CPU running if it was halted. Possibly we should
++ * move it over to using PPC_INTERRUPT_RESET rather than async_run_on_cpu.
++ */
+ void ppc_cpu_do_system_reset(CPUState *cs)
+ {
+ PowerPCCPU *cpu = POWERPC_CPU(cs);
+ 
++ cs->halted = 0;
+ powerpc_excp(cpu, POWERPC_EXCP_RESET);
+ }
+ 
+@@ -2583,6 +2589,7 @@ void ppc_cpu_do_fwnmi_machine_check(CPUState *cs, target_ulong vector)
+ 
+ /* Anything for nested required here? MSR[HV] bit? */
+ 
++ cs->halted = 0;
+ powerpc_set_excp_state(cpu, vector, msr);
+ }
+ 
+--
+2.33.0
+
diff --git a/vdpa-Allow-vDPA-to-work-on-big-endian-machine.patch b/vdpa-Allow-vDPA-to-work-on-big-endian-machine.patch
new file mode 100644
index 0000000000000000000000000000000000000000..495a317061d5c3c6b05f2773555a502aebb80b34
--- /dev/null
+++ b/vdpa-Allow-vDPA-to-work-on-big-endian-machine.patch
@@ -0,0 +1,57 @@
+From e9252f173b62ce2dac563249a200c3eabc028710 Mon Sep 17 00:00:00 2001
+From: gubin
+Date: Wed, 3 Sep 2025 17:08:37 +0800
+Subject: [PATCH] vdpa: Allow vDPA to work on big-endian machine
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry-pick from b027f55a994af885a7a498a40373a2dcc2d8b15e
+
+Add .set_vnet_le() function that always returns success, assuming that
+vDPA h/w always implements LE data format. Otherwise, QEMU disables vDPA and
+outputs the message:
+"backend does not support LE vnet headers; falling back on userspace virtio"
+
+Reviewed-by: Michael S. Tsirkin
+Acked-by: Eugenio Pérez
+Signed-off-by: Konstantin Shkolnyy
+Signed-off-by: gubin
+---
+ net/vhost-vdpa.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
+index d0614d7954..68cabe2d40 100644
+--- a/net/vhost-vdpa.c
++++ b/net/vhost-vdpa.c
+@@ -266,6 +266,18 @@ static bool vhost_vdpa_has_ufo(NetClientState *nc)
+ 
+ }
+ 
++/*
++ * FIXME: vhost_vdpa doesn't have an API to "set h/w endianness". But it's
++ * reasonable to assume that h/w is LE by default, because LE is what
++ * virtio 1.0 and later ask for. So, this function just says "yes, the h/w is
++ * LE". Otherwise, on a BE machine, higher-level code would mistakely think
++ * the h/w is BE and can't support VDPA for a virtio 1.0 client.
++ */
++static int vhost_vdpa_set_vnet_le(NetClientState *nc, bool enable)
++{
++ return 0;
++}
++
+ static bool vhost_vdpa_check_peer_type(NetClientState *nc, ObjectClass *oc,
+ Error **errp)
+ {
+@@ -429,6 +441,7 @@ static NetClientInfo net_vhost_vdpa_info = {
+ .cleanup = vhost_vdpa_cleanup,
+ .has_vnet_hdr = vhost_vdpa_has_vnet_hdr,
+ .has_ufo = vhost_vdpa_has_ufo,
++ .set_vnet_le = vhost_vdpa_set_vnet_le,
+ .check_peer_type = vhost_vdpa_check_peer_type,
+ .set_steering_ebpf = vhost_vdpa_set_steering_ebpf,
+ };
+--
+2.33.0
+
diff --git a/vfio-container-Replace-basename-with-g_path_get_base.patch b/vfio-container-Replace-basename-with-g_path_get_base.patch
new file mode 100644
index 0000000000000000000000000000000000000000..905aacb00d3dca20b85ae47916c40ddba502b677
--- /dev/null
+++ b/vfio-container-Replace-basename-with-g_path_get_base.patch
@@ -0,0 +1,52 @@
+From bdfe852421d4b4e5da3e04931967223726fea9e2 Mon Sep 17 00:00:00 2001
+From: gubin
+Date: Wed, 3 Sep 2025 17:15:11 +0800
+Subject: [PATCH] vfio/container: Replace basename with g_path_get_basename
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry-pick from 213ae3ffda463c0503e39e0cf827511b5298c314
+
+g_path_get_basename() is a portable utility function that has the
+advantage of not modifing the string argument. It also fixes a compile
+breakage with the Musl C library reported in [1].
+
+[1] https://lore.kernel.org/all/20231212010228.2701544-1-raj.khem@gmail.com/
+
+Reported-by: Khem Raj
+Reviewed-by: Eric Auger
+Reviewed-by: Zhao Liu
+Reviewed-by: Zhenzhong Duan
+Signed-off-by: Cédric Le Goater
+Signed-off-by: gubin
+---
+ hw/vfio/container.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/vfio/container.c b/hw/vfio/container.c
+index 539cf34b20..95b8cff33b 100644
+--- a/hw/vfio/container.c
++++ b/hw/vfio/container.c
+@@ -987,7 +987,8 @@ static void vfio_put_base_device(VFIODevice *vbasedev)
+ 
+ static int vfio_device_groupid(VFIODevice *vbasedev, Error **errp)
+ {
+- char *tmp, group_path[PATH_MAX], *group_name;
++ char *tmp, group_path[PATH_MAX];
++ g_autofree char *group_name = NULL;
+ int ret, groupid;
+ ssize_t len;
+ 
+@@ -1003,7 +1004,7 @@ static int vfio_device_groupid(VFIODevice *vbasedev, Error **errp)
+ 
+ group_path[len] = 0;
+ 
+- group_name = basename(group_path);
++ group_name = g_path_get_basename(group_path);
+ if (sscanf(group_name, "%d", &groupid) != 1) {
+ error_setg_errno(errp, errno, "failed to read %s", group_path);
+ return -errno;
+--
+2.33.0
+
diff --git a/vfio-migration-Report-only-stop-copy-size-in-vfio_st.patch b/vfio-migration-Report-only-stop-copy-size-in-vfio_st.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9a35846fe587a2f8ca143b991518ff720d322b89
--- /dev/null
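Review bot: In the second hunk the failure path right after the new `g_path_get_basename()` call is still `error_setg_errno(errp, errno, ...); return -errno;`, but `sscanf` does not set `errno` on a non-matching input, so a group path whose basename is not a number reports a stale error code and, when `errno` happens to be 0, returns 0 and lets the caller continue with the uninitialised `groupid` declared in the first hunk. Replace the pair with `error_setg(errp, "failed to parse group id from %s", group_path); return -EINVAL;`, or parse with `qemu_strtoi()`, which reports its own error. vfio_device_groupid continues beyond both hunks.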
+++ b/vfio-migration-Report-only-stop-copy-size-in-vfio_st.patch
@@ -0,0 +1,52 @@
+From ccb05dc51a8265b86b76a35cb291ee4990cf5019 Mon Sep 17 00:00:00 2001
+From: gubin
+Date: Wed, 3 Sep 2025 17:39:11 +0800
+Subject: [PATCH] vfio/migration: Report only stop-copy size in
+ vfio_state_pending_exact()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry-pick from 3b5948f808e3b99aedfa0aff45cffbe8b7ec07ed
+
+vfio_state_pending_exact() is used to update migration core how much
+device data is left for the device migration. Currently, the sum of
+pre-copy and stop-copy sizes of the VFIO device are reported.
+
+The pre-copy size is obtained via the VFIO_MIG_GET_PRECOPY_INFO ioctl,
+which returns the amount of device data available to be transferred
+while the device is in the PRE_COPY states.
+
+The stop-copy size is obtained via the VFIO_DEVICE_FEATURE_MIG_DATA_SIZE
+ioctl, which returns the total amount of device data left to be
+transferred in order to complete the device migration.
+
+According to the above, current implementation is wrong -- it reports
+extra overlapping data because pre-copy size is already contained in
+stop-copy size. Fix it by reporting only stop-copy size.
+
+Fixes: eda7362af959 ("vfio/migration: Add VFIO migration pre-copy support")
+Signed-off-by: Avihai Horon
+Reviewed-by: Cédric Le Goater
+Signed-off-by: gubin
+---
+ hw/vfio/migration.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/hw/vfio/migration.c b/hw/vfio/migration.c
+index 3924beb289..b81cb7e23b 100644
+--- a/hw/vfio/migration.c
++++ b/hw/vfio/migration.c
+@@ -480,9 +480,6 @@ static void vfio_state_pending_exact(void *opaque, uint64_t *must_precopy,
+ 
+ if (vfio_device_state_is_precopy(vbasedev)) {
+ vfio_query_precopy_size(migration);
+-
+- *must_precopy +=
+- migration->precopy_init_size + migration->precopy_dirty_size;
+ }
+ 
+ trace_vfio_state_pending_exact(vbasedev->name, *must_precopy, *can_postcopy,
+--
+2.33.0
+
diff --git a/vfio-pci-Clear-MSI-X-IRQ-index-always.patch b/vfio-pci-Clear-MSI-X-IRQ-index-always.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3b38556eb222be62bbb165b55ffae8b0d81a728c
--- /dev/null
+++ b/vfio-pci-Clear-MSI-X-IRQ-index-always.patch
@@ -0,0 +1,55 @@
+From 0e819d1b6e8391922dfa8bd66add74dd8f73f564 Mon Sep 17 00:00:00 2001
+From: gubin
+Date: Wed, 3 Sep 2025 17:51:38 +0800
+Subject: [PATCH] vfio/pci: Clear MSI-X IRQ index always
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry-pick from d2b668fca5652760b435ce812a743bba03d2f316
+
+When doing device assignment of a physical device, MSI-X can be
+enabled with no vectors enabled and this sets the IRQ index to
+VFIO_PCI_MSIX_IRQ_INDEX. However, when MSI-X is disabled, the IRQ
+index is left untouched if no vectors are in use. Then, when INTx
+is enabled, the IRQ index value is considered incompatible (set to
+MSI-X) and VFIO_DEVICE_SET_IRQS fails. QEMU complains with :
+
+qemu-system-x86_64: vfio 0000:08:00.0: Failed to set up TRIGGER eventfd signaling for interrupt INTX-0: VFIO_DEVICE_SET_IRQS failure: Invalid argument
+
+To avoid that, unconditionaly clear the IRQ index when MSI-X is
+disabled.
+
+Buglink: https://issues.redhat.com/browse/RHEL-21293
+Fixes: 5ebffa4e87e7 ("vfio/pci: use an invalid fd to enable MSI-X")
+Cc: Jing Liu
+Cc: Alex Williamson
+Reviewed-by: Alex Williamson
+Signed-off-by: Cédric Le Goater
+Signed-off-by: gubin
+---
+ hw/vfio/pci.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
+index ce958848b6..7322c8be63 100644
+--- a/hw/vfio/pci.c
++++ b/hw/vfio/pci.c
+@@ -828,9 +828,11 @@ static void vfio_msix_disable(VFIOPCIDevice *vdev)
+ }
+ }
+ 
+- if (vdev->nr_vectors) {
+- vfio_disable_irqindex(&vdev->vbasedev, VFIO_PCI_MSIX_IRQ_INDEX);
+- }
++ /*
++ * Always clear MSI-X IRQ index. A PF device could have enabled
++ * MSI-X with no vectors. See vfio_msix_enable().
++ */
++ vfio_disable_irqindex(&vdev->vbasedev, VFIO_PCI_MSIX_IRQ_INDEX);
+ 
+ vfio_msi_disable_common(vdev);
+ vfio_intx_enable(vdev, &err);
+--
+2.33.0
+