Most importantly, this includes the migration fixes "target/i386: add compatibility property for arch_capabilities" and "target/i386: add compatibility property for pdcm feature". For more information see: https://lore.kernel.org/all/CAATJJ0+Qq3ksRmNRDrGQLVHQ=xnsnfhxcnxuhjjfnfgwukk...@mail.gmail.com/
Signed-off-by: Fiona Ebner <[email protected]> --- ...Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch | 96 +++++++++++++++ ...ish-renaming-atomic128-cas.h-headers.patch | 25 ++++ ...l-fix-curl-internal-handles-handling.patch | 60 ++++++++++ ...g-svm-fix-incorrect-canonicalization.patch | 38 ++++++ ...07-hw-vfio-user-add-x-pci-class-code.patch | 35 ++++++ .../extra/0008-tcg-arm-Fix-tgen_deposit.patch | 37 ++++++ ...rash-from-legacy-interrupt-firing-af.patch | 58 ++++++++++ ...quirks-when-IGD-is-not-the-primary-d.patch | 79 +++++++++++++ ...able-SMM-cpu-address-space-under-KVM.patch | 106 +++++++++++++++++ ...compatibility-property-for-arch_capa.patch | 109 ++++++++++++++++++ ...compatibility-property-for-pdcm-feat.patch | 96 +++++++++++++++ ...he-CPU-model-to-kvm64-32-instead-of-.patch | 4 +- debian/patches/series | 11 ++ 13 files changed, 752 insertions(+), 2 deletions(-) create mode 100644 debian/patches/extra/0003-target-arm-Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch create mode 100644 debian/patches/extra/0004-qemu-atomic-Finish-renaming-atomic128-cas.h-headers.patch create mode 100644 debian/patches/extra/0005-block-curl-fix-curl-internal-handles-handling.patch create mode 100644 debian/patches/extra/0006-i386-tcg-svm-fix-incorrect-canonicalization.patch create mode 100644 debian/patches/extra/0007-hw-vfio-user-add-x-pci-class-code.patch create mode 100644 debian/patches/extra/0008-tcg-arm-Fix-tgen_deposit.patch create mode 100644 debian/patches/extra/0009-e1000e-Prevent-crash-from-legacy-interrupt-firing-af.patch create mode 100644 debian/patches/extra/0010-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch create mode 100644 debian/patches/extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch create mode 100644 debian/patches/extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch create mode 100644 debian/patches/extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch 
diff --git a/debian/patches/extra/0003-target-arm-Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch b/debian/patches/extra/0003-target-arm-Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch
new file mode 100644
index 0000000..6c966fe
--- /dev/null
+++ b/debian/patches/extra/0003-target-arm-Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch
@@ -0,0 +1,96 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Smail AIDER <[email protected]>
+Date: Tue, 26 Aug 2025 11:21:28 +0100
+Subject: [PATCH] target/arm: Trap PMCR when MDCR_EL2.TPMCR is set
+
+Trap PMCR_EL0 or PMCR accesses to EL2 when MDCR_EL2.TPMCR is set.
+Similar to MDCR_EL2.TPM, MDCR_EL2.TPMCR allows trapping EL0 and EL1
+accesses to the PMCR register to EL2.
+
+Cc: [email protected]
+Signed-off-by: Smail AIDER <[email protected]>
+Reviewed-by: Richard Henderson <[email protected]>
+Message-id: [email protected]
+Message-Id: <[email protected]>
+Signed-off-by: Peter Maydell <[email protected]>
+(cherry picked from commit 186db6a73bc5c01026bb9f4f4a59e442c0156841)
+Signed-off-by: Fiona Ebner <[email protected]>
+---
+ target/arm/cpregs-pmu.c | 34 ++++++++++++++++++++++++++--------
+ 1 file changed, 26 insertions(+), 8 deletions(-)
+
+diff --git a/target/arm/cpregs-pmu.c b/target/arm/cpregs-pmu.c
+index 9c4431c18b..31c01eddc8 100644
+--- a/target/arm/cpregs-pmu.c
++++ b/target/arm/cpregs-pmu.c
+@@ -228,22 +228,27 @@ static bool event_supported(uint16_t number)
+ return supported_event_map[number] != UNSUPPORTED_EVENT;
+ }
+ 
+-static CPAccessResult pmreg_access(CPUARMState *env, const ARMCPRegInfo *ri,
+- bool isread)
++static CPAccessResult do_pmreg_access(CPUARMState *env, bool is_pmcr)
+ {
+ /*
+ * Performance monitor registers user accessibility is controlled
+- * by PMUSERENR. MDCR_EL2.TPM and MDCR_EL3.TPM allow configurable
++ * by PMUSERENR. MDCR_EL2.TPM/TPMCR and MDCR_EL3.TPM allow configurable
+ * trapping to EL2 or EL3 for other accesses.
+ */
+ int el = arm_current_el(env);
+- uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);
+ 
+ if (el == 0 && !(env->cp15.c9_pmuserenr & 1)) {
+ return CP_ACCESS_TRAP_EL1;
+ }
+- if (el < 2 && (mdcr_el2 & MDCR_TPM)) {
+- return CP_ACCESS_TRAP_EL2;
++ if (el < 2) {
++ uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);
++
++ if (mdcr_el2 & MDCR_TPM) {
++ return CP_ACCESS_TRAP_EL2;
++ }
++ if (is_pmcr && (mdcr_el2 & MDCR_TPMCR)) {
++ return CP_ACCESS_TRAP_EL2;
++ }
+ }
+ if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TPM)) {
+ return CP_ACCESS_TRAP_EL3;
+@@ -252,6 +257,19 @@ static CPAccessResult pmreg_access(CPUARMState *env, const ARMCPRegInfo *ri,
+ return CP_ACCESS_OK;
+ }
+ 
++static CPAccessResult pmreg_access(CPUARMState *env, const ARMCPRegInfo *ri,
++ bool isread)
++{
++ return do_pmreg_access(env, false);
++}
++
++static CPAccessResult pmreg_access_pmcr(CPUARMState *env,
++ const ARMCPRegInfo *ri,
++ bool isread)
++{
++ return do_pmreg_access(env, true);
++}
++
+ static CPAccessResult pmreg_access_xevcntr(CPUARMState *env,
+ const ARMCPRegInfo *ri,
+ bool isread)
+@@ -1187,14 +1205,14 @@ void define_pm_cpregs(ARMCPU *cpu)
+ .fgt = FGT_PMCR_EL0,
+ .type = ARM_CP_IO | ARM_CP_ALIAS,
+ .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcr),
+- .accessfn = pmreg_access,
++ .accessfn = pmreg_access_pmcr,
+ .readfn = pmcr_read, .raw_readfn = raw_read,
+ .writefn = pmcr_write, .raw_writefn = raw_write,
+ };
+ const ARMCPRegInfo pmcr64 = {
+ .name = "PMCR_EL0", .state = ARM_CP_STATE_AA64,
+ .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 0,
+- .access = PL0_RW, .accessfn = pmreg_access,
++ .access = PL0_RW, .accessfn = pmreg_access_pmcr,
+ .fgt = FGT_PMCR_EL0,
+ .type = ARM_CP_IO,
+ .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcr),
diff --git a/debian/patches/extra/0004-qemu-atomic-Finish-renaming-atomic128-cas.h-headers.patch b/debian/patches/extra/0004-qemu-atomic-Finish-renaming-atomic128-cas.h-headers.patch
new file mode 100644
index 0000000..4ff333b
--- /dev/null
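Review bot: The `is_pmcr` flag that tells do_pmreg_access's two wrappers apart is undocumented, and the header comment only grew a "/TPMCR", so a reader has to walk back to the two define_pm_cpregs sites to learn that TPMCR is meant to cover exactly PMCR and PMCR_EL0 and nothing else. I would add above do_pmreg_access: `/* is_pmcr: access is to PMCR/PMCR_EL0, the only registers MDCR_EL2.TPMCR traps; MDCR_EL3 has no TPMCR equivalent, so the EL3 branch keys on TPM alone */`. The patch also relies on `MDCR_TPMCR` already being defined in the target headers, since it does not add it; presumably it is, but a build check on the 10.x tree this is applied to is worthwhile. Moving the `arm_mdcr_el2_eff()` read under `el < 2` is behaviour-preserving, as the old value was only consulted under that condition. define_pm_cpregs starts before and ends after the hunk.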
+++ b/debian/patches/extra/0004-qemu-atomic-Finish-renaming-atomic128-cas.h-headers.patch
@@ -0,0 +1,25 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <[email protected]>
+Date: Fri, 15 Aug 2025 22:26:47 +1000
+Subject: [PATCH] qemu/atomic: Finish renaming atomic128-cas.h headers
+
+The aarch64 header was not renamed with the others, meaning it
+was skipped in favor of the generic version.
+
+Cc: [email protected]
+Fixes: 15606965400b ("qemu/atomic: Rename atomic128-cas.h headers using .h.inc suffix")
+Signed-off-by: Richard Henderson <[email protected]>
+Reviewed-by: Peter Maydell <[email protected]>
+Message-id: [email protected]
+Signed-off-by: Peter Maydell <[email protected]>
+(cherry picked from commit 1748c0d59228c7790940d8be381df1c3108022b1)
+Signed-off-by: Fiona Ebner <[email protected]>
+---
+ .../include/aarch64/host/{atomic128-cas.h => atomic128-cas.h.inc} | 0
+ 1 file changed, 0 insertions(+), 0 deletions(-)
+ rename host/include/aarch64/host/{atomic128-cas.h => atomic128-cas.h.inc} (100%)
+
+diff --git a/host/include/aarch64/host/atomic128-cas.h b/host/include/aarch64/host/atomic128-cas.h.inc
+similarity index 100%
+rename from host/include/aarch64/host/atomic128-cas.h
+rename to host/include/aarch64/host/atomic128-cas.h.inc
diff --git a/debian/patches/extra/0005-block-curl-fix-curl-internal-handles-handling.patch b/debian/patches/extra/0005-block-curl-fix-curl-internal-handles-handling.patch
new file mode 100644
index 0000000..4939ce5
--- /dev/null
+++ b/debian/patches/extra/0005-block-curl-fix-curl-internal-handles-handling.patch
@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Michael Tokarev <[email protected]>
+Date: Sun, 24 Aug 2025 03:05:32 +0300
+Subject: [PATCH] block/curl: fix curl internal handles handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+block/curl.c uses CURLMOPT_SOCKETFUNCTION to register a socket callback.
+According to the documentation, this callback is called not just with
+application-created sockets but also with internal curl sockets, - and
+for such sockets, user data pointer is not set by the application, so
+the result qemu crashing.
+
+Pass BDRVCURLState directly to the callback function as user pointer,
+instead of relying on CURLINFO_PRIVATE.
+
+This problem started happening with update of libcurl from 8.9 to 8.10 --
+apparently with this change curl started using private handles more.
+
+(CURLINFO_PRIVATE is used in one more place, in curl_multi_check_completion() -
+it might need a similar fix too)
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3081
+Cc: [email protected]
+Reviewed-by: Daniel P. Berrangé <[email protected]>
+Signed-off-by: Michael Tokarev <[email protected]>
+(cherry picked from commit 606978500c3d18fb89a49844f253097b17f757de)
+Signed-off-by: Fiona Ebner <[email protected]>
+---
+ block/curl.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/block/curl.c b/block/curl.c
+index 5467678024..00b949ea45 100644
+--- a/block/curl.c
++++ b/block/curl.c
+@@ -162,13 +162,9 @@ static int curl_timer_cb(CURLM *multi, long timeout_ms, void *opaque)
+ static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action,
+ void *userp, void *sp)
+ {
+- BDRVCURLState *s;
+- CURLState *state = NULL;
++ BDRVCURLState *s = userp;
+ CURLSocket *socket;
+ 
+- curl_easy_getinfo(curl, CURLINFO_PRIVATE, (char **)&state);
+- s = state->s;
+-
+ socket = g_hash_table_lookup(s->sockets, GINT_TO_POINTER(fd));
+ if (!socket) {
+ socket = g_new0(CURLSocket, 1);
+@@ -605,6 +601,7 @@ static void curl_attach_aio_context(BlockDriverState *bs,
+ assert(!s->multi);
+ s->multi = curl_multi_init();
+ s->aio_context = new_context;
++ curl_multi_setopt(s->multi, CURLMOPT_SOCKETDATA, s);
+ curl_multi_setopt(s->multi, CURLMOPT_SOCKETFUNCTION, curl_sock_cb);
+ curl_multi_setopt(s->multi, CURLMOPT_TIMERDATA, s);
+ curl_multi_setopt(s->multi, CURLMOPT_TIMERFUNCTION, curl_timer_cb);
diff --git a/debian/patches/extra/0006-i386-tcg-svm-fix-incorrect-canonicalization.patch b/debian/patches/extra/0006-i386-tcg-svm-fix-incorrect-canonicalization.patch
new file mode 100644
index 0000000..c964a14
--- /dev/null
+++ b/debian/patches/extra/0006-i386-tcg-svm-fix-incorrect-canonicalization.patch
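Review bot: The commit message itself notes that curl_multi_check_completion() still recovers the CURLState through CURLINFO_PRIVATE, so the same NULL dereference on a curl-internal easy handle (the ones libcurl 8.10 now surfaces) remains reachable there; this patch only hardens curl_sock_cb(). I would guard that site with `if (!state) { continue; }` immediately after its `curl_easy_getinfo(..., CURLINFO_PRIVATE, ...)` call; that function is outside the hunk, so the exact loop shape needs checking before applying. The new ordering in curl_attach_aio_context is correct: CURLMOPT_SOCKETDATA is set before CURLMOPT_SOCKETFUNCTION, so the callback can never run with `userp` still unset. curl_sock_cb continues past the end of the first hunk.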
@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zero Tang <[email protected]>
+Date: Mon, 18 Aug 2025 12:16:47 +0200
+Subject: [PATCH] i386/tcg/svm: fix incorrect canonicalization
+
+For all 32-bit systems and 64-bit Windows systems, "long" is 4 bytes long.
+Due to using "long" for a linear address, svm_canonicalization would
+set all high bits to 1 when (assuming 48-bit linear address) the segment
+base is bigger than 0x7FFF.
+
+This fixes booting guests under TCG when the guest IDT and GDT bases are
+above 0x7FFF, thereby resulting in incorrect bases. When an interrupt
+arrives, it would trigger a #PF exception; the #PF would trigger again,
+resulting in a #DF exception; the #PF would trigger for the third time,
+resulting in triple-fault, and eventually causes a shutdown VM-Exit to
+the hypervisor right after guest boot.
+
+Cc: [email protected]
+Signed-off-by: Zero Tang <[email protected]>
+(cherry picked from commit c12cbaa007c9da97a11e74119ea3aed9fcc3ac4c)
+Signed-off-by: Fiona Ebner <[email protected]>
+---
+ target/i386/tcg/system/svm_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/tcg/system/svm_helper.c b/target/i386/tcg/system/svm_helper.c
+index b27049b9ed..dea039b87a 100644
+--- a/target/i386/tcg/system/svm_helper.c
++++ b/target/i386/tcg/system/svm_helper.c
+@@ -49,7 +49,7 @@ static void svm_save_seg(CPUX86State *env, int mmu_idx, hwaddr addr,
+ static inline void svm_canonicalization(CPUX86State *env, target_ulong *seg_base)
+ {
+ uint16_t shift_amt = 64 - cpu_x86_virtual_addr_width(env);
+- *seg_base = ((((long) *seg_base) << shift_amt) >> shift_amt);
++ *seg_base = (((int64_t) *seg_base) << shift_amt) >> shift_amt;
+ }
+ 
+ static void svm_load_seg(CPUX86State *env, int mmu_idx, hwaddr addr,
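Review bot: The replacement `((int64_t) *seg_base) << shift_amt` left-shifts a signed value, and whenever bit (width-1) of the base is set the shift overflows int64_t, which is undefined behaviour in C (the subsequent right shift of a negative value is itself only implementation-defined); the fix swaps a portability bug on LLP64 targets for UB that an optimiser is entitled to exploit. QEMU has a helper for exactly this sign-extension, which shifts as unsigned and casts afterwards: `*seg_base = sextract64(*seg_base, 0, cpu_x86_virtual_addr_width(env));` (from qemu/bitops.h, to be included if it is not already reachable from this file); it also drops the `shift_amt` temporary. svm_canonicalization is entirely within the hunk.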
diff --git a/debian/patches/extra/0007-hw-vfio-user-add-x-pci-class-code.patch b/debian/patches/extra/0007-hw-vfio-user-add-x-pci-class-code.patch
new file mode 100644
index 0000000..dfa93a5
--- /dev/null
+++ b/debian/patches/extra/0007-hw-vfio-user-add-x-pci-class-code.patch
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: John Levon <[email protected]>
+Date: Wed, 27 Aug 2025 20:08:10 +0100
+Subject: [PATCH] hw/vfio-user: add x-pci-class-code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This new option was not added to vfio_user_pci_dev_properties, which
+caused an incorrect class code for vfio-user devices.
+
+Fixes: a59d06305fff ("vfio/pci: Introduce x-pci-class-code option")
+Signed-off-by: John Levon <[email protected]>
+Reviewed-by: Cédric Le Goater <[email protected]>
+Link: https://lore.kernel.org/qemu-devel/[email protected]
+Signed-off-by: Cédric Le Goater <[email protected]>
+(cherry picked from commit 1b50621881241ac5bc75ae7f8aa4c278ada8a668)
+Signed-off-by: Fiona Ebner <[email protected]>
+---
+ hw/vfio-user/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/vfio-user/pci.c b/hw/vfio-user/pci.c
+index be71c77729..dfaa89498d 100644
+--- a/hw/vfio-user/pci.c
++++ b/hw/vfio-user/pci.c
+@@ -406,6 +406,8 @@ static const Property vfio_user_pci_dev_properties[] = {
+ sub_vendor_id, PCI_ANY_ID),
+ DEFINE_PROP_UINT32("x-pci-sub-device-id", VFIOPCIDevice,
+ sub_device_id, PCI_ANY_ID),
++ DEFINE_PROP_UINT32("x-pci-class-code", VFIOPCIDevice,
++ class_code, PCI_ANY_ID),
+ DEFINE_PROP_BOOL("x-send-queued", VFIOUserPCIDevice, send_queued, false),
+ DEFINE_PROP_UINT32("x-msg-timeout", VFIOUserPCIDevice, wait_time, 5000),
+ DEFINE_PROP_BOOL("x-no-posted-writes", VFIOUserPCIDevice, no_post, false),
diff --git a/debian/patches/extra/0008-tcg-arm-Fix-tgen_deposit.patch b/debian/patches/extra/0008-tcg-arm-Fix-tgen_deposit.patch
new file mode 100644
index 0000000..ca01088
--- /dev/null
+++ b/debian/patches/extra/0008-tcg-arm-Fix-tgen_deposit.patch
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Richard Henderson <[email protected]>
+Date: Fri, 29 Aug 2025 13:49:06 +0000
+Subject: [PATCH] tcg/arm: Fix tgen_deposit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When converting from tcg_out_deposit, the arguments were not
+shuffled properly.
+
+Cc: [email protected]
+Fixes: cf4905c03135f1181e8 ("tcg: Convert deposit to TCGOutOpDeposit")
+Reported-by: Michael Tokarev <[email protected]>
+Tested-by: Michael Tokarev <[email protected]>
+Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
+Signed-off-by: Richard Henderson <[email protected]>
+(cherry picked from commit 27ea28a0b369b4b14a485a5d6f045e0dc1db4e38)
+Signed-off-by: Fiona Ebner <[email protected]>
+---
+ tcg/arm/tcg-target.c.inc | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tcg/arm/tcg-target.c.inc b/tcg/arm/tcg-target.c.inc
+index 836894b16a..338c57b061 100644
+--- a/tcg/arm/tcg-target.c.inc
++++ b/tcg/arm/tcg-target.c.inc
+@@ -975,7 +975,8 @@ static void tgen_deposit(TCGContext *s, TCGType type, TCGReg a0, TCGReg a1,
+ TCGReg a2, unsigned ofs, unsigned len)
+ {
+ /* bfi/bfc */
+- tcg_out32(s, 0x07c00010 | (COND_AL << 28) | (a0 << 12) | a1
++ tcg_debug_assert(a0 == a1);
++ tcg_out32(s, 0x07c00010 | (COND_AL << 28) | (a0 << 12) | a2
+ | (ofs << 7) | ((ofs + len - 1) << 16));
+ }
+ 
diff --git a/debian/patches/extra/0009-e1000e-Prevent-crash-from-legacy-interrupt-firing-af.patch b/debian/patches/extra/0009-e1000e-Prevent-crash-from-legacy-interrupt-firing-af.patch
new file mode 100644
index 0000000..3fac459
--- /dev/null
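Review bot: `tcg_debug_assert(a0 == a1)` compiles to nothing in release builds, so the real guarantee that bfi's destination register already holds the deposit base has to come from the register constraint for this op (the tie between output and first input in the arm TCGOutOpDeposit constraint set), which the hunk does not show; worth a glance that the constraint is present in the tree this is applied to. A one-line comment would make the encoding's requirement explicit where it is relied on: `/* bfi is destructive: a1 must already live in a0, which the op's constraint ties together */`. The previous code encoded `a1` in the Rn field where the inserted value belongs, so emitting `a2` there is the right correction. tgen_deposit is entirely within the hunk.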
+++ b/debian/patches/extra/0009-e1000e-Prevent-crash-from-legacy-interrupt-firing-af.patch 
@@ -0,0 +1,58 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <[email protected]>
+Date: Thu, 7 Aug 2025 13:08:06 +0200
+Subject: [PATCH] e1000e: Prevent crash from legacy interrupt firing after
+ MSI-X enable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A race condition between guest driver actions and QEMU timers can lead
+to an assertion failure when the guest switches the e1000e from legacy
+interrupt mode to MSI-X. If a legacy interrupt delay timer (TIDV or
+RDTR) is active, but the guest enables MSI-X before the timer fires,
+the pending interrupt cause can trigger an assert in
+e1000e_intmgr_collect_delayed_causes().
+
+This patch removes the assertion and executes the code that clears the
+pending legacy causes. This change is safe and introduces no unintended
+behavioral side effects, as it only alters a state that previously led
+to termination.
+
+- when core->delayed_causes == 0 the function was already a no-op and
+ remains so.
+
+- when core->delayed_causes != 0 the function would previously
+ crash due to the assertion failure. The patch now defines a safe
+ outcome by clearing the cause and returning. Since behavior after
+ the assertion never existed, this simply corrects the crash.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1863
+Suggested-by: Akihiko Odaki <[email protected]>
+Signed-off-by: Laurent Vivier <[email protected]>
+Acked-by: Jason Wang <[email protected]>
+Reviewed-by: Akihiko Odaki <[email protected]>
+Message-ID: <[email protected]>
+Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
+(cherry picked from commit 8e4649cac9bcddc050d2df07908075e9e69bccc7)
+Signed-off-by: Fiona Ebner <[email protected]>
+---
+ hw/net/e1000e_core.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
+index 2413858790..06657bb3ac 100644
+--- a/hw/net/e1000e_core.c
++++ b/hw/net/e1000e_core.c
+@@ -341,11 +341,6 @@ e1000e_intmgr_collect_delayed_causes(E1000ECore *core)
+ {
+ uint32_t res;
+ 
+- if (msix_enabled(core->owner)) {
+- assert(core->delayed_causes == 0);
+- return 0;
+- }
+-
+ res = core->delayed_causes;
+ core->delayed_causes = 0;
+ 
diff --git a/debian/patches/extra/0010-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch b/debian/patches/extra/0010-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch
new file mode 100644
index 0000000..98f5e9b
--- /dev/null
+++ b/debian/patches/extra/0010-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch
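Review bot: With the early return removed, a pending delayed cause is now handed back to the caller while MSI-X is enabled rather than dropped, which is not what the commit message describes ("clearing the cause and returning"): the hunk shows `res = core->delayed_causes;` followed by the clear, and the function's return, outside the hunk, presumably yields `res`. If the caller raises whatever it gets back, a stale TIDV/RDTR cause will be injected through the MSI-X path; if that is not the intent, the message's stated behaviour is `if (msix_enabled(core->owner)) { core->delayed_causes = 0; return 0; }` in place of the deleted block. Either outcome may be acceptable, but the description and the code should agree before this ships in a stable package. e1000e_intmgr_collect_delayed_causes continues past the end of the hunk.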
@@ -0,0 +1,79 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Tomita Moeko <[email protected]> +Date: Thu, 14 Aug 2025 00:05:10 +0800 +Subject: [PATCH] vfio/igd: Enable quirks when IGD is not the primary display +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Since linux 6.15, commit 41112160ca87 ("vfio/pci: match IGD devices in +display controller class"), IGD related regions are also exposed when +IGD is not primary display (device class is Display controller). + +Allow IGD quirks to be enabled in this configuration so that guests can +have display output on IGD when it is not the primary display. + +Signed-off-by: Tomita Moeko <[email protected]> +Reviewed-by: Alex Williamson <[email protected]> +Link: https://lore.kernel.org/qemu-devel/[email protected] +Signed-off-by: Cédric Le Goater <[email protected]> +(cherry picked from commit 432ca3dfa3d57a7bf1e427576fcfca4ab0079a50) +Signed-off-by: Fiona Ebner <[email protected]> +--- + hw/vfio/igd.c | 7 ++++--- + hw/vfio/pci.h | 5 +++++ + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/hw/vfio/igd.c b/hw/vfio/igd.c +index ee0767b0b8..f116c40ccd 100644 +--- a/hw/vfio/igd.c ++++ b/hw/vfio/igd.c +@@ -460,7 +460,7 @@ void vfio_probe_igd_bar0_quirk(VFIOPCIDevice *vdev, int nr) + int gen; + + if (!vfio_pci_is(vdev, PCI_VENDOR_ID_INTEL, PCI_ANY_ID) || +- !vfio_is_vga(vdev) || nr != 0) { ++ !vfio_is_base_display(vdev) || nr != 0) { + return; + } + +@@ -518,7 +518,7 @@ static bool vfio_pci_igd_config_quirk(VFIOPCIDevice *vdev, Error **errp) + Error *err = NULL; + + if (!vfio_pci_is(vdev, PCI_VENDOR_ID_INTEL, PCI_ANY_ID) || +- !vfio_is_vga(vdev)) { ++ !vfio_is_base_display(vdev)) { + return true; + } + +@@ -534,12 +534,13 @@ static bool vfio_pci_igd_config_quirk(VFIOPCIDevice *vdev, Error **errp) + /* + * For backward compatibility, enable legacy mode when + * - Device geneation is 6 to 9 (including both) +- * - IGD claims VGA 
cycles on host ++ * - IGD exposes itself as VGA controller and claims VGA cycles on host + * - Machine type is i440fx (pc_piix) + * - IGD device is at guest BDF 00:02.0 + * - Not manually disabled by x-igd-legacy-mode=off + */ + if ((vdev->igd_legacy_mode != ON_OFF_AUTO_OFF) && ++ vfio_is_vga(vdev) && + (gen >= 6 && gen <= 9) && + !(gmch & IGD_GMCH_VGA_DISABLE) && + !strcmp(MACHINE_GET_CLASS(qdev_get_machine())->family, "pc_piix") && +diff --git a/hw/vfio/pci.h b/hw/vfio/pci.h +index 810a842f4a..923cf9c2f7 100644 +--- a/hw/vfio/pci.h ++++ b/hw/vfio/pci.h +@@ -203,6 +203,11 @@ static inline bool vfio_is_vga(VFIOPCIDevice *vdev) + return (vdev->class_code >> 8) == PCI_CLASS_DISPLAY_VGA; + } + ++static inline bool vfio_is_base_display(VFIOPCIDevice *vdev) ++{ ++ return (vdev->class_code >> 16) == PCI_BASE_CLASS_DISPLAY; ++} ++ + /* MSI/MSI-X/INTx */ + void vfio_pci_vector_init(VFIOPCIDevice *vdev, int nr); + void vfio_pci_add_kvm_msi_virq(VFIOPCIDevice *vdev, VFIOMSIVector *vector, diff --git a/debian/patches/extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch b/debian/patches/extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch new file mode 100644 index 0000000..cb9b095 --- /dev/null +++ b/debian/patches/extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch 
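Review bot: `vfio_is_base_display()` accepts every display subclass (VGA, XGA, 3D and "other"), while the legacy-mode condition keeps `vfio_is_vga(vdev)` as a new term; if a user explicitly sets x-igd-legacy-mode=on on an IGD that enumerates as a non-VGA display controller, this condition now silently skips legacy setup unless the explicit-ON error path (outside the hunk) reports it. That is worth confirming, and the new helper deserves a line in pci.h saying what it is for: `/* Any PCI_BASE_CLASS_DISPLAY subclass; mirrors the host vfio-pci IGD region match since Linux 6.15 */`. The revised comment block above the condition does list "exposes itself as VGA controller" as a legacy-mode requirement, so the added term is consistent with the documented intent. vfio_pci_igd_config_quirk starts before and ends after the hunk.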
@@ -0,0 +1,106 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Xiaoyao Li <[email protected]> +Date: Wed, 30 Jul 2025 17:52:52 +0800 +Subject: [PATCH] i386/cpu: Enable SMM cpu address space under KVM + +Kirill Martynov reported assertation in cpu_asidx_from_attrs() being hit +when x86_cpu_dump_state() is called to dump the CPU state[*]. It happens +when the CPU is in SMM and KVM emulation failure due to misbehaving +guest. + +The root cause is that QEMU i386 never enables the SMM address space for +cpu since KVM SMM support has been added. + +Enable the SMM cpu address space under KVM when the SMM is enabled for +the x86machine. + +[*] https://lore.kernel.org/qemu-devel/[email protected]/ + +Reported-by: Kirill Martynov <[email protected]> +Reviewed-by: Zhao Liu <[email protected]> +Tested-by: Kirill Martynov <[email protected]> +Signed-off-by: Xiaoyao Li <[email protected]> +Link: https://lore.kernel.org/r/[email protected] +Signed-off-by: Paolo Bonzini <[email protected]> +(cherry picked from commit 0516f4b70264b9710a25718d21bd35ef463c875e) +Signed-off-by: Fiona Ebner <[email protected]> +--- + system/physmem.c | 5 ----- + target/i386/kvm/kvm-cpu.c | 10 ++++++++++ + target/i386/kvm/kvm.c | 5 +++++ + 3 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/system/physmem.c b/system/physmem.c +index e5dd760e0b..8705fadc01 100644 +--- a/system/physmem.c ++++ b/system/physmem.c +@@ -793,9 +793,6 @@ void cpu_address_space_init(CPUState *cpu, int asidx, + cpu->as = as; + } + +- /* KVM cannot currently support multiple address spaces. */ +- assert(asidx == 0 || !kvm_enabled()); +- + if (!cpu->cpu_ases) { + cpu->cpu_ases = g_new0(CPUAddressSpace, cpu->num_ases); + cpu->cpu_ases_count = cpu->num_ases; +@@ -818,8 +815,6 @@ void cpu_address_space_destroy(CPUState *cpu, int asidx) + + assert(cpu->cpu_ases); + assert(asidx >= 0 && asidx < cpu->num_ases); +- /* KVM cannot currently support multiple address spaces. 
*/ +- assert(asidx == 0 || !kvm_enabled()); + + cpuas = &cpu->cpu_ases[asidx]; + if (tcg_enabled()) { +diff --git a/target/i386/kvm/kvm-cpu.c b/target/i386/kvm/kvm-cpu.c +index 89a7953659..1dc1ba9b48 100644 +--- a/target/i386/kvm/kvm-cpu.c ++++ b/target/i386/kvm/kvm-cpu.c +@@ -13,6 +13,7 @@ + #include "qapi/error.h" + #include "system/system.h" + #include "hw/boards.h" ++#include "hw/i386/x86.h" + + #include "kvm_i386.h" + #include "accel/accel-cpu-target.h" +@@ -91,6 +92,15 @@ static bool kvm_cpu_realizefn(CPUState *cs, Error **errp) + kvm_set_guest_phys_bits(cs); + } + ++ /* ++ * When SMM is enabled, there is 2 address spaces. Otherwise only 1. ++ * ++ * Only initialize address space 0 here, the second one for SMM is ++ * initialized at register_smram_listener() after machine init done. ++ */ ++ cs->num_ases = x86_machine_is_smm_enabled(X86_MACHINE(current_machine)) ? 2 : 1; ++ cpu_address_space_init(cs, 0, "cpu-memory", cs->memory); ++ + return true; + } + +diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c +index 369626f8c8..47fb5c673c 100644 +--- a/target/i386/kvm/kvm.c ++++ b/target/i386/kvm/kvm.c +@@ -2704,6 +2704,7 @@ static MemoryRegion smram_as_mem; + + static void register_smram_listener(Notifier *n, void *unused) + { ++ CPUState *cpu; + MemoryRegion *smram = + (MemoryRegion *) object_resolve_path("/machine/smram", NULL); + +@@ -2728,6 +2729,10 @@ static void register_smram_listener(Notifier *n, void *unused) + address_space_init(&smram_address_space, &smram_as_root, "KVM-SMRAM"); + kvm_memory_listener_register(kvm_state, &smram_listener, + &smram_address_space, 1, "kvm-smram"); ++ ++ CPU_FOREACH(cpu) { ++ cpu_address_space_init(cpu, 1, "cpu-smm", &smram_as_root); ++ } + } + + static void *kvm_msr_energy_thread(void *data) 
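Review bot: Address space 1 is only created for the CPUs present when register_smram_listener() runs (the `CPU_FOREACH` loop), while kvm_cpu_realizefn() sets `num_ases = 2` for every CPU it realises; a vCPU hot-added after machine init would therefore carry `num_ases == 2` with no asidx 1, and the cpu_asidx_from_attrs() assertion this patch sets out to fix would come back for that CPU on an SMM dump. Unless the hotplug path covers this somewhere not visible here, kvm_cpu_realizefn should also set up asidx 1 once the SMRAM listener is registered, via a small helper in kvm.c since `smram_as_root` is file-static there. Removing both `asidx == 0 || !kvm_enabled()` asserts in physmem.c is target-independent, so the patch description should state that other KVM targets keep num_ases == 1 and are unaffected. register_smram_listener and kvm_cpu_realizefn both extend beyond the hunk.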
diff --git a/debian/patches/extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch b/debian/patches/extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch new file mode 100644 index 0000000..5238871 --- /dev/null +++ b/debian/patches/extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch 
@@ -0,0 +1,109 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini <[email protected]> +Date: Tue, 23 Sep 2025 12:41:35 +0200 +Subject: [PATCH] target/i386: add compatibility property for arch_capabilities + +Prior to v10.1, if requested by user, arch-capabilities is always on +despite the fact that CPUID advertises it to be off/unvailable. +This causes a migration issue for VMs that are run on a machine +without arch-capabilities and expect this feature to be present +on the destination host with QEMU 10.1. + +Add a compatibility property to restore the legacy behavior for all +machines with version prior to 10.1. + +Co-authored-by: Hector Cao <[email protected]> +Signed-off-by: Hector Cao <[email protected]> +Fixes: d3a24134e37 ("target/i386: do not expose ARCH_CAPABILITIES on AMD CPU", 2025-07-17) +Signed-off-by: Paolo Bonzini <[email protected]> +Link: https://lore.proxmox.com/[email protected] +Signed-off-by: Fiona Ebner <[email protected]> +--- + hw/i386/pc.c | 1 + + target/i386/cpu.c | 17 +++++++++++++++++ + target/i386/cpu.h | 6 ++++++ + target/i386/kvm/kvm.c | 6 +----- + 4 files changed, 25 insertions(+), 5 deletions(-) + +diff --git a/hw/i386/pc.c b/hw/i386/pc.c +index 2f58e73d33..2504365bc2 100644 +--- a/hw/i386/pc.c ++++ b/hw/i386/pc.c +@@ -84,6 +84,7 @@ + GlobalProperty pc_compat_10_0[] = { + { TYPE_X86_CPU, "x-consistent-cache", "false" }, + { TYPE_X86_CPU, "x-vendor-cpuid-only-v2", "false" }, ++ { TYPE_X86_CPU, "x-arch-cap-always-on", "true" }, + }; + const size_t pc_compat_10_0_len = G_N_ELEMENTS(pc_compat_10_0); + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 6d85149e6e..fe369bb128 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -7539,6 +7539,20 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w) + #endif + break; + ++ case FEAT_7_0_EDX: ++ /* ++ * Windows does not like ARCH_CAPABILITIES on AMD machines at all. 
++ * Do not show the fake ARCH_CAPABILITIES MSR that KVM sets up, ++ * except if needed for migration. ++ * ++ * When arch_cap_always_on is removed, this tweak can move to ++ * kvm_arch_get_supported_cpuid. ++ */ ++ if (cpu && IS_AMD_CPU(&cpu->env) && !cpu->arch_cap_always_on) { ++ unavail = CPUID_7_0_EDX_ARCH_CAPABILITIES; ++ } ++ break; ++ + default: + break; + } +@@ -10004,6 +10018,9 @@ static const Property x86_cpu_properties[] = { + true), + DEFINE_PROP_BOOL("x-l1-cache-per-thread", X86CPU, l1_cache_per_core, true), + DEFINE_PROP_BOOL("x-force-cpuid-0x1f", X86CPU, force_cpuid_0x1f, false), ++ ++ DEFINE_PROP_BOOL("x-arch-cap-always-on", X86CPU, ++ arch_cap_always_on, false), + }; + + #ifndef CONFIG_USER_ONLY +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index f977fc49a7..b966bc997c 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -2314,6 +2314,12 @@ struct ArchCPU { + /* Forcefully disable KVM PV features not exposed in guest CPUIDs */ + bool kvm_pv_enforce_cpuid; + ++ /* ++ * Expose arch-capabilities unconditionally even on AMD models, for backwards ++ * compatibility with QEMU <10.1. ++ */ ++ bool arch_cap_always_on; ++ + /* Number of physical address bits supported */ + uint32_t phys_bits; + +diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c +index 47fb5c673c..a4e437bb5a 100644 +--- a/target/i386/kvm/kvm.c ++++ b/target/i386/kvm/kvm.c +@@ -503,12 +503,8 @@ uint32_t kvm_arch_get_supported_cpuid(KVMState *s, uint32_t function, + * Linux v4.17-v4.20 incorrectly return ARCH_CAPABILITIES on SVM hosts. + * We can detect the bug by checking if MSR_IA32_ARCH_CAPABILITIES is + * returned by KVM_GET_MSR_INDEX_LIST. +- * +- * But also, because Windows does not like ARCH_CAPABILITIES on AMD +- * mcahines at all, do not show the fake ARCH_CAPABILITIES MSR that +- * KVM sets up. 
+ */ +- if (!has_msr_arch_capabs || !(edx & CPUID_7_0_EDX_ARCH_CAPABILITIES)) { ++ if (!has_msr_arch_capabs) { + ret &= ~CPUID_7_0_EDX_ARCH_CAPABILITIES; + } + } else if (function == 7 && index == 1 && reg == R_EAX) { diff --git a/debian/patches/extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch b/debian/patches/extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch new file mode 100644 index 0000000..5aea067 --- /dev/null +++ b/debian/patches/extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch 
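Review bot: The new FEAT_7_0_EDX case only hides ARCH_CAPABILITIES when `cpu` is non-NULL, so callers of x86_cpu_get_supported_feature_word that pass no CPU object still see the bit as supported on AMD hosts, and the "supported" answer can disagree with what a realised CPU is given. If such callers exist (they are outside the hunk), the comment should say so, e.g. `/* cpu == NULL: no model context, so the per-CPU AMD filtering is skipped and KVM's answer stands */`. Separately, with `x-arch-cap-always-on=true` an AMD guest is again shown CPUID.7.EDX.ARCH_CAPABILITIES backed by the MSR KVM synthesises, so its mitigation choices may rest on bits that do not describe the host; that is the price of the ≤10.0 migration compatibility, but the cpu.h comment should say so rather than only "for backwards compatibility". x86_cpu_get_supported_feature_word and kvm_arch_get_supported_cpuid both extend beyond the hunk.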
@@ -0,0 +1,96 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hector Cao <[email protected]>
+Date: Tue, 23 Sep 2025 12:41:36 +0200
+Subject: [PATCH] target/i386: add compatibility property for pdcm feature
+
+The pdcm feature is supposed to be disabled when PMU is not
+available. Up until v10.1, pdcm feature is enabled even when PMU
+is off. This behavior has been fixed but this change breaks the
+migration of VMs that are run with QEMU < 10.0 and expect the pdcm
+feature to be enabled on the destination host.
+
+This commit restores the legacy behavior for machines with version
+prior to 10.1 to allow the migration from older QEMU to QEMU 10.1.
+
+Signed-off-by: Hector Cao <[email protected]>
+Link: https://lore.kernel.org/r/[email protected]
+Fixes: e68ec298090 ("i386/cpu: Move adjustment of CPUID_EXT_PDCM before feature_dependencies[] check", 2025-06-20)
+[Move property from migration object to CPU. - Paolo]
+Signed-off-by: Paolo Bonzini <[email protected]>
+Link: https://lore.proxmox.com/[email protected]
+Signed-off-by: Fiona Ebner <[email protected]>
+---
+ hw/i386/pc.c | 1 +
+ target/i386/cpu.c | 15 ++++++++++++---
+ target/i386/cpu.h | 6 ++++++
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/hw/i386/pc.c b/hw/i386/pc.c
+index 2504365bc2..0861e329b5 100644
+--- a/hw/i386/pc.c
++++ b/hw/i386/pc.c
+@@ -85,6 +85,7 @@ GlobalProperty pc_compat_10_0[] = {
+ { TYPE_X86_CPU, "x-consistent-cache", "false" },
+ { TYPE_X86_CPU, "x-vendor-cpuid-only-v2", "false" },
+ { TYPE_X86_CPU, "x-arch-cap-always-on", "true" },
++ { TYPE_X86_CPU, "x-pdcm-on-even-without-pmu", "true" },
+ };
+ const size_t pc_compat_10_0_len = G_N_ELEMENTS(pc_compat_10_0);
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index fe369bb128..ab18de894e 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -7908,6 +7908,11 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
+ /* Fixup overflow: max value for bits 
23-16 is 255. */
+ *ebx |= MIN(num, 255) << 16;
+ }
++ if (cpu->pdcm_on_even_without_pmu) {
++ if (!cpu->enable_pmu) {
++ *ecx &= ~CPUID_EXT_PDCM;
++ }
++ }
+ break;
+ case 2: { /* cache info: needed for Pentium Pro compatibility */
+ const CPUCaches *caches;
+@@ -8958,9 +8963,11 @@ void x86_cpu_expand_features(X86CPU *cpu, Error **errp)
+ }
+ }
+
+- /* PDCM is fixed1 bit for TDX */
+- if (!cpu->enable_pmu && !is_tdx_vm()) {
+- env->features[FEAT_1_ECX] &= ~CPUID_EXT_PDCM;
++ if (!cpu->pdcm_on_even_without_pmu) {
++ /* PDCM is fixed1 bit for TDX */
++ if (!cpu->enable_pmu && !is_tdx_vm()) {
++ env->features[FEAT_1_ECX] &= ~CPUID_EXT_PDCM;
++ }
+ }
+
+ for (i = 0; i < ARRAY_SIZE(feature_dependencies); i++) {
+@@ -10021,6 +10028,8 @@ static const Property x86_cpu_properties[] = {
+
+ DEFINE_PROP_BOOL("x-arch-cap-always-on", X86CPU,
+ arch_cap_always_on, false),
++ DEFINE_PROP_BOOL("x-pdcm-on-even-without-pmu", X86CPU,
++ pdcm_on_even_without_pmu, false),
+ };
+
+ #ifndef CONFIG_USER_ONLY
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index b966bc997c..2187e61654 100644
+--- a/target/i386/cpu.h
++++ b/target/i386/cpu.h
+@@ -2320,6 +2320,12 @@ struct ArchCPU {
+ */
+ bool arch_cap_always_on;
+
++ /*
++ * Backwards compatibility with QEMU <10.1. The PDCM feature is now disabled when
++ * PMU is not available, but prior to 10.1 it was enabled even if PMU is off.
++ */
++ bool pdcm_on_even_without_pmu;
++
+ /* Number of physical address bits supported */
+ uint32_t phys_bits;
+
diff --git a/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch b/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
index 65d18b9..c9010c6 100644
--- a/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
+++ b/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
@@ -10,10 +10,10 @@ 
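Review bot: The compat branch added to `cpu_x86_cpuid` case 1 (the `@@ -7908` hunk of the embedded 0013 patch) clears PDCM from `*ecx` whenever `!cpu->enable_pmu`, but drops the `!is_tdx_vm()` exception that the `x86_cpu_expand_features` branch in the same patch keeps and annotates as "PDCM is fixed1 bit for TDX"; with `x-pdcm-on-even-without-pmu=true` (wired in via `pc_compat_10_0`) a TDX guest with the PMU off would therefore have leaf 1 report PDCM differently from what the feature array says. If reproducing the pre-10.1 CPUID output exactly is the intent, a comment such as `/* legacy (<10.1) behaviour: mask PDCM in CPUID only, keep it in features[] */` would stop the next reader from "fixing" it; otherwise mirror the condition: `if (cpu->pdcm_on_even_without_pmu && !cpu->enable_pmu && !is_tdx_vm()) {`. Both enclosing functions, `cpu_x86_cpuid` and `x86_cpu_expand_features`, start and end outside the hunk. As a wording aside, the patch description says the affected sources run "QEMU < 10.0" while the property is attached to `pc_compat_10_0`, i.e. machine versions up to 10.0 and hence QEMU < 10.1, which the cpu.h comment states correctly.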
Signed-off-by: Thomas Lamprecht <[email protected]> 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/target/i386/cpu.h b/target/i386/cpu.h -index f977fc49a7..d96c57c182 100644 +index 2187e61654..da8497931f 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h -@@ -2613,9 +2613,9 @@ uint64_t cpu_get_tsc(CPUX86State *env); +@@ -2625,9 +2625,9 @@ uint64_t cpu_get_tsc(CPUX86State *env); #define CPU_RESOLVING_TYPE TYPE_X86_CPU #ifdef TARGET_X86_64 diff --git a/debian/patches/series b/debian/patches/series index f2bf359..10ebb56 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,5 +1,16 @@ extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch +extra/0003-target-arm-Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch +extra/0004-qemu-atomic-Finish-renaming-atomic128-cas.h-headers.patch +extra/0005-block-curl-fix-curl-internal-handles-handling.patch +extra/0006-i386-tcg-svm-fix-incorrect-canonicalization.patch +extra/0007-hw-vfio-user-add-x-pci-class-code.patch +extra/0008-tcg-arm-Fix-tgen_deposit.patch +extra/0009-e1000e-Prevent-crash-from-legacy-interrupt-firing-af.patch +extra/0010-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch +extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch +extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch +extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch -- 2.47.3 _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
