Branch: refs/heads/staging
  Home:   https://github.com/qemu/qemu
  Commit: 48c8916aec4319efc60324d9d971831a8a1d6350
      
https://github.com/qemu/qemu/commit/48c8916aec4319efc60324d9d971831a8a1d6350
  Author: Josh Poimboeuf <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M hw/i386/vmmouse.c

  Log Message:
  -----------
  hw/i386/vmmouse: Fix hypercall clobbers

Fedora QA reported the following kernel panic:

  BUG: unable to handle page fault for address: 0000000040003e54
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  PGD 1082ec067 P4D 0
  Oops: Oops: 0002 [#1] SMP NOPTI
  CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.19.0-0.rc4.260108gf0b9d8eb98df.34.fc43.x86_64 #1 PREEMPT(lazy)
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20251119-3.fc43 11/19/2025
  RIP: 0010:vmware_hypercall4.constprop.0+0x52/0x90
  Code: 48 83 c4 20 5b e9 69 f0 fc fe 8b 05 a0 c1 b2 01 85 c0 74 23 b8 68 58 4d 56 b9 27 00 00 00 31 d2 bb 04 00 00 00 66 ba 58 56 ed <89> 1f 89 0e 41 89 10 5b e9 3c f0 fc fe 6a 00 49 89 f9 45 31 c0 31
  RSP: 0018:ff5eeb3240003e40 EFLAGS: 00010046
  RAX: 0000000000000000 RBX: 000000000000ffca RCX: 000000000000ffac
  RDX: 0000000000000000 RSI: 0000000040003e58 RDI: 0000000040003e54
  RBP: ff1e05f3c1204800 R08: ff5eeb3240003e5c R09: 000000009d899c41
  R10: 000000000000003d R11: ff5eeb3240003ff8 R12: 0000000000000000
  R13: 00000000000000ff R14: ff1e05f3c02f9e00 R15: 000000000000000c
  FS:  0000000000000000(0000) GS:ff1e05f489e40000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000040003e54 CR3: 000000010841d002 CR4: 0000000000771ef0
  PKRU: 55555554
  Call Trace:
   <IRQ>
   vmmouse_report_events+0x13e/0x1b0
   psmouse_handle_byte+0x15/0x60
   ps2_interrupt+0x8a/0xd0
   ...

It was triggered by dereferencing a bad pointer (RDI) immediately after
a VMware hypercall for VMWARE_CMD_ABSPOINTER_DATA in the vmmouse driver:

  ffffffff82135070 <vmware_hypercall4.constprop.0>:
  ...
  ffffffff821350ac:       b8 68 58 4d 56          mov    $0x564d5868,%eax
  ffffffff821350b1:       b9 27 00 00 00          mov    $0x27,%ecx
  ffffffff821350b6:       31 d2                   xor    %edx,%edx
  ffffffff821350b8:       bb 04 00 00 00          mov    $0x4,%ebx
  ffffffff821350bd:       66 ba 58 56             mov    $0x5658,%dx
  ffffffff821350c1:       ed                      in     (%dx),%eax     <-- hypercall
  ffffffff821350c2:       89 1f                   mov    %ebx,(%rdi)    <-- crash

Reading the kernel disassembly shows that RDI should contain the value
of a valid kernel stack address here (0xff5eeb3240003e54).  Instead it
contains 0x40003e54, suggesting the hypervisor cleared the upper 32
bits.

And indeed, Alexey discovered that QEMU's vmmouse_get_data() and
vmmouse_set_data() are only saving/restoring the lower 32 bits, while
clearing the upper 32.  Fix that by changing the type of the saved data
array from uint32_t to uint64_t.

Fixes: 548df2acc6fc ("VMMouse Emulation, by Anthony Liguori.")
Reported-by: Justin Forbes <[email protected]>
Debugged-by: Alexey Makhalov <[email protected]>
Signed-off-by: Josh Poimboeuf <[email protected]>
Link: https://lore.kernel.org/r/c508fc1d4a4ccd8c9fb1e51b71df089e31115a53.1770309998.git.jpoim...@kernel.org
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3293
Cc: [email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
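The clobber described in the commit message, as an added example that is not part of the commit or of QEMU's vmmouse.c: a small model of the device side (save the guest's six GPRs, patch the reply into EBX, write everything back) in its pre-fix form with a uint32_t save array and in its fixed form with uint64_t, driven from a guest-side model that sets up the registers the way the kernel's vmware_hypercall4() does, using the RDI value from the oops. The register enum, struct layout and function names are assumptions for illustration; the constants are the ones visible in the disassembly above. The last function is a generic invariant check that any port-I/O hypercall handler should pass: registers that are not documented outputs must round-trip with all 64 bits intact.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the six GPRs the vmmouse hypercall reads and writes back.
 * QEMU keeps them in CPUX86State::regs[]; the enum names here are assumed. */
enum { R_EAX, R_EBX, R_ECX, R_EDX, R_ESI, R_EDI, NREGS };
struct guest_regs { uint64_t regs[NREGS]; };

/* Values taken from the guest disassembly in the commit message. */
#define VMWARE_MAGIC      0x564d5868u   /* EAX: "VMXh" */
#define VMMOUSE_CMD_DATA  0x27u         /* ECX: VMWARE_CMD_ABSPOINTER_DATA */
#define VMMOUSE_PORT      0x5658u       /* DX: backdoor I/O port */
#define OOPS_RDI          0xff5eeb3240003e54ULL  /* kernel stack slot from the oops */

typedef void (*hypercall_fn)(struct guest_regs *, uint32_t);

/* Buggy model of the device side: save the GPRs into a 32-bit array, patch the
 * reply into EBX, write everything back. Registers the command never touches
 * (RSI/RDI, which hold kernel pointers) lose their upper halves on the way in
 * and come back zero-extended. */
static void vmmouse_hypercall_buggy(struct guest_regs *g, uint32_t reply_ebx)
{
    uint32_t data[NREGS];                       /* the pre-fix element type */
    for (int i = 0; i < NREGS; i++) {
        data[i] = (uint32_t)g->regs[i];         /* truncation happens here */
    }
    data[R_EBX] = reply_ebx;
    for (int i = 0; i < NREGS; i++) {
        g->regs[i] = data[i];
    }
}

/* Fixed model: identical flow with 64-bit storage, as the commit does. */
static void vmmouse_hypercall_fixed(struct guest_regs *g, uint32_t reply_ebx)
{
    uint64_t data[NREGS];
    for (int i = 0; i < NREGS; i++) {
        data[i] = g->regs[i];
    }
    data[R_EBX] = reply_ebx;
    for (int i = 0; i < NREGS; i++) {
        g->regs[i] = data[i];
    }
}

/* Guest view: set up the registers as vmware_hypercall4() does, with the RDI
 * from the oops, run the "in (%dx),%eax" exit through the device model and
 * return what RDI holds when the kernel executes "mov %ebx,(%rdi)". */
static uint64_t rdi_after_hypercall(hypercall_fn hv)
{
    struct guest_regs g = {0};
    g.regs[R_EAX] = VMWARE_MAGIC;
    g.regs[R_EBX] = 4;
    g.regs[R_ECX] = VMMOUSE_CMD_DATA;
    g.regs[R_EDX] = VMMOUSE_PORT;
    g.regs[R_EDI] = OOPS_RDI;
    hv(&g, 0xffca);                             /* RBX value seen in the oops */
    return g.regs[R_EDI];
}

/* Invariant for any port-I/O hypercall handler: every register that is not a
 * documented output must round-trip unchanged. EBX is the only output here;
 * every register gets a distinct pattern with the upper 32 bits set. */
static bool preserves_untouched_regs(hypercall_fn hv)
{
    struct guest_regs before, after;
    for (int i = 0; i < NREGS; i++) {
        before.regs[i] = 0xdead000000000000ULL | ((uint64_t)(i + 1) << 32) | 0x1234u;
    }
    after = before;
    hv(&after, 0);
    for (int i = 0; i < NREGS; i++) {
        if (i != R_EBX && after.regs[i] != before.regs[i]) {
            return false;
        }
    }
    return true;
}

int main(void)
{
    printf("buggy: RDI=0x%016llx preserves_inputs=%d\n",
           (unsigned long long)rdi_after_hypercall(vmmouse_hypercall_buggy),
           preserves_untouched_regs(vmmouse_hypercall_buggy));
    printf("fixed: RDI=0x%016llx preserves_inputs=%d\n",
           (unsigned long long)rdi_after_hypercall(vmmouse_hypercall_fixed),
           preserves_untouched_regs(vmmouse_hypercall_fixed));
    return 0;
}
```

With the buggy handler RDI comes back as 0x40003e54, exactly the CR2 in the oops, because the guest kernel's write through it lands in an unmapped page; with the fixed handler the full 0xff5eeb3240003e54 survives. The same invariant check would have caught the original 32-bit array in any unit test that ran a hypercall with non-zero upper register halves.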


  Commit: c86bca1671e9e4161e2a93d73514384de510bbf3
      
https://github.com/qemu/qemu/commit/c86bca1671e9e4161e2a93d73514384de510bbf3
  Author: Bernhard Beschow <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M target/i386/emulate/x86_decode.c

  Log Message:
  -----------
  target/i386/emulate/x86_decode: Fix compiler warning

When compiling for i386-softmmu under MSYS2, GCC emits the following warning:

  In function 'get_reg_val',
      inlined from 'calc_modrm_operand64' at ../src/target/i386/emulate/x86_decode.c:1796:15:
  ../src/target/i386/emulate/x86_decode.c:1703:5: error: 'memcpy' forming offset [4, 7] is out of the bounds [0, 4] of object 'val' with type 'target_ulong' {aka 'unsigned int'} [-Werror=array-bounds=]
   1703 |     memcpy(&val,
        |     ^~~~~~~~~~~~
   1704 |            get_reg_ref(env, reg, rex_present, is_extended, size),
        |            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   1705 |            size);
        |            ~~~~~
  ../src/target/i386/emulate/x86_decode.c: In function 'calc_modrm_operand64':
  ../src/target/i386/emulate/x86_decode.c:1702:18: note: 'val' declared here
   1702 |     target_ulong val = 0;
        |                  ^~~

In the calc_modrm_operand64() case the compiler sees size == 8 to be mem-copied
to a target_ulong variable which is only 4 bytes wide in case of i386-softmmu.
Note that when size != 1, get_reg_ref() always returns a pointer to an 8 byte
register, regardless of the target_ulong size. Fix the compiler warning by
always providing 8 bytes of storage by means of uint64_t.

Fixes: 77a2dba45cc9 ("target/i386/emulate: stop overloading decode->op[N].ptr")
cc: qemu-stable
Signed-off-by: Bernhard Beschow <[email protected]>
Reviewed-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Wei Liu (Microsoft) <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 529e5e7643078e19d65e694f51cad64be49090ab
      
https://github.com/qemu/qemu/commit/529e5e7643078e19d65e694f51cad64be49090ab
  Author: Bernhard Beschow <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M target/i386/hvf/x86_mmu.c

  Log Message:
  -----------
  target/i386/hvf/x86_mmu: Fix compiler warning

When reusing the code in WHPX, GCC emits the following warning when compiling
for i386-softmmu under MSYS2:

  In file included from ../src/target/i386/emulate/x86_mmu.c:20:
  ../src/target/i386/emulate/x86_mmu.c: In function 'vmx_write_mem':
  ../src/target/i386/emulate/x86_mmu.c:251:25: error: format '%llx' expects argument of type 'long long unsigned int', but argument 3 has type 'target_ulong' {aka 'unsigned int'} [-Werror=format=]
    251 |             VM_PANIC_EX("%s: mmu_gva_to_gpa %llx failed\n", __func__, gva);
        |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~            ~~~
        |                                                                       |
        |                                                                       target_ulong {aka unsigned int}
  ../src/target/i386/emulate/panic.h:34:12: note: in definition of macro 'VM_PANIC_EX'
     34 |     printf(__VA_ARGS__); \
        |            ^~~~~~~~~~~
  ../src/target/i386/emulate/x86_mmu.c:251:48: note: format string is defined here
    251 |             VM_PANIC_EX("%s: mmu_gva_to_gpa %llx failed\n", __func__, gva);
        |                                             ~~~^
        |                                                |
        |                                                long long unsigned int
        |                                             %x

Fix the warning by reusing the target-specific macro TARGET_FMT_lx which exists
for this exact purpose.

Fixes: c97d6d2cdf97 ("i386: hvf: add code base from Google's QEMU repository")
cc: qemu-stable
Signed-off-by: Bernhard Beschow <[email protected]>
Reviewed-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Wei Liu (Microsoft) <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 1b93832f55927b1b76a6587ca75a5a35676188de
      
https://github.com/qemu/qemu/commit/1b93832f55927b1b76a6587ca75a5a35676188de
  Author: Bernhard Beschow <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M target/i386/emulate/x86_decode.c

  Log Message:
  -----------
  target/i386/emulate/x86_decode: Actually use stream in decode_instruction_stream()

Compared to decode_instruction(), decode_instruction_stream() has an additional
stream parameter which avoids some guest memory accesses during instruction
decoding. Both functions defer the actual work to decode_opcode() which would
set the stream pointer to zero such that decode_instruction_stream() essentially
behaved like decode_instruction(). Given that all callers of
decode_instruction_stream() properly zero-initialize the decode parameter, the
memset() call can be moved into decode_instruction() which is the only other
user of decode_opcode(). This preserves the non-zero stream pointer which
avoids extra guest memory accesses.

Fixes: 1e25327b244a ("target/i386/emulate: Allow instruction decoding from stream")
cc: qemu-stable
Signed-off-by: Bernhard Beschow <[email protected]>
Reviewed-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Wei Liu (Microsoft) <[email protected]>
Tested-by: Magnus Kulke <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 03bd8515a3bc5d2da7d95105e5fbc7ede8e658d3
      
https://github.com/qemu/qemu/commit/03bd8515a3bc5d2da7d95105e5fbc7ede8e658d3
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M target/i386/emulate/x86_emu.c

  Log Message:
  -----------
  target/i386/emulate: rework string_rep emulation

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 2c87eb5cad9d0e6712a3704f05eb24b9b1608d0d
      
https://github.com/qemu/qemu/commit/2c87eb5cad9d0e6712a3704f05eb24b9b1608d0d
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M target/i386/emulate/meson.build
    A target/i386/emulate/x86_mmu.c
    A target/i386/emulate/x86_mmu.h
    M target/i386/hvf/hvf.c
    M target/i386/hvf/meson.build
    M target/i386/hvf/x86.c
    R target/i386/hvf/x86_mmu.c
    R target/i386/hvf/x86_mmu.h
    M target/i386/hvf/x86_task.c

  Log Message:
  -----------
  target/i386: emulate, hvf: move x86_mmu to common code

Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 19b48084f713fb5c894c6979f4d583fe809c1c6b
      
https://github.com/qemu/qemu/commit/19b48084f713fb5c894c6979f4d583fe809c1c6b
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M accel/whpx/whpx-accel-ops.c
    M include/system/whpx-all.h
    M target/arm/whpx/whpx-all.c
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: i386: re-enable guest debug support

Fix what got broken several years ago by adding ops->supports_guest_debug
support as an architecture-specific function.

arm64 WHP doesn't currently provide support needed for this.

Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 91a76b2c2d425f6d918c4f7d7201d9a901a14452
      
https://github.com/qemu/qemu/commit/91a76b2c2d425f6d918c4f7d7201d9a901a14452
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M target/i386/cpu.h
    M target/i386/emulate/meson.build
    M target/i386/mshv/meson.build

  Log Message:
  -----------
  whpx: preparatory changes before switching over from winhvemulation

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 02dff8f72d3319b40e747e957906842344622fda
      
https://github.com/qemu/qemu/commit/02dff8f72d3319b40e747e957906842344622fda
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M accel/whpx/whpx-common.c
    M include/system/whpx-all.h
    M target/arm/whpx/whpx-all.c
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: refactor whpx_destroy_vcpu to arch-specific function

Avoid a TARGET_X86_64 define by moving platform-specific code
away from generic WHPX support.

Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 9fdece1224e9d2348c4f25cf0fb89a907fe35734
      
https://github.com/qemu/qemu/commit/9fdece1224e9d2348c4f25cf0fb89a907fe35734
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M accel/whpx/whpx-common.c
    M include/system/whpx-common.h
    M target/arm/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: move whpx_get_reg/whpx_set_reg to generic code

These will be used in the next commit on the x86_64 backend too.
Also move flush_cpu_state as it's used by get_reg/set_reg and the arm64 code.

Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Bernhard Beschow <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: ad17d24d189661715bb35334085aa640db2decd8
      
https://github.com/qemu/qemu/commit/ad17d24d189661715bb35334085aa640db2decd8
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: i386: switch over from winhvemulation to target/i386/emulate

Using the mshv backend as a base, move away from winhvemulation
to using common QEMU code used by the HVF and mshv backends.

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: a33a57f8d24988ec2e89ad5cd8c262788ebfac8b
      
https://github.com/qemu/qemu/commit/a33a57f8d24988ec2e89ad5cd8c262788ebfac8b
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: i386: flags conversion for target/i386/emulate internal state

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 9bd8a24a170660066da3c67f24870dbb6c1c29f6
      
https://github.com/qemu/qemu/commit/9bd8a24a170660066da3c67f24870dbb6c1c29f6
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M accel/whpx/whpx-common.c
    M include/system/whpx-common.h
    M include/system/whpx-internal.h
    M meson.build

  Log Message:
  -----------
  whpx: i386: remove remaining winhvemulation support code

After moving away to target/i386/emulate, this is no longer necessary.

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 40860e0c957b84cd71a4488d504a6cb470709ab4
      
https://github.com/qemu/qemu/commit/40860e0c957b84cd71a4488d504a6cb470709ab4
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: i386: remove messages

Remove some messages printed by the WHPX backend that don't
have an equivalent elsewhere and don't convey an error.

Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 2c08624db03d7f791b69e5cf6b1a4e859f6b0dd0
      
https://github.com/qemu/qemu/commit/2c08624db03d7f791b69e5cf6b1a4e859f6b0dd0
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: i386: remove CPUID trapping

Very partial in its current state and results in significantly inconsistent
CPUID data. Remove it until it's reimplemented later.

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 49f31a967140e65babe2f78fe6e6859342446619
      
https://github.com/qemu/qemu/commit/49f31a967140e65babe2f78fe6e6859342446619
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M accel/whpx/whpx-common.c
    M include/system/whpx-accel-ops.h
    M include/system/whpx-all.h
    M target/arm/whpx/whpx-all.c
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: common, i386, arm: rework state levels

Change state levels from a set of ifdefs to an enum.
Make register state loads use state levels too.

Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 2a9c0d0ac964e8763d9f64d84cee9872a832f283
      
https://github.com/qemu/qemu/commit/2a9c0d0ac964e8763d9f64d84cee9872a832f283
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: i386: saving/restoring less state for WHPX_LEVEL_FAST_RUNTIME_STATE

Optimise vmexits by save/restoring less state in those cases instead of the full state.

Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Bernhard Beschow <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 84d1d2b79d478e2d903e35f2dbc4c7a80a39c533
      
https://github.com/qemu/qemu/commit/84d1d2b79d478e2d903e35f2dbc4c7a80a39c533
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M target/i386/emulate/meson.build
    A target/i386/emulate/x86_helpers.c
    M target/i386/mshv/meson.build
    R target/i386/mshv/x86.c

  Log Message:
  -----------
  target/i386: mshv, emulate: move the generic x86 helpers to target/i386/emulate

HVF doesn't use them at this point, but move them to common code as that's what they are.

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: d1d985a34d5b30c5b99e8e203bc33f22b6e363b4
      
https://github.com/qemu/qemu/commit/d1d985a34d5b30c5b99e8e203bc33f22b6e363b4
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M target/i386/emulate/x86.h
    M target/i386/emulate/x86_helpers.c
    M target/i386/emulate/x86_mmu.c
    M target/i386/hvf/x86.c

  Log Message:
  -----------
  target/i386: emulate: 5-level paging for the page table walker

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 1c85a4a3d7a5eca63f3f05c4a4c99223d044b4ce
      
https://github.com/qemu/qemu/commit/1c85a4a3d7a5eca63f3f05c4a4c99223d044b4ce
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/emulate/x86_decode.c
    M target/i386/emulate/x86_emu.c
    M target/i386/emulate/x86_emu.h
    M target/i386/emulate/x86_helpers.c
    M target/i386/emulate/x86_mmu.c
    M target/i386/emulate/x86_mmu.h
    M target/i386/hvf/hvf.c
    M target/i386/hvf/x86.c
    M target/i386/hvf/x86_task.c
    M target/i386/mshv/mshv-cpu.c
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  target/i386: emulate, hvf, mshv: rework MMU code

target/i386/emulate doesn't currently properly emulate instructions
which might cause a page fault during their execution. Notably, REP STOS/MOVS
from MMIO to an address which is unmapped until a page fault exception is raised
causes an abort() in vmx_write_mem.

Change the interface between the HW accel backend and target/i386/emulate as a first step towards addressing that.

Adapt the page table walker code to give actionable errors,
while leaving a possibility for backends to provide their own walker.

This removes the usage of the Hyper-V page walker in the mshv backend.

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 7e44b76644273065003abd7d87547c38a5dd64e3
      
https://github.com/qemu/qemu/commit/7e44b76644273065003abd7d87547c38a5dd64e3
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/hvf/hvf.c

  Log Message:
  -----------
  hvf: i386: save/restore CR0/2/3

For symmetry, save/restore the same set of registers even when not needed.

CR2 save/restore is needed as page faults injected to the guest imply modifying CR2.

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: a32e4ffc72dfc15d4cf2e6edab313aa8611a071a
      
https://github.com/qemu/qemu/commit/a32e4ffc72dfc15d4cf2e6edab313aa8611a071a
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/emulate/x86_emu.c

  Log Message:
  -----------
  target/i386: emulate: get rid of write_val_to_mem() helper

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: a998be992651c5ea4165539819f982641c23b6ba
      
https://github.com/qemu/qemu/commit/a998be992651c5ea4165539819f982641c23b6ba
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/emulate/x86_mmu.c

  Log Message:
  -----------
  target/i386: emulate: raise an exception on translation fault

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: fb45807fffb1d3f4d591cc1852fb9039b2011263
      
https://github.com/qemu/qemu/commit/fb45807fffb1d3f4d591cc1852fb9039b2011263
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/emulate/x86_decode.c
    M target/i386/emulate/x86_emu.h

  Log Message:
  -----------
  target/i386: emulate: remove fetch_instruction helper too

Not used anymore.

Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 192d377c98d3d8fcd89b009c56eb4ca32e121744
      
https://github.com/qemu/qemu/commit/192d377c98d3d8fcd89b009c56eb4ca32e121744
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/emulate/x86_emu.c

  Log Message:
  -----------
  target/i386: emulate: propagate memory errors on most reads/writes

Use that to not bump RIP for those cases.

Warn on read/write from/to unmapped MMIO, but not consider that as an exception.
For reads, return 0xFF(s) as the register value in that case.

Leaves a coverage gap for read_val_ext(), to be handled in a later commit.

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: b5f7036a71e6b109efeb4a9a709e6d3e25e6ba69
      
https://github.com/qemu/qemu/commit/b5f7036a71e6b109efeb4a9a709e6d3e25e6ba69
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: i386: inject exceptions

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 5b4810a0ffa65824ec2747b6f054768a98423235
      
https://github.com/qemu/qemu/commit/5b4810a0ffa65824ec2747b6f054768a98423235
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: i386: bump to x2apic

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 9533cc6d360415e88935bcf0808771357b8faf56
      
https://github.com/qemu/qemu/commit/9533cc6d360415e88935bcf0808771357b8faf56
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/whpx/whpx-apic.c

  Log Message:
  -----------
  whpx: i386: ignore send_msi to interrupt vector 0

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: f5b03da29f9eb2fe88d96fcf17dab730f19c184e
      
https://github.com/qemu/qemu/commit/f5b03da29f9eb2fe88d96fcf17dab730f19c184e
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/emulate/x86_emu.c
    M target/i386/emulate/x86_emu.h

  Log Message:
  -----------
  target/i386: emulate: propagate errors all the way and stop early

This ended up being a bigger patch than I thought it'd be...

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 777d9f78ff0ba50a7fb9c7bc05fca0213101897d
      
https://github.com/qemu/qemu/commit/777d9f78ff0ba50a7fb9c7bc05fca0213101897d
  Author: Maxim Levitsky <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/kvm/kvm.c

  Log Message:
  -----------
  accel/kvm: Don't clear pending #SMI in kvm_get_vcpu_events

The kvm_get_vcpu_events propagates the state of the pending SMI
from the kernel to the cpu->interrupt_request, with the intention
of having an up-to-date migration state.

Later the opposite is done: the kvm_put_vcpu_events restores the state
of the pending #SMI from the 'cs->interrupt_request'.

The only problem is that kvm_get_vcpu_events also resets the SMI
in cpu->interrupt_request when there is no pending #SMI indicated by the kernel,
and that is wrong as the SMI might still be raised by qemu.

While at it, also fix a similar but more theoretical bug with regard to a
latched #INIT while in SMM.

A simple reproducer for this bug is to read an EFI variable in a loop
from within a guest, while at the same time running 'info registers' on
the qemu HMP monitor.

The reads will, once in a while, fail with an 'Invalid argument' error.

Signed-off-by: Maxim Levitsky <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 2ae6d10c240f12e187804ebc5374b7ac3407054b
      
https://github.com/qemu/qemu/commit/2ae6d10c240f12e187804ebc5374b7ac3407054b
  Author: Alexander Graf <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M scripts/update-linux-headers.sh

  Log Message:
  -----------
  scripts/update-linux-headers: Add Nitro Enclaves header

We want to enable QEMU to drive the /dev/nitro_enclaves device node. Add
its UAPI header into our kernel sync so we have all defines we need to
drive it.

Signed-off-by: Alexander Graf <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: ac46a829965670f232f71741971ae5065fd1155e
      
https://github.com/qemu/qemu/commit/ac46a829965670f232f71741971ae5065fd1155e
  Author: Alexander Graf <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    A include/standard-headers/linux/nitro_enclaves.h

  Log Message:
  -----------
  linux-headers: Add nitro_enclaves.h

QEMU is learning to drive the /dev/nitro_enclaves device node. Include
its UAPI header into our local copy of kernel headers so it has all
defines we need to drive it.

Signed-off-by: Alexander Graf <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 4953bf187db08e995c3be2a47ac96332e767c434
      
https://github.com/qemu/qemu/commit/4953bf187db08e995c3be2a47ac96332e767c434
  Author: Alexander Graf <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M MAINTAINERS
    M hw/Kconfig
    M hw/meson.build
    A hw/nitro/Kconfig
    A hw/nitro/meson.build
    A hw/nitro/nitro-vsock-bus.c
    A hw/nitro/trace-events
    A hw/nitro/trace.h
    A include/hw/nitro/nitro-vsock-bus.h
    M meson.build

  Log Message:
  -----------
  hw/nitro: Add Nitro Vsock Bus

Add a dedicated bus for Nitro Enclave vsock devices. In Nitro Enclaves,
communication between parent and enclave/hypervisor happens almost
exclusively through vsock. The nitro-vsock-bus models this dependency
in QEMU, which allows devices in this bus to implement individual services
on top of vsock.

The nitro machine spawns this bus by creating the included
nitro-vsock-bridge sysbus device.

The nitro accel then advertises the Enclave's CID to the bus by calling
nitro_vsock_bridge_start_enclave() on the bridge device as soon as it
knows the CID.

Nitro vsock devices can listen to that event and learn the Enclave's CID
when it is available to perform actions, such as connect to the debug
serial vsock port.

Suggested-by: Paolo Bonzini <[email protected]>
Signed-off-by: Alexander Graf <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 8155bca60d436e6422ee08be3b93c952540e45da
      
https://github.com/qemu/qemu/commit/8155bca60d436e6422ee08be3b93c952540e45da
  Author: Alexander Graf <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M MAINTAINERS
    M accel/Kconfig
    M accel/meson.build
    A accel/nitro/meson.build
    A accel/nitro/nitro-accel.c
    A accel/nitro/trace-events
    A accel/nitro/trace.h
    M accel/stubs/meson.build
    A accel/stubs/nitro-stub.c
    M include/system/hw_accel.h
    A include/system/nitro-accel.h
    M meson.build
    M meson_options.txt
    M qemu-options.hx
    M scripts/meson-buildoptions.sh

  Log Message:
  -----------
  accel: Add Nitro Enclaves accelerator

Nitro Enclaves are a confidential compute technology which
allows a parent instance to carve out resources from itself
and spawn a confidential sibling VM next to itself. Similar
to other confidential compute solutions, this sibling is
controlled by an underlying vmm, but still has a higher level
vmm (QEMU) to implement some of its I/O functionality and
lifecycle.

Add an accelerator to drive this interface. In combination with
follow-on patches to enhance the Nitro Enclaves machine model, this
will allow users to run a Nitro Enclave using QEMU.

Signed-off-by: Alexander Graf <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 00c83607206c0d98e40fc71f78713276e03489db
      
https://github.com/qemu/qemu/commit/00c83607206c0d98e40fc71f78713276e03489db
  Author: Alexander Graf <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M hw/nitro/Kconfig
    M hw/nitro/meson.build
    A hw/nitro/serial-vsock.c
    M hw/nitro/trace-events
    A include/hw/nitro/serial-vsock.h

  Log Message:
  -----------
  hw/nitro/nitro-serial-vsock: Nitro Enclaves vsock console

Nitro Enclaves support a special "debug" mode. When in debug mode, the
Nitro Hypervisor provides a vsock port that the parent can connect to to
receive serial console output of the Enclave. Add a new nitro-serial-vsock
driver that implements short-circuit logic to establish the vsock
connection to that port and feed its data into a chardev, so that a machine
model can use it as serial device.

Signed-off-by: Alexander Graf <[email protected]>

Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 9bdc612a18588975f5776ee4e562df607fea1b2c
      
https://github.com/qemu/qemu/commit/9bdc612a18588975f5776ee4e562df607fea1b2c
  Author: Alexander Graf <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M hw/nitro/Kconfig
    A hw/nitro/heartbeat.c
    M hw/nitro/meson.build
    M hw/nitro/trace-events
    A include/hw/nitro/heartbeat.h

  Log Message:
  -----------
  hw/nitro: Introduce Nitro Enclave Heartbeat device

Nitro Enclaves expect the parent instance to host a vsock heartbeat listener
at port 9000. To host a Nitro Enclave with the nitro accel in QEMU, add
such a heartbeat listener as device model, so that the machine can
easily instantiate it.

Signed-off-by: Alexander Graf <[email protected]>

Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 246f0f67271e35e9d1ac178c5fd19372e18e70be
      
https://github.com/qemu/qemu/commit/246f0f67271e35e9d1ac178c5fd19372e18e70be
  Author: Alexander Graf <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/arm/cpu64.c

  Log Message:
  -----------
  target/arm/cpu64: Allow -host for nitro

The nitro accel does not actually make use of CPU emulation or details:
It always uses the host CPU regardless of configuration. Machines for
the nitro accel select the host CPU type as default to have a clear
statement of the above and to have a unified cpu type across all
supported architectures.

The arm64 logic on Linux currently only allows -cpu host for KVM based
virtual machines. Add a special case for nitro so that when the nitro
accel is active, it allows use of the host cpu type.

Signed-off-by: Alexander Graf <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 0e7f6f6359c6204736b80d98e956cdeaf84f4534
      
https://github.com/qemu/qemu/commit/0e7f6f6359c6204736b80d98e956cdeaf84f4534
  Author: Alexander Graf <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M hw/nitro/Kconfig
    A hw/nitro/machine.c
    M hw/nitro/meson.build
    A include/hw/nitro/machine.h
    M tests/qtest/libqtest.c

  Log Message:
  -----------
  hw/nitro: Add nitro machine

Add a machine model to spawn a Nitro Enclave. Unlike the existing -M
nitro-enclave, this machine model works exclusively with the -accel
nitro accelerator to drive real Nitro Enclave creation. It supports
memory allocation, selection of the number of CPUs, and both x86_64 and
aarch64, and implements the Enclave heartbeat logic and debug serial
console.

To use it, create an EIF file and run

  $ qemu-system-x86_64 -accel nitro,debug-mode=on -M nitro -nographic \
                       -kernel test.eif

or

  $ qemu-system-aarch64 -accel nitro,debug-mode=on -M nitro -nographic \
                        -kernel test.eif

Signed-off-by: Alexander Graf <[email protected]>

Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 73f84b622f0dace9741dd9d1ae908b2e84f00281
      
https://github.com/qemu/qemu/commit/73f84b622f0dace9741dd9d1ae908b2e84f00281
  Author: Alexander Graf <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M hw/core/eif.c
    M hw/core/eif.h

  Log Message:
  -----------
  hw/core/eif: Move definitions to header

In follow-up patches we need some EIF file definitions that are
currently in the eif.c file, but want to access them from a separate
device. Move them into the header instead.

Signed-off-by: Alexander Graf <[email protected]>
Reviewed-by: Dorjoy Chowdhury <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: f75e7baeafc93c715f469366ddc1de0790337548
      
https://github.com/qemu/qemu/commit/f75e7baeafc93c715f469366ddc1de0790337548
  Author: Alexander Graf <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M hw/core/eif.h
    M hw/nitro/machine.c
    M hw/nitro/meson.build

  Log Message:
  -----------
  hw/nitro: Enable direct kernel boot

Nitro Enclaves can only boot EIF files which are a combination of
kernel, initramfs and cmdline in a single file. When the kernel image is
not an EIF, treat it like a kernel image and assemble an EIF image on
the fly. This way, users can call QEMU with a direct
kernel/initrd/cmdline combination and everything "just works".

Signed-off-by: Alexander Graf <[email protected]>
Reviewed-by: Dorjoy Chowdhury <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 2855cee7c83cb85603805a1a4f27435ed9e4cac5
      
https://github.com/qemu/qemu/commit/2855cee7c83cb85603805a1a4f27435ed9e4cac5
  Author: Alexander Graf <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M MAINTAINERS
    M docs/system/confidential-guest-support.rst
    M docs/system/index.rst
    A docs/system/nitro.rst

  Log Message:
  -----------
  docs: Add Nitro Enclaves documentation

Now that all pieces are in place to spawn Nitro Enclaves using
a special purpose accelerator and machine model, document how
to use it.

Signed-off-by: Alexander Graf <[email protected]>

Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: b3f0a55576434245906e85b43be4eeb21b198b6a
      
https://github.com/qemu/qemu/commit/b3f0a55576434245906e85b43be4eeb21b198b6a
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/kvm/kvm.c

  Log Message:
  -----------
  i386/kvm: avoid installing duplicate msr entries in msr_handlers

kvm_filter_msr() does not check if an msr entry is already present in the
msr_handlers table and installs a new handler unconditionally. If the function
is called again with the same MSR, it will result in duplicate entries in the
table and multiple such calls will fill up the table needlessly. Fix that.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 2391125f13526e9f389bee0abf4af39e566b6cc8
      
https://github.com/qemu/qemu/commit/2391125f13526e9f389bee0abf4af39e566b6cc8
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M include/system/confidential-guest-support.h
    M system/runstate.c
    M target/i386/kvm/tdx.c
    M target/i386/sev.c

  Log Message:
  -----------
  accel/kvm: add confidential class member to indicate guest rebuild capability

As a part of the confidential guest reset process, the existing encrypted guest
state must be made mutable since it would be discarded after reset. A new
encrypted and locked guest state must be established after the reset. To this
end, a new boolean member per confidential guest support class
(eg, tdx or sev-snp) is added that will indicate whether it's possible to
rebuild guest state:

bool can_rebuild_guest_state;

This is true if rebuilding guest state is possible, false otherwise.
A KVM based confidential guest reset is only possible when
the existing state is locked but it's possible to rebuild guest state.
Otherwise, the guest is not resettable.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 4003e5e65fe0a497705275eba73aef6c89870c82
      
https://github.com/qemu/qemu/commit/4003e5e65fe0a497705275eba73aef6c89870c82
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M include/accel/accel-ops.h
    M system/runstate.c

  Log Message:
  -----------
  hw/accel: add a per-accelerator callback to change VM accelerator handle

When a confidential virtual machine is reset, a new guest context in the
accelerator must be generated post reset. Therefore, the old accelerator guest
file handle must be closed and a new one created. To this end, a per-accelerator
callback, "rebuild_guest" is introduced that would get called when a
confidential guest is reset. Subsequent patches will introduce a specific
implementation of this callback for KVM accelerator.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: df8df3cb6b743372ebb335bd8404bc3d748da350
      
https://github.com/qemu/qemu/commit/df8df3cb6b743372ebb335bd8404bc3d748da350
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M include/system/physmem.h
    M system/physmem.c

  Log Message:
  -----------
  system/physmem: add helper to reattach existing memory after KVM VM fd change

After the guest KVM file descriptor has changed as a part of the process of
confidential guest reset mechanism, existing memory needs to be reattached to
the new file descriptor. This change adds a helper function ram_block_rebind()
for this purpose. The next patch will make use of this function.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 98884e0cc10997a17ce9abfd6ff10be19224ca6a
      
https://github.com/qemu/qemu/commit/98884e0cc10997a17ce9abfd6ff10be19224ca6a
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M MAINTAINERS
    M accel/kvm/kvm-all.c
    M accel/kvm/trace-events
    M include/system/kvm.h
    A stubs/kvm.c
    M stubs/meson.build
    M target/i386/kvm/kvm.c

  Log Message:
  -----------
  accel/kvm: add changes required to support KVM VM file descriptor change

This change adds common kvm specific support to handle KVM VM file descriptor
change. KVM VM file descriptor can change as a part of confidential guest reset
mechanism. A new function api kvm_arch_on_vmfd_change() per
architecture platform is added in order to implement architecture specific
changes required to support it. A subsequent patch will add x86 specific
implementation for kvm_arch_on_vmfd_change() as currently only x86 supports
confidential guest reset.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 9f0c2b3032639315faf141010a2603b0dbf56230
      
https://github.com/qemu/qemu/commit/9f0c2b3032639315faf141010a2603b0dbf56230
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M accel/kvm/kvm-all.c

  Log Message:
  -----------
  accel/kvm: mark guest state as unprotected after vm file descriptor change

When the KVM VM file descriptor has changed and a new one created, the guest
state is no longer in protected state. Mark it as such.
The guest state becomes protected again when TDX and SEV-ES and SEV-SNP mark
it as such.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 4dd184cb4134e2bc439d6e03360230bef266b5cc
      
https://github.com/qemu/qemu/commit/4dd184cb4134e2bc439d6e03360230bef266b5cc
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M accel/kvm/kvm-all.c
    M accel/stubs/kvm-stub.c
    M include/system/kvm.h

  Log Message:
  -----------
  accel/kvm: add a notifier to indicate KVM VM file descriptor has changed

A notifier callback can be used by various subsystems to perform actions when
KVM file descriptor for a virtual machine changes as a part of confidential
guest reset process. This change adds this notifier mechanism. Subsequent
patches will add specific implementations for various notifier callbacks
corresponding to various subsystems that need to take action when KVM VM file
descriptor changed.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 0f53f021ad1ede28dc8944686544e496cab02e5e
      
https://github.com/qemu/qemu/commit/0f53f021ad1ede28dc8944686544e496cab02e5e
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M accel/kvm/kvm-all.c
    M include/system/kvm.h

  Log Message:
  -----------
  accel/kvm: notify when KVM VM file fd is about to be changed

Various subsystems might need to take some steps before the KVM file descriptor
for a virtual machine is changed. So a new boolean attribute is added to the
vmfd_notifier structure which is passed to the notifier callbacks.
vmfd_notifier.pre is true for pre-notification of vmfd change and false for
post notification. Notifier callback implementations can simply check
the boolean value for (vmfd_notifier*)->pre and can take actions for pre or
post vmfd change based on the value.

Subsequent patches will add callback implementations for specific components
that need this pre-notification.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 68457a8c2e9467720c766446957a98ac2a17f034
      
https://github.com/qemu/qemu/commit/68457a8c2e9467720c766446957a98ac2a17f034
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/kvm/kvm.c

  Log Message:
  -----------
  i386/kvm: unregister smram listeners prior to vm file descriptor change

We will re-register smram listeners after the VM file descriptor has changed.
We need to unregister them first to make sure addresses and reference counters
work properly.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 9d7e73222982c77a5eb36de149597b8be74d8011
      
https://github.com/qemu/qemu/commit/9d7e73222982c77a5eb36de149597b8be74d8011
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/kvm/kvm.c
    M target/i386/kvm/trace-events

  Log Message:
  -----------
  kvm/i386: implement architecture support for kvm file descriptor change

When the kvm file descriptor changes as a part of confidential guest reset,
some architecture specific setups including SEV/SEV-SNP/TDX specific setups
need to be redone. These changes are implemented as a part of the
kvm_arch_on_vmfd_change() callback which was introduced previously.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 1842537960b7f53a23d3632e9f88922cc69e66fc
      
https://github.com/qemu/qemu/commit/1842537960b7f53a23d3632e9f88922cc69e66fc
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/kvm/kvm.c

  Log Message:
  -----------
  i386/kvm: refactor xen init into a new function

Cosmetic - no new functionality added. Xen initialisation code is refactored
into its own function.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 473932c2eb694c59044a7d68c553701602e05381
      
https://github.com/qemu/qemu/commit/473932c2eb694c59044a7d68c553701602e05381
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M hw/i386/x86-common.c

  Log Message:
  -----------
  hw/i386: refactor x86_bios_rom_init for reuse in confidential guest reset

For confidential guests, bios image must be reinitialized upon reset. This
is because bios memory is encrypted and hence once the old confidential
kvm context is destroyed, it cannot be decrypted. It needs to be reinitialized.
Towards that, this change refactors x86_bios_rom_init() code so that
parts of it can be called during confidential guest reset.
No functional change.

Acked-by: Michael S. Tsirkin <[email protected]>
Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 40c015e96942fd2a3e4d5ace6063b3333a3dd372
      
https://github.com/qemu/qemu/commit/40c015e96942fd2a3e4d5ace6063b3333a3dd372
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M hw/i386/x86-common.c
    M include/hw/i386/x86.h

  Log Message:
  -----------
  hw/i386: export a new function x86_bios_rom_reload

Confidential guests must reload their bios rom upon reset. This is because
bios memory is encrypted and upon reset, the contents of the old bios memory
is lost and cannot be re-used. To this end, export a new x86 function
x86_bios_rom_reload() to reload the bios again. This function will be used in
the subsequent patches.

Reviewed-by: Bernhard Beschow <[email protected]>
Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 7561c3247c5646ce5d5d5da043df8e7903720420
      
https://github.com/qemu/qemu/commit/7561c3247c5646ce5d5d5da043df8e7903720420
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/kvm/kvm.c

  Log Message:
  -----------
  kvm/i386: reload firmware for confidential guest reset

When IGVM is not being used by the confidential guest, the guest firmware has
to be reloaded explicitly again into memory. This is because, the memory into
which the firmware was loaded before reset was encrypted and is thus lost
upon reset. When IGVM is used, it is expected that the IGVM will contain the
guest firmware and the execution of the IGVM directives will set up the guest
firmware memory.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 083ce77fc435660330d7497927340020969a29c3
      
https://github.com/qemu/qemu/commit/083ce77fc435660330d7497927340020969a29c3
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M accel/kvm/kvm-all.c
    M accel/kvm/trace-events

  Log Message:
  -----------
  accel/kvm: rebind current VCPUs to the new KVM VM file descriptor upon reset

Confidential guests need to generate a new KVM file descriptor upon virtual
machine reset. Existing VCPUs need to be reattached to this new
KVM VM file descriptor. As a part of this, new VCPU file descriptors against
this new KVM VM file descriptor need to be created and re-initialized.
Resources allocated against the old VCPU fds need to be released. This change
makes this happen.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: b318bb6969d00439337abd30ac415d931c396494
      
https://github.com/qemu/qemu/commit/b318bb6969d00439337abd30ac415d931c396494
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/kvm/tdx.c

  Log Message:
  -----------
  i386/tdx: refactor TDX firmware memory initialization code into a new function

A new helper function is introduced that refactors all firmware memory
initialization code into a separate function. No functional change.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 05caf2690e5a29a25928c6717c4204ea3c0bfee3
      
https://github.com/qemu/qemu/commit/05caf2690e5a29a25928c6717c4204ea3c0bfee3
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/kvm/tdx.c
    M target/i386/kvm/tdx.h
    M target/i386/kvm/trace-events

  Log Message:
  -----------
  i386/tdx: finalize TDX guest state upon reset

When the confidential virtual machine KVM file descriptor changes due to the
guest reset, some TDX specific setup steps needs to be done again. This
includes finalizing the initial guest launch state again. This change
re-executes some parts of the TDX setup during the device reset phase using a
resettable interface. This finalizes the guest launch state again and locks
it in. Machine done notifier which was previously used is no longer needed as
the same code is now executed as a part of VM reset.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 154f1bcd64869471198d501ffaf928fe6c72e6b9
      
https://github.com/qemu/qemu/commit/154f1bcd64869471198d501ffaf928fe6c72e6b9
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/kvm/tdx.c

  Log Message:
  -----------
  i386/tdx: add a pre-vmfd change notifier to reset tdx state

During reset, when the VM file descriptor is changed, the TDX state needs to be
re-initialized. A notifier callback is implemented to reset the old
state and free memory before the new state is initialized post VM file
descriptor change.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 13395029b567a49609ac05c9bfefad3d4a3eddb1
      
https://github.com/qemu/qemu/commit/13395029b567a49609ac05c9bfefad3d4a3eddb1
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/sev.c

  Log Message:
  -----------
  i386/sev: add migration blockers only once

sev_launch_finish() and sev_snp_launch_finish() could be called multiple times
when the confidential guest is being reset/rebooted. The migration
blockers should not be added multiple times, once per invocation. This change
makes sure that the migration blockers are added only one time by adding the
migration blockers to the vm state change handler when the vm transitions to
the running state. Subsequent reboots do not change the state of the vm.

Reviewed-by: Prasad Pandit <[email protected]>
Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 1b4573f538837aca7638c9a57f5808f935bd1c65
      
https://github.com/qemu/qemu/commit/1b4573f538837aca7638c9a57f5808f935bd1c65
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/sev.c

  Log Message:
  -----------
  i386/sev: add notifiers only once

The various notifiers that are used need to be installed only once, not on
every initialization. This includes the vm state change notifier and others.
This change uses 'cgs->ready' flag to install the notifiers only one time,
the first time.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 99d50e32c7b5b318a561ead10dd4bf86528cab5e
      
https://github.com/qemu/qemu/commit/99d50e32c7b5b318a561ead10dd4bf86528cab5e
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/sev.c

  Log Message:
  -----------
  i386/sev: free existing launch update data and kernel hashes data on init

If there is existing launch update data and kernel hashes data, they need to be
freed when initialization code is executed. This is important for resettable
confidential guests where the initialization happens once every reset.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: ec9bafd2ea9d12cdd607c12fbb3084e34ea40099
      
https://github.com/qemu/qemu/commit/ec9bafd2ea9d12cdd607c12fbb3084e34ea40099
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/sev.c
    M target/i386/trace-events

  Log Message:
  -----------
  i386/sev: add support for confidential guest reset

When the KVM VM file descriptor changes as a part of the confidential guest
reset mechanism, it is necessary to create a new confidential guest context and
re-encrypt the VM memory. This happens for SEV-ES and SEV-SNP virtual machines
as a part of SEV_LAUNCH_FINISH, SEV_SNP_LAUNCH_FINISH operations.

A new resettable interface for SEV module has been added. A new reset callback
for the reset 'exit' state has been implemented to perform the above operations
when the VM file descriptor has changed during VM reset.

Tracepoints have also been added for tracing purposes.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 668c8abd8f9c83061180b5488d1129f61456a65a
      
https://github.com/qemu/qemu/commit/668c8abd8f9c83061180b5488d1129f61456a65a
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M hw/vfio/helpers.c

  Log Message:
  -----------
  hw/vfio: generate new file fd for pseudo device and rebind existing descriptors

Normally the vfio pseudo device file descriptor lives for the life of the VM.
However, when the kvm VM file descriptor changes, a new file descriptor
for the pseudo device needs to be generated against the new kvm VM descriptor.
Other existing vfio descriptors need to be reattached to the new pseudo device
descriptor. This change performs the above steps.

Tested-by: Cédric Le Goater <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 815f0e916b059ee195c96d6df926bdd1d627afe0
      
https://github.com/qemu/qemu/commit/815f0e916b059ee195c96d6df926bdd1d627afe0
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M hw/i386/kvm/i8254.c

  Log Message:
  -----------
  kvm/i8254: refactor pit initialization into a helper

The initialization code will be used again by VM file descriptor change
notifier callback in a subsequent change. So refactor common code into a new
helper function.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 06fd6ae04444530f5117df5d77ba9d12b70c58ba
      
https://github.com/qemu/qemu/commit/06fd6ae04444530f5117df5d77ba9d12b70c58ba
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M hw/i386/kvm/i8254.c
    M hw/i386/kvm/trace-events

  Log Message:
  -----------
  kvm/i8254: add support for confidential guest reset

A confidential guest reset involves closing the old virtual machine KVM file
descriptor and opening a new one. Since it's a new KVM fd, PIT needs to be
re-initialized again. This is done with the help of a notifier which is invoked
upon KVM vm file descriptor change during the confidential guest reset process.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: c4cf32fc63f1879232e4a692e5208b705cec49f0
      
https://github.com/qemu/qemu/commit/c4cf32fc63f1879232e4a692e5208b705cec49f0
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/kvm/kvm.c

  Log Message:
  -----------
  kvm/hyperv: add synic feature to CPU only if it's not enabled

We need to make sure that synic CPU feature is not already enabled. If it is,
trying to enable it again will result in the following assertion:

Unexpected error in object_property_try_add() at ../qom/object.c:1268:
qemu-system-x86_64: attempt to add duplicate property 'synic' to object (type 'host-x86_64-cpu')

So enable synic only if it's not enabled already.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: b6fde55342d16653ae48113a56792809d667e2e1
      
https://github.com/qemu/qemu/commit/b6fde55342d16653ae48113a56792809d667e2e1
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M hw/hyperv/trace-events
    M hw/hyperv/vmbus.c

  Log Message:
  -----------
  hw/hyperv/vmbus: add support for confidential guest reset

On confidential guests when the KVM virtual machine file descriptor changes as
a part of the reset process, event file descriptors need to be reassociated
with the new KVM VM file descriptor. This is achieved with the help of a
callback handler that gets called when KVM VM file descriptor changes during
the confidential guest reset process.

This patch is tested on non-confidential platform only.

Acked-by: Maciej S. Szmigiero <[email protected]>
Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 5e14320daccf54efad4b8fdbc9e5ab82b6e3d44e
      
https://github.com/qemu/qemu/commit/5e14320daccf54efad4b8fdbc9e5ab82b6e3d44e
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/kvm/xen-emu.c

  Log Message:
  -----------
  kvm/xen-emu: re-initialize capabilities during confidential guest reset

On confidential guests, the KVM virtual machine file descriptor changes as a
part of the guest reset process. Xen capabilities need to be re-initialized in
KVM against the new file descriptor.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: c320bd40f7cddc2a755ad3eac4ee2088a7d466cd
      
https://github.com/qemu/qemu/commit/c320bd40f7cddc2a755ad3eac4ee2088a7d466cd
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M hw/intc/openpic_kvm.c

  Log Message:
  -----------
  ppc/openpic: create a new openpic device and reattach mem region on coco reset

For confidential guests during the reset process, the old KVM VM file
descriptor is closed and a new one is created. When a new file descriptor is
created, a new openpic device needs to be created against this new KVM VM file
descriptor as well. Additionally, existing memory region needs to be reattached
to this new openpic device and proper CPU attributes set associating new file
descriptor. This change makes this happen with the help of a callback handler
that gets called when the KVM VM file descriptor changes as a part of the
confidential guest reset process.

Reviewed-by: Bernhard Beschow <[email protected]>
Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 956200b180001b0ea46c9684dda1b6c36212cf87
      
https://github.com/qemu/qemu/commit/956200b180001b0ea46c9684dda1b6c36212cf87
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M accel/kvm/kvm-all.c
    M accel/stubs/kvm-stub.c
    M include/system/kvm.h

  Log Message:
  -----------
  kvm/vcpu: add notifiers to inform vcpu file descriptor change

When new vcpu file descriptors are created and bound to the new kvm file
descriptor as a part of the confidential guest reset mechanism, various
subsystems need to know about it. This change adds notifiers so that various
subsystems can take appropriate actions when vcpu fds change by registering
their handlers to this notifier.
Subsequent changes will register specific handlers to this notifier.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 18d55d0f66e2ff2881064a6c30bf8a02589b68b3
      
https://github.com/qemu/qemu/commit/18d55d0f66e2ff2881064a6c30bf8a02589b68b3
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M hw/i386/kvm/clock.c

  Log Message:
  -----------
  kvm/clock: add support for confidential guest reset

Confidential guests change the KVM VM file descriptor upon reset and also create
new VCPU file descriptors against the new KVM VM file descriptor. We need to
save the clock state from kvm before KVM VM file descriptor changes and restore
it after. Also after VCPU file descriptors changed, we must call
KVM_KVMCLOCK_CTRL on the VCPU file descriptor to inform KVM that the VCPU is
in paused state.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: e76c30bb13ecb9dc716fa629954bfb6253056ce2
      
https://github.com/qemu/qemu/commit/e76c30bb13ecb9dc716fa629954bfb6253056ce2
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M hw/core/machine.c
    M include/hw/core/boards.h
    M system/runstate.c

  Log Message:
  -----------
  hw/machine: introduce machine specific option 'x-change-vmfd-on-reset'

A new machine specific option 'x-change-vmfd-on-reset' is introduced for
debugging and testing only (hence the 'x-' prefix). This option when enabled
will force KVM VM file descriptor to be changed upon guest reset like
in the case of confidential guests. This can be used to exercise the code
changes that are specific for confidential guests on non-confidential
guests as well (except changes that require hardware support for
confidential guests).
A new functional test has been added in the next patch that uses this new
parameter to test the VM file descriptor changes.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: da4ba40695beb4df4907b9ce7e88a8beb8dc9c37
      
https://github.com/qemu/qemu/commit/da4ba40695beb4df4907b9ce7e88a8beb8dc9c37
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M MAINTAINERS
    M tests/functional/x86_64/meson.build
    A tests/functional/x86_64/test_rebuild_vmfd.py

  Log Message:
  -----------
  tests/functional/x86_64: add functional test to exercise vm fd change on reset

A new functional test is added that exercises the code changes related to
closing of the old KVM VM file descriptor and opening a new one upon VM reset.
This normally happens when confidential guests are reset but for
non-confidential guests, we use a special machine specific debug/test parameter
'x-change-vmfd-on-reset' to enable this behavior.
Only specific code changes related to re-initialisation of SEV-ES, SEV-SNP and
TDX platforms are not exercised in this test as they require hardware that
supports running confidential guests.

Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: a9b328611143d2a14b287cf2916dacb82e58ef74
      
https://github.com/qemu/qemu/commit/a9b328611143d2a14b287cf2916dacb82e58ef74
  Author: Ani Sinha <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M qapi/qom.json

  Log Message:
  -----------
  qom: add 'confidential-guest-reset' property for x86 confidential vms

Through the new 'confidential-guest-reset' property, the control plane should
be able to detect if the hypervisor supports x86 confidential guest resets.
Older hypervisors that do not support resets will not have this property
populated.

Suggested-by: Daniel P. Berrangé <[email protected]>
Reviewed-by: Markus Armbruster <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Ani Sinha <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 9b12aeda033a531cc2725fedb156b5f51d4c7294
      
https://github.com/qemu/qemu/commit/9b12aeda033a531cc2725fedb156b5f51d4c7294
  Author: Marc-André Lureau <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M audio/audio-mixeng-be.c

  Log Message:
  -----------
  audio: fix nominal volume channel (cosmetic)

Signed-off-by: Marc-André Lureau <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 61fb8ca023d7cdfdebbcec2c4d9cb15b41467c08
      
https://github.com/qemu/qemu/commit/61fb8ca023d7cdfdebbcec2c4d9cb15b41467c08
  Author: Marc-André Lureau <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    R python/wheels/meson-1.9.0-py3-none-any.whl

  Log Message:
  -----------
  python/wheel: remove meson-1.9.0

Leftover from commit 8c04b6a48b15a478ff3f9d152592a0ba503a31e4.

Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Thomas Huth <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: f08abbae621a9ca239091fe7afad18faad8747c3
      
https://github.com/qemu/qemu/commit/f08abbae621a9ca239091fe7afad18faad8747c3
  Author: Marc-André Lureau <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M python/scripts/vendor.py

  Log Message:
  -----------
  scripts/vendor.py: add pycotap

Related to commit 5ec1eec11000ef118b2a87c330245ffaa475f5ee ("python:
Install pycotap in our venv if necessary")

Signed-off-by: Marc-André Lureau <[email protected]>
Reviewed-by: Thomas Huth <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 2168afd96c10c57def638d99074c87f901ff893b
      
https://github.com/qemu/qemu/commit/2168afd96c10c57def638d99074c87f901ff893b
  Author: Marc-André Lureau <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M audio/paaudio.c
    M meson.build

  Log Message:
  -----------
  audio: require pulse >= 0.9.13

pulseaudio 0.9.13 was released on 2009-09-10. All our supported
distros have it.

PA_*_IS_GOOD are from 0.9.11.

Signed-off-by: Marc-André Lureau <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 727451eadb8e16d4437489c7329eac7ad894c3ad
      
https://github.com/qemu/qemu/commit/727451eadb8e16d4437489c7329eac7ad894c3ad
  Author: Marc-André Lureau <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M audio/spiceaudio.c

  Log Message:
  -----------
  audio: require spice >= 0.15

Spice server 0.15.0 was released on 2021-04-16. It is part of all our
supported distros (except CentOS 9, which doesn't include it).

It has all the new required audio APIs/interfaces.

Signed-off-by: Marc-André Lureau <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 1df5a9be657c619edefe152ebc60ce70640feef8
      
https://github.com/qemu/qemu/commit/1df5a9be657c619edefe152ebc60ce70640feef8
  Author: Marc-André Lureau <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M meson.build
    M ui/vdagent.c

  Log Message:
  -----------
  ui: drop spice-protocol < 0.14.3 support

According to repology, all our supported distributions have 0.14.3.

Signed-off-by: Marc-André Lureau <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 062acfffe5c07940ec0c419d7e353b46c0514c92
      
https://github.com/qemu/qemu/commit/062acfffe5c07940ec0c419d7e353b46c0514c92
  Author: John Snow <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M rust/Cargo.toml
    M rust/hw/core/src/qdev.rs

  Log Message:
  -----------
  rust: use checked_div to make clippy happy

When upgrading from Fedora 41 to Fedora 43 for CI tests, clippy begins
complaining about not using checked_div instead of manually checking
divisors. Make clippy happy and use checked_div() instead.

Signed-off-by: John Snow <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 5dacb3b8fab99f8b4ed52b8d0334ff4547a01ab5
      
https://github.com/qemu/qemu/commit/5dacb3b8fab99f8b4ed52b8d0334ff4547a01ab5
  Author: myrslint <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M accel/kvm/kvm-all.c
    M include/system/kvm_int.h
    M target/i386/kvm/kvm.c

  Log Message:
  -----------
  KVM: i386: Default disable ignore guest PAT quirk

Add a new accelerator option that allows the guest to adjust the PAT.
This is already the case for TDX guests and allows using virtio-gpu
Venus with RADV or NVIDIA drivers.

The quirk is disabled by default.  Since this caused problems with
Linux's Bochs video device driver, add a knob to leave it enabled,
and for now do not enable it by default.

Signed-off-by: Myrsky Lintu <[email protected]>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2943
Link: https://lore.kernel.org/r/[email protected]
[Add property; for now leave it off by default. - Paolo]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: fc15a4c38472ff5216fd4970d3e19d10a3601637
      
https://github.com/qemu/qemu/commit/fc15a4c38472ff5216fd4970d3e19d10a3601637
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: x86: remove inaccurate comment

WHvRunVpExitReasonX64Halt _is_ triggered on halt with kernel-irqchip=off as of
Windows 11 version 25H2.

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: ca7a6add3bd20267f124ea8bed4391da8ee8e253
      
https://github.com/qemu/qemu/commit/ca7a6add3bd20267f124ea8bed4391da8ee8e253
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: x86: kick out of HLT manually when using the kernel-irqchip

Otherwise, interrupts processed through the cancel vCPU and inject path will
not cause the vCPU to go out of its halt state.

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 69dfc078a6f03ce643e050de6360887df6c3406c
      
https://github.com/qemu/qemu/commit/69dfc078a6f03ce643e050de6360887df6c3406c
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M hw/i386/vapic.c

  Log Message:
  -----------
  hw: i386: vapic: enable on WHPX with user-mode irqchip

Alleviate a performance bottleneck on legacy Windows guests.

In my test setup, this makes Windows XP boot times be 20x faster
than they're otherwise.

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 284c01f76e86630577bbc90cea702a4b6575d458
      
https://github.com/qemu/qemu/commit/284c01f76e86630577bbc90cea702a4b6575d458
  Author: Akihiko Odaki <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M target/alpha/cpu.c

  Log Message:
  -----------
  target/alpha: Reset CPU

alpha_cpu_realizefn() did not properly call cpu_reset(), which
corrupted icount. Add the missing function call to fix icount.

Signed-off-by: Akihiko Odaki <[email protected]>
Tested-by: Thomas Huth <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 649a78aa324dd339fe9396bbb35d1f333329fa43
      
https://github.com/qemu/qemu/commit/649a78aa324dd339fe9396bbb35d1f333329fa43
  Author: Akihiko Odaki <[email protected]>
  Date:   2026-02-27 (Fri, 27 Feb 2026)

  Changed paths:
    M util/rcu.c

  Log Message:
  -----------
  Reapply "rcu: Unify force quiescent state"

This reverts commit ddb4d9d1748681cfde824d765af6cda4334fcce3.

The commit says:
> This reverts commit 55d98e3edeeb17dd8445db27605d2b34f4c3ba85.
>
> The commit introduced a regression in the replay functional test
> on alpha (tests/functional/alpha/test_replay.py), that causes CI
> failures regularly. Thus revert this change until someone has
> figured out what is going wrong here.

Reapply the change as alpha is fixed.

Signed-off-by: Akihiko Odaki <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: bfff4b2ae5452463ab8c14b4a8a020288b5ff5d8
      
https://github.com/qemu/qemu/commit/bfff4b2ae5452463ab8c14b4a8a020288b5ff5d8
  Author: Jon Kohler <[email protected]>
  Date:   2026-03-01 (Sun, 01 Mar 2026)

  Changed paths:
    M target/i386/cpu.c
    M target/i386/cpu.h

  Log Message:
  -----------
  target/i386: Add VMX_SECONDARY_EXEC_MODE_BASED_EPT_EXEC

Enumerate ability to enable Intel Mode-Based Execute Control (MBEC)
on secondary execution control bit 22.

Intel MBEC is a hardware feature, introduced in the Kabylake
generation, that allows for more granular control over execution
permissions. MBEC enables the separation and tracking of execution
permissions for supervisor (kernel) and user-mode code. It is used as
an accelerator for Microsoft's Memory Integrity [1] (also known as
hypervisor-protected code integrity or HVCI).

[1] https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity

Code is mirrored here:
https://github.com/JonKohler/linux/tree/mbec-v1-6.18
https://github.com/JonKohler/kvm-unit-tests/tree/mbec-v1

LKML thread(s) are here:
Original RFC: https://lore.kernel.org/all/[email protected]/
V1 code: https://lore.kernel.org/all/[email protected]/
KVM unit test changes: https://lore.kernel.org/all/[email protected]/

Cc: Xiaoyao Li <[email protected]>
Cc: Zhao Liu <[email protected]>
Co-authored-by: Jon Kohler <[email protected]>
Co-authored-by: Aditya Desai <[email protected]>
Signed-off-by: Jon Kohler <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: cf5dc5d019d8662ed9abe7b128b8dc3836b55b41
      
https://github.com/qemu/qemu/commit/cf5dc5d019d8662ed9abe7b128b8dc3836b55b41
  Author: Jon Kohler <[email protected]>
  Date:   2026-03-01 (Sun, 01 Mar 2026)

  Changed paths:
    M target/i386/cpu.h

  Log Message:
  -----------
  target/i386: Add MSR_IA32_ARCH_CAPABILITIES ITS_NO

Add bit definition for Indirect Target Selection (ITS_NO) bit 62, to
allow ITS_NO to be added directly to a CPU model in the future.

Cc: Pawan Gupta <[email protected]>
Signed-off-by: Jon Kohler <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 856cb7bd35c1e79682b4448cb2e8c5f8c2077541
      
https://github.com/qemu/qemu/commit/856cb7bd35c1e79682b4448cb2e8c5f8c2077541
  Author: Jon Kohler <[email protected]>
  Date:   2026-03-01 (Sun, 01 Mar 2026)

  Changed paths:
    M target/i386/cpu.c

  Log Message:
  -----------
  target/i386: introduce SapphireRapids-v6 to expose ITS_NO

Expose ITS_NO by default, as users using Sapphire Rapids and higher
CPU models would not be able to live migrate to lower CPU hosts due to
missing features. In that case, they would not be vulnerable to ITS.

its-no was originally added on [1], but needs to be exposed on the
individual CPU models for the guests to see by default.

[1] 74978391b2da ("target/i386: Make ITS_NO available to guests")

Cc: Pawan Gupta <[email protected]>
Signed-off-by: Jon Kohler <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: b40be41f37e15603059e6acd656dd335ca93f696
      
https://github.com/qemu/qemu/commit/b40be41f37e15603059e6acd656dd335ca93f696
  Author: Jon Kohler <[email protected]>
  Date:   2026-03-01 (Sun, 01 Mar 2026)

  Changed paths:
    M target/i386/cpu.c

  Log Message:
  -----------
  target/i386: introduce GraniteRapids-v5 to expose ITS_NO

Expose ITS_NO by default, as users using Granite Rapids and higher
CPU models would not be able to live migrate to lower CPU hosts due to
missing features. In that case, they would not be vulnerable to ITS.

its-no was originally added on [1], but needs to be exposed on the
individual CPU models for the guests to see by default.

[1] 74978391b2da ("target/i386: Make ITS_NO available to guests")

Cc: Pawan Gupta <[email protected]>
Signed-off-by: Jon Kohler <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: c63bbb7a400cc903b35a7a12e9a3628fc6173fd5
      
https://github.com/qemu/qemu/commit/c63bbb7a400cc903b35a7a12e9a3628fc6173fd5
  Author: Jon Kohler <[email protected]>
  Date:   2026-03-01 (Sun, 01 Mar 2026)

  Changed paths:
    M target/i386/cpu.c

  Log Message:
  -----------
  target/i386: introduce SierraForest-v5 to expose ITS_NO

Expose ITS_NO by default, as users using Sierra Forest and higher
CPU models would not be able to live migrate to lower CPU hosts due to
missing features. In that case, they would not be vulnerable to ITS.

its-no was originally added on [1], but needs to be exposed on the
individual CPU models for the guests to see by default.

Note: For SRF, version 2 already exposed BHI_CTRL, which would already
mark the CPU as invulnerable to ITS (at least in Linux); however,
expose ITS_NO for completeness.

[1] 74978391b2da ("target/i386: Make ITS_NO available to guests")

Cc: Pawan Gupta <[email protected]>
Signed-off-by: Jon Kohler <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 364d7890c6f56352d184bc58203d5e0e6b537a58
      
https://github.com/qemu/qemu/commit/364d7890c6f56352d184bc58203d5e0e6b537a58
  Author: Jon Kohler <[email protected]>
  Date:   2026-03-01 (Sun, 01 Mar 2026)

  Changed paths:
    M target/i386/cpu.c

  Log Message:
  -----------
  target/i386: introduce ClearwaterForest-v3 to expose ITS_NO

Expose ITS_NO by default, as users using Clearwater Forest and higher
CPU models would not be able to live migrate to lower CPU hosts due to
missing features. In that case, they would not be vulnerable to ITS.

its-no was originally added on [1], but needs to be exposed on the
individual CPU models for the guests to see by default.

Note: Version 1 already exposes ARCH_CAP_BHI_NO, which would already
mark the CPU as invulnerable to ITS (at least in Linux); however,
expose ITS_NO for completeness.

[1] 74978391b2da ("target/i386: Make ITS_NO available to guests")

Cc: Pawan Gupta <[email protected]>
Signed-off-by: Jon Kohler <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
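
For the two things this push makes visible to management software, the
'confidential-guest-reset' QOM property from the qapi/qom.json commit above
and the its-no flag that the new SapphireRapids-v6, GraniteRapids-v5,
SierraForest-v5 and ClearwaterForest-v3 models expose, the following Python
is an added example of the check a control plane would run over QMP. It is
not QEMU's or this series' own code. It assumes the property lives on the
'sev-guest' and 'tdx-guest' object types (the commit message only says "x86
confidential vms"), relies on the pre-existing qom-list-properties and
query-cpu-model-expansion QMP commands, and every reply in the block is
constructed for offline use, not captured from a real QEMU.

```python
"""Added example (not QEMU code): control-plane checks over QMP for the
'confidential-guest-reset' QOM property and the 'its-no' CPU feature."""
import json
import socket
from typing import Any, Dict, List


class QmpError(RuntimeError):
    """QEMU answered a command with an {"error": ...} reply."""


class QmpClient:
    """Minimal QMP client: read greeting, send qmp_capabilities, then execute()."""

    def __init__(self, sock: Any) -> None:
        # 'sock' only needs sendall()/recv(): a real AF_UNIX socket in use,
        # the scripted FakeSock below when run offline.
        self.sock = sock
        self.buf = b""
        greeting = self._read()
        if "QMP" not in greeting:
            raise RuntimeError("not a QMP greeting: %r" % (greeting,))
        self.execute("qmp_capabilities")

    def _read(self) -> Dict[str, Any]:
        # QMP is newline-delimited JSON; asynchronous events may be
        # interleaved with replies, so buffer and skip anything with "event".
        while True:
            while b"\n" not in self.buf:
                chunk = self.sock.recv(4096)
                if not chunk:
                    raise ConnectionError("QMP peer closed the connection")
                self.buf += chunk
            line, _, self.buf = self.buf.partition(b"\n")
            msg = json.loads(line)
            if "event" not in msg:
                return msg

    def execute(self, cmd: str, **args: Any) -> Any:
        req: Dict[str, Any] = {"execute": cmd}
        if args:
            req["arguments"] = args
        self.sock.sendall(json.dumps(req).encode() + b"\n")
        resp = self._read()
        if "error" in resp:
            raise QmpError("%s: %s" % (cmd, resp["error"].get("desc", resp["error"])))
        return resp["return"]


def supports_confidential_guest_reset(qmp: QmpClient, typename: str) -> bool:
    """True if the confidential-guest object type carries the new property.
    An older hypervisor does not populate it, and a build without that guest
    type rejects the query; both mean reset is not supported."""
    try:
        props = qmp.execute("qom-list-properties", typename=typename)
    except QmpError:
        return False
    return any(p["name"] == "confidential-guest-reset" for p in props)


def model_exposes_its_no(qmp: QmpClient, model: str) -> bool:
    """True if the fully expanded CPU model sets its-no, i.e. a guest on this
    model reports itself as not vulnerable to ITS."""
    ret = qmp.execute("query-cpu-model-expansion", type="full",
                      model={"name": model})
    return bool(ret["model"]["props"].get("its-no", False))


def connect(path: str) -> QmpClient:
    """Connect to a QEMU started with -qmp unix:<path>,server=on,wait=off."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(path)
    return QmpClient(s)


class FakeSock:
    """Scripted peer for running the checks offline (constructed replies)."""

    def __init__(self, replies: List[bytes]) -> None:
        self.replies = list(replies)

    def sendall(self, data: bytes) -> None:
        json.loads(data)  # request must at least be valid JSON

    def recv(self, _n: int) -> bytes:
        return self.replies.pop(0) if self.replies else b""


# Constructed replies (not captured from a real QEMU), in the order the
# client consumes them. The third chunk is two messages: an event in front
# of the reply, to show that _read() skips it. The 'tdx-guest' error models
# a build without that guest type.
SCRIPTED_REPLIES: List[bytes] = [
    b'{"QMP": {"version": {"qemu": {"major": 11, "minor": 0, "micro": 0}}, "capabilities": ["oob"]}}\n',
    b'{"return": {}}\n',
    b'{"event": "RESUME", "timestamp": {"seconds": 1, "microseconds": 0}}\n'
    b'{"return": [{"name": "confidential-guest-reset", "type": "bool"}]}\n',
    b'{"error": {"class": "GenericError", "desc": "Class \'tdx-guest\' not found"}}\n',
    b'{"return": {"model": {"name": "base", "props": {"its-no": true}}}}\n',
    b'{"return": {"model": {"name": "base", "props": {"its-no": false}}}}\n',
]


def demo() -> Dict[str, bool]:
    """Run the four checks against the scripted peer; swap in connect(path) for real use."""
    qmp = QmpClient(FakeSock(SCRIPTED_REPLIES))
    return {
        "sev-guest reset": supports_confidential_guest_reset(qmp, "sev-guest"),
        "tdx-guest reset": supports_confidential_guest_reset(qmp, "tdx-guest"),
        "SapphireRapids-v6 its-no": model_exposes_its_no(qmp, "SapphireRapids-v6"),
        "SapphireRapids-v5 its-no": model_exposes_its_no(qmp, "SapphireRapids-v5"),
    }
```

The property check treats both "property absent" and "object type unknown"
as "no reset support", which is the conservative answer a control plane
wants before it tries to reset a confidential guest. The its-no check uses a
full model expansion rather than the model name, because the flag is what the
guest sees and what decides whether it can be live-migrated to a host that
does not report ITS_NO.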


  Commit: 3588d68bc8da44639405ad8d9a0fc3bb94611ca3
      
https://github.com/qemu/qemu/commit/3588d68bc8da44639405ad8d9a0fc3bb94611ca3
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-01 (Sun, 01 Mar 2026)

  Changed paths:
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: i386: move whpx_vcpu_kick_out_of_hlt() invocation to interrupt raise time

This fixes the sti followed by hlt kvm_unit_tests.

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 8b87283ce4c58cb2da64be4690711205d137eb3c
      
https://github.com/qemu/qemu/commit/8b87283ce4c58cb2da64be4690711205d137eb3c
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-01 (Sun, 01 Mar 2026)

  Changed paths:
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: i386: enable all supported host features

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 8022c62878f9199f2f436f8058ad5504bbeca8ff
      
https://github.com/qemu/qemu/commit/8022c62878f9199f2f436f8058ad5504bbeca8ff
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-01 (Sun, 01 Mar 2026)

  Changed paths:
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: i386: enable synthetic processor features

At the point in time in which we setup the partition, the vCPUs
aren't available yet.

So enable them by default for now like what the MSHV backend does.

AccessFrequencyRegs is shared for both the LAPIC frequency reporting and the
TSC frequency.

To still benefit from the fixed TSC frequency reporting when
kernel-irqchip=off, still enable AccessFrequencyRegs anyway.

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 3f7e6348b071c6384e00f45462d75b7a74ee9c05
      
https://github.com/qemu/qemu/commit/3f7e6348b071c6384e00f45462d75b7a74ee9c05
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-01 (Sun, 01 Mar 2026)

  Changed paths:
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: i386: warn on unsupported MSR access instead of failing silently

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 7f7e797737eb1965bdf2260d10e6819a3998d28d
      
https://github.com/qemu/qemu/commit/7f7e797737eb1965bdf2260d10e6819a3998d28d
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-01 (Sun, 01 Mar 2026)

  Changed paths:
    M target/i386/emulate/x86_emu.c
    M target/i386/emulate/x86_flags.c
    M target/i386/emulate/x86_flags.h

  Log Message:
  -----------
  target/i386: emulate: more 64-bit register handling

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: eb3eaf882edc64f6e1bf20a504b6dde1f5f027f0
      
https://github.com/qemu/qemu/commit/eb3eaf882edc64f6e1bf20a504b6dde1f5f027f0
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-01 (Sun, 01 Mar 2026)

  Changed paths:
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: i386: enable PMU

Also a partition property instead of a CPU one...

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: f2875e19d207de13b3308d859bb3cbb687f05d3c
      
https://github.com/qemu/qemu/commit/f2875e19d207de13b3308d859bb3cbb687f05d3c
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-01 (Sun, 01 Mar 2026)

  Changed paths:
    M target/i386/whpx/whpx-all.c

  Log Message:
  -----------
  whpx: i386: expose HV_X64_MSR_APIC_FREQUENCY when kernel-irqchip=off

Now that we expose AccessFrequencyRegs, expose HV_X64_MSR_APIC_FREQUENCY as
well for the case when the Hyper-V LAPIC is not used.

If the Hyper-V LAPIC is used, this will be handled by the hypervisor instead
of the VMM, hence gating it on !whpx_irqchip_in_kernel().

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 5a0f9481b0cf344c4437515b596e4ecf57ccc30f
      
https://github.com/qemu/qemu/commit/5a0f9481b0cf344c4437515b596e4ecf57ccc30f
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-01 (Sun, 01 Mar 2026)

  Changed paths:
    M target/i386/emulate/x86_emu.c

  Log Message:
  -----------
  target/i386: emulate: fix scas

Signed-off-by: Mohamed Mediouni <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>


  Commit: 78c6b6010ce7cfa54874dda514e694640b76f1e4
      
https://github.com/qemu/qemu/commit/78c6b6010ce7cfa54874dda514e694640b76f1e4
  Author: Peter Maydell <[email protected]>
  Date:   2026-03-02 (Mon, 02 Mar 2026)

  Changed paths:
    M target/ppc/translate/ppe-impl.c.inc

  Log Message:
  -----------
  target/ppc/translate: Fix TCG debug assert translating CLRBWIBC

The test case in the ppe42 functional test triggers a TCG debug
assertion, which causes the test to fail in an --enable-debug
build or when the sanitizers are enabled:

#6  0x00007ffff4a3b517 in __assert_fail
    (assertion=0x5555562e7589 "!temp_readonly(ots)", file=0x5555562e5b23 
"../../tcg/tcg.c", line=4928, function=0x5555562e8900 <__PRETTY_FUNCTION__.23> 
"tcg_reg_alloc_mov") at ./assert/assert.c:105
#7  0x0000555555cc2189 in tcg_reg_alloc_mov (s=0x7fff60000b70, 
op=0x7fff600126f8) at ../../tcg/tcg.c:4928
#8  0x0000555555cc74e0 in tcg_gen_code (s=0x7fff60000b70, tb=0x7fffa802f540, 
pc_start=4294446080) at ../../tcg/tcg.c:6667
#9  0x0000555555d02abe in setjmp_gen_code
    (env=0x555556cbe610, tb=0x7fffa802f540, pc=4294446080, 
host_pc=0x7fffeea00c00, max_insns=0x7fffee9f9d74, ti=0x7fffee9f9d90)
    at ../../accel/tcg/translate-all.c:257
#10 0x0000555555d02d75 in tb_gen_code (cpu=0x555556cba590, s=...) at 
../../accel/tcg/translate-all.c:325
#11 0x0000555555cf5922 in cpu_exec_loop (cpu=0x555556cba590, sc=0x7fffee9f9ee0) 
at ../../accel/tcg/cpu-exec.c:970
#12 0x0000555555cf5aae in cpu_exec_setjmp (cpu=0x555556cba590, 
sc=0x7fffee9f9ee0) at ../../accel/tcg/cpu-exec.c:1016
#13 0x0000555555cf5b4b in cpu_exec (cpu=0x555556cba590) at 
../../accel/tcg/cpu-exec.c:1042
#14 0x0000555555d1e7ab in tcg_cpu_exec (cpu=0x555556cba590) at 
../../accel/tcg/tcg-accel-ops.c:82
#15 0x0000555555d1ff97 in rr_cpu_thread_fn (arg=0x555556cba590) at 
../../accel/tcg/tcg-accel-ops-rr.c:285
#16 0x00005555561586c9 in qemu_thread_start (args=0x555556ee3c90) at 
../../util/qemu-thread-posix.c:393
#17 0x00007ffff4a9caa4 in start_thread (arg=<optimized out>) at 
./nptl/pthread_create.c:447
#18 0x00007ffff4b29c6c in clone3 () at 
../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

This can be reproduced "by hand":

 ./build/clang/qemu-system-ppc -display none -vga none \
    -machine ppe42_machine -serial stdio \
    -device loader,file=$HOME/.cache/qemu/download/03c1ac0fb7f6c025102a02776a93b35101dae7c14b75e4eab36a337e39042ea8 \
    -device loader,addr=0xfff80040,cpu-num=0

(assuming you have the image file from the functional test
in your local cache).

This happens for this input:

IN:
0xfff80c00:  07436004  .byte    0x07, 0x43, 0x60, 0x04

which generates (among other things):

 not_i32 $0x80000,$0x80000

which the TCG optimization pass turns into:

 mov_i32 $0x80000,$0xfff7ffff             dead: 1  pref=0xffff

and where we then assert because we tried to write to a constant.

This happens for the CLRBWIBC instruction which ends up in
do_mask_branch() with rb_is_gpr false and invert true.  In this case
we will generate code that sets mask to a tcg_constant_tl() but then
uses it as the LHS in tcg_gen_not_tl().

Fix the assertion by doing the invert in the translate time C code
for the "mask is constant" case.

Cc: [email protected]
Fixes: f7ec91c23906 ("target/ppc: Add IBM PPE42 special instructions")
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Harsh Prateek Bora <[email protected]>


  Commit: 2211bb484c9d11c8fc0504dd05d0fdc0b4969218
      
https://github.com/qemu/qemu/commit/2211bb484c9d11c8fc0504dd05d0fdc0b4969218
  Author: Caleb Schlossin <[email protected]>
  Date:   2026-03-02 (Mon, 02 Mar 2026)

  Changed paths:
    M hw/ppc/pnv_xscom.c

  Log Message:
  -----------
  ppc/pnv: Support for SECURITY_SWITCH XSCOM register access

Power Hypervisor code requires access to the SECURITY_SWITCH
XSCOM register at MMIO address 0x80028 (scom address 0x10005).
Adding basic read support for now so that it doesn't cause
error messages to be posted.

Reviewed-by: Chalapathi V <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Aditya Gupta <[email protected]>
Signed-off-by: Glenn Miles <[email protected]>
Signed-off-by: Caleb Schlossin <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Harsh Prateek Bora <[email protected]>


  Commit: 0b74dd1d8054dfff56562ccc6cedc869cebac623
      
https://github.com/qemu/qemu/commit/0b74dd1d8054dfff56562ccc6cedc869cebac623
  Author: Caleb Schlossin <[email protected]>
  Date:   2026-03-02 (Mon, 02 Mar 2026)

  Changed paths:
    M hw/ppc/pnv_occ.c
    M include/hw/ppc/pnv_occ.h

  Log Message:
  -----------
  ppc/pnv: Add OCC FLAG registers

OCCFLG are scratch registers that can be shared with OCC firmware.
Log reads and writes to the registers as a reminder when we run
into more OCC code.

Add RW, WO_CLEAR and WO_OR SCOM Type enums in pnv_occ.c

Reviewed-by: Chalapathi V <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Aditya Gupta <[email protected]>
Signed-off-by: Chalapathi V <[email protected]>
Signed-off-by: Caleb Schlossin <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Harsh Prateek Bora <[email protected]>


  Commit: 8dec25e04e016e02c19cca68deb7ac6afff26cbe
      
https://github.com/qemu/qemu/commit/8dec25e04e016e02c19cca68deb7ac6afff26cbe
  Author: Glenn Miles <[email protected]>
  Date:   2026-03-02 (Mon, 02 Mar 2026)

  Changed paths:
    M MAINTAINERS

  Log Message:
  -----------
  MAINTAINERS: Add self as reviewer for PowerPC TCG

Added myself as a reviewer for PowerPC TCG

Signed-off-by: Glenn Miles <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Harsh Prateek Bora <[email protected]>


  Commit: 0aac79bd790148a6ee597225a9762a036a454b06
      
https://github.com/qemu/qemu/commit/0aac79bd790148a6ee597225a9762a036a454b06
  Author: Peter Maydell <[email protected]>
  Date:   2026-03-02 (Mon, 02 Mar 2026)

  Changed paths:
    M MAINTAINERS
    M hw/ppc/pnv_occ.c
    M hw/ppc/pnv_xscom.c
    M include/hw/ppc/pnv_occ.h
    M target/ppc/translate/ppe-impl.c.inc

  Log Message:
  -----------
  Merge tag 'pull-ppc-for-11.0-20260302' of https://gitlab.com/harshpb/qemu into staging

ppc queue for 11.0

- Fix TCG debug assert translating CLRBWIBC
- Misc Power10 PowerVM bringup fixes
- MAINTAINERS: Add Glenn as PPC TCG Reviewer.

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEa4EM1tK+EPOIPSFCRUTplPnWj7sFAmmlLJAACgkQRUTplPnW
# j7t5yg//S6Ch3ipR0gt13Q4/Hpseila6NADPaU+ASDcRNaWgJCjc+a6jW8xN6m5D
# myfms5vcbNdRLvDNdLYqNhtEjVqJgsbvb7jaFDK+Ny1vJDPRHZK4QIlsx5fWSteL
# fefWgfAu0ce70MQNY6zIsy/a6ORz6g+fTEv6XWsfZEdvlxow4BsClfnDcQw6vu5B
# YLi9FY50Kk7BxQ2gfFbAAPqCU9XSmjSObCANil9qiGl81lLG7VqIflSBEdQ6NWa1
# hJpUUoSEq+BzLtrVLTswb0/EnG2HATHyExRG5jy+oycuB8hKtZIV7g6zAdMBibrk
# EBAAU7MoH/dzcf5XDtrWEFzRm3yXHorMEIxejt51ss/7s6XaiDOciViOR2OEPOxY
# pzJ+8K8wRCxrM9tE2ZHZhmscz7Dns9nU0T5TrJ0NExUe8sB9A19nOQCSJsdNaWSl
# 4AXsevm0lqkoUCBgd+6ZHPgSSoheNW4DXuGr7dvaQiDY9xUw8lvAeG1WIVa2W0il
# GAGECZ4Da5e1bLlpSw8ALvINLL+/OjzpL8d//QQOTE7xoF/5SgGUAI/w7OJJXYtX
# vdvzAE9Dk2EMo0juRU9yLKiy7fjz+Ecp6wV74t9r18ZjzkD286+6nAOaXjvFH35i
# c3UMUPdVYRNRjVdFxKw8B/CJ22aWauz8z9X+fFwnqKYH7YLLUZ8=
# =AkZY
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon Mar  2 06:22:08 2026 GMT
# gpg:                using RSA key 6B810CD6D2BE10F3883D21424544E994F9D68FBB
# gpg: Good signature from "Harsh Prateek Bora <[email protected]>" [full]
# gpg:                 aka "Harsh Prateek Bora <[email protected]>" [full]
# Primary key fingerprint: 6B81 0CD6 D2BE 10F3 883D  2142 4544 E994 F9D6 8FBB

* tag 'pull-ppc-for-11.0-20260302' of https://gitlab.com/harshpb/qemu:
  MAINTAINERS: Add self as reviewer for PowerPC TCG
  ppc/pnv: Add OCC FLAG registers
  ppc/pnv: Support for SECURITY_SWITCH XSCOM register access
  target/ppc/translate: Fix TCG debug assert translating CLRBWIBC

Signed-off-by: Peter Maydell <[email protected]>


  Commit: 333aaa55f051977cc897fb71e0a9ed52bb00a675
      
https://github.com/qemu/qemu/commit/333aaa55f051977cc897fb71e0a9ed52bb00a675
  Author: Peter Maydell <[email protected]>
  Date:   2026-03-02 (Mon, 02 Mar 2026)

  Changed paths:
    M MAINTAINERS
    M accel/Kconfig
    M accel/kvm/kvm-all.c
    M accel/kvm/trace-events
    M accel/meson.build
    A accel/nitro/meson.build
    A accel/nitro/nitro-accel.c
    A accel/nitro/trace-events
    A accel/nitro/trace.h
    M accel/stubs/kvm-stub.c
    M accel/stubs/meson.build
    A accel/stubs/nitro-stub.c
    M accel/whpx/whpx-accel-ops.c
    M accel/whpx/whpx-common.c
    M audio/audio-mixeng-be.c
    M audio/paaudio.c
    M audio/spiceaudio.c
    M docs/system/confidential-guest-support.rst
    M docs/system/index.rst
    A docs/system/nitro.rst
    M hw/Kconfig
    M hw/core/eif.c
    M hw/core/eif.h
    M hw/core/machine.c
    M hw/hyperv/trace-events
    M hw/hyperv/vmbus.c
    M hw/i386/kvm/clock.c
    M hw/i386/kvm/i8254.c
    M hw/i386/kvm/trace-events
    M hw/i386/vapic.c
    M hw/i386/vmmouse.c
    M hw/i386/x86-common.c
    M hw/intc/openpic_kvm.c
    M hw/meson.build
    A hw/nitro/Kconfig
    A hw/nitro/heartbeat.c
    A hw/nitro/machine.c
    A hw/nitro/meson.build
    A hw/nitro/nitro-vsock-bus.c
    A hw/nitro/serial-vsock.c
    A hw/nitro/trace-events
    A hw/nitro/trace.h
    M hw/vfio/helpers.c
    M include/accel/accel-ops.h
    M include/hw/core/boards.h
    M include/hw/i386/x86.h
    A include/hw/nitro/heartbeat.h
    A include/hw/nitro/machine.h
    A include/hw/nitro/nitro-vsock-bus.h
    A include/hw/nitro/serial-vsock.h
    A include/standard-headers/linux/nitro_enclaves.h
    M include/system/confidential-guest-support.h
    M include/system/hw_accel.h
    M include/system/kvm.h
    M include/system/kvm_int.h
    A include/system/nitro-accel.h
    M include/system/physmem.h
    M include/system/whpx-accel-ops.h
    M include/system/whpx-all.h
    M include/system/whpx-common.h
    M include/system/whpx-internal.h
    M meson.build
    M meson_options.txt
    M python/scripts/vendor.py
    R python/wheels/meson-1.9.0-py3-none-any.whl
    M qapi/qom.json
    M qemu-options.hx
    M rust/Cargo.toml
    M rust/hw/core/src/qdev.rs
    M scripts/meson-buildoptions.sh
    M scripts/update-linux-headers.sh
    A stubs/kvm.c
    M stubs/meson.build
    M system/physmem.c
    M system/runstate.c
    M target/alpha/cpu.c
    M target/arm/cpu64.c
    M target/arm/whpx/whpx-all.c
    M target/i386/cpu.c
    M target/i386/cpu.h
    M target/i386/emulate/meson.build
    M target/i386/emulate/x86.h
    M target/i386/emulate/x86_decode.c
    M target/i386/emulate/x86_emu.c
    M target/i386/emulate/x86_emu.h
    M target/i386/emulate/x86_flags.c
    M target/i386/emulate/x86_flags.h
    A target/i386/emulate/x86_helpers.c
    A target/i386/emulate/x86_mmu.c
    A target/i386/emulate/x86_mmu.h
    M target/i386/hvf/hvf.c
    M target/i386/hvf/meson.build
    M target/i386/hvf/x86.c
    R target/i386/hvf/x86_mmu.c
    R target/i386/hvf/x86_mmu.h
    M target/i386/hvf/x86_task.c
    M target/i386/kvm/kvm.c
    M target/i386/kvm/tdx.c
    M target/i386/kvm/tdx.h
    M target/i386/kvm/trace-events
    M target/i386/kvm/xen-emu.c
    M target/i386/mshv/meson.build
    M target/i386/mshv/mshv-cpu.c
    R target/i386/mshv/x86.c
    M target/i386/sev.c
    M target/i386/trace-events
    M target/i386/whpx/whpx-all.c
    M target/i386/whpx/whpx-apic.c
    M tests/functional/x86_64/meson.build
    A tests/functional/x86_64/test_rebuild_vmfd.py
    M tests/qtest/libqtest.c
    M ui/vdagent.c
    M util/rcu.c

  Log Message:
  -----------
  Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* target/alpha: Fix for record/replay issue
* accel/nitro: New Nitro Enclaves accelerator
* generic + kvm: add support for rebuilding VMs on reset
* audio requirements cleanup
* vmmouse: Fix hypercall clobbers
* rust: use checked_div to make clippy happy
* kvm: Don't clear pending #SMI in kvm_get_vcpu_events
* target/i386/emulate: rework MMU code, many fixes
* target/i386/whpx: replace winhvemulation with target/i386/emulate
* target/i386/whpx: x2apic support
* target/i386/whpx: vapic support
* kvm: support for the "ignore guest PAT" quirk
* target/i386: add ITS_NO bit for the arch-capabilities MSR
* target/i386: add MBEC bit for nested VMX

# -----BEGIN PGP SIGNATURE-----
#
# iQFIBAABCgAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmmkVTUUHHBib256aW5p
# QHJlZGhhdC5jb20ACgkQv/vSX3jHroOa8Qf+J16s57unw/DiM4Mw7wvnLGA86OSu
# bJwlHBgmgz3uT8LwPpg2F3+yTDzTGErm5Ex7JHYJqdLdhVuU0cC3d3/TndUovWZf
# lMwQi2QJNKECtOIIz3rqbqvuSoy577Q7qN7CIN4vR8JKFvToPnwABVfkl+VKedCT
# Tu/f3SiazXnNH8FejtXsyjDHMwJfMwhYg5HyAHeqxtrqMCnQ/pc46ZQoM4CJr8P+
# jDZu85RDlLVXkA0RtwkJ6QfvxSU3wUjEeDBz9ThGLk00PFCr1LAXj/oz+0Ayz3qu
# LkVpLLBxt0hfMCZPlYF0+17m1CJv7/micHVZEgblawpq/xXXk1iE8avGQQ==
# =mEuN
# -----END PGP SIGNATURE-----
# gpg: Signature made Sun Mar  1 15:03:17 2026 GMT
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "[email protected]"
# gpg: Good signature from "Paolo Bonzini <[email protected]>" [full]
# gpg:                 aka "Paolo Bonzini <[email protected]>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu: (102 commits)
  target/i386: emulate: fix scas
  whpx: i386: expose HV_X64_MSR_APIC_FREQUENCY when kernel-irqchip=off
  whpx: i386: enable PMU
  target/i386: emulate: more 64-bit register handling
  whpx: i386: warn on unsupported MSR access instead of failing silently
  whpx: i386: enable synthetic processor features
  whpx: i386: enable all supported host features
  whpx: i386: move whpx_vcpu_kick_out_of_hlt() invocation to interrupt raise time
  target/i386: introduce ClearwaterForest-v3 to expose ITS_NO
  target/i386: introduce SierraForest-v5 to expose ITS_NO
  target/i386: introduce GraniteRapids-v5 to expose ITS_NO
  target/i386: introduce SapphireRapids-v6 to expose ITS_NO
  target/i386: Add MSR_IA32_ARCH_CAPABILITIES ITS_NO
  target/i386: Add VMX_SECONDARY_EXEC_MODE_BASED_EPT_EXEC
  Reapply "rcu: Unify force quiescent state"
  target/alpha: Reset CPU
  hw: i386: vapic: enable on WHPX with user-mode irqchip
  whpx: x86: kick out of HLT manually when using the kernel-irqchip
  whpx: x86: remove inaccurate comment
  KVM: i386: Default disable ignore guest PAT quirk
  ...

Signed-off-by: Peter Maydell <[email protected]>


Compare: https://github.com/qemu/qemu/compare/ffcf1a798179...333aaa55f051
