Branch: refs/heads/staging
  Home:   https://github.com/qemu/qemu
  Commit: 201245a6542983d4c3ae8db519d9721d64afc2be
      
https://github.com/qemu/qemu/commit/201245a6542983d4c3ae8db519d9721d64afc2be
  Author: Thomas Huth <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M MAINTAINERS
    M configs/devices/arm-softmmu/default.mak
    M docs/about/deprecated.rst
    M docs/about/removed-features.rst
    R docs/system/arm/highbank.rst
    M docs/system/target-arm.rst
    M hw/arm/Kconfig
    R hw/arm/highbank.c
    M hw/arm/meson.build

  Log Message:
  -----------
  hw/arm: Remove the deprecated "highbank" and "midway" machines

These machines were marked as deprecated two releases ago,
and so far nobody has complained that they are still useful, so it's
time to remove them now.

Signed-off-by: Thomas Huth <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 072ddc8eb97581a6800eb6d8d864b28102c46280
      
https://github.com/qemu/qemu/commit/072ddc8eb97581a6800eb6d8d864b28102c46280
  Author: Thomas Huth <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M hw/net/Kconfig
    M hw/net/meson.build
    R hw/net/xgmac.c
    M scripts/coverity-scan/COMPONENTS.md

  Log Message:
  -----------
  hw/net: Remove the xgmac device

The xgmac device was only used by the highbank machine that has just
been removed. Being a sysbus device that cannot be instantiated
by the user, this is dead code now and thus can be removed, too.

Signed-off-by: Thomas Huth <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 005b1d838b09c07f4832349fe55f1cf22411edb0
      
https://github.com/qemu/qemu/commit/005b1d838b09c07f4832349fe55f1cf22411edb0
  Author: Chisheng Chen <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M hw/arm/Kconfig

  Log Message:
  -----------
  hw/arm: Add missing dependencies for STM32F405 SoC

The STM32F405 SoC relies on STM32F2xx peripherals (ADC, SPI, TIMER,
USART) and the unimplemented device (UNIMP). However, they are not
selected in Kconfig. This adds these dependencies.

Signed-off-by: Chisheng Chen <[email protected]>
Message-id: [email protected]
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 0885cd5504dfdbd531a1fc0e3e421d3c9934b03a
      
https://github.com/qemu/qemu/commit/0885cd5504dfdbd531a1fc0e3e421d3c9934b03a
  Author: Nicolin Chen <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M backends/iommufd.c
    M backends/trace-events
    M include/system/iommufd.h

  Log Message:
  -----------
  backends/iommufd: Introduce iommufd_backend_alloc_veventq

Add a new helper for IOMMU_VEVENTQ_ALLOC ioctl to allocate a virtual event
queue (vEVENTQ) for a vIOMMU object.

Signed-off-by: Nicolin Chen <[email protected]>
Tested-by: Nicolin Chen <[email protected]>
Reviewed-by: Eric Auger <[email protected]>
Reviewed-by: Nicolin Chen <[email protected]>
Tested-by: Eric Auger <[email protected]>
Reviewed-by: Jonathan Cameron <[email protected]>
Signed-off-by: Shameer Kolothum <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 674d57bf6e26a3ae7076a7ee56e6be90580d5208
      
https://github.com/qemu/qemu/commit/674d57bf6e26a3ae7076a7ee56e6be90580d5208
  Author: Shameer Kolothum <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M hw/arm/smmuv3-accel.c

  Log Message:
  -----------
  hw/arm/smmuv3-accel: Add viommu free helper

Move viommu teardown into a helper function and use it from the
last device removal path.

This groups related cleanup logic in one place and improves readability.
It also makes it easier to extend the teardown in future, for example
when freeing related objects such as vEVENTQ.

No functional change.

Reviewed-by: Nicolin Chen <[email protected]>
Reviewed-by: Eric Auger <[email protected]>
Tested-by: Eric Auger <[email protected]>
Reviewed-by: Jonathan Cameron <[email protected]>
Signed-off-by: Shameer Kolothum <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 46f0d48393529cfa3659012971c20f6808eb3b78
      
https://github.com/qemu/qemu/commit/46f0d48393529cfa3659012971c20f6808eb3b78
  Author: Nicolin Chen <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M hw/arm/smmuv3-accel.c
    M hw/arm/smmuv3-accel.h
    M hw/arm/smmuv3.c

  Log Message:
  -----------
  hw/arm/smmuv3-accel: Allocate vEVENTQ for accelerated SMMUv3 devices

When the guest enables the Event Queue and a vIOMMU is present, allocate a
vEVENTQ object so that host-side events related to the vIOMMU can be
received and propagated back to the guest.

Allocate a vEVENTQ only when both of the following conditions are met:

  1) The guest SMMUv3 driver has set EVENTQEN = 1 in SMMU_CR0.
  2) A vIOMMU exists (created when the first VFIO device is attached).

These two conditions may occur in any order.

In the cold-plug case, the vIOMMU already exists before the guest
driver probes. When the guest sets EVENTQEN = 1 during driver probe,
the vEVENTQ is allocated at that point.

With hot-plug, the VFIO device may be attached either before or after
the guest sets EVENTQEN. If the vIOMMU is created first, allocation is
deferred until EVENTQEN = 1. If EVENTQEN is already set, allocation
happens when the vIOMMU is created.

In all cases, allocation is triggered when the second required
condition becomes true.

Errors from command queue consumption and vEVENTQ allocation are reported
independently as the two operations are unrelated.

Event read and propagation will be added in a later patch.

Signed-off-by: Nicolin Chen <[email protected]>
Tested-by: Nicolin Chen <[email protected]>
Reviewed-by: Eric Auger <[email protected]>
Tested-by: Eric Auger <[email protected]>
Signed-off-by: Shameer Kolothum <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 43585524a7c628c0ebace5c33ba865c4e2c55177
      
https://github.com/qemu/qemu/commit/43585524a7c628c0ebace5c33ba865c4e2c55177
  Author: Shameer Kolothum <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M hw/arm/smmuv3-internal.h
    M hw/arm/smmuv3.c
    M hw/arm/trace-events

  Log Message:
  -----------
  hw/arm/smmuv3: Introduce a helper function for event propagation

Factor out the code that propagates event records to the guest into a
helper function. The accelerated SMMUv3 path can use this to propagate
host events in a subsequent patch.

Take the mutex inside the helper before accessing the Event Queue.
Today event propagation occurs only in the core SMMUv3 path and is
effectively serialized. A subsequent patch will also invoke this helper
from the accelerated event read path, which may run concurrently.
Therefore serialization is required here.

No functional change intended.

Reviewed-by: Nicolin Chen <[email protected]>
Reviewed-by: Eric Auger <[email protected]>
Tested-by: Nicolin Chen <[email protected]>
Tested-by: Eric Auger <[email protected]>
Reviewed-by: Jonathan Cameron <[email protected]>
Signed-off-by: Shameer Kolothum <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: c0c97fbc6cf764f0d66d5122c4117d0770e89902
      
https://github.com/qemu/qemu/commit/c0c97fbc6cf764f0d66d5122c4117d0770e89902
  Author: Shameer Kolothum <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M hw/arm/smmuv3-accel.c

  Log Message:
  -----------
  hw/arm/smmuv3-accel: Read and propagate host vIOMMU events

Install an event handler on the vEVENTQ fd to read and propagate host
generated vIOMMU events to the guest.

The handler runs in QEMU's main loop, using a non-blocking fd registered
via qemu_set_fd_handler().

Tested-by: Nicolin Chen <[email protected]>
Reviewed-by: Eric Auger <[email protected]>
Reviewed-by: Nicolin Chen <[email protected]>
Tested-by: Eric Auger <[email protected]>
Reviewed-by: Jonathan Cameron <[email protected]>
Signed-off-by: Shameer Kolothum <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 7564492337d375a01b2440bd84be87fed4056fc6
      
https://github.com/qemu/qemu/commit/7564492337d375a01b2440bd84be87fed4056fc6
  Author: Paul Durrant <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M MAINTAINERS

  Log Message:
  -----------
  MAINTAINERS: remove myself as a Xen maintainer

I am no longer actively involved in the Xen Project.

Signed-off-by: Paul Durrant <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 76d126d0f61eeda35ba39a2e60cbd0c62cd0184c
      
https://github.com/qemu/qemu/commit/76d126d0f61eeda35ba39a2e60cbd0c62cd0184c
  Author: CLEMENT MATHIEU--DRIF <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M MAINTAINERS

  Log Message:
  -----------
  MAINTAINERS: Update Clement Mathieu--Drif's email address

Switch to bull.com email address following a company split.
The previous eviden.com address will remain active for a few months.

Signed-off-by: Clement Mathieu--Drif <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 2cae1adc42e0ec8f860056de725f35a7fdad4156
      
https://github.com/qemu/qemu/commit/2cae1adc42e0ec8f860056de725f35a7fdad4156
  Author: Peter Maydell <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M system/qtest.c

  Log Message:
  -----------
  system/qtest: Support comments in input commands

Allow the qtest input to include comment lines, which start with '#'.
This allows writing an input file for qtest which includes commentary,
like this:

  # set up TCR in bank 0
  write 0x1001000e 2 0
  # TCR TXEN
  write 0x10010000 2 1

which can make hand-writing or annotating reproducer cases a bit
more convenient.

Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]


  Commit: d8e19f8042dcaff8e077292209c8196acb150bdd
      
https://github.com/qemu/qemu/commit/d8e19f8042dcaff8e077292209c8196acb150bdd
  Author: Peter Maydell <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M hw/net/smc91c111.c

  Log Message:
  -----------
  hw/net/smc91c111: Don't allow negative-length packets

The smc91c111 data frame format in memory (figure 8-1 in the
datasheet) includes a "byte count" field which is intended to be the
total size of the data frame, including not just the packet data but
also the leading and trailing information like the status word and
the byte count field itself.  It is therefore possible for the guest
to set this to a value so small that the leading and trailing fields
won't fit and the packet has effectively a negative area.

We weren't checking for this, with the result that when we subtract 6
from the length to get the length of the packet proper we end up with
a negative length, which is then inconsistently handled in the
qemu_send_packet() code such that we can try to transmit a very large
amount of data and read off the end of the device's data array.

Treat excessively small length values the same way we do excessively
large values.  As with the oversized case, the datasheet does not
describe what happens for this software error case, and there is no
relevant tx error condition for this, so we just log and drop the
packet.

Cc: [email protected]
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3304
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
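The length check described in the commit above, as an added example that is not QEMU's own smc91c111 code: it models the TX frame as status word, 16-bit little-endian byte count, payload and a 2-byte trailer (6 bytes of framing in total), assumes a 2048-byte packet buffer, and shows why the unchecked `byte_count - 6` arithmetic goes negative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of one packet buffer in the device's data array. */
#define PKT_BUF_SIZE   2048
/* Framing around the payload: status word + byte count + 2-byte trailer. */
#define FRAME_OVERHEAD 6

enum tx_len_status {
    TX_LEN_OK,
    TX_LEN_TOO_SMALL,   /* byte count < 6: payload would be "negative" */
    TX_LEN_TOO_LARGE    /* byte count > buffer: would read off the end */
};

/* Validate the guest-controlled byte count before any subtraction.
 * On TX_LEN_OK, *payload_len holds the number of payload bytes starting
 * at buf[4]; otherwise the caller logs the error and drops the frame. */
enum tx_len_status smc_tx_check_len(const uint8_t *buf, size_t buf_size,
                                    size_t *payload_len)
{
    unsigned int byte_count = buf[2] | (buf[3] << 8);

    if (byte_count < FRAME_OVERHEAD) {
        return TX_LEN_TOO_SMALL;
    }
    if (byte_count > buf_size) {
        return TX_LEN_TOO_LARGE;
    }
    *payload_len = byte_count - FRAME_OVERHEAD;
    return TX_LEN_OK;
}

/* The failure mode the commit describes: with no lower-bound check a
 * byte count below 6 yields a negative signed length. */
int smc_tx_len_unchecked(const uint8_t *buf)
{
    int len = buf[2] | (buf[3] << 8);
    return len - FRAME_OVERHEAD;
}

/* Build a constructed frame with the given byte count field. */
static void build_frame(uint8_t *buf, unsigned int byte_count)
{
    memset(buf, 0, PKT_BUF_SIZE);
    buf[2] = byte_count & 0xff;
    buf[3] = (byte_count >> 8) & 0xff;
}

/* Result of the checked path for a constructed frame. */
enum tx_len_status demo_status(unsigned int byte_count)
{
    uint8_t buf[PKT_BUF_SIZE];
    size_t plen = 0;
    build_frame(buf, byte_count);
    return smc_tx_check_len(buf, sizeof(buf), &plen);
}

/* Payload length the checked path accepts, or -1 when it drops the frame. */
long demo_payload_len(unsigned int byte_count)
{
    uint8_t buf[PKT_BUF_SIZE];
    size_t plen = 0;
    build_frame(buf, byte_count);
    if (smc_tx_check_len(buf, sizeof(buf), &plen) != TX_LEN_OK) {
        return -1;
    }
    return (long)plen;
}

/* Length the unchecked arithmetic would compute for the same frame. */
int demo_unchecked(unsigned int byte_count)
{
    uint8_t buf[PKT_BUF_SIZE];
    build_frame(buf, byte_count);
    return smc_tx_len_unchecked(buf);
}

int main(void)
{
    unsigned int cases[] = { 2, 6, 70, 2048, 2049 };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("byte count %u: unchecked len %d, checked payload %ld\n",
               cases[i], demo_unchecked(cases[i]),
               demo_payload_len(cases[i]));
    }
    return 0;
}
```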


  Commit: fbf9bb0d7935fa61a7bf2dcd06a22708d9347ef4
      
https://github.com/qemu/qemu/commit/fbf9bb0d7935fa61a7bf2dcd06a22708d9347ef4
  Author: Magnus Kulke <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M MAINTAINERS

  Log Message:
  -----------
  MAINTAINERS: fix magnuskulke email-address

Consolidating email aliases.

Signed-off-by: Magnus Kulke <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>


  Commit: f555338df754b37e042d5b88610c34b1d1845383
      
https://github.com/qemu/qemu/commit/f555338df754b37e042d5b88610c34b1d1845383
  Author: Eric Auger <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M include/migration/vmstate.h

  Log Message:
  -----------
  vmstate: Introduce VMSTATE_VARRAY_INT32_ALLOC

The already existing VMSTATE_VARRAY_INT32 requires an array to be
pre-allocated; however, there are cases when the size is not known in
advance and there is no real need to enforce it.

Introduce VMSTATE_VARRAY_INT32_ALLOC as we currently have for UINT32
and UINT16.

The first user of this variant will be the target/arm/machine.c cpreg
indexes/values arrays.

Signed-off-by: Eric Auger <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Reviewed-by: Peter Xu <[email protected]>
Message-id: [email protected]
Suggested-by: Peter Maydell <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Reviewed-by: Peter Xu <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>


  Commit: ab2ddc7b662d34c242ddfcfbe35996417b047ce2
      
https://github.com/qemu/qemu/commit/ab2ddc7b662d34c242ddfcfbe35996417b047ce2
  Author: Eric Auger <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M target/arm/helper.c
    M target/arm/kvm.c
    M target/arm/machine.c
    M target/arm/trace-events
    M target/arm/whpx/whpx-all.c

  Log Message:
  -----------
  target/arm/machine: Use VMSTATE_VARRAY_INT32_ALLOC for cpreg arrays

This removes the need for explicitly allocating cpreg_vmstate arrays.
On post save we simply point to cpreg arrays and set the length
accordingly.

Remove VMSTATE_VARRAY_INT32 for cpreg_vmstate_array_len as now
the array is dynamically allocated.

Also add a trace point on post_load to trace potential mismatch
between the number of incoming cpregs versus current ones.

Signed-off-by: Eric Auger <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Suggested-by: Peter Maydell <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 5ae081fb493510f62280afc005aa36f702192539
      
https://github.com/qemu/qemu/commit/5ae081fb493510f62280afc005aa36f702192539
  Author: Eric Auger <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M target/arm/kvm-stub.c
    M target/arm/kvm.c
    M target/arm/kvm_arm.h

  Log Message:
  -----------
  target/arm/kvm: Export kvm_print_register_name()

We want to use kvm_print_register_name() in machine.c so
let's export the helper and implement a stub when kvm
is not enabled.

Signed-off-by: Eric Auger <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 3e0a3a8e91efabef01dad8ea1cd1f13dcc46b14d
      
https://github.com/qemu/qemu/commit/3e0a3a8e91efabef01dad8ea1cd1f13dcc46b14d
  Author: Eric Auger <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M target/arm/kvm.c

  Log Message:
  -----------
  target/arm/kvm: Tweak print_register_name() for arm64 system register

As opposed to other register types, arm64 system register decoding
is not introduced by any 'register' mention, which can lead to
unfriendly user-facing traces.  Let's add "system register".

Signed-off-by: Eric Auger <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: eac1e610f48923084cb07b3f1eaa05f5fedccd85
      
https://github.com/qemu/qemu/commit/eac1e610f48923084cb07b3f1eaa05f5fedccd85
  Author: Eric Auger <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M target/arm/machine.c

  Log Message:
  -----------
  target/arm/machine: Trace cpreg names which do not match on migration

Whenever there is a mismatch between cpreg indexes in the incoming
stream and cpregs exposed by the destination, output the name of
the register. We use a print_register_name() wrapper helper. At the
moment we are only able to do a nice decoding of the index for
KVM regs.

Without this patch, the error would be:
qemu-system-aarch64: load of migration failed: Operation not permitted:
error while loading state for instance 0x0 of device 'cpu': post load
hook failed for: cpu, version_id: 22, minimum_version: 22, ret: -1
which is not helpful for the end user to understand the actual
issue.

This patch adds the actual information about the problem:
qemu-system-aarch64: cpu_post_load: system register
op0:3 op1:0 crn:2 crm:0 op2:3 in the incoming stream but
unknown on the destination, fail migration

Signed-off-by: Eric Auger <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: e25c63c3b368118dc109e49393554f85f1203d1e
      
https://github.com/qemu/qemu/commit/e25c63c3b368118dc109e49393554f85f1203d1e
  Author: Eric Auger <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M target/arm/machine.c

  Log Message:
  -----------
  target/arm/machine: Trace all register mismatches

At the moment, cpu_post_load() exits with an error on the first
catch of an unexpected register in the incoming stream. Let the code
go further and trace all the issues before exiting.

Signed-off-by: Eric Auger <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: dbfed8d80837ff7d36e763163f38549169ee64cc
      
https://github.com/qemu/qemu/commit/dbfed8d80837ff7d36e763163f38549169ee64cc
  Author: Eric Auger <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M target/arm/machine.c

  Log Message:
  -----------
  target/arm/machine: Fix detection of unknown incoming cpregs

Currently the check of cpreg index matches fails to detect
a situation where the length of both arrays is the same but
- destination has an extra register not found in the incoming stream (idx1)
- source has an extra register not found in the destination (idx2)
  where idx1 <= idx2
Normally this should fail but it does not.

Fix the logic to scan all indexes.

Fixes: 721fae12536 ("target-arm: Convert TCG to using (index,value) list for cp migration")
Signed-off-by: Eric Auger <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
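A full scan of both sorted cpreg index lists, as an added example illustrating the two commits above (tracing every mismatch, and not stopping early when the arrays have equal length); this is not QEMU's cpu_post_load() code. It assumes both index arrays are sorted ascending without duplicates, and that a register in the incoming stream which is unknown on the destination is fatal while a destination-only register simply keeps its reset value; the index values are constructed for the demo.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct cpreg_list {
    const uint64_t *indexes;  /* sorted ascending, no duplicates */
    uint64_t *values;         /* same length as indexes */
    int len;
};

struct scan_result {
    int matched;   /* present on both sides: value copied over */
    int skipped;   /* destination-only: left at its reset value */
    int unknown;   /* stream-only: unknown on the destination */
};

/* Merge-style walk over both lists. Every element of both arrays is
 * visited, so a mismatch is reported wherever it sits, regardless of
 * whether the two arrays happen to have the same length. */
struct scan_result cpreg_scan(const struct cpreg_list *in,
                              struct cpreg_list *dest, bool verbose)
{
    struct scan_result r = { 0, 0, 0 };
    int i = 0, d = 0;

    while (i < in->len || d < dest->len) {
        bool in_left = i < in->len;
        bool dest_left = d < dest->len;

        if (in_left && (!dest_left || in->indexes[i] < dest->indexes[d])) {
            if (verbose) {
                printf("cpreg 0x%016" PRIx64 " in the incoming stream but "
                       "unknown on the destination\n", in->indexes[i]);
            }
            r.unknown++;
            i++;
        } else if (dest_left &&
                   (!in_left || dest->indexes[d] < in->indexes[i])) {
            if (verbose) {
                printf("cpreg 0x%016" PRIx64 " on the destination but not "
                       "in the stream, keeping reset value\n",
                       dest->indexes[d]);
            }
            r.skipped++;
            d++;
        } else {
            dest->values[d] = in->values[i];   /* matching register */
            r.matched++;
            i++;
            d++;
        }
    }
    return r;
}

/* Constructed lists of equal length: the destination has 0x20 that the
 * stream lacks (idx1) and the stream has 0x30 that the destination
 * lacks (idx2), with idx1 <= idx2, the shape described in the commit. */
struct scan_result demo_scan(bool verbose)
{
    static const uint64_t in_idx[]  = { 0x10, 0x30, 0x40 };
    static uint64_t in_val[]        = { 1, 2, 3 };
    static const uint64_t dst_idx[] = { 0x10, 0x20, 0x40 };
    static uint64_t dst_val[]       = { 0, 0, 0 };
    struct cpreg_list in = { in_idx, in_val, 3 };
    struct cpreg_list dest = { dst_idx, dst_val, 3 };

    return cpreg_scan(&in, &dest, verbose);
}

/* Decide only after every mismatch has been reported: 0 to proceed,
 * -1 to fail the migration. */
int demo_post_load(void)
{
    struct scan_result r = demo_scan(false);
    return r.unknown ? -1 : 0;
}

int main(void)
{
    struct scan_result r = demo_scan(true);
    printf("matched %d, skipped %d, unknown %d -> post_load %d\n",
           r.matched, r.skipped, r.unknown, demo_post_load());
    return 0;
}
```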


  Commit: e9f55f543fca5fbdb1b1eed033d4a79e06c9f54d
      
https://github.com/qemu/qemu/commit/e9f55f543fca5fbdb1b1eed033d4a79e06c9f54d
  Author: Peter Maydell <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M .gitlab-ci.d/buildtest.yml
    A scripts/lsan_suppressions.txt
    R scripts/oss-fuzz/lsan_suppressions.txt
    M tests/docker/test-fuzz

  Log Message:
  -----------
  scripts: Move lsan_suppressions.txt out of oss-fuzz subdir

The oss-fuzz code uses an lsan_suppressions file to suppress certain
leak-sanitizer cases that are known issues or not our code's bug.
This is useful more widely than just for the fuzzer harness: if you
want to build QEMU with the leak sanitizer enabled and run 'make
check' then you will want to suppress some bogus leak reports.

Move the file up a directory.

Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Thomas Huth <[email protected]>
Reviewed-by: Yodel Eldar <[email protected]>
Message-id: [email protected]


  Commit: 1373470577396ca0b980aed937e4f4a8c90008d6
      
https://github.com/qemu/qemu/commit/1373470577396ca0b980aed937e4f4a8c90008d6
  Author: Peter Maydell <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M scripts/lsan_suppressions.txt

  Log Message:
  -----------
  scripts/lsan_suppressions.txt: Add more leaks

Running "make check" with the clang leak sanitizer reveals some
leak reports which are either not our problem or else not
a leak which is worth our time to fix. Add some suppressions
for these.

While we're touching the file, add the usual SPDX header
and a comment explaining how to use it.

Reviewed-by: Fabiano Rosas <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Message-id: [email protected]


  Commit: cc177661ab592a69bd39524aa7d095345b5031df
      
https://github.com/qemu/qemu/commit/cc177661ab592a69bd39524aa7d095345b5031df
  Author: Peter Maydell <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M hw/gpio/aspeed_gpio.c

  Log Message:
  -----------
  hw/arm/aspeed_gpio: Don't leak string in aspeed_gpio_init()

We allocate the string for the GPIO property name, but never free it.
Use g_autofree to avoid this.

Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Message-id: [email protected]


  Commit: 7220c1a0eea04607521c9f4530777807507440c0
      
https://github.com/qemu/qemu/commit/7220c1a0eea04607521c9f4530777807507440c0
  Author: Peter Maydell <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M tests/qtest/iommu-smmuv3-test.c

  Log Message:
  -----------
  tests/qtest/iommu-smmuv3-test: Free QPCIDevice

The QPCIDevice we get via qpci_device_foreach() is allocated
memory, and we need to g_free() it after use.

This fixes asan leaks like this:

Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x622a5f16913d in calloc (/home/pm215/qemu/build/arm-clang/tests/qtest/iommu-smmuv3-test+0x1d413d) (BuildId: bc598be1f4ad6d1a9a600c55aeef36108bdb6a04)
    #1 0x73ee41c0f771 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x63771) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
    #2 0x622a5f1d4cec in qpci_device_find /home/pm215/qemu/build/arm-clang/../../tests/qtest/libqos/pci.c:82:11
    #3 0x622a5f1d4cec in qpci_device_foreach /home/pm215/qemu/build/arm-clang/../../tests/qtest/libqos/pci.c:34:19
    #4 0x622a5f23cc73 in setup_qtest_pci_device /home/pm215/qemu/build/arm-clang/../../tests/qtest/iommu-smmuv3-test.c:45:5
    #5 0x622a5f23cc73 in run_smmuv3_translation /home/pm215/qemu/build/arm-clang/../../tests/qtest/iommu-smmuv3-test.c:74:11

Reviewed-by: Fabiano Rosas <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Message-id: [email protected]


  Commit: 1423c170b968b809759848d79a94ec7c6a23269d
      
https://github.com/qemu/qemu/commit/1423c170b968b809759848d79a94ec7c6a23269d
  Author: Fabiano Rosas <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M chardev/char-io.c

  Log Message:
  -----------
  chardev: Fix QIOChannel refcount

The IOWatchPoll holds a reference to the iochannel while the "child"
source (iwp->src) is removed from the context and freed. Freeing the
source leads to the iochannel being also freed at
qio_channel_fd_source_finalize().

Later, io_watch_poll_prepare() tries to create another source with the
same iochannel and hits a use-after-free:

==8241==ERROR: AddressSanitizer: heap-use-after-free on address 0x514000000040
READ of size 8 at 0x514000000040 thread T2
    #0 0x561c2d272fcd in object_get_class  ../qom/object.c:1043:17
    #1 0x561c2d338f84 in QIO_CHANNEL_GET_CLASS  include/io/channel.h:29:1
    #2 0x561c2d33b26f in qio_channel_create_watch  ../io/channel.c:388:30
    #3 0x561c2d2f0993 in io_watch_poll_prepare  ../chardev/char-io.c:65:20
    ...

0x514000000040 is located 0 bytes inside of 392-byte region [0x514000000040,0x5140000001c8)
freed by thread T2 here:
    #0 0x561c2d2319a5 in free
    #1 0x7fb2c0926638 in g_free
    #2 0x561c2d276507 in object_finalize  ../qom/object.c:734:9
    #3 0x561c2d271d0d in object_unref  ../qom/object.c:1231:9
    #4 0x561c2d32ef1d in qio_channel_fd_source_finalize  ../io/channel-watch.c:95:5
    #5 0x7fb2c091d124 in g_source_unref_internal ../glib/gmain.c:2298
    #6 0x561c2d2f0b6c in io_watch_poll_prepare  ../chardev/char-io.c:71:9
    ...

previously allocated by thread T3 (connect) here:
    #0 0x561c2d231c69 in malloc
    #1 0x7fb2c0926518 in g_malloc
    #2 0x561c2d27246e in object_new_with_type  ../qom/object.c:767:15
    #3 0x561c2d272530 in object_new  ../qom/object.c:789:12
    #4 0x561c2d320193 in qio_channel_socket_new  ../io/channel-socket.c:64:31
    #5 0x561c2d308013 in tcp_chr_connect_client_async  ../chardev/char-socket.c:1181:12
    #6 0x561c2d3002e7 in qmp_chardev_open_socket_client  ../chardev/char-socket.c:1281:9
    ...

Fix the issue by incrementing the iochannel reference count when the
IOWatchPoll takes a reference and decrementing when it is finalized.

Signed-off-by: Fabiano Rosas <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Message-id: [email protected]
[PMM: rebased]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 3f0170505ee1953f44439b84fe3866d833cf37bf
      
https://github.com/qemu/qemu/commit/3f0170505ee1953f44439b84fe3866d833cf37bf
  Author: Fabiano Rosas <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M chardev/char-socket.c

  Log Message:
  -----------
  chardev: Don't attempt to unregister yank function more than once

tcp_chr_free_connection() can be called multiple times in succession,
in which case the yank function will get as argument a NULL s->sioc
that has been cleared by the previous tcp_chr_free_connection() call.

This leads to an abort() at yank_unregister_function().

 #0  __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:51
 #1  __GI_abort () at abort.c:79
 #2  qtest_check_status (s=0x513000005600) at ../tests/qtest/libqtest.c:209
 #3  qtest_wait_qemu (s=0x513000005600) at ../tests/qtest/libqtest.c:273
 #4  qtest_kill_qemu (s=0x513000005600) at ../tests/qtest/libqtest.c:285
 #5  kill_qemu_hook_func (s=0x513000005600) at ../tests/qtest/libqtest.c:294
 #6  g_hook_list_invoke (hook_list=0x55ea9cc750c0 <abrt_hooks>, may_recurse=0) at ../glib/ghook.c:534
 #7  sigabrt_handler (signo=6) at ../tests/qtest/libqtest.c:299
 #8  <signal handler called>
 #9  __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:51
 #10 __GI_abort () at abort.c:79
 #11 yank_unregister_function (instance=0x7fb26f2ea9a0, func=0x55ea9bcc0a10 <char_socket_yank_iochannel>, opaque=0x0) at ../util/yank.c:151
 #12 tcp_chr_free_connection (chr=0x51300000ffc0) at ../chardev/char-socket.c:385
 #13 tcp_chr_disconnect_locked (chr=0x51300000ffc0) at ../chardev/char-socket.c:477
 #14 tcp_chr_disconnect (chr=0x51300000ffc0) at ../chardev/char-socket.c:495
 #15 tcp_chr_hup (channel=0x514000000040, cond=G_IO_HUP, opaque=0x51300000ffc0) at ../chardev/char-socket.c:536
 #16 qio_channel_fd_source_dispatch (source=0x50c0000b5fc0, callback=0x55ea9bcd6770 <tcp_chr_hup>, user_data=0x51300000ffc0) at ../io/channel-watch.c:84
 #17 g_main_dispatch (context=0x50f000000040) at ../glib/gmain.c:3381
 #18 g_main_context_dispatch (context=context@entry=0x50f000000040) at ../glib/gmain.c:4099
 #19 g_main_context_iterate (context=0x50f000000040, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4175
 #20 g_main_loop_run (loop=0x502000055690) at ../glib/gmain.c:4373

Commit ebae6477dc ("chardev: check if the chardev is registered for
yanking") seems to have encountered a similar issue, but checking
s->registered_yank is not a complete solution because that flag
pertains to the yank instance, not to each individual function.

Skip the yank_unregister_function() in case s->sioc is already NULL,
which indicates the last yank function was already removed.

Signed-off-by: Fabiano Rosas <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Message-id: [email protected]
[PMM: rebased]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 5c102ac9f18b24bf1552bd43ca4864b4ce331a3f
      
https://github.com/qemu/qemu/commit/5c102ac9f18b24bf1552bd43ca4864b4ce331a3f
  Author: Fabiano Rosas <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M chardev/char-socket.c

  Log Message:
  -----------
  chardev: Consolidate yank registration

There are currently five places where the yank function is being
registered, and they all come right before tcp_chr_new_client(). Fold
them into it.

Signed-off-by: Fabiano Rosas <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Message-id: [email protected]
[PMM: rebased]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 56603f5d12951fbaab2bb8007ebdb212f165a508
      
https://github.com/qemu/qemu/commit/56603f5d12951fbaab2bb8007ebdb212f165a508
  Author: Fabiano Rosas <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M tests/qtest/test-x86-cpuid-compat.c

  Log Message:
  -----------
  tests/qtest/test-x86-cpuid-compat: Free allocated memory

Free the test arguments after test execution.

Signed-off-by: Fabiano Rosas <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Message-id: [email protected]


  Commit: 93ed7d330321dca483cd4a68fc4db9af4fa1e03e
      
https://github.com/qemu/qemu/commit/93ed7d330321dca483cd4a68fc4db9af4fa1e03e
  Author: Fabiano Rosas <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M tests/qtest/qos-test.c

  Log Message:
  -----------
  tests/qtest/qos-test: Plug a couple of leaks

The walk_path() function of qos-test.c, which walks the graph and adds
tests to the test suite, uses GLib's g_test_add_data_func_full()
function:

g_test_add_data_func_full (const char     *testpath,
                           gpointer        test_data,
                           GTestDataFunc   test_func,
                           GDestroyNotify  data_free_func)

Despite GLib's documentation stating that @data_free_func is a
destructor for @test_data, this is not the case. The destructor is
supposed to be paired with a constructor, which GLib only accepts via
g_test_create_case().

Providing externally allocated data plus a destructor function only
works if the test is guaranteed to execute, otherwise the test_data is
never deallocated.

Due to how subprocesses are implemented in qos-test, each test gets
added twice and an extra test gets added per subprocess. In a regular
run, the extra subprocess will not be executed and in a single test
run (-p), none of the other tests will be executed (+1 per
subprocess), leaking 'path_vec' and 'subprocess_path'.

Fix this by storing all the path vectors in a list and freeing them
all at the end of the program (including subprocess invocations) and
moving the allocation of 'subprocess_path' into run_one_subprocess().

While here add some documentation explaining why the graph needs to be
walked twice and tests re-added.

Signed-off-by: Fabiano Rosas <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
[PMM: rebased; rewrote the comment in main() a bit to account
 for the if (g_test_subprocess()) block it was previously inside
 no longer being present. ]
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 65152c2942c388c0ea0ae9e13aaa91a35710855f
      
https://github.com/qemu/qemu/commit/65152c2942c388c0ea0ae9e13aaa91a35710855f
  Author: Tao Tang <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M include/hw/arm/smmuv3-common.h

  Log Message:
  -----------
  hw/arm/smmuv3-common: Fix incorrect reserved mask for SMMU CR0 register

The current definition of the SMMU_CR0_RESERVED mask is incorrect.
It mistakenly treats bit 10 (DPT_WALK_EN) as a reserved bit while
treating bit 9 (RES0) as an implemented bit.

According to the SMMU architecture specification, the layout for CR0 is:
| 31:11 | RES0           |
| 10    | DPT_WALK_EN    |
| 9     | RES0           |
| 8:6   | VMW            |
| 5     | RES0           |
| 4     | ATSCHK         |
| 3     | CMDQEN         |
| 2     | EVENTQEN       |
| 1     | PRIQEN         |
| 0     | SMMUEN         |

Signed-off-by: Tao Tang <[email protected]>
Reviewed-by: Eric Auger <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Mostafa Saleh <[email protected]>
Message-id: [email protected]
Fixes: fae4be38b35 ("hw/arm/smmuv3: Implement MMIO write operations")
Link: https://lists.gnu.org/archive/html/qemu-arm/2025-06/msg00088.html
Signed-off-by: Peter Maydell <[email protected]>
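As an added illustration (not QEMU code) of why the commit above matters: the RES0 mask is derived here from the CR0 layout quoted in the commit message, and a model of a write-ignore MMIO handler shows that the old mask both drops a guest's write to the architected DPT_WALK_EN bit and lets a write to RES0 bit 9 land in the register. Field names come from the table; the struct, function names and the "buggy" mask reconstruction are this example's own, built only from the description in the message.

```c
/* Added example, not part of QEMU: derive the SMMUv3 CR0 RES0 mask from the
 * layout quoted in the commit and compare it with the mask the commit fixes. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* One field of the CR0 layout, as listed in the commit message table. */
typedef struct {
    const char *name;
    unsigned hi, lo;   /* inclusive bit range, hi >= lo */
    bool res0;
} cr0_field;

static const cr0_field cr0_layout[] = {
    { "RES0",        31, 11, true  },
    { "DPT_WALK_EN", 10, 10, false },
    { "RES0",         9,  9, true  },
    { "VMW",          8,  6, false },
    { "RES0",         5,  5, true  },
    { "ATSCHK",       4,  4, false },
    { "CMDQEN",       3,  3, false },
    { "EVENTQEN",     2,  2, false },
    { "PRIQEN",       1,  1, false },
    { "SMMUEN",       0,  0, false },
};
#define CR0_NFIELDS (sizeof cr0_layout / sizeof cr0_layout[0])

/* Mask covering bits hi..lo inclusive (handles the full 32-bit width). */
static uint32_t bits(unsigned hi, unsigned lo)
{
    unsigned width = hi - lo + 1;
    uint32_t m = width >= 32 ? 0xFFFFFFFFu : ((1u << width) - 1u);
    return m << lo;
}

/* OR together every RES0 range: the value SMMU_CR0_RESERVED should have. */
uint32_t cr0_reserved_mask(void)
{
    uint32_t mask = 0;
    for (size_t i = 0; i < CR0_NFIELDS; i++) {
        if (cr0_layout[i].res0) {
            mask |= bits(cr0_layout[i].hi, cr0_layout[i].lo);
        }
    }
    return mask;
}

/* Reconstruction of the mistake the commit describes: bit 10 (DPT_WALK_EN)
 * treated as reserved while bit 9 (RES0) is treated as implemented. */
uint32_t cr0_reserved_mask_buggy(void)
{
    return (cr0_reserved_mask() & ~bits(9, 9)) | bits(10, 10);
}

/* Model of a RES0-aware register write: reserved bits are write-ignored. */
uint32_t cr0_write(uint32_t reserved_mask, uint32_t guest_value)
{
    return guest_value & ~reserved_mask;
}

/* Sanity check on the table: every bit of the 32-bit register is covered
 * exactly once, so the derived mask is trustworthy. */
bool cr0_layout_is_consistent(void)
{
    uint32_t seen = 0;
    for (size_t i = 0; i < CR0_NFIELDS; i++) {
        uint32_t m = bits(cr0_layout[i].hi, cr0_layout[i].lo);
        if (seen & m) {
            return false;           /* overlapping fields */
        }
        seen |= m;
    }
    return seen == 0xFFFFFFFFu;     /* no gaps */
}
```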


  Commit: af15801a61d66510434131ae50c2ad2135fa3de1
      
https://github.com/qemu/qemu/commit/af15801a61d66510434131ae50c2ad2135fa3de1
  Author: Tao Tang <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M hw/arm/smmuv3-internal.h
    M include/hw/arm/smmuv3-common.h

  Log Message:
  -----------
  hw/arm/smmuv3: Correct SMMUEN field name in CR0

The FIELD macro for the SMMU enable bit in the CR0 register was
incorrectly named SMMU_ENABLE.

The ARM SMMUv3 Architecture Specification (both older IHI 0070.E.a and
newer IHI 0070.G.b) consistently refers to the SMMU enable bit as SMMUEN.

This change makes our implementation consistent with the manual.

Signed-off-by: Tao Tang <[email protected]>
Reviewed-by: Eric Auger <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Mostafa Saleh <[email protected]>
Message-id: [email protected]
Fixes: 10a83cb9887 ("hw/arm/smmuv3: Skeleton")
Link: https://lists.nongnu.org/archive/html/qemu-arm/2025-09/msg01270.html
Signed-off-by: Peter Maydell <[email protected]>


  Commit: fb147007d145866775b0cd5a794c9fa8efdb8c3d
      
https://github.com/qemu/qemu/commit/fb147007d145866775b0cd5a794c9fa8efdb8c3d
  Author: Tao Tang <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M hw/arm/smmuv3.c

  Log Message:
  -----------
  hw/arm/smmuv3: Fix CFGI_CD handling when stage-1 is unsupported

Add a STAGE1_SUPPORTED check in the CMD_CFGI_CD and CMD_CFGI_CD_ALL path
and return CERROR_ILL when stage-1 translation is not implemented,
matching the architecture requirement (IHI 0070G.b, page 176).

Fixes: 32cfd7f39e08 ("hw/arm/smmuv3: Cache/invalidate config data")
Signed-off-by: Tao Tang <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Mostafa Saleh <[email protected]>
Reviewed-by: Eric Auger <[email protected]>
Message-id: [email protected]
Links: https://lore.kernel.org/qemu-devel/[email protected]/
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 170de3856023b0a045b9717561236f9f4bc59c0d
      
https://github.com/qemu/qemu/commit/170de3856023b0a045b9717561236f9f4bc59c0d
  Author: Manos Pitsidianakis <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M target/arm/hvf/hvf.c
    A target/arm/hvf/hvf_sme_stubs.h
    M target/arm/hvf/sysreg.c.inc
    M target/arm/hvf_arm.h
    M target/arm/machine.c

  Log Message:
  -----------
  hvf/arm: handle FEAT_SME2 migration

SME2 support adds the following state for HVF guests:

- Vector registers Z0, ... , Z31 (introduced by FEAT_SVE but HVF does
  not support it)
- Predicate registers P0, .., P15 (also FEAT_SVE)
- ZA register
- ZT0 register
- PSTATE.{SM,ZA} bits (SVCR pseudo-register)
- SMPRI_EL1 which handles the PE's priority in the SMCU
- TPIDR2_EL0 the thread local ID register for SME

Signed-off-by: Manos Pitsidianakis <[email protected]>
Reviewed-by: Mohamed Mediouni <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 55cd59813f148fd8adf00d8be8f36f623ec28ba9
      
https://github.com/qemu/qemu/commit/55cd59813f148fd8adf00d8be8f36f623ec28ba9
  Author: Manos Pitsidianakis <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M target/arm/hvf/hvf.c

  Log Message:
  -----------
  hvf/arm: expose FEAT_SME2 to guest if available

Starting from M4 cores and the macOS 15.2 SDK, HVF can virtualise FEAT_SME2.

Signed-off-by: Manos Pitsidianakis <[email protected]>
Reviewed-by: Mohamed Mediouni <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 6df5285c526ab4bec056330c89b7488298676d22
      
https://github.com/qemu/qemu/commit/6df5285c526ab4bec056330c89b7488298676d22
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M hw/arm/virt.c

  Log Message:
  -----------
  hw/arm: virt: remove hvf_arm.h include

We don't need anything in this header, so drop the include.

Signed-off-by: Mohamed Mediouni <[email protected]>
[PMM: updated commit message]
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 7b6a3c3349e8ccc11c1857abee7fa218bfdf53e1
      
https://github.com/qemu/qemu/commit/7b6a3c3349e8ccc11c1857abee7fa218bfdf53e1
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M accel/hvf/hvf-all.c

  Log Message:
  -----------
  hvf: hvf-all: stop including hvf_arm.h

We don't need this target-specific header in this
target-agnostic source file.

Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: ff62727459bfcc05fe891d826508a4d1e78780d9
      
https://github.com/qemu/qemu/commit/ff62727459bfcc05fe891d826508a4d1e78780d9
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    A hw/intc/arm_gicv3_hvf.c
    M hw/intc/meson.build
    M include/hw/intc/arm_gicv3_common.h

  Log Message:
  -----------
  hw/intc: Add hvf vGIC interrupt controller support

This opens up the door to nested virtualisation support.

Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 18172feaa6b6d3404b4d2f4130318ac546c75fe5
      
https://github.com/qemu/qemu/commit/18172feaa6b6d3404b4d2f4130318ac546c75fe5
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M hw/intc/arm_gicv3_common.c
    M hw/intc/arm_gicv3_hvf.c
    A hw/intc/arm_gicv3_hvf_stub.c
    M hw/intc/meson.build
    M include/hw/intc/arm_gicv3_common.h

  Log Message:
  -----------
  hw/intc: arm_gicv3_hvf: save/restore Apple GIC state

On HVF, some of the GIC state is in an opaque Apple-provided structure.

Save/restore that state to be able to save/restore VMs that use the hardware GIC.

Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 6f23b3c2211fbf01f1ac0e84219dc6db7a28e0c7
      
https://github.com/qemu/qemu/commit/6f23b3c2211fbf01f1ac0e84219dc6db7a28e0c7
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M accel/hvf/hvf-all.c
    M accel/stubs/hvf-stub.c
    M hw/arm/virt.c
    M hw/intc/arm_gicv3_common.c
    M include/system/hvf.h
    M system/vl.c

  Log Message:
  -----------
  accel, hw/arm, include/system/hvf: infrastructure changes for HVF vGIC

Misc changes needed for HVF vGIC enablement.

Note: x86_64 macOS exposes interrupt controller virtualisation since macOS 12.
Keeping an #ifdef here in case we end up supporting that...

However, given that x86_64 macOS is on its way out, it'll probably (?) not be
supported in QEMU.

Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 7c91c92765909470e9cecdde4a4874c521f292a9
      
https://github.com/qemu/qemu/commit/7c91c92765909470e9cecdde4a4874c521f292a9
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M target/arm/hvf/hvf.c

  Log Message:
  -----------
  target/arm: hvf: instantiate GIC early

While figuring out a better spot for it, put it in hv_arch_vm_create().

After hv_vcpu_create is documented as too late, and deferring
vCPU initialization isn't enough either.

Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: d7cce96c971a5241574bf9f8bd6715c89bf1a94c
      
https://github.com/qemu/qemu/commit/d7cce96c971a5241574bf9f8bd6715c89bf1a94c
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M accel/hvf/hvf-all.c
    M accel/stubs/hvf-stub.c
    M hw/arm/virt.c
    M include/system/hvf.h
    M target/arm/hvf/hvf.c

  Log Message:
  -----------
  hw/arm, target/arm: nested virtualisation on HVF

Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 6e829226e8d7324d03226e4028567a4549a330fe
      
https://github.com/qemu/qemu/commit/6e829226e8d7324d03226e4028567a4549a330fe
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M target/arm/hvf/hvf.c

  Log Message:
  -----------
  hvf: only call hvf_sync_vtimer() when running without the platform vGIC

When running with the Apple vGIC, the EL1 vtimer is handled by the platform.

Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Mads Ynddal <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 0d191bc2bbc49d8d6995c946f55223730eef66ba
      
https://github.com/qemu/qemu/commit/0d191bc2bbc49d8d6995c946f55223730eef66ba
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M target/arm/hvf/hvf.c

  Log Message:
  -----------
  hvf: gate ARM_FEATURE_PMU register emulation behind not being at EL2

From Apple documentation:

> When EL2 is disabled, PMU register accesses trigger "Trapped MSR, MRS, or
> System Instruction" exceptions. When this happens, hv_vcpu_run() returns, and
> the hv_vcpu_exit_t object contains the information about this exception.

> When EL2 is enabled, the handling of PMU register accesses is determined by
> the PMUVer field of ID_AA64DFR0_EL1 register. If the PMUVer field value is
> zero or is invalid, PMU register accesses generate "Undefined" exceptions,
> which are sent to the guest. If the PMUVer field value is non-zero and valid,
> PMU register accesses are emulated by the framework. The ID_AA64DFR0_EL1
> register can be modified via hv_vcpu_set_sys_reg API.

Signed-off-by: Mohamed Mediouni <[email protected]>

Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Tested-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 6d0479581ea2a981684b5f564b9bb64aafdd02eb
      
https://github.com/qemu/qemu/commit/6d0479581ea2a981684b5f564b9bb64aafdd02eb
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M target/arm/hvf/hvf.c

  Log Message:
  -----------
  hvf: arm: allow exposing minimal PMU when running with nested virt on

When running with nested virt on, a minimum PMU is exposed by Hypervisor.framework
if a valid PMUVer register value is set. That PMU isn't exposed otherwise.

Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 394144821aa8d4b704d6013f421bf8bfd43a333a
      
https://github.com/qemu/qemu/commit/394144821aa8d4b704d6013f421bf8bfd43a333a
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M target/arm/hvf/hvf.c

  Log Message:
  -----------
  target/arm: hvf: add asserts for code paths not leveraged when using the vGIC

When using the vGIC, timers are directly handled by the platform.
No vmexits ought to happen in that case. Abort if reaching those code paths.

Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Mads Ynddal <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 83bb8093b3edffba9ed59e743fd0b0c98e7fca1f
      
https://github.com/qemu/qemu/commit/83bb8093b3edffba9ed59e743fd0b0c98e7fca1f
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M target/arm/hvf/hvf.c
    M target/arm/hvf/sysreg.c.inc

  Log Message:
  -----------
  hvf: sync registers used at EL2

When starting up the VM at EL2, more sysregs are available. Sync the state of
those.

In addition, sync the state of the EL1 physical timer when the vGIC is used, even
if running at EL1. However, no OS running at EL1 is expected to use those
registers.

Signed-off-by: Mohamed Mediouni <[email protected]>
Message-id: [email protected]
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>


  Commit: d8f78d77f583627974ed53fdffdd7c4c242f13cc
      
https://github.com/qemu/qemu/commit/d8f78d77f583627974ed53fdffdd7c4c242f13cc
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M target/arm/hvf/hvf.c

  Log Message:
  -----------
  target/arm: hvf: pass through CNTHCTL_EL2 and MDCCINT_EL1

HVF traps accesses to CNTHCTL_EL2. For nested guests, HVF traps accesses to
MDCCINT_EL1. Pass through those accesses to the Hypervisor.framework library.

Signed-off-by: Mohamed Mediouni <[email protected]>

Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Tested-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 019f693ca38e1d0abd4eed514d4328674973f845
      
https://github.com/qemu/qemu/commit/019f693ca38e1d0abd4eed514d4328674973f845
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M target/arm/hvf/hvf.c
    M target/arm/hvf_arm.h

  Log Message:
  -----------
  hvf: arm: disable SME when nested virt is active

Currently, Apple doesn't support the nested virtualisation + SME combination.

Signed-off-by: Mohamed Mediouni <[email protected]>
Message-id: [email protected]
[PMM: use FIELD_DP64_IDREG()]
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 9c3ae30d411a94ddd4a0e09d26ba095748b75be3
      
https://github.com/qemu/qemu/commit/9c3ae30d411a94ddd4a0e09d26ba095748b75be3
  Author: Mohamed Mediouni <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M hw/arm/virt.c

  Log Message:
  -----------
  hvf: enable nested virtualisation support

Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>


  Commit: 0853d26b58a5a1c98c338fca47276611bc8b511f
      
https://github.com/qemu/qemu/commit/0853d26b58a5a1c98c338fca47276611bc8b511f
  Author: Peter Maydell <[email protected]>
  Date:   2026-03-06 (Fri, 06 Mar 2026)

  Changed paths:
    M .gitlab-ci.d/buildtest.yml
    M MAINTAINERS
    M accel/hvf/hvf-all.c
    M accel/stubs/hvf-stub.c
    M backends/iommufd.c
    M backends/trace-events
    M chardev/char-io.c
    M chardev/char-socket.c
    M configs/devices/arm-softmmu/default.mak
    M docs/about/deprecated.rst
    M docs/about/removed-features.rst
    R docs/system/arm/highbank.rst
    M docs/system/target-arm.rst
    M hw/arm/Kconfig
    R hw/arm/highbank.c
    M hw/arm/meson.build
    M hw/arm/smmuv3-accel.c
    M hw/arm/smmuv3-accel.h
    M hw/arm/smmuv3-internal.h
    M hw/arm/smmuv3.c
    M hw/arm/trace-events
    M hw/arm/virt.c
    M hw/gpio/aspeed_gpio.c
    M hw/intc/arm_gicv3_common.c
    A hw/intc/arm_gicv3_hvf.c
    A hw/intc/arm_gicv3_hvf_stub.c
    M hw/intc/meson.build
    M hw/net/Kconfig
    M hw/net/meson.build
    M hw/net/smc91c111.c
    R hw/net/xgmac.c
    M include/hw/arm/smmuv3-common.h
    M include/hw/intc/arm_gicv3_common.h
    M include/migration/vmstate.h
    M include/system/hvf.h
    M include/system/iommufd.h
    M scripts/coverity-scan/COMPONENTS.md
    A scripts/lsan_suppressions.txt
    R scripts/oss-fuzz/lsan_suppressions.txt
    M system/qtest.c
    M system/vl.c
    M target/arm/helper.c
    M target/arm/hvf/hvf.c
    A target/arm/hvf/hvf_sme_stubs.h
    M target/arm/hvf/sysreg.c.inc
    M target/arm/hvf_arm.h
    M target/arm/kvm-stub.c
    M target/arm/kvm.c
    M target/arm/kvm_arm.h
    M target/arm/machine.c
    M target/arm/trace-events
    M target/arm/whpx/whpx-all.c
    M tests/docker/test-fuzz
    M tests/qtest/iommu-smmuv3-test.c
    M tests/qtest/qos-test.c
    M tests/qtest/test-x86-cpuid-compat.c

  Log Message:
  -----------
  Merge tag 'pull-target-arm-20260306' of https://gitlab.com/pm215/qemu into staging

target-arm queue:
 * Remove deprecated 'highbank' and 'midway' machines
 * hw/arm: Add missing dependencies for STM32F405 SoC
 * hw/arm/smmuv3-accel: Read and propagate host vIOMMU events
 * Minor MAINTAINERS updates
 * target/arm: Improve logging of migration errors due to system
   register mismatches between source and destination
 * hw/arm/aspeed_gpio: Don't leak string in aspeed_gpio_init()
 * tests/qtest/iommu-smmuv3-test: Free QPCIDevice
 * chardev: Fix various sanitizer detected leaks
 * tests/qtest/test-x86-cpuid-compat: Free allocated memory
 * tests/qtest/qos-test: Plug a couple of leaks
 * hw/arm/smmuv3: Fix various minor bugs
 * hvf/arm: expose FEAT_SME2 to guest if available
 * hvf/arm: Add hvf vGIC interrupt controller support
 * hvf: enable nested virtualisation support

# gpg: Signature made Fri Mar  6 14:59:02 2026 GMT
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "[email protected]"
# gpg: Good signature from "Peter Maydell <[email protected]>" [ultimate]
# gpg:                 aka "Peter Maydell <[email protected]>" [ultimate]
# gpg:                 aka "Peter Maydell <[email protected]>" [ultimate]
# gpg:                 aka "Peter Maydell <[email protected]>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20260306' of https://gitlab.com/pm215/qemu: (49 commits)
  hvf: enable nested virtualisation support
  hvf: arm: disable SME when nested virt is active
  target/arm: hvf: pass through CNTHCTL_EL2 and MDCCINT_EL1
  hvf: sync registers used at EL2
  target/arm: hvf: add asserts for code paths not leveraged when using the vGIC
  hvf: arm: allow exposing minimal PMU when running with nested virt on
  hvf: gate ARM_FEATURE_PMU register emulation behind not being at EL2
  hvf: only call hvf_sync_vtimer() when running without the platform vGIC
  hw/arm, target/arm: nested virtualisation on HVF
  target/arm: hvf: instantiate GIC early
  accel, hw/arm, include/system/hvf: infrastructure changes for HVF vGIC
  hw/intc: arm_gicv3_hvf: save/restore Apple GIC state
  hw/intc: Add hvf vGIC interrupt controller support
  hvf: hvf-all: stop including hvf_arm.h
  hw/arm: virt: remove hvf_arm.h include
  hvf/arm: expose FEAT_SME2 to guest if available
  hvf/arm: handle FEAT_SME2 migration
  hw/arm/smmuv3: Fix CFGI_CD handling when stage-1 is unsupported
  hw/arm/smmuv3: Correct SMMUEN field name in CR0
  hw/arm/smmuv3-common: Fix incorrect reserved mask for SMMU CR0 register
  ...

Signed-off-by: Peter Maydell <[email protected]>


Compare: https://github.com/qemu/qemu/compare/2940018747e3...0853d26b58a5
