Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: 201245a6542983d4c3ae8db519d9721d64afc2be
https://github.com/qemu/qemu/commit/201245a6542983d4c3ae8db519d9721d64afc2be
Author: Thomas Huth <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M MAINTAINERS
M configs/devices/arm-softmmu/default.mak
M docs/about/deprecated.rst
M docs/about/removed-features.rst
R docs/system/arm/highbank.rst
M docs/system/target-arm.rst
M hw/arm/Kconfig
R hw/arm/highbank.c
M hw/arm/meson.build
Log Message:
-----------
hw/arm: Remove the deprecated "highbank" and "midway" machines
These machines have been marked as deprecated two releases ago,
and so far nobody complained that they are still useful, so it's
time to remove these now.
Signed-off-by: Thomas Huth <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Commit: 072ddc8eb97581a6800eb6d8d864b28102c46280
https://github.com/qemu/qemu/commit/072ddc8eb97581a6800eb6d8d864b28102c46280
Author: Thomas Huth <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M hw/net/Kconfig
M hw/net/meson.build
R hw/net/xgmac.c
M scripts/coverity-scan/COMPONENTS.md
Log Message:
-----------
hw/net: Remove the xgmac device
The xgmac device was only used by the highbank machine that just
has been removed. Being a sysbus device that cannot be instantiated
by the user, this is dead code now and thus can be removed, too.
Signed-off-by: Thomas Huth <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Commit: 005b1d838b09c07f4832349fe55f1cf22411edb0
https://github.com/qemu/qemu/commit/005b1d838b09c07f4832349fe55f1cf22411edb0
Author: Chisheng Chen <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M hw/arm/Kconfig
Log Message:
-----------
hw/arm: Add missing dependencies for STM32F405 SoC
The STM32F405 SoC relies on STM32F2xx peripherals (ADC, SPI, TIMER,
USART) and the unimplemented device (UNIMP). However, they are not
selected in Kconfig. This adds these dependencies.
Signed-off-by: Chisheng Chen <[email protected]>
Message-id: [email protected]
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Commit: 0885cd5504dfdbd531a1fc0e3e421d3c9934b03a
https://github.com/qemu/qemu/commit/0885cd5504dfdbd531a1fc0e3e421d3c9934b03a
Author: Nicolin Chen <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M backends/iommufd.c
M backends/trace-events
M include/system/iommufd.h
Log Message:
-----------
backends/iommufd: Introduce iommufd_backend_alloc_veventq
Add a new helper for IOMMU_VEVENTQ_ALLOC ioctl to allocate a virtual event
queue (vEVENTQ) for a vIOMMU object.
Signed-off-by: Nicolin Chen <[email protected]>
Tested-by: Nicolin Chen <[email protected]>
Reviewed-by: Eric Auger <[email protected]>
Reviewed-by: Nicolin Chen <[email protected]>
Tested-by: Eric Auger <[email protected]>
Reviewed-by: Jonathan Cameron <[email protected]>
Signed-off-by: Shameer Kolothum <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Commit: 674d57bf6e26a3ae7076a7ee56e6be90580d5208
https://github.com/qemu/qemu/commit/674d57bf6e26a3ae7076a7ee56e6be90580d5208
Author: Shameer Kolothum <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M hw/arm/smmuv3-accel.c
Log Message:
-----------
hw/arm/smmuv3-accel: Add viommu free helper
Move viommu teardown into a helper function and use it from the
last device removal path.
This groups related cleanup logic in one place and improves readability.
It also makes it easier to extend the teardown in future, for example
when freeing related objects such as vEVENTQ.
No functional change.
Reviewed-by: Nicolin Chen <[email protected]>
Reviewed-by: Eric Auger <[email protected]>
Tested-by: Eric Auger <[email protected]>
Reviewed-by: Jonathan Cameron <[email protected]>
Signed-off-by: Shameer Kolothum <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Commit: 46f0d48393529cfa3659012971c20f6808eb3b78
https://github.com/qemu/qemu/commit/46f0d48393529cfa3659012971c20f6808eb3b78
Author: Nicolin Chen <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M hw/arm/smmuv3-accel.c
M hw/arm/smmuv3-accel.h
M hw/arm/smmuv3.c
Log Message:
-----------
hw/arm/smmuv3-accel: Allocate vEVENTQ for accelerated SMMUv3 devices
When the guest enables the Event Queue and a vIOMMU is present, allocate a
vEVENTQ object so that host-side events related to the vIOMMU can be
received and propagated back to the guest.
Allocate a vEVENTQ only when both of the following conditions are met:
1) The guest SMMUv3 driver has set EVENTQEN = 1 in SMMU_CR0.
2) A vIOMMU exists (created when the first VFIO device is attached).
These two conditions may occur in any order.
In the cold-plug case, the vIOMMU already exists before the guest
driver probes. When the guest sets EVENTQEN = 1 during driver probe,
the vEVENTQ is allocated at that point.
With hot-plug, the VFIO device may be attached either before or after
the guest sets EVENTQEN. If the vIOMMU is created first, allocation is
deferred until EVENTQEN = 1. If EVENTQEN is already set, allocation
happens when the vIOMMU is created.
In all cases, allocation is triggered when the second required
condition becomes true.
Errors from command queue consumption and vEVENTQ allocation are reported
independently as the two operations are unrelated.
Event read and propagation will be added in a later patch.
Signed-off-by: Nicolin Chen <[email protected]>
Tested-by: Nicolin Chen <[email protected]>
Reviewed-by: Eric Auger <[email protected]>
Tested-by: Eric Auger <[email protected]>
Signed-off-by: Shameer Kolothum <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Commit: 43585524a7c628c0ebace5c33ba865c4e2c55177
https://github.com/qemu/qemu/commit/43585524a7c628c0ebace5c33ba865c4e2c55177
Author: Shameer Kolothum <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M hw/arm/smmuv3-internal.h
M hw/arm/smmuv3.c
M hw/arm/trace-events
Log Message:
-----------
hw/arm/smmuv3: Introduce a helper function for event propagation
Factor out the code that propagates event records to the guest into a
helper function. The accelerated SMMUv3 path can use this to propagate
host events in a subsequent patch.
Take the mutex inside the helper before accessing the Event Queue.
Today event propagation occurs only in the core SMMUv3 path and is
effectively serialized. A subsequent patch will also invoke this helper
from the accelerated event read path, which may run concurrently.
Therefore serialization is required here.
No functional change intended.
Reviewed-by: Nicolin Chen <[email protected]>
Reviewed-by: Eric Auger <[email protected]>
Tested-by: Nicolin Chen <[email protected]>
Tested-by: Eric Auger <[email protected]>
Reviewed-by: Jonathan Cameron <[email protected]>
Signed-off-by: Shameer Kolothum <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Commit: c0c97fbc6cf764f0d66d5122c4117d0770e89902
https://github.com/qemu/qemu/commit/c0c97fbc6cf764f0d66d5122c4117d0770e89902
Author: Shameer Kolothum <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M hw/arm/smmuv3-accel.c
Log Message:
-----------
hw/arm/smmuv3-accel: Read and propagate host vIOMMU events
Install an event handler on the vEVENTQ fd to read and propagate host
generated vIOMMU events to the guest.
The handler runs in QEMU's main loop, using a non-blocking fd registered
via qemu_set_fd_handler().
Tested-by: Nicolin Chen <[email protected]>
Reviewed-by: Eric Auger <[email protected]>
Reviewed-by: Nicolin Chen <[email protected]>
Tested-by: Eric Auger <[email protected]>
Reviewed-by: Jonathan Cameron <[email protected]>
Signed-off-by: Shameer Kolothum <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Commit: 7564492337d375a01b2440bd84be87fed4056fc6
https://github.com/qemu/qemu/commit/7564492337d375a01b2440bd84be87fed4056fc6
Author: Paul Durrant <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M MAINTAINERS
Log Message:
-----------
MAINTAINERS: remove myself as a Xen maintainer
I am no longer actively involved in the Xen Project.
Signed-off-by: Paul Durrant <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Commit: 76d126d0f61eeda35ba39a2e60cbd0c62cd0184c
https://github.com/qemu/qemu/commit/76d126d0f61eeda35ba39a2e60cbd0c62cd0184c
Author: CLEMENT MATHIEU--DRIF <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M MAINTAINERS
Log Message:
-----------
MAINTAINERS: Update Clement Mathieu--Drif's email address
Switch to bull.com email address following a company split.
The previous eviden.com address will remain active for a few months.
Signed-off-by: Clement Mathieu--Drif <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Commit: 2cae1adc42e0ec8f860056de725f35a7fdad4156
https://github.com/qemu/qemu/commit/2cae1adc42e0ec8f860056de725f35a7fdad4156
Author: Peter Maydell <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M system/qtest.c
Log Message:
-----------
system/qtest: Support comments in input commands
Allow the qtest input to include comment lines, which start with '#'.
This allows writing an input file for qtest which includes commentary,
like this:
# set up TCR in bank 0
write 0x1001000e 2 0
# TCR TXEN
write 0x10010000 2 1
which can make hand-writing or annotating reproduce cases a bit
more convenient.
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
Commit: d8e19f8042dcaff8e077292209c8196acb150bdd
https://github.com/qemu/qemu/commit/d8e19f8042dcaff8e077292209c8196acb150bdd
Author: Peter Maydell <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M hw/net/smc91c111.c
Log Message:
-----------
hw/net/smc91c111: Don't allow negative-length packets
The smc91c111 data frame format in memory (figure 8-1 in the
datasheet) includes a "byte count" field which is intended to be the
total size of the data frame, including not just the packet data but
also the leading and trailing information like the status word and
the byte count field itself. It is therefore possible for the guest
to set this to a value so small that the leading and trailing fields
won't fit and the packet has effectively a negative area.
We weren't checking for this, with the result that when we subtract 6
from the length to get the length of the packet proper we end up with
a negative length, which is then inconsistently handled in the
qemu_send_packet() code such that we can try to transmit a very large
amount of data and read off the end of the device's data array.
Treat excessively small length values the same way we do excessively
large values. As with the oversized case, the datasheet does not
describe what happens for this software error case, and there is no
relevant tx error condition for this, so we just log and drop the
packet.
Cc: [email protected]
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3304
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Message-id: [email protected]
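To make the failure mode above concrete, here is a small added example (this is not QEMU's smc91c111.c, and the 2048-byte per-packet buffer is an assumption made for the illustration). It models the frame layout the commit message describes, with the byte count covering the 6 bytes of header and trailer, shows how the pre-fix check lets a byte count below 6 turn into a negative payload length that a size_t-taking send path reads as an enormous length, and puts the hardened check beside it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the smc91c111 TX frame layout as the commit message describes it
 * (datasheet figure 8-1): a status word, a little-endian byte count giving the
 * TOTAL frame size including header and trailer, the payload, then a two-byte
 * trailer.  Header + trailer is the 6 bytes the fix subtracts.  The 2048-byte
 * per-packet buffer is an assumption made for this example.
 */
#define FRAME_OVERHEAD   6
#define PACKET_BUF_SIZE  2048
#define MAX_PAYLOAD      (PACKET_BUF_SIZE - FRAME_OVERHEAD)

enum tx_result { TX_SENT = 0, TX_DROP_TOO_LARGE = 1, TX_DROP_TOO_SMALL = 2 };

static int frame_byte_count(const uint8_t *buf)
{
    return buf[2] | (buf[3] << 8);
}

/* Before the fix: only an oversized byte count is rejected. */
static enum tx_result tx_len_check_before(const uint8_t *buf, int *payload_len)
{
    int len = frame_byte_count(buf) - FRAME_OVERHEAD; /* negative if count < 6 */

    if (len > MAX_PAYLOAD) {
        return TX_DROP_TOO_LARGE;
    }
    *payload_len = len;
    return TX_SENT;
}

/* After the fix: an undersized count is logged and dropped like an oversized one. */
static enum tx_result tx_len_check_after(const uint8_t *buf, int *payload_len)
{
    int byte_count = frame_byte_count(buf);

    if (byte_count < FRAME_OVERHEAD) {
        fprintf(stderr, "smc91c111: frame byte count %d too small, dropping\n",
                byte_count);
        return TX_DROP_TOO_SMALL;
    }
    if (byte_count - FRAME_OVERHEAD > MAX_PAYLOAD) {
        fprintf(stderr, "smc91c111: frame byte count %d too large, dropping\n",
                byte_count);
        return TX_DROP_TOO_LARGE;
    }
    *payload_len = byte_count - FRAME_OVERHEAD;
    return TX_SENT;
}

/* A send path that takes a size_t turns a negative length into a huge one. */
static size_t as_send_size(int payload_len)
{
    return (size_t)payload_len;
}

/* Build a frame carrying a guest-chosen byte count and run one of the checks. */
static enum tx_result check_frame(int byte_count, bool hardened, int *payload_len)
{
    uint8_t buf[PACKET_BUF_SIZE];

    memset(buf, 0, sizeof(buf));
    buf[2] = byte_count & 0xff;
    buf[3] = (byte_count >> 8) & 0xff;
    *payload_len = -1;
    return hardened ? tx_len_check_after(buf, payload_len)
                    : tx_len_check_before(buf, payload_len);
}

static int result_for(int byte_count, bool hardened)
{
    int len;
    return check_frame(byte_count, hardened, &len);
}

static int payload_len_for(int byte_count, bool hardened)
{
    int len;
    check_frame(byte_count, hardened, &len);
    return len;
}

int main(void)
{
    int len;

    check_frame(4, false, &len);
    printf("before: byte_count=4 -> payload_len=%d, as size_t=%zu\n",
           len, as_send_size(len));
    printf("after:  byte_count=4 -> result=%d (dropped)\n", result_for(4, true));
    printf("after:  byte_count=70 -> payload_len=%d\n", payload_len_for(70, true));
    return 0;
}
```

The point a reviewer would check is that both bounds are tested on the raw byte count before any subtraction, so the length handed onward can never be negative.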
Commit: fbf9bb0d7935fa61a7bf2dcd06a22708d9347ef4
https://github.com/qemu/qemu/commit/fbf9bb0d7935fa61a7bf2dcd06a22708d9347ef4
Author: Magnus Kulke <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M MAINTAINERS
Log Message:
-----------
MAINTAINERS: fix magnuskulke email-address
Consolidating email aliases.
Signed-off-by: Magnus Kulke <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Commit: f555338df754b37e042d5b88610c34b1d1845383
https://github.com/qemu/qemu/commit/f555338df754b37e042d5b88610c34b1d1845383
Author: Eric Auger <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M include/migration/vmstate.h
Log Message:
-----------
vmstate: Introduce VMSTATE_VARRAY_INT32_ALLOC
Already existing VMSTATE_VARRAY_INT32 requires an array to be
pre-allocated, however there are cases when the size is not known in
advance and there is no real need to enforce it.
Introduce VMSTATE_VARRAY_INT32_ALLOC as we currently have for UINT32
and UINT16.
The first user of this variant will be the target/arm/machine.c cpreg
indexes/values arrays.
Signed-off-by: Eric Auger <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Reviewed-by: Peter Xu <[email protected]>
Message-id: [email protected]
Suggested-by: Peter Maydell <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Reviewed-by: Peter Xu <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Commit: ab2ddc7b662d34c242ddfcfbe35996417b047ce2
https://github.com/qemu/qemu/commit/ab2ddc7b662d34c242ddfcfbe35996417b047ce2
Author: Eric Auger <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M target/arm/helper.c
M target/arm/kvm.c
M target/arm/machine.c
M target/arm/trace-events
M target/arm/whpx/whpx-all.c
Log Message:
-----------
target/arm/machine: Use VMSTATE_VARRAY_INT32_ALLOC for cpreg arrays
This removes the need for explicitly allocating cpreg_vmstate arrays.
On post save we simply point to cpreg arrays and set the length
accordingly.
Remove VMSTATE_VARRAY_INT32 for cpreg_vmstate_array_len as now
the array is dynamically allocated.
Also add a trace point on post_load to trace potential mismatch
between the number of incoming cpregs versus current ones.
Signed-off-by: Eric Auger <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Suggested-by: Peter Maydell <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Commit: 5ae081fb493510f62280afc005aa36f702192539
https://github.com/qemu/qemu/commit/5ae081fb493510f62280afc005aa36f702192539
Author: Eric Auger <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M target/arm/kvm-stub.c
M target/arm/kvm.c
M target/arm/kvm_arm.h
Log Message:
-----------
target/arm/kvm: Export kvm_print_register_name()
We want to use kvm_print_register_name() in machine.c so
let's export the helper and implement a stub when kvm
is not enabled.
Signed-off-by: Eric Auger <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Commit: 3e0a3a8e91efabef01dad8ea1cd1f13dcc46b14d
https://github.com/qemu/qemu/commit/3e0a3a8e91efabef01dad8ea1cd1f13dcc46b14d
Author: Eric Auger <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M target/arm/kvm.c
Log Message:
-----------
target/arm/kvm: Tweak print_register_name() for arm64 system register
As opposed to other register types, arm64 system register decoding
is not introduced by any 'register' mention which can lead to
unfriendly user-facing traces. Let's add "system register".
Signed-off-by: Eric Auger <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Commit: eac1e610f48923084cb07b3f1eaa05f5fedccd85
https://github.com/qemu/qemu/commit/eac1e610f48923084cb07b3f1eaa05f5fedccd85
Author: Eric Auger <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M target/arm/machine.c
Log Message:
-----------
target/arm/machine: Trace cpreg names which do not match on migration
Whenever there is a mismatch between cpreg indexes in the incoming
stream and cpregs exposed by the destination output the name of
the register. We use a print_register_name() wrapper helper. At the
moment we are only able to do a nice decoding of the index for
KVM regs.
Without this patch, the error would be:
qemu-system-aarch64: load of migration failed: Operation not permitted:
error while loading state for instance 0x0 of device 'cpu': post load
hook failed for: cpu, version_id: 22, minimum_version: 22, ret: -1
which is not helpful for the end user to understand the actual
issue.
This patch adds the actual information about the problem:
qemu-system-aarch64: cpu_post_load: system register
op0:3 op1:0 crn:2 crm:0 op2:3 in the incoming stream but
unknown on the destination, fail migration
Signed-off-by: Eric Auger <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Commit: e25c63c3b368118dc109e49393554f85f1203d1e
https://github.com/qemu/qemu/commit/e25c63c3b368118dc109e49393554f85f1203d1e
Author: Eric Auger <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M target/arm/machine.c
Log Message:
-----------
target/arm/machine: Trace all register mismatches
At the moment, cpu_post_load() exits with error on the first
catch of unexpected register in the incoming stream. Let the code
go further and trace all the issues before exiting.
Signed-off-by: Eric Auger <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Commit: dbfed8d80837ff7d36e763163f38549169ee64cc
https://github.com/qemu/qemu/commit/dbfed8d80837ff7d36e763163f38549169ee64cc
Author: Eric Auger <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M target/arm/machine.c
Log Message:
-----------
target/arm/machine: Fix detection of unknown incoming cpregs
Currently the check of cpreg index matches fail to detect
a situation where the length of both arrays is same but
- destination has an extra register not found in the incoming stream (idx1)
- source has an extra register not found in the destination (idx2)
where idx1 <= idx2
Normally this should fail but it does not.
Fix the logic to scan all indexes.
Fixes: 721fae12536 ("target-arm: Convert TCG to using (index,value) list for cp migration")
Signed-off-by: Eric Auger <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
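The two preceding commits (tracing every mismatch rather than stopping at the first, and scanning all indexes so an unknown incoming register is not missed) are easiest to see on a pair of sorted index lists. The following is an added example, not target/arm/machine.c: the register numbers are constructed, and the lockstep walk labelled "before" is this example's reconstruction of the flawed logic the commit message describes, shown next to a scan that consumes every incoming index and reports all of the unknown ones.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Both index lists are sorted ascending.  "dst" is what this QEMU knows
 * about, "src" is what the incoming migration stream carries.  The register
 * numbers below are constructed for this example.
 */

/* Before the fix: lockstep walk that stops when either list is exhausted. */
static int match_indexes_before(const uint64_t *dst, int dst_len,
                                const uint64_t *src, int src_len)
{
    int i, v;

    for (i = 0, v = 0; i < dst_len && v < src_len; i++) {
        if (src[v] > dst[i]) {
            continue;       /* known here, absent from the stream: keep reset value */
        }
        if (src[v] < dst[i]) {
            return -1;      /* in the stream but unknown here */
        }
        v++;                /* match */
    }
    /* BUG: if dst ran out first, src[v..] is never examined. */
    return 0;
}

/* After the fix: every incoming index is consumed, all mismatches reported. */
static int match_indexes_after(const uint64_t *dst, int dst_len,
                               const uint64_t *src, int src_len,
                               int *unknown)
{
    int i = 0, v = 0;

    *unknown = 0;
    while (v < src_len) {
        if (i < dst_len && dst[i] < src[v]) {
            i++;            /* destination-only register: skip it */
        } else if (i < dst_len && dst[i] == src[v]) {
            i++;
            v++;            /* match */
        } else {
            fprintf(stderr, "cpreg 0x%" PRIx64 " in incoming stream but unknown "
                    "on the destination\n", src[v]);
            (*unknown)++;
            v++;            /* keep scanning so every mismatch gets reported */
        }
    }
    return *unknown ? -1 : 0;
}

static int after_unknown(const uint64_t *dst, int dst_len,
                         const uint64_t *src, int src_len)
{
    int unknown;

    match_indexes_after(dst, dst_len, src, src_len, &unknown);
    return unknown;
}

static int after_result(const uint64_t *dst, int dst_len,
                        const uint64_t *src, int src_len)
{
    int unknown;

    return match_indexes_after(dst, dst_len, src, src_len, &unknown);
}

/* Same length; destination-only 0x50 (idx1) sorts before stream-only 0x70 (idx2). */
static const uint64_t dst_a[] = { 0x10, 0x20, 0x30, 0x50 };
static const uint64_t src_a[] = { 0x10, 0x20, 0x30, 0x70 };
/* Same pair the other way round: idx1 > idx2, which the old walk did catch. */
static const uint64_t dst_b[] = { 0x10, 0x20, 0x30, 0x70 };
static const uint64_t src_b[] = { 0x10, 0x20, 0x30, 0x50 };
/* Stream is a strict subset of the destination: must still be accepted. */
static const uint64_t src_c[] = { 0x10, 0x30 };
/* Several unknown registers: all three should be reported, not just the first. */
static const uint64_t src_d[] = { 0x10, 0x40, 0x60, 0x70 };

#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

int main(void)
{
    printf("case a: before=%d after=%d unknown=%d\n",
           match_indexes_before(dst_a, LEN(dst_a), src_a, LEN(src_a)),
           after_result(dst_a, LEN(dst_a), src_a, LEN(src_a)),
           after_unknown(dst_a, LEN(dst_a), src_a, LEN(src_a)));
    printf("case b: before=%d after=%d\n",
           match_indexes_before(dst_b, LEN(dst_b), src_b, LEN(src_b)),
           after_result(dst_b, LEN(dst_b), src_b, LEN(src_b)));
    printf("case c: after=%d\n", after_result(dst_a, LEN(dst_a), src_c, LEN(src_c)));
    printf("case d: unknown=%d\n", after_unknown(dst_a, LEN(dst_a), src_d, LEN(src_d)));
    return 0;
}
```

Case a is the scenario from the commit message: equal lengths, the destination's extra register sorting before the stream's extra one, which the old walk accepts and the new scan rejects.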
Commit: e9f55f543fca5fbdb1b1eed033d4a79e06c9f54d
https://github.com/qemu/qemu/commit/e9f55f543fca5fbdb1b1eed033d4a79e06c9f54d
Author: Peter Maydell <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M .gitlab-ci.d/buildtest.yml
A scripts/lsan_suppressions.txt
R scripts/oss-fuzz/lsan_suppressions.txt
M tests/docker/test-fuzz
Log Message:
-----------
scripts: Move lsan_suppressions.txt out of oss-fuzz subdir
The oss-fuzz code uses an lsan_suppressions file to suppress certain
leak-sanitizer cases that are known issues or not our code's bug.
This is useful more widely than just for the fuzzer harness: if you
want to build QEMU with the leak sanitizer enabled and run 'make
check' then you will want to suppress some bogus leak reports.
Move the file up a directory.
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Thomas Huth <[email protected]>
Reviewed-by: Yodel Eldar <[email protected]>
Message-id: [email protected]
Commit: 1373470577396ca0b980aed937e4f4a8c90008d6
https://github.com/qemu/qemu/commit/1373470577396ca0b980aed937e4f4a8c90008d6
Author: Peter Maydell <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M scripts/lsan_suppressions.txt
Log Message:
-----------
scripts/lsan_suppressions.txt: Add more leaks
Running "make check" with the clang leak sanitizer reveals some
leak reports which are either not our problem or else not
a leak which is worth our time to fix. Add some suppressions
for these.
While we're touching the file, add the usual SPDX header
and a comment explaining how to use it.
Reviewed-by: Fabiano Rosas <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Commit: cc177661ab592a69bd39524aa7d095345b5031df
https://github.com/qemu/qemu/commit/cc177661ab592a69bd39524aa7d095345b5031df
Author: Peter Maydell <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M hw/gpio/aspeed_gpio.c
Log Message:
-----------
hw/arm/aspeed_gpio: Don't leak string in aspeed_gpio_init()
We allocate the string for the GPIO property name, but never free it.
Use g_autofree to avoid this.
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Cédric Le Goater <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Commit: 7220c1a0eea04607521c9f4530777807507440c0
https://github.com/qemu/qemu/commit/7220c1a0eea04607521c9f4530777807507440c0
Author: Peter Maydell <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M tests/qtest/iommu-smmuv3-test.c
Log Message:
-----------
tests/qtest/iommu-smmuv3-test: Free QPCIDevice
The QPCIDevice we get via qpci_device_foreach() is allocated
memory, and we need to g_free() it after use.
This fixes asan leaks like this:
Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x622a5f16913d in calloc
(/home/pm215/qemu/build/arm-clang/tests/qtest/iommu-smmuv3-test+0x1d413d)
(BuildId: bc598be1f4ad6d1a9a600c55aeef36108bdb6a04)
#1 0x73ee41c0f771 in g_malloc0
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x63771) (BuildId:
116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
#2 0x622a5f1d4cec in qpci_device_find
/home/pm215/qemu/build/arm-clang/../../tests/qtest/libqos/pci.c:82:11
#3 0x622a5f1d4cec in qpci_device_foreach
/home/pm215/qemu/build/arm-clang/../../tests/qtest/libqos/pci.c:34:19
#4 0x622a5f23cc73 in setup_qtest_pci_device
/home/pm215/qemu/build/arm-clang/../../tests/qtest/iommu-smmuv3-test.c:45:5
#5 0x622a5f23cc73 in run_smmuv3_translation
/home/pm215/qemu/build/arm-clang/../../tests/qtest/iommu-smmuv3-test.c:74:11
Reviewed-by: Fabiano Rosas <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Commit: 1423c170b968b809759848d79a94ec7c6a23269d
https://github.com/qemu/qemu/commit/1423c170b968b809759848d79a94ec7c6a23269d
Author: Fabiano Rosas <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M chardev/char-io.c
Log Message:
-----------
chardev: Fix QIOChannel refcount
The IOWatchPoll holds a reference to the iochannel while the "child"
source (iwp->src) is removed from the context and freed. Freeing the
source leads to the iochannel being also freed at
qio_channel_fd_source_finalize().
Later, io_watch_poll_prepare() tries to create another source with the
same iochannel and hits a use-after-free:
==8241==ERROR: AddressSanitizer: heap-use-after-free on address 0x514000000040
READ of size 8 at 0x514000000040 thread T2
#0 0x561c2d272fcd in object_get_class ../qom/object.c:1043:17
#1 0x561c2d338f84 in QIO_CHANNEL_GET_CLASS include/io/channel.h:29:1
#2 0x561c2d33b26f in qio_channel_create_watch ../io/channel.c:388:30
#3 0x561c2d2f0993 in io_watch_poll_prepare ../chardev/char-io.c:65:20
...
0x514000000040 is located 0 bytes inside of 392-byte region
[0x514000000040,0x5140000001c8)
freed by thread T2 here:
#0 0x561c2d2319a5 in free
#1 0x7fb2c0926638 in g_free
#2 0x561c2d276507 in object_finalize ../qom/object.c:734:9
#3 0x561c2d271d0d in object_unref ../qom/object.c:1231:9
#4 0x561c2d32ef1d in qio_channel_fd_source_finalize
../io/channel-watch.c:95:5
#5 0x7fb2c091d124 in g_source_unref_internal ../glib/gmain.c:2298
#6 0x561c2d2f0b6c in io_watch_poll_prepare ../chardev/char-io.c:71:9
...
previously allocated by thread T3 (connect) here:
#0 0x561c2d231c69 in malloc
#1 0x7fb2c0926518 in g_malloc
#2 0x561c2d27246e in object_new_with_type ../qom/object.c:767:15
#3 0x561c2d272530 in object_new ../qom/object.c:789:12
#4 0x561c2d320193 in qio_channel_socket_new ../io/channel-socket.c:64:31
#5 0x561c2d308013 in tcp_chr_connect_client_async
../chardev/char-socket.c:1181:12
#6 0x561c2d3002e7 in qmp_chardev_open_socket_client
../chardev/char-socket.c:1281:9
...
Fix the issue by incrementing the iochannel reference count when the
IOWatchPoll takes a reference and decrementing when it is finalized.
Signed-off-by: Fabiano Rosas <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Message-id: [email protected]
[PMM: rebased]
Signed-off-by: Peter Maydell <[email protected]>
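The ownership mistake behind this use-after-free is worth seeing in isolation. The following added example (not QEMU's chardev or io code; all names are this example's own) models a channel object with a reference count, a child source that takes one reference and drops it when freed, and a poll wrapper that frees and recreates that child source around the same channel. Objects are deliberately not freed on the last unref so the dangling access can be detected rather than being undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Channel object with a refcount; "finalized" stands in for free(). */
typedef struct Channel {
    int refcount;
    bool finalized;
} Channel;

static Channel *channel_new(void)
{
    Channel *c = calloc(1, sizeof(*c));
    c->refcount = 1;
    return c;
}
static void channel_ref(Channel *c) { c->refcount++; }
static void channel_unref(Channel *c)
{
    if (--c->refcount == 0) {
        c->finalized = true;   /* real code frees the object here */
    }
}

/* Child source: owns one reference, releases it on finalize. */
typedef struct Source { Channel *ioc; } Source;

static Source *source_new(Channel *ioc)
{
    Source *s = calloc(1, sizeof(*s));
    channel_ref(ioc);
    s->ioc = ioc;
    return s;
}
static void source_free(Source *s)
{
    channel_unref(s->ioc);
    free(s);
}

/* Poll wrapper that outlives its child source. */
typedef struct WatchPoll {
    Channel *ioc;
    Source *src;
    bool owns_ref;
} WatchPoll;

static WatchPoll *watchpoll_new(Channel *ioc, bool take_ref)
{
    WatchPoll *wp = calloc(1, sizeof(*wp));
    wp->ioc = ioc;
    wp->owns_ref = take_ref;
    if (take_ref) {
        channel_ref(ioc);      /* the fix: hold our own reference */
    }
    wp->src = source_new(ioc);
    return wp;
}

/* Like a prepare() callback: drop the old child source, create a new one. */
static int watchpoll_prepare(WatchPoll *wp)
{
    source_free(wp->src);
    wp->src = NULL;
    if (wp->ioc->finalized) {
        return -1;             /* the real code read freed memory here */
    }
    wp->src = source_new(wp->ioc);
    return 0;
}

static void watchpoll_finalize(WatchPoll *wp)
{
    if (wp->src) {
        source_free(wp->src);
    }
    if (wp->owns_ref) {
        channel_unref(wp->ioc);
    }
    free(wp);
}

/* Caller creates the channel, hands it to the watch, drops its own reference,
 * then the main loop re-prepares.  Returns -1 on a dangling access, otherwise
 * the channel refcount left after teardown (0 means nothing leaked). */
static int simulate(bool watch_takes_ref)
{
    Channel *ioc = channel_new();
    WatchPoll *wp = watchpoll_new(ioc, watch_takes_ref);
    int rc;

    channel_unref(ioc);        /* only the watch machinery holds it now */
    rc = watchpoll_prepare(wp);
    if (rc == 0) {
        watchpoll_finalize(wp);
        rc = ioc->refcount;
    } else {
        free(wp);
    }
    free(ioc);
    return rc;
}

int main(void)
{
    printf("watch borrows the source's ref: %d (dangling)\n", simulate(false));
    printf("watch holds its own ref:        %d (clean teardown)\n", simulate(true));
    return 0;
}
```

The rule the fix restores is that any holder whose lifetime is independent of the child source must own a reference of its own rather than rely on the one the child source holds.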
Commit: 3f0170505ee1953f44439b84fe3866d833cf37bf
https://github.com/qemu/qemu/commit/3f0170505ee1953f44439b84fe3866d833cf37bf
Author: Fabiano Rosas <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M chardev/char-socket.c
Log Message:
-----------
chardev: Don't attempt to unregister yank function more than once
tcp_chr_free_connection() can be called multiple times in succession,
in which case the yank function will get as argument a NULL s->sioc
that has been cleared by the previous tcp_chr_free_connection() call.
This leads to an abort() at yank_unregister_function().
#0 __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 __GI_abort () at abort.c:79
#2 qtest_check_status (s=0x513000005600) at ../tests/qtest/libqtest.c:209
#3 qtest_wait_qemu (s=0x513000005600) at ../tests/qtest/libqtest.c:273
#4 qtest_kill_qemu (s=0x513000005600) at ../tests/qtest/libqtest.c:285
#5 kill_qemu_hook_func (s=0x513000005600) at ../tests/qtest/libqtest.c:294
#6 g_hook_list_invoke (hook_list=0x55ea9cc750c0 <abrt_hooks>, may_recurse=0)
at ../glib/ghook.c:534
#7 sigabrt_handler (signo=6) at ../tests/qtest/libqtest.c:299
#8 <signal handler called>
#9 __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#10 __GI_abort () at abort.c:79
#11 yank_unregister_function (instance=0x7fb26f2ea9a0,
func=0x55ea9bcc0a10 <char_socket_yank_iochannel>, opaque=0x0) at
../util/yank.c:151
#12 tcp_chr_free_connection (chr=0x51300000ffc0) at
../chardev/char-socket.c:385
#13 tcp_chr_disconnect_locked (chr=0x51300000ffc0) at
../chardev/char-socket.c:477
#14 tcp_chr_disconnect (chr=0x51300000ffc0) at ../chardev/char-socket.c:495
#15 tcp_chr_hup (channel=0x514000000040, cond=G_IO_HUP, opaque=0x51300000ffc0)
at ../chardev/char-socket.c:536
#16 qio_channel_fd_source_dispatch (source=0x50c0000b5fc0,
callback=0x55ea9bcd6770 <tcp_chr_hup>,
user_data=0x51300000ffc0) at ../io/channel-watch.c:84
#17 g_main_dispatch (context=0x50f000000040) at ../glib/gmain.c:3381
#18 g_main_context_dispatch (context=context@entry=0x50f000000040) at
../glib/gmain.c:4099
#19 g_main_context_iterate (context=0x50f000000040, block=block@entry=1,
dispatch=dispatch@entry=1,
self=<optimized out>) at ../glib/gmain.c:4175
#20 g_main_loop_run (loop=0x502000055690) at ../glib/gmain.c:4373
Commit ebae6477dc ("chardev: check if the chardev is registered for
yanking") seems to have encountered a similar issue, but checking
s->registered_yank is not a complete solution because that flag
pertains to the yank instance, not to each individual function.
Skip the yank_unregister_function() in case s->sioc is already NULL,
which indicates the last yank function was already removed.
Signed-off-by: Fabiano Rosas <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Message-id: [email protected]
[PMM: rebased]
Signed-off-by: Peter Maydell <[email protected]>
Commit: 5c102ac9f18b24bf1552bd43ca4864b4ce331a3f
https://github.com/qemu/qemu/commit/5c102ac9f18b24bf1552bd43ca4864b4ce331a3f
Author: Fabiano Rosas <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M chardev/char-socket.c
Log Message:
-----------
chardev: Consolidate yank registration
There's currently five places where the yank function is being
registered and they all come right before tcp_chr_new_client(). Fold
them into it.
Signed-off-by: Fabiano Rosas <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Message-id: [email protected]
[PMM: rebased]
Signed-off-by: Peter Maydell <[email protected]>
Commit: 56603f5d12951fbaab2bb8007ebdb212f165a508
https://github.com/qemu/qemu/commit/56603f5d12951fbaab2bb8007ebdb212f165a508
Author: Fabiano Rosas <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M tests/qtest/test-x86-cpuid-compat.c
Log Message:
-----------
tests/qtest/test-x86-cpuid-compat: Free allocated memory
Free the test arguments after test execution.
Signed-off-by: Fabiano Rosas <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Commit: 93ed7d330321dca483cd4a68fc4db9af4fa1e03e
https://github.com/qemu/qemu/commit/93ed7d330321dca483cd4a68fc4db9af4fa1e03e
Author: Fabiano Rosas <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M tests/qtest/qos-test.c
Log Message:
-----------
tests/qtest/qos-test: Plug a couple of leaks
The walk_path() function of qos-test.c, which walks the graph and adds
tests to the test suite uses GLib's g_test_add_data_func_full()
function:
g_test_add_data_func_full (const char *testpath,
gpointer test_data,
GTestDataFunc test_func,
GDestroyNotify data_free_func)
Despite GLib's documentation stating that @data_free_func is a
destructor for @test_data, this is not the case. The destructor is
supposed to be paired with a constructor, which GLib only accepts via
g_test_create_case().
Providing externally allocated data plus a destructor function only
works if the test is guaranteed to execute, otherwise the test_data is
never deallocated.
Due to how subprocesses are implemented in qos-test, each test gets
added twice and an extra test gets added per subprocess. In a regular
run, the extra subprocess will not be executed and in a single test
run (-p), none of the other tests will be executed (+1 per
subprocess), leaking 'path_vec' and 'subprocess_path'.
Fix this by storing all the path vectors in a list and freeing them
all at the end of the program (including subprocess invocations) and
moving the allocation of 'subprocess_path' into run_one_subprocess().
While here add some documentation explaining why the graph needs to be
walked twice and tests re-added.
Signed-off-by: Fabiano Rosas <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
[PMM: rebased; rewrote the comment in main() a bit to account
for the if (g_test_subprocess()) block it was previously inside
no longer being present. ]
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Commit: 65152c2942c388c0ea0ae9e13aaa91a35710855f
https://github.com/qemu/qemu/commit/65152c2942c388c0ea0ae9e13aaa91a35710855f
Author: Tao Tang <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M include/hw/arm/smmuv3-common.h
Log Message:
-----------
hw/arm/smmuv3-common: Fix incorrect reserved mask for SMMU CR0 register
The current definition of the SMMU_CR0_RESERVED mask is incorrect.
It mistakenly treats bit 10 (DPT_WALK_EN) as a reserved bit while
treating bit 9 (RES0) as an implemented bit.
According to the SMMU architecture specification, the layout for CR0 is:
| 31:11| RES0 |
| 10 | DPT_WALK_EN |
| 9 | RES0 |
| 8:6 | VMW |
| 5 | RES0 |
| 4 | ATSCHK |
| 3 | CMDQEN |
| 2 | EVENTQEN |
| 1 | PRIQEN |
| 0 | SMMUEN |
Signed-off-by: Tao Tang <[email protected]>
Reviewed-by: Eric Auger <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Mostafa Saleh <[email protected]>
Message-id: [email protected]
Fixes: fae4be38b35 ("hw/arm/smmuv3: Implement MMIO write operations")
Link: https://lists.gnu.org/archive/html/qemu-arm/2025-06/msg00088.html
Signed-off-by: Peter Maydell <[email protected]>
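A bit-swap like this is hard to make when the RES0 mask is derived from the field definitions rather than typed as a hex literal. The following is an added example (not QEMU's smmuv3-common.h): it builds the mask from the CR0 layout listed above, reconstructs the mask that mistakenly swapped bits 9 and 10, cross-checks both against the table, and shows the effect on what a guest would read back. Treating a CR0 write as "value with RES0 bits cleared" is an assumption made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* SMMU_CR0 layout exactly as listed in the commit message. */
#define CR0_SMMUEN       (1u << 0)
#define CR0_PRIQEN       (1u << 1)
#define CR0_EVENTQEN     (1u << 2)
#define CR0_CMDQEN       (1u << 3)
#define CR0_ATSCHK       (1u << 4)
/* bit 5: RES0 */
#define CR0_VMW          (7u << 6)      /* bits 8:6 */
/* bit 9: RES0 */
#define CR0_DPT_WALK_EN  (1u << 10)
/* bits 31:11: RES0 */

/* Derive RES0 from the implemented fields instead of hand-writing a literal. */
static uint32_t cr0_implemented(void)
{
    return CR0_SMMUEN | CR0_PRIQEN | CR0_EVENTQEN | CR0_CMDQEN | CR0_ATSCHK |
           CR0_VMW | CR0_DPT_WALK_EN;
}

static uint32_t cr0_reserved_fixed(void)
{
    return ~cr0_implemented();
}

/* The mistake the commit corrects: bit 9 implemented, bit 10 reserved. */
static uint32_t cr0_reserved_buggy(void)
{
    return ~(cr0_implemented() & ~CR0_DPT_WALK_EN) & ~(1u << 9);
}

/* Independent check against the table: RES0 is bits 31:11, 9 and 5. */
static int cr0_mask_matches_table(uint32_t reserved_mask)
{
    const uint32_t res0_from_table = 0xFFFFF800u | (1u << 9) | (1u << 5);
    return reserved_mask == res0_from_table;
}

/* Value read back after a write, modelled as the write with RES0 cleared
 * (assumption for this example). */
static uint32_t cr0_ack(uint32_t written, uint32_t reserved_mask)
{
    return written & ~reserved_mask;
}

int main(void)
{
    printf("fixed RES0 mask: 0x%08x (table match: %d)\n",
           cr0_reserved_fixed(), cr0_mask_matches_table(cr0_reserved_fixed()));
    printf("buggy RES0 mask: 0x%08x (table match: %d)\n",
           cr0_reserved_buggy(), cr0_mask_matches_table(cr0_reserved_buggy()));
    printf("write SMMUEN|DPT_WALK_EN -> fixed 0x%x, buggy 0x%x\n",
           cr0_ack(CR0_SMMUEN | CR0_DPT_WALK_EN, cr0_reserved_fixed()),
           cr0_ack(CR0_SMMUEN | CR0_DPT_WALK_EN, cr0_reserved_buggy()));
    return 0;
}
```

With the buggy mask a guest setting DPT_WALK_EN sees it dropped while a write to the RES0 bit 9 is retained; the derived mask gives the opposite, correct, result for both.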
Commit: af15801a61d66510434131ae50c2ad2135fa3de1
https://github.com/qemu/qemu/commit/af15801a61d66510434131ae50c2ad2135fa3de1
Author: Tao Tang <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M hw/arm/smmuv3-internal.h
M include/hw/arm/smmuv3-common.h
Log Message:
-----------
hw/arm/smmuv3: Correct SMMUEN field name in CR0
The FIELD macro for the SMMU enable bit in the CR0 register was
incorrectly named SMMU_ENABLE.
The ARM SMMUv3 Architecture Specification (both older IHI 0070.E.a and
newer IHI 0070.G.b) consistently refers to the SMMU enable bit as SMMUEN.
This change makes our implementation consistent with the manual.
Signed-off-by: Tao Tang <[email protected]>
Reviewed-by: Eric Auger <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Mostafa Saleh <[email protected]>
Message-id: [email protected]
Fixes: 10a83cb9887 ("hw/arm/smmuv3: Skeleton")
Link: https://lists.nongnu.org/archive/html/qemu-arm/2025-09/msg01270.html
Signed-off-by: Peter Maydell <[email protected]>
Commit: fb147007d145866775b0cd5a794c9fa8efdb8c3d
https://github.com/qemu/qemu/commit/fb147007d145866775b0cd5a794c9fa8efdb8c3d
Author: Tao Tang <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M hw/arm/smmuv3.c
Log Message:
-----------
hw/arm/smmuv3: Fix CFGI_CD handling when stage-1 is unsupported
Add a STAGE1_SUPPORTED check in the CMD_CFGI_CD and CMD_CFGI_CD_ALL path
and return CERROR_ILL when stage-1 translation is not implemented,
matching the architecture requirement (IHI 0070G.b, page 176).
Fixes: 32cfd7f39e08 ("hw/arm/smmuv3: Cache/invalidate config data")
Signed-off-by: Tao Tang <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
Reviewed-by: Mostafa Saleh <[email protected]>
Reviewed-by: Eric Auger <[email protected]>
Message-id: [email protected]
Links:
https://lore.kernel.org/qemu-devel/[email protected]/
Signed-off-by: Peter Maydell <[email protected]>
Commit: 170de3856023b0a045b9717561236f9f4bc59c0d
https://github.com/qemu/qemu/commit/170de3856023b0a045b9717561236f9f4bc59c0d
Author: Manos Pitsidianakis <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M target/arm/hvf/hvf.c
A target/arm/hvf/hvf_sme_stubs.h
M target/arm/hvf/sysreg.c.inc
M target/arm/hvf_arm.h
M target/arm/machine.c
Log Message:
-----------
hvf/arm: handle FEAT_SME2 migration
SME2 support adds the following state for HVF guests:
- Vector registers Z0, ... , Z31 (introduced by FEAT_SVE but HVF does
not support it)
- Predicate registers P0, .., P15 (also FEAT_SVE)
- ZA register
- ZT0 register
- PSTATE.{SM,ZA} bits (SVCR pseudo-register)
- SMPRI_EL1 which handles the PE's priority in the SMCU
- TPIDR2_EL0 the thread local ID register for SME
Signed-off-by: Manos Pitsidianakis <[email protected]>
Reviewed-by: Mohamed Mediouni <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Commit: 55cd59813f148fd8adf00d8be8f36f623ec28ba9
https://github.com/qemu/qemu/commit/55cd59813f148fd8adf00d8be8f36f623ec28ba9
Author: Manos Pitsidianakis <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M target/arm/hvf/hvf.c
Log Message:
-----------
hvf/arm: expose FEAT_SME2 to guest if available
Starting from M4 cores and MacOS 15.2 SDK, HVF can virtualise FEAT_SME2.
Signed-off-by: Manos Pitsidianakis <[email protected]>
Reviewed-by: Mohamed Mediouni <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Commit: 6df5285c526ab4bec056330c89b7488298676d22
https://github.com/qemu/qemu/commit/6df5285c526ab4bec056330c89b7488298676d22
Author: Mohamed Mediouni <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M hw/arm/virt.c
Log Message:
-----------
hw/arm: virt: remove hvf_arm.h include
We don't need anything in this header, so drop the include.
Signed-off-by: Mohamed Mediouni <[email protected]>
[PMM: updated commit message]
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Commit: 7b6a3c3349e8ccc11c1857abee7fa218bfdf53e1
https://github.com/qemu/qemu/commit/7b6a3c3349e8ccc11c1857abee7fa218bfdf53e1
Author: Mohamed Mediouni <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M accel/hvf/hvf-all.c
Log Message:
-----------
hvf: hvf-all: stop including hvf_arm.h
We don't need this target-specific header in this
target-agnostic source file.
Signed-off-by: Mohamed Mediouni <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
Commit: 900682c57287ea308850af4490339455512e92e7
https://github.com/qemu/qemu/commit/900682c57287ea308850af4490339455512e92e7
Author: Peter Maydell <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M .gitlab-ci.d/buildtest.yml
M MAINTAINERS
M accel/hvf/hvf-all.c
M backends/iommufd.c
M backends/trace-events
M chardev/char-io.c
M chardev/char-socket.c
M configs/devices/arm-softmmu/default.mak
M docs/about/deprecated.rst
M docs/about/removed-features.rst
R docs/system/arm/highbank.rst
M docs/system/target-arm.rst
M hw/arm/Kconfig
R hw/arm/highbank.c
M hw/arm/meson.build
M hw/arm/smmuv3-accel.c
M hw/arm/smmuv3-accel.h
M hw/arm/smmuv3-internal.h
M hw/arm/smmuv3.c
M hw/arm/trace-events
M hw/arm/virt.c
M hw/gpio/aspeed_gpio.c
M hw/net/Kconfig
M hw/net/meson.build
M hw/net/smc91c111.c
R hw/net/xgmac.c
M include/hw/arm/smmuv3-common.h
M include/migration/vmstate.h
M include/system/iommufd.h
M scripts/coverity-scan/COMPONENTS.md
A scripts/lsan_suppressions.txt
R scripts/oss-fuzz/lsan_suppressions.txt
M system/qtest.c
M target/arm/helper.c
M target/arm/hvf/hvf.c
A target/arm/hvf/hvf_sme_stubs.h
M target/arm/hvf/sysreg.c.inc
M target/arm/hvf_arm.h
M target/arm/kvm-stub.c
M target/arm/kvm.c
M target/arm/kvm_arm.h
M target/arm/machine.c
M target/arm/trace-events
M target/arm/whpx/whpx-all.c
M tests/docker/test-fuzz
M tests/qtest/iommu-smmuv3-test.c
M tests/qtest/qos-test.c
M tests/qtest/test-x86-cpuid-compat.c
Log Message:
-----------
Merge tag 'pull-target-arm-20260306-2' of https://gitlab.com/pm215/qemu into staging
* Remove deprecated 'highbank' and 'midway' machines
* hw/arm: Add missing dependencies for STM32F405 SoC
* hw/arm/smmuv3-accel: Read and propagate host vIOMMU events
* Minor MAINTAINERS updates
* target/arm: Improve logging of migration errors due to system
register mismatches between source and destination
* hw/arm/aspeed_gpio: Don't leak string in aspeed_gpio_init()
* tests/qtest/iommu-smmuv3-test: Free QPCIDevice
* chardev: Fix various sanitizer detected leaks
* tests/qtest/test-x86-cpuid-compat: Free allocated memory
* tests/qtest/qos-test: Plug a couple of leaks
* hw/arm/smmuv3: Fix various minor bugs
* hvf/arm: expose FEAT_SME2 to guest if available
* hvf/arm: drop unneeded includes
# gpg: Signature made Fri Mar 6 15:57:15 2026 GMT
# gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg: issuer "[email protected]"
# gpg: Good signature from "Peter Maydell <[email protected]>" [ultimate]
# gpg: aka "Peter Maydell <[email protected]>" [ultimate]
# gpg: aka "Peter Maydell <[email protected]>" [ultimate]
# gpg: aka "Peter Maydell <[email protected]>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE
* tag 'pull-target-arm-20260306-2' of https://gitlab.com/pm215/qemu: (36 commits)
hvf: hvf-all: stop including hvf_arm.h
hw/arm: virt: remove hvf_arm.h include
hvf/arm: expose FEAT_SME2 to guest if available
hvf/arm: handle FEAT_SME2 migration
hw/arm/smmuv3: Fix CFGI_CD handling when stage-1 is unsupported
hw/arm/smmuv3: Correct SMMUEN field name in CR0
hw/arm/smmuv3-common: Fix incorrect reserved mask for SMMU CR0 register
tests/qtest/qos-test: Plug a couple of leaks
tests/qtest/test-x86-cpuid-compat: Free allocated memory
chardev: Consolidate yank registration
chardev: Don't attempt to unregister yank function more than once
chardev: Fix QIOChannel refcount
tests/qtest/iommu-smmuv3-test: Free QPCIDevice
hw/arm/aspeed_gpio: Don't leak string in aspeed_gpio_init()
scripts/lsan_suppressions.txt: Add more leaks
scripts: Move lsan_suppressions.txt out of oss-fuzz subdir
target/arm/machine: Fix detection of unknown incoming cpregs
target/arm/machine: Trace all register mismatches
target/arm/machine: Trace cpreg names which do not match on migration
target/arm/kvm: Tweak print_register_name() for arm64 system register
...
Signed-off-by: Peter Maydell <[email protected]>
Compare: https://github.com/qemu/qemu/compare/2940018747e3...900682c57287