rmalmain
Member

@rmalmain rmalmain commented Oct 7, 2025

No description provided.

milesg-github and others added 30 commits July 21, 2025 08:03
Change pregs to pool_regs, for clarity.

[npiggin: split from larger patch]

Signed-off-by: Glenn Miles <[email protected]>
Reviewed-by: Nicholas Piggin <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
Booting AIX in a PowerVM partition requires the use of the "Acknowledge
O/S Interrupt to even O/S reporting line" special operation provided by
the IBM XIVE interrupt controller. This operation is invoked by writing
a byte (data is irrelevant) to offset 0xC10 of the Thread Interrupt
Management Area (TIMA). It can be used by software to notify the XIVE
logic that the interrupt was received.

Signed-off-by: Glenn Miles <[email protected]>
Reviewed-by: Nicholas Piggin <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
Add support for redistributing a presented group interrupt if it
is precluded as a result of changing the CPPR value. Without this,
group interrupts can be lost.

Signed-off-by: Glenn Miles <[email protected]>
Reviewed-by: Nicholas Piggin <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
When disabling (pulling) an xive interrupt context, we need
to redistribute any active group interrupts to other threads
that can handle the interrupt if possible.  This support had
already been added for the OS context but had not yet been
added to the pool or physical context.

Signed-off-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
Have the match_nvt method only perform a TCTX match but don't present
the interrupt, the caller presents. This has no functional change, but
allows for more complicated presentation logic after matching.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
…interrupt

A group interrupt that gets preempted by a higher priority interrupt
delivery must be redistributed otherwise it would get lost.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
xive_tctx_pipr_update() is used for multiple things. In an effort
to make things simpler and less overloaded, split out the function
that is used to present a new interrupt to the tctx.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
xive_tctx_pipr_present() as implemented with xive_tctx_pipr_update()
causes VP-directed (group==0) interrupt to be presented in PIPR and NSR
despite being a lower priority than the currently presented group
interrupt.

This must not happen. The IPB bit should record the low priority VP
interrupt, but PIPR and NSR must not present the lower priority
interrupt.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
Further split xive_tctx_pipr_update() by splitting out a new function
that is used to re-compute the PIPR from IPB. This is generally only
used with XIVE1, because group interrupts require more logic.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
The tctx "signaling" registers (PIPR, CPPR, NSR) raise an interrupt on
the target CPU thread. The POOL and PHYS rings both raise hypervisor
interrupts, so they both share one set of signaling registers in the
PHYS ring. The PHYS NSR register contains a field that indicates which
ring has presented the interrupt being signaled to the CPU.

This sharing results in all the "alt_regs" throughout the code. alt_regs
is not very descriptive, and worse is that the name is used for
conversions in both directions, i.e., to find the presenting ring from
the signaling ring, and the signaling ring from the presenting ring.

Instead of alt_regs, use the names sig_regs and sig_ring, and regs and
ring for the presenting ring being worked on. Add a helper function to
get the sig_regs, and add some asserts to ensure the POOL regs are
never used to signal interrupts.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
The relationship between an interrupt signaled in the TIMA and the QEMU
irq line to the processor should be 1:1, so they should be raised and
lowered together and "just in case" lowering should be avoided (it could
mask

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
Have xive_tctx_notify() also set the new PIPR value and rename it to
xive_tctx_pipr_set(). This can replace the last xive_tctx_pipr_update()
caller because it does not need to update IPB (it already sets it).

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
The second part of the set CPPR operation is to process (or re-present)
any pending interrupts after CPPR is adjusted.

Split this presentation processing out into a standalone function that
can be used in other places.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
OS-push operation must re-present pending interrupts. Use the
newly created xive2_tctx_process_pending() function instead of
duplicating the logic.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
When CPPR priority is decreased, pending interrupts do not need to be
re-checked if one is already presented because by definition that will
be the highest priority.

This prevents a presented group interrupt from being lost.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
Add some assertions to try to ensure presented group interrupts do
not get lost without being redistributed, if they become precluded
by CPPR or preempted by a higher priority interrupt.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
In preparation to implement POOL context push, add support for POOL
NVP context save/restore.

The NVP p bit is defined in the spec as follows:

    If TRUE, the CPPR of a Pool VP in the NVP is updated during store of
    the context with the CPPR of the Hard context it was running under.

It's not clear whether non-pool VPs always or never get CPPR updated.
Before this patch, OS contexts always save CPPR, so we will assume that
is the behaviour.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
When the pool context is pulled, the shared pool/phys signal is
reset, which loses the qemu irq if a phys interrupt was presented.

Only reset the signal if a pool irq was presented.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
After pulling the pool context, if a pool irq had been presented and
was cleared in the process, there could be a pending irq in phys that
should be presented. Process the phys irq ring after pulling pool ring
to catch this case and avoid losing irqs.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
Certain TIMA operations should only be performed when a ring is valid,
others when the ring is invalid, and they are considered undefined if
used incorrectly. Add checks for this condition.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
Implement pool context push TIMA op.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
When pushing a context, any presented group interrupt should be
redistributed before processing pending interrupts to present
highest priority.

This can occur when pushing the POOL ring when the valid PHYS
ring has a group interrupt presented, because they share signal
registers.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
xive2 must take into account redistribution of group interrupts if
the VP directed priority exceeds the group interrupt priority after
this operation. The xive1 code is not group aware so implement this
for xive2.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
Implement set LGS for the POOL ring.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
Implement the phys (aka hard) VP push. PowerVM uses this operation.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
This is needed by the next patch which will re-send on all lower
rings when pushing a context.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
When pushing a context, the lower-level context becomes valid if it
had V=1, and so on. Iterate lower level contexts and send them
pending interrupts if they become enabled.

Signed-off-by: Nicholas Piggin <[email protected]>
Reviewed-by: Glenn Miles <[email protected]>
Reviewed-by: Michael Kowal <[email protected]>
Tested-by: Gautam Menghani <[email protected]>
Link: https://lore.kernel.org/qemu-devel/[email protected]
Signed-off-by: Cédric Le Goater <[email protected]>
We don't synchronize vcpu registers from the hardware accelerator (e.g., by
cpu_synchronize_state()) in the Dabort handler, so env->pc points to the
instruction which has nothing to do with the Dabort at all.

And it doesn't seem to make much sense to log PC in every Dabort handler,
let's just remove it from this trace event.

Signed-off-by: Zenghui Yu <[email protected]>
Reviewed-by: Mads Ynddal <[email protected]>
Message-id: [email protected]
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
We don't implement the Debug Communications Channel (DCC), but
we do attempt to provide dummy versions of its system registers
so that software that tries to access them doesn't fall over.

However, we got the tx/rx register definitions wrong. These
should be:

AArch32:
  DBGDTRTX   p14 0 c0 c5 0  (on writes)
  DBGDTRRX   p14 0 c0 c5 0  (on reads)

AArch64:
  DBGDTRTX_EL0  2 3 0 5 0 (on writes)
  DBGDTRRX_EL0  2 3 0 5 0 (on reads)
  DBGDTR_EL0    2 3 0 4 0 (reads and writes)

where DBGDTRTX and DBGDTRRX are effectively different names for the
same 32-bit register, which has tx behaviour on writes and rx
behaviour on reads.  The AArch64-only DBGDTR_EL0 is a 64-bit wide
register whose top and bottom halves map to the DBGDTRRX and DBGDTRTX
registers.

Currently we have just one cpreg struct, which:
 * calls itself DBGDTR_EL0
 * uses the DBGDTRTX_EL0/DBGDTRRX_EL0 encoding
 * is marked as ARM_CP_STATE_BOTH but has the wrong opc1
   value for AArch32
 * is implemented as RAZ/WI

Correct the encoding so:
 * we name the DBGDTRTX/DBGDTRRX register correctly
 * we split it into AA64 and AA32 versions so we can get the
   AA32 encoding right
 * we implement DBGDTR_EL0 at its correct encoding

Cc: [email protected]
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2986
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-id: [email protected]
Coverity points out that the ivshmem-pci code has some error handling
cases where it incorrectly tries to use an invalid filedescriptor.
These generally happen because ivshmem_recv_msg() calls
qemu_chr_fe_get_msgfd(), which might return -1, but the code in
process_msg() generally assumes that the file descriptor was provided
when it was supposed to be. In particular:
 * the error case in process_msg() only needs to close the fd
   if one was provided
 * process_msg_shmem() should fail if no fd was provided

Coverity: CID 1508726
Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Markus Armbruster <[email protected]>
Message-id: [email protected]
Markus Armbruster and others added 30 commits August 9, 2025 07:20
Missed in commit 9c66762 (docs/qapi-code-gen: add
cross-references).

Signed-off-by: Markus Armbruster <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: John Snow <[email protected]>
Fixes: 3248c1a (docs: update the documentation upfront about schema configuration)
Signed-off-by: Markus Armbruster <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: John Snow <[email protected]>
The new QAPI code generator creates a cross-reference target for each
definition documentation.  Enabled for the QEMU QMP Reference manual
in commit a377f39, and for the QEMU Storage Daemon QMP Reference
Manual and the QEMU Guest Agent Protocol Reference in commit
a6af544.  We've put these targets to use since, but neglected to
update doc comment markup documentation.  Do that now.

Co-developed-by: John Snow <[email protected]>
Signed-off-by: John Snow <[email protected]>
Signed-off-by: Markus Armbruster <[email protected]>
Message-ID: <[email protected]>
…to staging

QAPI patches for 2025-08-09

# gpg: Signature made Sat 09 Aug 2025 01:48:40 EDT
# gpg:                using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653
# gpg:                issuer "[email protected]"
# gpg: Good signature from "Markus Armbruster <[email protected]>" [full]
# gpg:                 aka "Markus Armbruster <[email protected]>" [full]
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867  4E5F 3870 B400 EB91 8653

* tag 'pull-qapi-2025-08-09' of https://repo.or.cz/qemu/armbru:
  docs/devel/qapi-code-gen: Update cross-reference syntax
  docs/devel/qapi-code-gen: Fix typos in QAPI schema language grammar
  docs/devel/qapi-code-gen: Add two cross-references we missed

Signed-off-by: Stefan Hajnoczi <[email protected]>
Commit 6ccca4b ("hw/nvme: rework csi handling") introduced a bug in
Namespace Attachment, causing it to

  a) not allow a controller to attach namespaces to other controllers
  b) assert if a valid non-attached namespace is detached

This fixes both issues.

Fixes: 6ccca4b ("hw/nvme: rework csi handling")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2976
Reviewed-by: Jesper Wendel Devantier <[email protected]>
Signed-off-by: Klaus Jensen <[email protected]>
Commit cd59f50 ("hw/nvme: always initialize a subsystem") causes
the controller to always set the CMIC.MCTRS ("Multiple Controllers")
bit. While spec-compliant, this is a deviation from the previous
behavior where this was only set if an nvme-subsys device was explicitly
created (to configure a subsystem with multiple controllers/namespaces).

Revert the behavior to only set CMIC.MCTRS if an nvme-subsys device is
created explicitly.

Reported-by: Alan Adamson <[email protected]>
Fixes: cd59f50 ("hw/nvme: always initialize a subsystem")
Reviewed-by: Alan Adamson <[email protected]>
Tested-by: Alan Adamson <[email protected]>
Signed-off-by: Klaus Jensen <[email protected]>
The emulated device had let the user set whatever max transfer size
they wanted, including no limit. However the device does have an
internal limit of 1024 segments. NVMe doesn't report max segments,
though. This is implicitly inferred based on the MDTS and MPSMIN values.

IOV_MAX is currently 1024 which 4k PRPs can exceed with 2MB transfers.
Don't allow MDTS values that can exceed this, otherwise users risk
seeing "internal error" status to their otherwise protocol compliant
commands.

Signed-off-by: Keith Busch <[email protected]>
Signed-off-by: Klaus Jensen <[email protected]>
Debian trixie has been released. The "stable" alias no longer refers to
the Debian bookworm release, so URLs referring to bookworm artifacts via
the "stable" alias no longer work.

Switch to explicit release naming ("bookworm") to make a permalink so
the test passes again.

Suggested-by: Peter Maydell <[email protected]>
Fixes: 374a245 ("tests/functional: Add PCI hotplug test for aarch64")
Resolves: #3073 ("PCI hotplug test for aarch64 fails due to broken Debian installer URL")
Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Tested-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Stefan Hajnoczi <[email protected]>
…to staging

vfio queue:

* Add documentation for the use-legacy-x86-rom property
* Preserve pending VFIO interrupts during CPR

# gpg: Signature made Sun 10 Aug 2025 12:00:09 EDT
# gpg:                using RSA key A0F66548F04895EBFE6B0B6051A343C7CFFBECA1
# gpg: Good signature from "Cédric Le Goater <[email protected]>" [full]
# gpg:                 aka "Cédric Le Goater <[email protected]>" [full]
# Primary key fingerprint: A0F6 6548 F048 95EB FE6B  0B60 51A3 43C7 CFFB ECA1

* tag 'pull-vfio-20250810' of https://github.com/legoater/qemu:
  vfio: Document 'use-legacy-x86-rom' property
  vfio/pci: preserve pending interrupts
  vfio/pci: augment set_handler

Signed-off-by: Stefan Hajnoczi <[email protected]>
…nto staging

nvme queue

# gpg: Signature made Mon 11 Aug 2025 03:19:32 EDT
# gpg:                using RSA key 522833AA75E2DCE6A24766C04DE1AF316D4F0DE9
# gpg: Good signature from "Klaus Jensen <[email protected]>" [unknown]
# gpg:                 aka "Klaus Jensen <[email protected]>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: DDCA 4D9C 9EF9 31CC 3468  4272 63D5 6FC5 E55D A838
#      Subkey fingerprint: 5228 33AA 75E2 DCE6 A247  66C0 4DE1 AF31 6D4F 0DE9

* tag 'pull-nvme-20250811' of https://gitlab.com/birkelund/qemu:
  hw/nvme: cap MDTS value for internal limitation
  hw/nvme: revert CMIC behavior
  hw/nvme: fix namespace attachment

Signed-off-by: Stefan Hajnoczi <[email protected]>
When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write
callback `uefi_vars_write` is invoked. The function allocates a
heap buffer without zeroing the memory, leaving the buffer filled with
residual data from prior allocations. When the guest later reads from
register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback
`uefi_vars_read` returns leftover metadata or other sensitive process
memory from the previously allocated buffer, leading to an information
disclosure vulnerability.

Fixes: CVE-2025-8860
Fixes: 90ca4e0 ("hw/uefi: add var-service-core.c")
Reported-by: ZDI <[email protected]>
Suggested-by: Gerd Hoffmann <[email protected]>
Signed-off-by: Mauro Matteo Cascella <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]>
Set status to SUCCESS for ready-to-boot and exit-boot-services
notification calls.

Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]>
Message-ID: <[email protected]>
When listing variables (via get-next-variable-name) only the names of
variables which can be accessed will be returned.  That check was
missing for the first variable though.  Add it.

Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]>
Message-ID: <[email protected]>
Fixes file length discrepancies due to line ending conversions
on windows hosts.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3058
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]>
Message-ID: <[email protected]>
If the user explicitly specified --enable-rust, don't just fail if meson
is too old for Rust support, but do the same thing as if meson was too
old for the C code: Just download a newer one.

In order to avoid the additional download for people who aren't
intentionally opting in to Rust, keep the automatic disabling based on
the meson version as the default if neither --enable-rust nor
--disable-rust were given.

Signed-off-by: Kevin Wolf <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: Paolo Bonzini <[email protected]>
Signed-off-by: Kevin Wolf <[email protected]>
qemu_rbd_get_specific_info() has at least two problems:

The first is that it issues a blocking rbd_read() call in order to probe
the encryption format for the image while querying the node. This means
that if the connection to the server goes down, not only is I/O stuck
(which is unavoidable), but query-named-block-nodes will actually make
the whole QEMU instance unresponsive. .bdrv_get_specific_info
implementations shouldn't perform blocking operations, but only return
what is already known.

The second is that the information returned isn't even correct. If the
image is already opened with encryption enabled at the RBD level, we'll
probe for "double encryption", i.e. if the encrypted data contains
another encryption header. If it doesn't (which is the normal case), we
won't return the encryption format. If it does, we return misleading
information because it looks like we're talking about the outer level
(the encryption format of the image itself) while the information is
about an encryption header in the guest data.

Fix this by storing the encryption format in BDRVRBDState when the image
is opened (and we do blocking operations anyway) and returning only the
stored information in qemu_rbd_get_specific_info().

The information we'll store is either the actual encryption format that
we enabled on the RBD level, or if the image is unencrypted, the result
of the same probing as we previously did when querying the node. Probing
image formats based on content that can be modified by the guest has
long been known as problematic, but as long as we only output it to the
user instead of making decisions based on it, it should be okay. It is
undoubtedly useful in the context of 'qemu-img info' when you're trying
to figure out which encryption options you have to use to open the
image successfully.

Fixes: 42e4ac9 ("block/rbd: Add support for rbd image encryption")
Buglink: https://issues.redhat.com/browse/RHEL-105440
Signed-off-by: Kevin Wolf <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: Hanna Czenczek <[email protected]>
Signed-off-by: Kevin Wolf <[email protected]>
New bash 5.3 uses a different padding for reporting job status.

Resolves: boo#1246830
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3050
Signed-off-by: Werner Fink <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: Kevin Wolf <[email protected]>
Tested-by: Martin Kletzander <[email protected]>
Signed-off-by: Kevin Wolf <[email protected]>
Commit 1585ab9 ("hw/sd/sdcard: Fill SPI response bits in card
code") exposed a bug in the SPI adapter: if no SD card is plugged,
we are returning "there is a card with an error". This is wrong,
we shouldn't return any particular packet response, but the noise
shifted on the MISO line. Return the dummy byte, otherwise we get:

  qemu-system-riscv64: ../hw/sd/ssi-sd.c:160: ssi_sd_transfer: Assertion `s->arglen > 0' failed.

Reported-by: Guenter Roeck <[email protected]>
Fixes: 775616c ("Partial SD card SPI mode support")
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Tested-by: Guenter Roeck <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Reviewed-by: Gustavo Romero <[email protected]>
Tested-by: Alex Bennée <[email protected]>
Message-Id: <[email protected]>
SPI-SD adapter should be usable, even without any SD card
wired. Refactor test_riscv64_sifive_u_mmc_spi() to make it
more generic and add another test, inspired by this report:
https://lore.kernel.org/qemu-devel/[email protected]/

Inspired-by: Guenter Roeck <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Gustavo Romero <[email protected]>
Reviewed-by: Alex Bennée <[email protected]>
Tested-by: Alex Bennée <[email protected]>
Message-Id: <[email protected]>
Fix compilation with pip-25.2 due to missing distlib.version

Bug: https://gitlab.com/qemu-project/qemu/-/issues/3062

Signed-off-by: Sv. Lockal <[email protected]>
[Edits: Type "safety" whackamole --js]
Signed-off-by: John Snow <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Stefan Hajnoczi <[email protected]>
…ging

SD/MMC patches queue

- Return noise (dummy byte) when no SD card connected over SPI

# gpg: Signature made Tue 12 Aug 2025 12:54:19 EDT
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <[email protected]>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* tag 'sdmmc-20250812' of https://github.com/philmd/qemu:
  tests/functional: Test SPI-SD adapter without SD card connected
  hw/sd/ssi-sd: Return noise (dummy byte) when no card connected

Signed-off-by: Stefan Hajnoczi <[email protected]>
We don't build the PDFs ourselves for the hosted docs and it looks
like rtd can't manage building PDFs now they have gone over a certain
size. Disable the extra formats so we can at least have the online
stuff again.

Signed-off-by: Alex Bennée <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Stefan Hajnoczi <[email protected]>
The temporary egl fb scanout_tex_fb is only needed to facilitate the
blit to the display surface's texture (ssd->ds->texture). Therefore,
destroy it after the blit is submitted. Also, make sure that it is
empty-initialized before it is actually used.

Fixes: f851cd6 ("ui/spice: Blit the scanout texture if its memory layout is not linear")
Reported-by: Peter Maydell <[email protected]>
Cc: Marc-André Lureau <[email protected]>
Signed-off-by: Vivek Kasireddy <[email protected]>
Reviewed-by: Marc-André Lureau <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Stefan Hajnoczi <[email protected]>
Patches for QEMU 10.1.0-rc3

- configure: Don't disable Rust for too old meson version
- rbd: Fix hang in query-named-block-nodes if the server is down
- iotests: Fix reference output for newer bash versions

# gpg: Signature made Tue 12 Aug 2025 15:32:06 EDT
# gpg:                using RSA key DC3DEB159A9AF95D3D7456FE7F09B272C88F2FD6
# gpg:                issuer "[email protected]"
# gpg: Good signature from "Kevin Wolf <[email protected]>" [full]
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74  56FE 7F09 B272 C88F 2FD6

* tag 'for-upstream' of git://repo.or.cz/qemu/kevin:
  qemu-iotests: Ignore indentation in Killed messages
  rbd: Fix .bdrv_get_specific_info implementation
  configure: Don't disable Rust for too old meson version

Signed-off-by: Stefan Hajnoczi <[email protected]>
 into staging

hw/uefi: last-minute bug fixes for the uefi variable store [for 10.1]

# gpg: Signature made Tue 12 Aug 2025 06:00:54 EDT
# gpg:                using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <[email protected]>" [full]
# gpg:                 aka "Gerd Hoffmann <[email protected]>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <[email protected]>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* tag 'uefi-20250812-pull-request' of https://gitlab.com/kraxel/qemu:
  hw/uefi: open json file in binary mode
  hw/uefi: check access for first variable
  hw/uefi: return success for notifications
  hw/uefi: clear uefi-vars buffer in uefi_vars_write callback

Signed-off-by: Stefan Hajnoczi <[email protected]>
This reverts commit 00268e0.
(The only conflict is in the !is_tdx_vm() part of the condition,
which is safe to keep).

mark_unavailable_features() actively blocks usage of the feature,
so it is a functional change, not merely emitting a warning.
The commit was intended to merely warn if PDCM was enabled when
the performance counters are not, so revert it.

Reported-by: Christian A. Ehrhardt <[email protected]>
Analyzed-by: Daniel P. Berrangé <[email protected]>
Analyzed-by: Xiaoyao Li <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
Reviewed-by: Daniel P. Berrangé <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Stefan Hajnoczi <[email protected]>