* [pve-devel] [PATCH-SERIES qemu 0/3] fix #6810 and other QEMU 10.1 stable fixes
@ 2025-10-21 11:23 Fiona Ebner
  2025-10-21 11:23 ` [pve-devel] [PATCH qemu 1/3] fix #6810: add patch to avoid deadlock upon TMF request cancelling with VirtIO Fiona Ebner
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Fiona Ebner @ 2025-10-21 11:23 UTC (permalink / raw)
  To: pve-devel

Fix bug #6810, which is a deadlock issue with SCSI request cancelling
affecting (at least) FreeBSD.

Update to the 10.1.2 QEMU stable release to pick up some TCG fixes and
fix for a memory leak affecting vCPU hotunplug.

Lastly, pick up fixes for a VFIO regression affecting the 10.1 QEMU
release.

Fiona Ebner (3):
  fix #6810: add patch to avoid deadlock upon TMF request cancelling
    with VirtIO
  update submodule and patches to QEMU 10.1.2
  cherry pick fix for VFIO regression affecting v10.1

 ...Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch |  96 -------
 ...ch => 0003-tcg-arm-Fix-tgen_deposit.patch} |   0
 ...ish-renaming-atomic128-cas.h-headers.patch |  25 --
 ...uirks-when-IGD-is-not-the-primary-d.patch} |   0
 ...l-fix-curl-internal-handles-handling.patch |  60 -----
 ...adlock-upon-TMF-request-cancelling-w.patch |  83 ++++++
 ...g-svm-fix-incorrect-canonicalization.patch |  38 ---
 ...-rename-field-to-num_initial_regions.patch | 245 ++++++++++++++++++
 ...07-hw-vfio-user-add-x-pci-class-code.patch |  35 ---
 ...region-info-cache-for-initial-region.patch |  75 ++++++
 ...rash-from-legacy-interrupt-firing-af.patch |  58 -----
 ...able-SMM-cpu-address-space-under-KVM.patch | 106 --------
 ...compatibility-property-for-arch_capa.patch | 109 --------
 ...compatibility-property-for-pdcm-feat.patch |  96 -------
 ...he-CPU-model-to-kvm64-32-instead-of-.patch |   4 +-
 ...ui-spice-default-to-pve-certificates.patch |   4 +-
 .../0015-PVE-qapi-modify-spice-query.patch    |   4 +-
 ...VE-Backup-add-vma-backup-format-code.patch |   6 +-
 ...ckup-Proxmox-backup-patches-for-QEMU.patch |   4 +-
 ...estore-new-command-to-restore-from-p.patch |   4 +-
 ...k-driver-to-map-backup-archives-into.patch |   4 +-
 ...ct-stderr-to-journal-when-daemonized.patch |   6 +-
 ...igrate-dirty-bitmap-state-via-savevm.patch |   2 +-
 ...se-migration-blocker-check-for-snaps.patch |   2 +-
 debian/patches/series                         |  16 +-
 qemu                                          |   2 +-
 26 files changed, 429 insertions(+), 655 deletions(-)
 delete mode 100644 debian/patches/extra/0003-target-arm-Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch
 rename debian/patches/extra/{0008-tcg-arm-Fix-tgen_deposit.patch => 0003-tcg-arm-Fix-tgen_deposit.patch} (100%)
 delete mode 100644 debian/patches/extra/0004-qemu-atomic-Finish-renaming-atomic128-cas.h-headers.patch
 rename debian/patches/extra/{0010-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch => 0004-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch} (100%)
 delete mode 100644 debian/patches/extra/0005-block-curl-fix-curl-internal-handles-handling.patch
 create mode 100644 debian/patches/extra/0005-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
 delete mode 100644 debian/patches/extra/0006-i386-tcg-svm-fix-incorrect-canonicalization.patch
 create mode 100644 debian/patches/extra/0006-vfio-rename-field-to-num_initial_regions.patch
 delete mode 100644 debian/patches/extra/0007-hw-vfio-user-add-x-pci-class-code.patch
 create mode 100644 debian/patches/extra/0007-vfio-only-check-region-info-cache-for-initial-region.patch
 delete mode 100644 debian/patches/extra/0009-e1000e-Prevent-crash-from-legacy-interrupt-firing-af.patch
 delete mode 100644 debian/patches/extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch
 delete mode 100644 debian/patches/extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch
 delete mode 100644 debian/patches/extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch

-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel



* [pve-devel] [PATCH qemu 1/3] fix #6810: add patch to avoid deadlock upon TMF request cancelling with VirtIO
  2025-10-21 11:23 [pve-devel] [PATCH-SERIES qemu 0/3] fix #6810 and other QEMU 10.1 stable fixes Fiona Ebner
@ 2025-10-21 11:23 ` Fiona Ebner
  2025-10-21 11:23 ` [pve-devel] [PATCH qemu 2/3] update submodule and patches to QEMU 10.1.2 Fiona Ebner
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Fiona Ebner @ 2025-10-21 11:23 UTC (permalink / raw)
  To: pve-devel

Because of a regression caused by QEMU commit da6eebb33b
("virtio-scsi: perform TMFs in appropriate AioContexts") and the
introduction of the requests_lock earlier, there would be a deadlock
when a (FreeBSD) guest cancels SCSI requests. See the commit message
of the added patch for more information.

The issue was also reported in the community forum:
https://forum.proxmox.com/threads/freeze-on-pfsense-vm-running-in-pve-9.171557/

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 ...adlock-upon-TMF-request-cancelling-w.patch | 83 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 84 insertions(+)
 create mode 100644 debian/patches/extra/0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch

diff --git a/debian/patches/extra/0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch b/debian/patches/extra/0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
new file mode 100644
index 0000000..4c7441e
--- /dev/null
+++ b/debian/patches/extra/0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
@@ -0,0 +1,83 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Fri, 17 Oct 2025 11:43:30 +0200
+Subject: [PATCH] hw/scsi: avoid deadlock upon TMF request cancelling with
+ VirtIO
+
+When scsi_req_dequeue() is reached via
+scsi_req_cancel_async()
+virtio_scsi_tmf_cancel_req()
+virtio_scsi_do_tmf_aio_context(),
+there is a deadlock when trying to acquire the SCSI device's requests
+lock, because it was already acquired in
+virtio_scsi_do_tmf_aio_context().
+
+In particular, the issue happens with a FreeBSD guest (13, 14, 15,
+maybe more), when it cancels SCSI requests, because of timeout.
+
+This is a regression caused by commit da6eebb33b ("virtio-scsi:
+perform TMFs in appropriate AioContexts") and the introduction of the
+requests_lock earlier.
+
+To fix the issue, only cancel the requests after releasing the
+requests_lock. For this, the SCSI device's requests are iterated while
+holding the requests_lock and the requests to be cancelled are
+collected in a list. Then, the collected requests are cancelled
+one by one while not holding the requests_lock. This is safe, because
+only requests from the current AioContext are collected and acted
+upon.
+
+Originally reported by Proxmox VE users:
+https://bugzilla.proxmox.com/show_bug.cgi?id=6810
+https://forum.proxmox.com/threads/173914/
+
+Fixes: da6eebb33b ("virtio-scsi: perform TMFs in appropriate AioContexts")
+Suggested-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Message-id: 20251017094518.328905-1-f.ebner@proxmox.com
+[Changed g_list_append() to g_list_prepend() to avoid traversing the
+list each time.
+--Stefan]
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 7d80d6d82db4c73e335f9e738d7a5778124df35e
+ from https://gitlab.com/stefanha/qemu/-/tree/block)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/scsi/virtio-scsi.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
+index 34ae14f7bf..3b635053b5 100644
+--- a/hw/scsi/virtio-scsi.c
++++ b/hw/scsi/virtio-scsi.c
+@@ -343,6 +343,7 @@ static void virtio_scsi_do_tmf_aio_context(void *opaque)
+     SCSIDevice *d = virtio_scsi_device_get(s, tmf->req.tmf.lun);
+     SCSIRequest *r;
+     bool match_tag;
++    g_autoptr(GList) reqs = NULL;
+ 
+     if (!d) {
+         tmf->resp.tmf.response = VIRTIO_SCSI_S_BAD_TARGET;
+@@ -378,10 +379,21 @@ static void virtio_scsi_do_tmf_aio_context(void *opaque)
+             if (match_tag && cmd_req->req.cmd.tag != tmf->req.tmf.tag) {
+                 continue;
+             }
+-            virtio_scsi_tmf_cancel_req(tmf, r);
++            /*
++             * Cannot cancel directly, because scsi_req_dequeue() would deadlock
++             * when attempting to acquire the request_lock a second time. Taking
++             * a reference here is paired with an unref after cancelling below.
++             */
++            scsi_req_ref(r);
++            reqs = g_list_prepend(reqs, r);
+         }
+     }
+ 
++    for (GList *elem = g_list_first(reqs); elem; elem = g_list_next(elem)) {
++        virtio_scsi_tmf_cancel_req(tmf, elem->data);
++        scsi_req_unref(elem->data);
++    }
++
+     /* Incremented by virtio_scsi_do_tmf() */
+     virtio_scsi_tmf_dec_remaining(tmf);
+ 
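Review bot: the new comment in this hunk calls the lock `request_lock` ("when attempting to acquire the request_lock a second time") while the commit message above and the cover letter call it `requests_lock`; suggest aligning the spelling so a grep for the field also finds the comment that explains why the cancel is deferred. A second point on provenance: the `(cherry picked from commit 7d80d6d8...)` line refers to https://gitlab.com/stefanha/qemu/-/tree/block rather than upstream qemu.git, so the hash is likely to change once the fix is merged; worth re-checking that reference when the next stable update picks the commit up, since the file header still carries the `From 0000000000000000000000000000000000000000` placeholder.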
diff --git a/debian/patches/series b/debian/patches/series
index 10ebb56..ee5da2e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,6 +11,7 @@ extra/0010-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch
 extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch
 extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch
 extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch
+extra/0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
-- 
2.47.3




* [pve-devel] [PATCH qemu 2/3] update submodule and patches to QEMU 10.1.2
  2025-10-21 11:23 [pve-devel] [PATCH-SERIES qemu 0/3] fix #6810 and other QEMU 10.1 stable fixes Fiona Ebner
  2025-10-21 11:23 ` [pve-devel] [PATCH qemu 1/3] fix #6810: add patch to avoid deadlock upon TMF request cancelling with VirtIO Fiona Ebner
@ 2025-10-21 11:23 ` Fiona Ebner
  2025-10-21 11:23 ` [pve-devel] [PATCH qemu 3/3] cherry pick fix for VFIO regression affecting v10.1 Fiona Ebner
  2025-10-21 16:29 ` [pve-devel] applied: [PATCH-SERIES qemu 0/3] fix #6810 and other QEMU 10.1 stable fixes Thomas Lamprecht
  3 siblings, 0 replies; 5+ messages in thread
From: Fiona Ebner @ 2025-10-21 11:23 UTC (permalink / raw)
  To: pve-devel

Most notably, some TCG fixes and a memory leak for vCPU hotunplug.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 ...Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch |  96 ---------------
 ...ch => 0003-tcg-arm-Fix-tgen_deposit.patch} |   0
 ...ish-renaming-atomic128-cas.h-headers.patch |  25 ----
 ...uirks-when-IGD-is-not-the-primary-d.patch} |   0
 ...l-fix-curl-internal-handles-handling.patch |  60 ----------
 ...dlock-upon-TMF-request-cancelling-w.patch} |   0
 ...g-svm-fix-incorrect-canonicalization.patch |  38 ------
 ...07-hw-vfio-user-add-x-pci-class-code.patch |  35 ------
 ...rash-from-legacy-interrupt-firing-af.patch |  58 ----------
 ...able-SMM-cpu-address-space-under-KVM.patch | 106 -----------------
 ...compatibility-property-for-arch_capa.patch | 109 ------------------
 ...compatibility-property-for-pdcm-feat.patch |  96 ---------------
 ...he-CPU-model-to-kvm64-32-instead-of-.patch |   4 +-
 ...ui-spice-default-to-pve-certificates.patch |   4 +-
 .../0015-PVE-qapi-modify-spice-query.patch    |   4 +-
 ...VE-Backup-add-vma-backup-format-code.patch |   6 +-
 ...ckup-Proxmox-backup-patches-for-QEMU.patch |   4 +-
 ...estore-new-command-to-restore-from-p.patch |   4 +-
 ...k-driver-to-map-backup-archives-into.patch |   4 +-
 ...ct-stderr-to-journal-when-daemonized.patch |   6 +-
 ...igrate-dirty-bitmap-state-via-savevm.patch |   2 +-
 ...se-migration-blocker-check-for-snaps.patch |   2 +-
 debian/patches/series                         |  15 +--
 qemu                                          |   2 +-
 24 files changed, 24 insertions(+), 656 deletions(-)
 delete mode 100644 debian/patches/extra/0003-target-arm-Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch
 rename debian/patches/extra/{0008-tcg-arm-Fix-tgen_deposit.patch => 0003-tcg-arm-Fix-tgen_deposit.patch} (100%)
 delete mode 100644 debian/patches/extra/0004-qemu-atomic-Finish-renaming-atomic128-cas.h-headers.patch
 rename debian/patches/extra/{0010-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch => 0004-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch} (100%)
 delete mode 100644 debian/patches/extra/0005-block-curl-fix-curl-internal-handles-handling.patch
 rename debian/patches/extra/{0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch => 0005-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch} (100%)
 delete mode 100644 debian/patches/extra/0006-i386-tcg-svm-fix-incorrect-canonicalization.patch
 delete mode 100644 debian/patches/extra/0007-hw-vfio-user-add-x-pci-class-code.patch
 delete mode 100644 debian/patches/extra/0009-e1000e-Prevent-crash-from-legacy-interrupt-firing-af.patch
 delete mode 100644 debian/patches/extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch
 delete mode 100644 debian/patches/extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch
 delete mode 100644 debian/patches/extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch

diff --git a/debian/patches/extra/0003-target-arm-Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch b/debian/patches/extra/0003-target-arm-Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch
deleted file mode 100644
index 6c966fe..0000000
--- a/debian/patches/extra/0003-target-arm-Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Smail AIDER <smail.aider@huawei.com>
-Date: Tue, 26 Aug 2025 11:21:28 +0100
-Subject: [PATCH] target/arm: Trap PMCR when MDCR_EL2.TPMCR is set
-
-Trap PMCR_EL0 or PMCR accesses to EL2 when MDCR_EL2.TPMCR is set.
-Similar to MDCR_EL2.TPM, MDCR_EL2.TPMCR allows trapping EL0 and EL1
-accesses to the PMCR register to EL2.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Smail AIDER <smail.aider@huawei.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20250811112143.1577055-2-smail.aider@huawei.com
-Message-Id: <20250722131925.2119169-1-smail.aider@huawei.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-(cherry picked from commit 186db6a73bc5c01026bb9f4f4a59e442c0156841)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/arm/cpregs-pmu.c | 34 ++++++++++++++++++++++++++--------
- 1 file changed, 26 insertions(+), 8 deletions(-)
-
-diff --git a/target/arm/cpregs-pmu.c b/target/arm/cpregs-pmu.c
-index 9c4431c18b..31c01eddc8 100644
---- a/target/arm/cpregs-pmu.c
-+++ b/target/arm/cpregs-pmu.c
-@@ -228,22 +228,27 @@ static bool event_supported(uint16_t number)
-     return supported_event_map[number] != UNSUPPORTED_EVENT;
- }
- 
--static CPAccessResult pmreg_access(CPUARMState *env, const ARMCPRegInfo *ri,
--                                   bool isread)
-+static CPAccessResult do_pmreg_access(CPUARMState *env, bool is_pmcr)
- {
-     /*
-      * Performance monitor registers user accessibility is controlled
--     * by PMUSERENR. MDCR_EL2.TPM and MDCR_EL3.TPM allow configurable
-+     * by PMUSERENR. MDCR_EL2.TPM/TPMCR and MDCR_EL3.TPM allow configurable
-      * trapping to EL2 or EL3 for other accesses.
-      */
-     int el = arm_current_el(env);
--    uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);
- 
-     if (el == 0 && !(env->cp15.c9_pmuserenr & 1)) {
-         return CP_ACCESS_TRAP_EL1;
-     }
--    if (el < 2 && (mdcr_el2 & MDCR_TPM)) {
--        return CP_ACCESS_TRAP_EL2;
-+    if (el < 2) {
-+        uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);
-+
-+        if (mdcr_el2 & MDCR_TPM) {
-+            return CP_ACCESS_TRAP_EL2;
-+        }
-+        if (is_pmcr && (mdcr_el2 & MDCR_TPMCR)) {
-+            return CP_ACCESS_TRAP_EL2;
-+        }
-     }
-     if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TPM)) {
-         return CP_ACCESS_TRAP_EL3;
-@@ -252,6 +257,19 @@ static CPAccessResult pmreg_access(CPUARMState *env, const ARMCPRegInfo *ri,
-     return CP_ACCESS_OK;
- }
- 
-+static CPAccessResult pmreg_access(CPUARMState *env, const ARMCPRegInfo *ri,
-+                                   bool isread)
-+{
-+    return do_pmreg_access(env, false);
-+}
-+
-+static CPAccessResult pmreg_access_pmcr(CPUARMState *env,
-+                                        const ARMCPRegInfo *ri,
-+                                        bool isread)
-+{
-+    return do_pmreg_access(env, true);
-+}
-+
- static CPAccessResult pmreg_access_xevcntr(CPUARMState *env,
-                                            const ARMCPRegInfo *ri,
-                                            bool isread)
-@@ -1187,14 +1205,14 @@ void define_pm_cpregs(ARMCPU *cpu)
-             .fgt = FGT_PMCR_EL0,
-             .type = ARM_CP_IO | ARM_CP_ALIAS,
-             .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcr),
--            .accessfn = pmreg_access,
-+            .accessfn = pmreg_access_pmcr,
-             .readfn = pmcr_read, .raw_readfn = raw_read,
-             .writefn = pmcr_write, .raw_writefn = raw_write,
-         };
-         const ARMCPRegInfo pmcr64 = {
-             .name = "PMCR_EL0", .state = ARM_CP_STATE_AA64,
-             .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 0,
--            .access = PL0_RW, .accessfn = pmreg_access,
-+            .access = PL0_RW, .accessfn = pmreg_access_pmcr,
-             .fgt = FGT_PMCR_EL0,
-             .type = ARM_CP_IO,
-             .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcr),
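Review bot: the commit message for this patch ("Most notably, some TCG fixes and a memory leak for vCPU hotunplug") does not say why extra/ patches such as this one are deleted; the removed file carries `Cc: qemu-stable@nongnu.org` and the submodule is bumped to 10.1.2, so the drop is presumably because the upstream commit is part of the 10.1.2 stable release. Suggest stating that explicitly for each dropped extra/ patch so a reviewer can verify the removals against the upstream stable tag instead of inferring it from the stable Cc.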
diff --git a/debian/patches/extra/0008-tcg-arm-Fix-tgen_deposit.patch b/debian/patches/extra/0003-tcg-arm-Fix-tgen_deposit.patch
similarity index 100%
rename from debian/patches/extra/0008-tcg-arm-Fix-tgen_deposit.patch
rename to debian/patches/extra/0003-tcg-arm-Fix-tgen_deposit.patch
diff --git a/debian/patches/extra/0004-qemu-atomic-Finish-renaming-atomic128-cas.h-headers.patch b/debian/patches/extra/0004-qemu-atomic-Finish-renaming-atomic128-cas.h-headers.patch
deleted file mode 100644
index 4ff333b..0000000
--- a/debian/patches/extra/0004-qemu-atomic-Finish-renaming-atomic128-cas.h-headers.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Richard Henderson <richard.henderson@linaro.org>
-Date: Fri, 15 Aug 2025 22:26:47 +1000
-Subject: [PATCH] qemu/atomic: Finish renaming atomic128-cas.h headers
-
-The aarch64 header was not renamed with the others, meaning it
-was skipped in favor of the generic version.
-
-Cc: qemu-stable@nongnu.org
-Fixes: 15606965400b ("qemu/atomic: Rename atomic128-cas.h headers using .h.inc suffix")
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20250815122653.701782-2-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-(cherry picked from commit 1748c0d59228c7790940d8be381df1c3108022b1)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- .../include/aarch64/host/{atomic128-cas.h => atomic128-cas.h.inc} | 0
- 1 file changed, 0 insertions(+), 0 deletions(-)
- rename host/include/aarch64/host/{atomic128-cas.h => atomic128-cas.h.inc} (100%)
-
-diff --git a/host/include/aarch64/host/atomic128-cas.h b/host/include/aarch64/host/atomic128-cas.h.inc
-similarity index 100%
-rename from host/include/aarch64/host/atomic128-cas.h
-rename to host/include/aarch64/host/atomic128-cas.h.inc
diff --git a/debian/patches/extra/0010-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch b/debian/patches/extra/0004-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch
similarity index 100%
rename from debian/patches/extra/0010-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch
rename to debian/patches/extra/0004-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch
diff --git a/debian/patches/extra/0005-block-curl-fix-curl-internal-handles-handling.patch b/debian/patches/extra/0005-block-curl-fix-curl-internal-handles-handling.patch
deleted file mode 100644
index 4939ce5..0000000
--- a/debian/patches/extra/0005-block-curl-fix-curl-internal-handles-handling.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Michael Tokarev <mjt@tls.msk.ru>
-Date: Sun, 24 Aug 2025 03:05:32 +0300
-Subject: [PATCH] block/curl: fix curl internal handles handling
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-block/curl.c uses CURLMOPT_SOCKETFUNCTION to register a socket callback.
-According to the documentation, this callback is called not just with
-application-created sockets but also with internal curl sockets, - and
-for such sockets, user data pointer is not set by the application, so
-the result qemu crashing.
-
-Pass BDRVCURLState directly to the callback function as user pointer,
-instead of relying on CURLINFO_PRIVATE.
-
-This problem started happening with update of libcurl from 8.9 to 8.10 --
-apparently with this change curl started using private handles more.
-
-(CURLINFO_PRIVATE is used in one more place, in curl_multi_check_completion() -
-it might need a similar fix too)
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3081
-Cc: qemu-stable@qemu.org
-Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-(cherry picked from commit 606978500c3d18fb89a49844f253097b17f757de)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- block/curl.c | 7 ++-----
- 1 file changed, 2 insertions(+), 5 deletions(-)
-
-diff --git a/block/curl.c b/block/curl.c
-index 5467678024..00b949ea45 100644
---- a/block/curl.c
-+++ b/block/curl.c
-@@ -162,13 +162,9 @@ static int curl_timer_cb(CURLM *multi, long timeout_ms, void *opaque)
- static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action,
-                         void *userp, void *sp)
- {
--    BDRVCURLState *s;
--    CURLState *state = NULL;
-+    BDRVCURLState *s = userp;
-     CURLSocket *socket;
- 
--    curl_easy_getinfo(curl, CURLINFO_PRIVATE, (char **)&state);
--    s = state->s;
--
-     socket = g_hash_table_lookup(s->sockets, GINT_TO_POINTER(fd));
-     if (!socket) {
-         socket = g_new0(CURLSocket, 1);
-@@ -605,6 +601,7 @@ static void curl_attach_aio_context(BlockDriverState *bs,
-     assert(!s->multi);
-     s->multi = curl_multi_init();
-     s->aio_context = new_context;
-+    curl_multi_setopt(s->multi, CURLMOPT_SOCKETDATA, s);
-     curl_multi_setopt(s->multi, CURLMOPT_SOCKETFUNCTION, curl_sock_cb);
-     curl_multi_setopt(s->multi, CURLMOPT_TIMERDATA, s);
-     curl_multi_setopt(s->multi, CURLMOPT_TIMERFUNCTION, curl_timer_cb);
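Review bot: the deleted patch's own message flags a second CURLINFO_PRIVATE use in curl_multi_check_completion() that "might need a similar fix too". Dropping the file is fine if 10.1.2 carries the same commit, but it is worth confirming whether upstream has since addressed that remaining call site; if not, the crash class described for libcurl 8.10 and later (callback invoked for internal curl handles without an application-set private pointer) may still apply there, and a follow-up extra/ patch would be warranted.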
diff --git a/debian/patches/extra/0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch b/debian/patches/extra/0005-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
similarity index 100%
rename from debian/patches/extra/0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
rename to debian/patches/extra/0005-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
diff --git a/debian/patches/extra/0006-i386-tcg-svm-fix-incorrect-canonicalization.patch b/debian/patches/extra/0006-i386-tcg-svm-fix-incorrect-canonicalization.patch
deleted file mode 100644
index c964a14..0000000
--- a/debian/patches/extra/0006-i386-tcg-svm-fix-incorrect-canonicalization.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Zero Tang <zero.tangptr@gmail.com>
-Date: Mon, 18 Aug 2025 12:16:47 +0200
-Subject: [PATCH] i386/tcg/svm: fix incorrect canonicalization
-
-For all 32-bit systems and 64-bit Windows systems, "long" is 4 bytes long.
-Due to using "long" for a linear address, svm_canonicalization would
-set all high bits to 1 when (assuming 48-bit linear address) the segment
-base is bigger than 0x7FFF.
-
-This fixes booting guests under TCG when the guest IDT and GDT bases are
-above 0x7FFF, thereby resulting in incorrect bases. When an interrupt
-arrives, it would trigger a #PF exception; the #PF would trigger again,
-resulting in a #DF exception; the #PF would trigger for the third time,
-resulting in triple-fault, and eventually causes a shutdown VM-Exit to
-the hypervisor right after guest boot.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Zero Tang <zero.tangptr@gmail.com>
-(cherry picked from commit c12cbaa007c9da97a11e74119ea3aed9fcc3ac4c)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/tcg/system/svm_helper.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/target/i386/tcg/system/svm_helper.c b/target/i386/tcg/system/svm_helper.c
-index b27049b9ed..dea039b87a 100644
---- a/target/i386/tcg/system/svm_helper.c
-+++ b/target/i386/tcg/system/svm_helper.c
-@@ -49,7 +49,7 @@ static void svm_save_seg(CPUX86State *env, int mmu_idx, hwaddr addr,
- static inline void svm_canonicalization(CPUX86State *env, target_ulong *seg_base)
- {
-     uint16_t shift_amt = 64 - cpu_x86_virtual_addr_width(env);
--    *seg_base = ((((long) *seg_base) << shift_amt) >> shift_amt);
-+    *seg_base = (((int64_t) *seg_base) << shift_amt) >> shift_amt;
- }
- 
- static void svm_load_seg(CPUX86State *env, int mmu_idx, hwaddr addr,
diff --git a/debian/patches/extra/0007-hw-vfio-user-add-x-pci-class-code.patch b/debian/patches/extra/0007-hw-vfio-user-add-x-pci-class-code.patch
deleted file mode 100644
index dfa93a5..0000000
--- a/debian/patches/extra/0007-hw-vfio-user-add-x-pci-class-code.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: John Levon <john.levon@nutanix.com>
-Date: Wed, 27 Aug 2025 20:08:10 +0100
-Subject: [PATCH] hw/vfio-user: add x-pci-class-code
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This new option was not added to vfio_user_pci_dev_properties, which
-caused an incorrect class code for vfio-user devices.
-
-Fixes: a59d06305fff ("vfio/pci: Introduce x-pci-class-code option")
-Signed-off-by: John Levon <john.levon@nutanix.com>
-Reviewed-by: Cédric Le Goater <clg@redhat.com>
-Link: https://lore.kernel.org/qemu-devel/20250827190810.1645340-1-john.levon@nutanix.com
-Signed-off-by: Cédric Le Goater <clg@redhat.com>
-(cherry picked from commit 1b50621881241ac5bc75ae7f8aa4c278ada8a668)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/vfio-user/pci.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/hw/vfio-user/pci.c b/hw/vfio-user/pci.c
-index be71c77729..dfaa89498d 100644
---- a/hw/vfio-user/pci.c
-+++ b/hw/vfio-user/pci.c
-@@ -406,6 +406,8 @@ static const Property vfio_user_pci_dev_properties[] = {
-                        sub_vendor_id, PCI_ANY_ID),
-     DEFINE_PROP_UINT32("x-pci-sub-device-id", VFIOPCIDevice,
-                        sub_device_id, PCI_ANY_ID),
-+    DEFINE_PROP_UINT32("x-pci-class-code", VFIOPCIDevice,
-+                       class_code, PCI_ANY_ID),
-     DEFINE_PROP_BOOL("x-send-queued", VFIOUserPCIDevice, send_queued, false),
-     DEFINE_PROP_UINT32("x-msg-timeout", VFIOUserPCIDevice, wait_time, 5000),
-     DEFINE_PROP_BOOL("x-no-posted-writes", VFIOUserPCIDevice, no_post, false),
diff --git a/debian/patches/extra/0009-e1000e-Prevent-crash-from-legacy-interrupt-firing-af.patch b/debian/patches/extra/0009-e1000e-Prevent-crash-from-legacy-interrupt-firing-af.patch
deleted file mode 100644
index 3fac459..0000000
--- a/debian/patches/extra/0009-e1000e-Prevent-crash-from-legacy-interrupt-firing-af.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Laurent Vivier <lvivier@redhat.com>
-Date: Thu, 7 Aug 2025 13:08:06 +0200
-Subject: [PATCH] e1000e: Prevent crash from legacy interrupt firing after
- MSI-X enable
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-A race condition between guest driver actions and QEMU timers can lead
-to an assertion failure when the guest switches the e1000e from legacy
-interrupt mode to MSI-X. If a legacy interrupt delay timer (TIDV or
-RDTR) is active, but the guest enables MSI-X before the timer fires,
-the pending interrupt cause can trigger an assert in
-e1000e_intmgr_collect_delayed_causes().
-
-This patch removes the assertion and executes the code that clears the
-pending legacy causes. This change is safe and introduces no unintended
-behavioral side effects, as it only alters a state that previously led
-to termination.
-
-- when core->delayed_causes == 0 the function was already a no-op and
-  remains so.
-
-- when core->delayed_causes != 0 the function would previously
-  crash due to the assertion failure. The patch now defines a safe
-  outcome by clearing the cause and returning. Since behavior after
-  the assertion never existed, this simply corrects the crash.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1863
-Suggested-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
-Signed-off-by: Laurent Vivier <lvivier@redhat.com>
-Acked-by: Jason Wang <jasowang@redhat.com>
-Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
-Message-ID: <20250807110806.409065-1-lvivier@redhat.com>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-(cherry picked from commit 8e4649cac9bcddc050d2df07908075e9e69bccc7)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/net/e1000e_core.c | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
-index 2413858790..06657bb3ac 100644
---- a/hw/net/e1000e_core.c
-+++ b/hw/net/e1000e_core.c
-@@ -341,11 +341,6 @@ e1000e_intmgr_collect_delayed_causes(E1000ECore *core)
- {
-     uint32_t res;
- 
--    if (msix_enabled(core->owner)) {
--        assert(core->delayed_causes == 0);
--        return 0;
--    }
--
-     res = core->delayed_causes;
-     core->delayed_causes = 0;
- 
diff --git a/debian/patches/extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch b/debian/patches/extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch
deleted file mode 100644
index cb9b095..0000000
--- a/debian/patches/extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Xiaoyao Li <xiaoyao.li@intel.com>
-Date: Wed, 30 Jul 2025 17:52:52 +0800
-Subject: [PATCH] i386/cpu: Enable SMM cpu address space under KVM
-
-Kirill Martynov reported assertation in cpu_asidx_from_attrs() being hit
-when x86_cpu_dump_state() is called to dump the CPU state[*]. It happens
-when the CPU is in SMM and KVM emulation failure due to misbehaving
-guest.
-
-The root cause is that QEMU i386 never enables the SMM address space for
-cpu since KVM SMM support has been added.
-
-Enable the SMM cpu address space under KVM when the SMM is enabled for
-the x86machine.
-
-[*] https://lore.kernel.org/qemu-devel/20250523154431.506993-1-stdcalllevi@yandex-team.ru/
-
-Reported-by: Kirill Martynov <stdcalllevi@yandex-team.ru>
-Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
-Tested-by: Kirill Martynov <stdcalllevi@yandex-team.ru>
-Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
-Link: https://lore.kernel.org/r/20250730095253.1833411-2-xiaoyao.li@intel.com
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 0516f4b70264b9710a25718d21bd35ef463c875e)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- system/physmem.c          |  5 -----
- target/i386/kvm/kvm-cpu.c | 10 ++++++++++
- target/i386/kvm/kvm.c     |  5 +++++
- 3 files changed, 15 insertions(+), 5 deletions(-)
-
-diff --git a/system/physmem.c b/system/physmem.c
-index e5dd760e0b..8705fadc01 100644
---- a/system/physmem.c
-+++ b/system/physmem.c
-@@ -793,9 +793,6 @@ void cpu_address_space_init(CPUState *cpu, int asidx,
-         cpu->as = as;
-     }
- 
--    /* KVM cannot currently support multiple address spaces. */
--    assert(asidx == 0 || !kvm_enabled());
--
-     if (!cpu->cpu_ases) {
-         cpu->cpu_ases = g_new0(CPUAddressSpace, cpu->num_ases);
-         cpu->cpu_ases_count = cpu->num_ases;
-@@ -818,8 +815,6 @@ void cpu_address_space_destroy(CPUState *cpu, int asidx)
- 
-     assert(cpu->cpu_ases);
-     assert(asidx >= 0 && asidx < cpu->num_ases);
--    /* KVM cannot currently support multiple address spaces. */
--    assert(asidx == 0 || !kvm_enabled());
- 
-     cpuas = &cpu->cpu_ases[asidx];
-     if (tcg_enabled()) {
-diff --git a/target/i386/kvm/kvm-cpu.c b/target/i386/kvm/kvm-cpu.c
-index 89a7953659..1dc1ba9b48 100644
---- a/target/i386/kvm/kvm-cpu.c
-+++ b/target/i386/kvm/kvm-cpu.c
-@@ -13,6 +13,7 @@
- #include "qapi/error.h"
- #include "system/system.h"
- #include "hw/boards.h"
-+#include "hw/i386/x86.h"
- 
- #include "kvm_i386.h"
- #include "accel/accel-cpu-target.h"
-@@ -91,6 +92,15 @@ static bool kvm_cpu_realizefn(CPUState *cs, Error **errp)
-         kvm_set_guest_phys_bits(cs);
-     }
- 
-+    /*
-+     * When SMM is enabled, there is 2 address spaces. Otherwise only 1.
-+     *
-+     * Only initialize address space 0 here, the second one for SMM is
-+     * initialized at register_smram_listener() after machine init done.
-+     */
-+    cs->num_ases = x86_machine_is_smm_enabled(X86_MACHINE(current_machine)) ? 2 : 1;
-+    cpu_address_space_init(cs, 0, "cpu-memory", cs->memory);
-+
-     return true;
- }
- 
-diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
-index 369626f8c8..47fb5c673c 100644
---- a/target/i386/kvm/kvm.c
-+++ b/target/i386/kvm/kvm.c
-@@ -2704,6 +2704,7 @@ static MemoryRegion smram_as_mem;
- 
- static void register_smram_listener(Notifier *n, void *unused)
- {
-+    CPUState *cpu;
-     MemoryRegion *smram =
-         (MemoryRegion *) object_resolve_path("/machine/smram", NULL);
- 
-@@ -2728,6 +2729,10 @@ static void register_smram_listener(Notifier *n, void *unused)
-     address_space_init(&smram_address_space, &smram_as_root, "KVM-SMRAM");
-     kvm_memory_listener_register(kvm_state, &smram_listener,
-                                  &smram_address_space, 1, "kvm-smram");
-+
-+    CPU_FOREACH(cpu) {
-+        cpu_address_space_init(cpu, 1, "cpu-smm", &smram_as_root);
-+    }
- }
- 
- static void *kvm_msr_energy_thread(void *data)
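
Review bot: the assertion this patch fixes is reachable from the guest side (the commit message: it fires when KVM hits an emulation failure while the vCPU is in SMM, "due to misbehaving guest"), so do not rely on the `(cherry picked from commit 0516f4b70264...)` trailer to conclude that 10.1.2 has it; that is a master hash and will not match a stable-branch cherry-pick. Verify the content instead: `git -C qemu show ccaea6b2656e:target/i386/kvm/kvm-cpu.c | grep -n num_ases` should show the `x86_machine_is_smm_enabled(X86_MACHINE(current_machine)) ? 2 : 1` line, and `git -C qemu show ccaea6b2656e:system/physmem.c | grep -c 'asidx == 0 || !kvm_enabled()'` should print 0. The same subject-based check applies to each of the nine extra/ patches this series deletes, and it would be good to name them in the commit message.
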
diff --git a/debian/patches/extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch b/debian/patches/extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch
deleted file mode 100644
index 5238871..0000000
--- a/debian/patches/extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 23 Sep 2025 12:41:35 +0200
-Subject: [PATCH] target/i386: add compatibility property for arch_capabilities
-
-Prior to v10.1, if requested by user, arch-capabilities is always on
-despite the fact that CPUID advertises it to be off/unvailable.
-This causes a migration issue for VMs that are run on a machine
-without arch-capabilities and expect this feature to be present
-on the destination host with QEMU 10.1.
-
-Add a compatibility property to restore the legacy behavior for all
-machines with version prior to 10.1.
-
-Co-authored-by: Hector Cao <hector.cao@canonical.com>
-Signed-off-by: Hector Cao <hector.cao@canonical.com>
-Fixes: d3a24134e37 ("target/i386: do not expose ARCH_CAPABILITIES on AMD CPU", 2025-07-17)
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Link: https://lore.proxmox.com/20250923104136.133875-2-pbonzini@redhat.com
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/i386/pc.c          |  1 +
- target/i386/cpu.c     | 17 +++++++++++++++++
- target/i386/cpu.h     |  6 ++++++
- target/i386/kvm/kvm.c |  6 +-----
- 4 files changed, 25 insertions(+), 5 deletions(-)
-
-diff --git a/hw/i386/pc.c b/hw/i386/pc.c
-index 2f58e73d33..2504365bc2 100644
---- a/hw/i386/pc.c
-+++ b/hw/i386/pc.c
-@@ -84,6 +84,7 @@
- GlobalProperty pc_compat_10_0[] = {
-     { TYPE_X86_CPU, "x-consistent-cache", "false" },
-     { TYPE_X86_CPU, "x-vendor-cpuid-only-v2", "false" },
-+    { TYPE_X86_CPU, "x-arch-cap-always-on", "true" },
- };
- const size_t pc_compat_10_0_len = G_N_ELEMENTS(pc_compat_10_0);
- 
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index 6d85149e6e..fe369bb128 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -7539,6 +7539,20 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w)
- #endif
-         break;
- 
-+    case FEAT_7_0_EDX:
-+        /*
-+         * Windows does not like ARCH_CAPABILITIES on AMD machines at all.
-+         * Do not show the fake ARCH_CAPABILITIES MSR that KVM sets up,
-+         * except if needed for migration.
-+         *
-+         * When arch_cap_always_on is removed, this tweak can move to
-+         * kvm_arch_get_supported_cpuid.
-+         */
-+        if (cpu && IS_AMD_CPU(&cpu->env) && !cpu->arch_cap_always_on) {
-+            unavail = CPUID_7_0_EDX_ARCH_CAPABILITIES;
-+        }
-+        break;
-+
-     default:
-         break;
-     }
-@@ -10004,6 +10018,9 @@ static const Property x86_cpu_properties[] = {
-                      true),
-     DEFINE_PROP_BOOL("x-l1-cache-per-thread", X86CPU, l1_cache_per_core, true),
-     DEFINE_PROP_BOOL("x-force-cpuid-0x1f", X86CPU, force_cpuid_0x1f, false),
-+
-+    DEFINE_PROP_BOOL("x-arch-cap-always-on", X86CPU,
-+                     arch_cap_always_on, false),
- };
- 
- #ifndef CONFIG_USER_ONLY
-diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index f977fc49a7..b966bc997c 100644
---- a/target/i386/cpu.h
-+++ b/target/i386/cpu.h
-@@ -2314,6 +2314,12 @@ struct ArchCPU {
-     /* Forcefully disable KVM PV features not exposed in guest CPUIDs */
-     bool kvm_pv_enforce_cpuid;
- 
-+    /*
-+     * Expose arch-capabilities unconditionally even on AMD models, for backwards
-+     * compatibility with QEMU <10.1.
-+     */
-+    bool arch_cap_always_on;
-+
-     /* Number of physical address bits supported */
-     uint32_t phys_bits;
- 
-diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
-index 47fb5c673c..a4e437bb5a 100644
---- a/target/i386/kvm/kvm.c
-+++ b/target/i386/kvm/kvm.c
-@@ -503,12 +503,8 @@ uint32_t kvm_arch_get_supported_cpuid(KVMState *s, uint32_t function,
-          * Linux v4.17-v4.20 incorrectly return ARCH_CAPABILITIES on SVM hosts.
-          * We can detect the bug by checking if MSR_IA32_ARCH_CAPABILITIES is
-          * returned by KVM_GET_MSR_INDEX_LIST.
--         *
--         * But also, because Windows does not like ARCH_CAPABILITIES on AMD
--         * mcahines at all, do not show the fake ARCH_CAPABILITIES MSR that
--         * KVM sets up.
-          */
--        if (!has_msr_arch_capabs || !(edx & CPUID_7_0_EDX_ARCH_CAPABILITIES)) {
-+        if (!has_msr_arch_capabs) {
-             ret &= ~CPUID_7_0_EDX_ARCH_CAPABILITIES;
-         }
-     } else if (function == 7 && index == 1 && reg == R_EAX) {
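
Review bot: this is a live-migration compatibility property, so its removal has to be matched exactly by the new base rather than merely "present upstream": a VM on a machine version of 10.0 or older that was started with the previous build gets `x-arch-cap-always-on=true` from pc_compat_10_0 and, on an AMD host, keeps arch-capabilities available (the commit message: "always on" if requested by the user). If the tree at ccaea6b2656e spells the property differently or lacks the pc_compat_10_0 entry, the destination takes the `unavail = CPUID_7_0_EDX_ARCH_CAPABILITIES` path, filters the bit out, and the migrated guest's CPUID no longer matches the source. Check `git -C qemu show ccaea6b2656e:hw/i386/pc.c | grep -n x-arch-cap-always-on` and `git -C qemu show ccaea6b2656e:target/i386/cpu.c | grep -n arch_cap_always_on` before dropping the file.
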
diff --git a/debian/patches/extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch b/debian/patches/extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch
deleted file mode 100644
index 5aea067..0000000
--- a/debian/patches/extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hector Cao <hector.cao@canonical.com>
-Date: Tue, 23 Sep 2025 12:41:36 +0200
-Subject: [PATCH] target/i386: add compatibility property for pdcm feature
-
-The pdcm feature is supposed to be disabled when PMU is not
-available. Up until v10.1, pdcm feature is enabled even when PMU
-is off. This behavior has been fixed but this change breaks the
-migration of VMs that are run with QEMU < 10.0 and expect the pdcm
-feature to be enabled on the destination host.
-
-This commit restores the legacy behavior for machines with version
-prior to 10.1 to allow the migration from older QEMU to QEMU 10.1.
-
-Signed-off-by: Hector Cao <hector.cao@canonical.com>
-Link: https://lore.kernel.org/r/20250910115733.21149-3-hector.cao@canonical.com
-Fixes: e68ec298090 ("i386/cpu: Move adjustment of CPUID_EXT_PDCM before feature_dependencies[] check", 2025-06-20)
-[Move property from migration object to CPU. - Paolo]
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Link: https://lore.proxmox.com/20250923104136.133875-3-pbonzini@redhat.com
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/i386/pc.c      |  1 +
- target/i386/cpu.c | 15 ++++++++++++---
- target/i386/cpu.h |  6 ++++++
- 3 files changed, 19 insertions(+), 3 deletions(-)
-
-diff --git a/hw/i386/pc.c b/hw/i386/pc.c
-index 2504365bc2..0861e329b5 100644
---- a/hw/i386/pc.c
-+++ b/hw/i386/pc.c
-@@ -85,6 +85,7 @@ GlobalProperty pc_compat_10_0[] = {
-     { TYPE_X86_CPU, "x-consistent-cache", "false" },
-     { TYPE_X86_CPU, "x-vendor-cpuid-only-v2", "false" },
-     { TYPE_X86_CPU, "x-arch-cap-always-on", "true" },
-+    { TYPE_X86_CPU, "x-pdcm-on-even-without-pmu", "true" },
- };
- const size_t pc_compat_10_0_len = G_N_ELEMENTS(pc_compat_10_0);
- 
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index fe369bb128..ab18de894e 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -7908,6 +7908,11 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
-             /* Fixup overflow: max value for bits 23-16 is 255. */
-             *ebx |= MIN(num, 255) << 16;
-         }
-+        if (cpu->pdcm_on_even_without_pmu) {
-+            if (!cpu->enable_pmu) {
-+                *ecx &= ~CPUID_EXT_PDCM;
-+            }
-+        }
-         break;
-     case 2: { /* cache info: needed for Pentium Pro compatibility */
-         const CPUCaches *caches;
-@@ -8958,9 +8963,11 @@ void x86_cpu_expand_features(X86CPU *cpu, Error **errp)
-         }
-     }
- 
--    /* PDCM is fixed1 bit for TDX */
--    if (!cpu->enable_pmu && !is_tdx_vm()) {
--        env->features[FEAT_1_ECX] &= ~CPUID_EXT_PDCM;
-+    if (!cpu->pdcm_on_even_without_pmu) {
-+        /* PDCM is fixed1 bit for TDX */
-+        if (!cpu->enable_pmu && !is_tdx_vm()) {
-+            env->features[FEAT_1_ECX] &= ~CPUID_EXT_PDCM;
-+        }
-     }
- 
-     for (i = 0; i < ARRAY_SIZE(feature_dependencies); i++) {
-@@ -10021,6 +10028,8 @@ static const Property x86_cpu_properties[] = {
- 
-     DEFINE_PROP_BOOL("x-arch-cap-always-on", X86CPU,
-                      arch_cap_always_on, false),
-+    DEFINE_PROP_BOOL("x-pdcm-on-even-without-pmu", X86CPU,
-+                     pdcm_on_even_without_pmu, false),
- };
- 
- #ifndef CONFIG_USER_ONLY
-diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index b966bc997c..2187e61654 100644
---- a/target/i386/cpu.h
-+++ b/target/i386/cpu.h
-@@ -2320,6 +2320,12 @@ struct ArchCPU {
-      */
-     bool arch_cap_always_on;
- 
-+    /*
-+     * Backwards compatibility with QEMU <10.1. The PDCM feature is now disabled when
-+     * PMU is not available, but prior to 10.1 it was enabled even if PMU is off.
-+     */
-+    bool pdcm_on_even_without_pmu;
-+
-     /* Number of physical address bits supported */
-     uint32_t phys_bits;
- 
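
Review bot: the cpu_x86_cpuid() hunk is the subtle part of this patch and deserves a content check against the new base before the file goes: with `pdcm_on_even_without_pmu` set, PDCM is left in `env->features[FEAT_1_ECX]` (per the commit message, that is what a migration from older QEMU expects) while leaf 1 ECX as reported to the guest still has it masked when `!cpu->enable_pmu`. If the 10.1.2 version of this fix masks at a different point, guests on pre-10.1 machine types could see PDCM flip across a migration. `git -C qemu show ccaea6b2656e:target/i386/cpu.c | grep -n -B2 -A3 pdcm_on_even_without_pmu` should show both the `*ecx &= ~CPUID_EXT_PDCM;` site in cpu_x86_cpuid() and the guarded block in x86_cpu_expand_features().
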
diff --git a/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch b/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
index c9010c6..cd2e07a 100644
--- a/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
+++ b/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
@@ -10,10 +10,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index 2187e61654..da8497931f 100644
+index 42168f1d6d..4f63100453 100644
 --- a/target/i386/cpu.h
 +++ b/target/i386/cpu.h
-@@ -2625,9 +2625,9 @@ uint64_t cpu_get_tsc(CPUX86State *env);
+@@ -2630,9 +2630,9 @@ uint64_t cpu_get_tsc(CPUX86State *env);
  #define CPU_RESOLVING_TYPE TYPE_X86_CPU
  
  #ifdef TARGET_X86_64
diff --git a/debian/patches/pve/0004-PVE-Config-ui-spice-default-to-pve-certificates.patch b/debian/patches/pve/0004-PVE-Config-ui-spice-default-to-pve-certificates.patch
index 61719e7..8fe7b5d 100644
--- a/debian/patches/pve/0004-PVE-Config-ui-spice-default-to-pve-certificates.patch
+++ b/debian/patches/pve/0004-PVE-Config-ui-spice-default-to-pve-certificates.patch
@@ -9,10 +9,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 9 insertions(+), 6 deletions(-)
 
 diff --git a/ui/spice-core.c b/ui/spice-core.c
-index 5992f9daec..cd1ec9c082 100644
+index 2645e96ef6..a8b34d3bf5 100644
 --- a/ui/spice-core.c
 +++ b/ui/spice-core.c
-@@ -698,32 +698,35 @@ static void qemu_spice_init(void)
+@@ -694,32 +694,35 @@ static void qemu_spice_init(void)
  
      if (tls_port) {
          x509_dir = qemu_opt_get(opts, "x509-dir");
diff --git a/debian/patches/pve/0015-PVE-qapi-modify-spice-query.patch b/debian/patches/pve/0015-PVE-qapi-modify-spice-query.patch
index 9ebf74c..02ec05b 100644
--- a/debian/patches/pve/0015-PVE-qapi-modify-spice-query.patch
+++ b/debian/patches/pve/0015-PVE-qapi-modify-spice-query.patch
@@ -33,10 +33,10 @@ index 1b2f4a4769..c9982e1bcc 100644
    'if': 'CONFIG_SPICE' }
  
 diff --git a/ui/spice-core.c b/ui/spice-core.c
-index cd1ec9c082..4064053778 100644
+index a8b34d3bf5..994079ec87 100644
 --- a/ui/spice-core.c
 +++ b/ui/spice-core.c
-@@ -556,6 +556,10 @@ static SpiceInfo *qmp_query_spice_real(Error **errp)
+@@ -554,6 +554,10 @@ static SpiceInfo *qmp_query_spice_real(Error **errp)
      micro = SPICE_SERVER_VERSION & 0xff;
      info->compiled_version = g_strdup_printf("%d.%d.%d", major, minor, micro);
  
diff --git a/debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch b/debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch
index 44f1b38..369f5ad 100644
--- a/debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch
+++ b/debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch
@@ -40,10 +40,10 @@ index a21d9a5411..1373612c10 100644
  system_ss.add(files('block-ram-registrar.c'))
  
 diff --git a/meson.build b/meson.build
-index 50c774a195..25eee758fc 100644
+index b7db736bbf..fe7b7a88fd 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -2198,6 +2198,8 @@ endif
+@@ -2199,6 +2199,8 @@ endif
  
  has_gettid = cc.has_function('gettid')
  
@@ -52,7 +52,7 @@ index 50c774a195..25eee758fc 100644
  # libselinux
  selinux = dependency('libselinux',
                       required: get_option('selinux'),
-@@ -4531,6 +4533,9 @@ if have_tools
+@@ -4532,6 +4534,9 @@ if have_tools
                 dependencies: [blockdev, qemuutil, selinux],
                 install: true)
  
diff --git a/debian/patches/pve/0030-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch b/debian/patches/pve/0030-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
index 7d375ef..3c0e64c 100644
--- a/debian/patches/pve/0030-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
+++ b/debian/patches/pve/0030-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
@@ -266,10 +266,10 @@ index 2596cc2426..9dda91d65a 100644
  void hmp_device_add(Monitor *mon, const QDict *qdict);
  void hmp_device_del(Monitor *mon, const QDict *qdict);
 diff --git a/meson.build b/meson.build
-index 25eee758fc..347197d2d7 100644
+index fe7b7a88fd..3bb206ce4d 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -2199,6 +2199,7 @@ endif
+@@ -2200,6 +2200,7 @@ endif
  has_gettid = cc.has_function('gettid')
  
  libuuid = cc.find_library('uuid', required: true)
diff --git a/debian/patches/pve/0031-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch b/debian/patches/pve/0031-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
index ef8a531..2f63bd1 100644
--- a/debian/patches/pve/0031-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
+++ b/debian/patches/pve/0031-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
@@ -14,10 +14,10 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
  create mode 100644 pbs-restore.c
 
 diff --git a/meson.build b/meson.build
-index 347197d2d7..c1d9e46dd8 100644
+index 3bb206ce4d..9eba919450 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -4537,6 +4537,10 @@ if have_tools
+@@ -4538,6 +4538,10 @@ if have_tools
    vma = executable('vma', files('vma.c', 'vma-reader.c') + genh,
                     dependencies: [authz, block, crypto, io, qemuutil, qom], install: true)
  
diff --git a/debian/patches/pve/0032-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch b/debian/patches/pve/0032-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
index e218b53..41626ce 100644
--- a/debian/patches/pve/0032-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
+++ b/debian/patches/pve/0032-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
@@ -348,10 +348,10 @@ index 0000000000..3e41421716
 +
 +block_init(bdrv_pbs_init);
 diff --git a/meson.build b/meson.build
-index c1d9e46dd8..bb1bff44b8 100644
+index 9eba919450..4861b69412 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -5010,7 +5010,7 @@ summary_info += {'Query Processing Library support': qpl}
+@@ -5011,7 +5011,7 @@ summary_info += {'Query Processing Library support': qpl}
  summary_info += {'UADK Library support': uadk}
  summary_info += {'qatzip support':    qatzip}
  summary_info += {'NUMA host support': numa}
diff --git a/debian/patches/pve/0033-PVE-redirect-stderr-to-journal-when-daemonized.patch b/debian/patches/pve/0033-PVE-redirect-stderr-to-journal-when-daemonized.patch
index 927215e..b007793 100644
--- a/debian/patches/pve/0033-PVE-redirect-stderr-to-journal-when-daemonized.patch
+++ b/debian/patches/pve/0033-PVE-redirect-stderr-to-journal-when-daemonized.patch
@@ -14,10 +14,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  2 files changed, 7 insertions(+), 3 deletions(-)
 
 diff --git a/meson.build b/meson.build
-index bb1bff44b8..6b85f32abe 100644
+index 4861b69412..7e1935d43f 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -2199,6 +2199,7 @@ endif
+@@ -2200,6 +2200,7 @@ endif
  has_gettid = cc.has_function('gettid')
  
  libuuid = cc.find_library('uuid', required: true)
@@ -25,7 +25,7 @@ index bb1bff44b8..6b85f32abe 100644
  libproxmox_backup_qemu = cc.find_library('proxmox_backup_qemu', required: true)
  
  # libselinux
-@@ -3874,7 +3875,7 @@ if have_block
+@@ -3875,7 +3876,7 @@ if have_block
    elif host_os == 'emscripten'
      blockdev_ss.add(files('os-wasm.c'))
    else
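
Review bot: nothing to change in this hunk, but for the record the refreshed PVE patches look mechanically regenerated rather than hand-edited: the meson.build blob ids chain from one patch to the next (0027 ends at fe7b7a88fd, 0030 starts there and ends at 3bb206ce4d, then 9eba919450 out of 0031, 4861b69412 out of 0032, and 7e1935d43f out of this one), and every meson.build hunk header moved by exactly one line (2199 to 2200, 3874 to 3875, 4537 to 4538, 5010 to 5011). A break in that chain would be the first sign of a patch that was fixed up by hand and may no longer apply cleanly against ccaea6b2656e.
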
diff --git a/debian/patches/pve/0034-PVE-Migrate-dirty-bitmap-state-via-savevm.patch b/debian/patches/pve/0034-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
index 6a08ce2..c581f29 100644
--- a/debian/patches/pve/0034-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
+++ b/debian/patches/pve/0034-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
@@ -58,7 +58,7 @@ index 409b748980..ca94e7e17b 100644
    'savevm.c',
    'savevm-async.c',
 diff --git a/migration/migration.c b/migration/migration.c
-index 10c216d25d..b58cbdc2c0 100644
+index 32b8ce5613..60464d43c3 100644
 --- a/migration/migration.c
 +++ b/migration/migration.c
 @@ -340,6 +340,7 @@ void migration_object_init(void)
diff --git a/debian/patches/pve/0047-savevm-async-reuse-migration-blocker-check-for-snaps.patch b/debian/patches/pve/0047-savevm-async-reuse-migration-blocker-check-for-snaps.patch
index eb21d75..a269f01 100644
--- a/debian/patches/pve/0047-savevm-async-reuse-migration-blocker-check-for-snaps.patch
+++ b/debian/patches/pve/0047-savevm-async-reuse-migration-blocker-check-for-snaps.patch
@@ -89,7 +89,7 @@ index a687ac0efe..f36bfb2df1 100644
   * @migrate_add_blocker - prevent all modes of migration from proceeding
   *
 diff --git a/migration/migration.c b/migration/migration.c
-index b58cbdc2c0..594e253a8a 100644
+index 60464d43c3..998a7f87b8 100644
 --- a/migration/migration.c
 +++ b/migration/migration.c
 @@ -2055,6 +2055,30 @@ bool migration_is_blocked(Error **errp)
diff --git a/debian/patches/series b/debian/patches/series
index ee5da2e..29c18ec 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,17 +1,8 @@
 extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch
 extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
-extra/0003-target-arm-Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch
-extra/0004-qemu-atomic-Finish-renaming-atomic128-cas.h-headers.patch
-extra/0005-block-curl-fix-curl-internal-handles-handling.patch
-extra/0006-i386-tcg-svm-fix-incorrect-canonicalization.patch
-extra/0007-hw-vfio-user-add-x-pci-class-code.patch
-extra/0008-tcg-arm-Fix-tgen_deposit.patch
-extra/0009-e1000e-Prevent-crash-from-legacy-interrupt-firing-af.patch
-extra/0010-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch
-extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch
-extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch
-extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch
-extra/0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
+extra/0003-tcg-arm-Fix-tgen_deposit.patch
+extra/0004-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch
+extra/0005-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
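
Review bot: the series file can only show that twelve extra/ entries go away and three return renumbered (tgen_deposit, the IGD quirk patch and the TMF deadlock fix from 1/3); nothing in the build verifies that the other nine are actually in the new base. A kept patch that is already upstream would fail to apply and be noticed, but a dropped patch that is missing from 10.1.2 just silently reintroduces the bug, so please list the nine dropped subjects in the commit message together with how they were matched, e.g. grepping each subject in `git -C qemu log --oneline f8b2f64e2336..ccaea6b2656e`, and confirm the same search finds no match for the two kept extra/ patches.
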
diff --git a/qemu b/qemu
index f8b2f64..ccaea6b 160000
--- a/qemu
+++ b/qemu
@@ -1 +1 @@
-Subproject commit f8b2f64e2336a28bf0d50b6ef8a7d8c013e9bcf3
+Subproject commit ccaea6b2656ec6eab966585f7b16438208f98de7
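
Review bot: the bump is to a bare commit id, and nothing in the diff ties ccaea6b2656e to the v10.1.2 tag the 2/3 subject promises. Please record the verification in the commit message, e.g. `git -C qemu describe --tags --exact-match ccaea6b2656e` printing v10.1.2 and `git -C qemu tag -v v10.1.2` succeeding against the QEMU release-signing key, so that a rebuild from this packaging commit can be traced to the signed upstream release rather than to an arbitrary commit on the stable branch.
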
-- 
2.47.3




* [pve-devel] [PATCH qemu 3/3] cherry pick fix for VFIO regression affecting v10.1
  2025-10-21 11:23 [pve-devel] [PATCH-SERIES qemu 0/3] fix #6810 and other QEMU 10.1 stable fixes Fiona Ebner
  2025-10-21 11:23 ` [pve-devel] [PATCH qemu 1/3] fix #6810: add patch to avoid deadlock upon TMF request cancelling with VirtIO Fiona Ebner
  2025-10-21 11:23 ` [pve-devel] [PATCH qemu 2/3] update submodule and patches to QEMU 10.1.2 Fiona Ebner
@ 2025-10-21 11:23 ` Fiona Ebner
  2025-10-21 16:29 ` [pve-devel] applied: [PATCH-SERIES qemu 0/3] fix #6810 and other QEMU 10.1 stable fixes Thomas Lamprecht
  3 siblings, 0 replies; 5+ messages in thread
From: Fiona Ebner @ 2025-10-21 11:23 UTC (permalink / raw)
  To: pve-devel

For more information, see the commit messages of the added patches and:
https://lore.kernel.org/qemu-devel/6519c5b0-46d2-4097-bb37-7a78f9087f68@redhat.com/

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 ...-rename-field-to-num_initial_regions.patch | 245 ++++++++++++++++++
 ...region-info-cache-for-initial-region.patch |  75 ++++++
 debian/patches/series                         |   2 +
 3 files changed, 322 insertions(+)
 create mode 100644 debian/patches/extra/0006-vfio-rename-field-to-num_initial_regions.patch
 create mode 100644 debian/patches/extra/0007-vfio-only-check-region-info-cache-for-initial-region.patch

diff --git a/debian/patches/extra/0006-vfio-rename-field-to-num_initial_regions.patch b/debian/patches/extra/0006-vfio-rename-field-to-num_initial_regions.patch
new file mode 100644
index 0000000..3662f1d
--- /dev/null
+++ b/debian/patches/extra/0006-vfio-rename-field-to-num_initial_regions.patch
@@ -0,0 +1,245 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: John Levon <john.levon@nutanix.com>
+Date: Tue, 14 Oct 2025 17:12:26 +0200
+Subject: [PATCH] vfio: rename field to "num_initial_regions"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We set VFIODevice::num_regions at initialization time, and do not
+otherwise refresh it. As it is valid in theory for a VFIO device to
+later increase the number of supported regions, rename the field to
+"num_initial_regions" to better reflect its semantics.
+
+Signed-off-by: John Levon <john.levon@nutanix.com>
+Reviewed-by: Cédric Le Goater <clg@redhat.com>
+Reviewed-by: Alex Williamson <alex@shazbot.org>
+Link: https://lore.kernel.org/qemu-devel/20251014151227.2298892-2-john.levon@nutanix.com
+Signed-off-by: Cédric Le Goater <clg@redhat.com>
+(cherry picked from commit d5176a39405f0e0d20dff173e58255a7d5099411
+ from https://gitlab.com/legoater/qemu/-/tree/vfio-next)
+[FE: also rename in hw/vfio/platform.c and hw/core/sysbus-fdt.c
+ where affected code got dropped in master, but is still in v10.1]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/core/sysbus-fdt.c          | 14 +++++++-------
+ hw/vfio-user/device.c         |  2 +-
+ hw/vfio/ccw.c                 |  4 ++--
+ hw/vfio/device.c              | 12 ++++++------
+ hw/vfio/iommufd.c             |  3 ++-
+ hw/vfio/pci.c                 |  4 ++--
+ hw/vfio/platform.c            | 10 +++++-----
+ include/hw/vfio/vfio-device.h |  2 +-
+ 8 files changed, 26 insertions(+), 25 deletions(-)
+
+diff --git a/hw/core/sysbus-fdt.c b/hw/core/sysbus-fdt.c
+index c339a27875..1e1966813f 100644
+--- a/hw/core/sysbus-fdt.c
++++ b/hw/core/sysbus-fdt.c
+@@ -236,15 +236,15 @@ static int add_calxeda_midway_xgmac_fdt_node(SysBusDevice *sbdev, void *opaque)
+ 
+     qemu_fdt_setprop(fdt, nodename, "dma-coherent", "", 0);
+ 
+-    reg_attr = g_new(uint32_t, vbasedev->num_regions * 2);
+-    for (i = 0; i < vbasedev->num_regions; i++) {
++    reg_attr = g_new(uint32_t, vbasedev->num_initial_regions * 2);
++    for (i = 0; i < vbasedev->num_initial_regions; i++) {
+         mmio_base = platform_bus_get_mmio_addr(pbus, sbdev, i);
+         reg_attr[2 * i] = cpu_to_be32(mmio_base);
+         reg_attr[2 * i + 1] = cpu_to_be32(
+                                 memory_region_size(vdev->regions[i]->mem));
+     }
+     qemu_fdt_setprop(fdt, nodename, "reg", reg_attr,
+-                     vbasedev->num_regions * 2 * sizeof(uint32_t));
++                     vbasedev->num_initial_regions * 2 * sizeof(uint32_t));
+ 
+     irq_attr = g_new(uint32_t, vbasedev->num_irqs * 3);
+     for (i = 0; i < vbasedev->num_irqs; i++) {
+@@ -330,7 +330,7 @@ static int add_amd_xgbe_fdt_node(SysBusDevice *sbdev, void *opaque)
+ 
+     g_free(dt_name);
+ 
+-    if (vbasedev->num_regions != 5) {
++    if (vbasedev->num_initial_regions != 5) {
+         error_report("%s Does the host dt node combine XGBE/PHY?", __func__);
+         exit(1);
+     }
+@@ -374,15 +374,15 @@ static int add_amd_xgbe_fdt_node(SysBusDevice *sbdev, void *opaque)
+                            guest_clock_phandles[0],
+                            guest_clock_phandles[1]);
+ 
+-    reg_attr = g_new(uint32_t, vbasedev->num_regions * 2);
+-    for (i = 0; i < vbasedev->num_regions; i++) {
++    reg_attr = g_new(uint32_t, vbasedev->num_initial_regions * 2);
++    for (i = 0; i < vbasedev->num_initial_regions; i++) {
+         mmio_base = platform_bus_get_mmio_addr(pbus, sbdev, i);
+         reg_attr[2 * i] = cpu_to_be32(mmio_base);
+         reg_attr[2 * i + 1] = cpu_to_be32(
+                                 memory_region_size(vdev->regions[i]->mem));
+     }
+     qemu_fdt_setprop(guest_fdt, nodename, "reg", reg_attr,
+-                     vbasedev->num_regions * 2 * sizeof(uint32_t));
++                     vbasedev->num_initial_regions * 2 * sizeof(uint32_t));
+ 
+     irq_attr = g_new(uint32_t, vbasedev->num_irqs * 3);
+     for (i = 0; i < vbasedev->num_irqs; i++) {
+diff --git a/hw/vfio-user/device.c b/hw/vfio-user/device.c
+index 0609a7dc25..64ef35b320 100644
+--- a/hw/vfio-user/device.c
++++ b/hw/vfio-user/device.c
+@@ -134,7 +134,7 @@ static int vfio_user_device_io_get_region_info(VFIODevice *vbasedev,
+     VFIOUserFDs fds = { 0, 1, fd};
+     int ret;
+ 
+-    if (info->index > vbasedev->num_regions) {
++    if (info->index > vbasedev->num_initial_regions) {
+         return -EINVAL;
+     }
+ 
+diff --git a/hw/vfio/ccw.c b/hw/vfio/ccw.c
+index 9560b8d851..4d9588e7aa 100644
+--- a/hw/vfio/ccw.c
++++ b/hw/vfio/ccw.c
+@@ -484,9 +484,9 @@ static bool vfio_ccw_get_region(VFIOCCWDevice *vcdev, Error **errp)
+      * We always expect at least the I/O region to be present. We also
+      * may have a variable number of regions governed by capabilities.
+      */
+-    if (vdev->num_regions < VFIO_CCW_CONFIG_REGION_INDEX + 1) {
++    if (vdev->num_initial_regions < VFIO_CCW_CONFIG_REGION_INDEX + 1) {
+         error_setg(errp, "vfio: too few regions (%u), expected at least %u",
+-                   vdev->num_regions, VFIO_CCW_CONFIG_REGION_INDEX + 1);
++                   vdev->num_initial_regions, VFIO_CCW_CONFIG_REGION_INDEX + 1);
+         return false;
+     }
+ 
+diff --git a/hw/vfio/device.c b/hw/vfio/device.c
+index 52a1996dc4..0b459c0f7c 100644
+--- a/hw/vfio/device.c
++++ b/hw/vfio/device.c
+@@ -257,7 +257,7 @@ int vfio_device_get_region_info_type(VFIODevice *vbasedev, uint32_t type,
+ {
+     int i;
+ 
+-    for (i = 0; i < vbasedev->num_regions; i++) {
++    for (i = 0; i < vbasedev->num_initial_regions; i++) {
+         struct vfio_info_cap_header *hdr;
+         struct vfio_region_info_cap_type *cap_type;
+ 
+@@ -466,7 +466,7 @@ void vfio_device_prepare(VFIODevice *vbasedev, VFIOContainerBase *bcontainer,
+     int i;
+ 
+     vbasedev->num_irqs = info->num_irqs;
+-    vbasedev->num_regions = info->num_regions;
++    vbasedev->num_initial_regions = info->num_regions;
+     vbasedev->flags = info->flags;
+     vbasedev->reset_works = !!(info->flags & VFIO_DEVICE_FLAGS_RESET);
+ 
+@@ -476,10 +476,10 @@ void vfio_device_prepare(VFIODevice *vbasedev, VFIOContainerBase *bcontainer,
+     QLIST_INSERT_HEAD(&vfio_device_list, vbasedev, global_next);
+ 
+     vbasedev->reginfo = g_new0(struct vfio_region_info *,
+-                               vbasedev->num_regions);
++                               vbasedev->num_initial_regions);
+     if (vbasedev->use_region_fds) {
+-        vbasedev->region_fds = g_new0(int, vbasedev->num_regions);
+-        for (i = 0; i < vbasedev->num_regions; i++) {
++        vbasedev->region_fds = g_new0(int, vbasedev->num_initial_regions);
++        for (i = 0; i < vbasedev->num_initial_regions; i++) {
+             vbasedev->region_fds[i] = -1;
+         }
+     }
+@@ -489,7 +489,7 @@ void vfio_device_unprepare(VFIODevice *vbasedev)
+ {
+     int i;
+ 
+-    for (i = 0; i < vbasedev->num_regions; i++) {
++    for (i = 0; i < vbasedev->num_initial_regions; i++) {
+         g_free(vbasedev->reginfo[i]);
+         if (vbasedev->region_fds != NULL && vbasedev->region_fds[i] != -1) {
+             close(vbasedev->region_fds[i]);
+diff --git a/hw/vfio/iommufd.c b/hw/vfio/iommufd.c
+index 48c590b6a9..dbcd861b27 100644
+--- a/hw/vfio/iommufd.c
++++ b/hw/vfio/iommufd.c
+@@ -668,7 +668,8 @@ found_container:
+     vfio_iommufd_cpr_register_device(vbasedev);
+ 
+     trace_iommufd_cdev_device_info(vbasedev->name, devfd, vbasedev->num_irqs,
+-                                   vbasedev->num_regions, vbasedev->flags);
++                                   vbasedev->num_initial_regions,
++                                   vbasedev->flags);
+     return true;
+ 
+ err_listener_register:
+diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
+index 07257d0fa0..1e69055c7c 100644
+--- a/hw/vfio/pci.c
++++ b/hw/vfio/pci.c
+@@ -2930,9 +2930,9 @@ bool vfio_pci_populate_device(VFIOPCIDevice *vdev, Error **errp)
+         return false;
+     }
+ 
+-    if (vbasedev->num_regions < VFIO_PCI_CONFIG_REGION_INDEX + 1) {
++    if (vbasedev->num_initial_regions < VFIO_PCI_CONFIG_REGION_INDEX + 1) {
+         error_setg(errp, "unexpected number of io regions %u",
+-                   vbasedev->num_regions);
++                   vbasedev->num_initial_regions);
+         return false;
+     }
+ 
+diff --git a/hw/vfio/platform.c b/hw/vfio/platform.c
+index 5c1795a26f..c9349ba7b7 100644
+--- a/hw/vfio/platform.c
++++ b/hw/vfio/platform.c
+@@ -148,7 +148,7 @@ static void vfio_mmap_set_enabled(VFIOPlatformDevice *vdev, bool enabled)
+ {
+     int i;
+ 
+-    for (i = 0; i < vdev->vbasedev.num_regions; i++) {
++    for (i = 0; i < vdev->vbasedev.num_initial_regions; i++) {
+         vfio_region_mmaps_set_enabled(vdev->regions[i], enabled);
+     }
+ }
+@@ -453,9 +453,9 @@ static bool vfio_populate_device(VFIODevice *vbasedev, Error **errp)
+         return false;
+     }
+ 
+-    vdev->regions = g_new0(VFIORegion *, vbasedev->num_regions);
++    vdev->regions = g_new0(VFIORegion *, vbasedev->num_initial_regions);
+ 
+-    for (i = 0; i < vbasedev->num_regions; i++) {
++    for (i = 0; i < vbasedev->num_initial_regions; i++) {
+         char *name = g_strdup_printf("VFIO %s region %d\n", vbasedev->name, i);
+ 
+         vdev->regions[i] = g_new0(VFIORegion, 1);
+@@ -499,7 +499,7 @@ irq_err:
+         g_free(intp);
+     }
+ reg_error:
+-    for (i = 0; i < vbasedev->num_regions; i++) {
++    for (i = 0; i < vbasedev->num_initial_regions; i++) {
+         if (vdev->regions[i]) {
+             vfio_region_finalize(vdev->regions[i]);
+         }
+@@ -608,7 +608,7 @@ static void vfio_platform_realize(DeviceState *dev, Error **errp)
+         }
+     }
+ 
+-    for (i = 0; i < vbasedev->num_regions; i++) {
++    for (i = 0; i < vbasedev->num_initial_regions; i++) {
+         if (vfio_region_mmap(vdev->regions[i])) {
+             warn_report("%s mmap unsupported, performance may be slow",
+                         memory_region_name(vdev->regions[i]->mem));
+diff --git a/include/hw/vfio/vfio-device.h b/include/hw/vfio/vfio-device.h
+index 6e4d5ccdac..10024730a1 100644
+--- a/include/hw/vfio/vfio-device.h
++++ b/include/hw/vfio/vfio-device.h
+@@ -74,7 +74,7 @@ typedef struct VFIODevice {
+     VFIODeviceOps *ops;
+     VFIODeviceIOOps *io_ops;
+     unsigned int num_irqs;
+-    unsigned int num_regions;
++    unsigned int num_initial_regions;
+     unsigned int flags;
+     VFIOMigration *migration;
+     Error *migration_blocker;
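Review bot: the new field deserves a comment in the struct, since its meaning is no longer obvious from the name alone: it is the region count reported by the kernel at `vfio_device_prepare()` time and therefore the allocated length of `reginfo[]` and `region_fds[]`, while a device may later expose regions with indexes at or beyond it. Something like `unsigned int num_initial_regions; /* region count at prepare time; length of reginfo[] and region_fds[] */` would save the next reader a trip to device.c.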
diff --git a/debian/patches/extra/0007-vfio-only-check-region-info-cache-for-initial-region.patch b/debian/patches/extra/0007-vfio-only-check-region-info-cache-for-initial-region.patch
new file mode 100644
index 0000000..b239cb4
--- /dev/null
+++ b/debian/patches/extra/0007-vfio-only-check-region-info-cache-for-initial-region.patch
@@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: John Levon <john.levon@nutanix.com>
+Date: Tue, 14 Oct 2025 17:12:27 +0200
+Subject: [PATCH] vfio: only check region info cache for initial regions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It is semantically valid for a VFIO device to increase the number of
+regions after initialization. In this case, we'd attempt to check for
+cached region info past the size of the ->reginfo array. Check for the
+region index and skip the cache in these cases.
+
+This also works around some VGPU use cases which appear to be a bug,
+where VFIO_DEVICE_QUERY_GFX_PLANE returns a region index beyond the
+reported ->num_regions.
+
+Fixes: 95cdb024 ("vfio: add region info cache")
+Signed-off-by: John Levon <john.levon@nutanix.com>
+Reviewed-by: Cédric Le Goater <clg@redhat.com>
+Reviewed-by: Alex Williamson <alex@shazbot.org>
+Link: https://lore.kernel.org/qemu-devel/20251014151227.2298892-3-john.levon@nutanix.com
+Signed-off-by: Cédric Le Goater <clg@redhat.com>
+(cherry picked from commit 5bdcf2df64bf7e4be58524ef1442836b6d41282e
+ from https://gitlab.com/legoater/qemu/-/tree/vfio-next)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/vfio/device.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/hw/vfio/device.c b/hw/vfio/device.c
+index 0b459c0f7c..7ebf41c95e 100644
+--- a/hw/vfio/device.c
++++ b/hw/vfio/device.c
+@@ -205,10 +205,19 @@ int vfio_device_get_region_info(VFIODevice *vbasedev, int index,
+     int fd = -1;
+     int ret;
+ 
+-    /* check cache */
+-    if (vbasedev->reginfo[index] != NULL) {
+-        *info = vbasedev->reginfo[index];
+-        return 0;
++    /*
++     * We only set up the region info cache for the initial number of regions.
++     *
++     * Since a VFIO device may later increase the number of regions then use
++     * such regions with an index past ->num_initial_regions, don't attempt to
++     * use the info cache in those cases.
++     */
++    if (index < vbasedev->num_initial_regions) {
++        /* check cache */
++        if (vbasedev->reginfo[index] != NULL) {
++            *info = vbasedev->reginfo[index];
++            return 0;
++        }
+     }
+ 
+     *info = g_malloc0(argsz);
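Review bot: `index` is an `int` (see the signature in the hunk header) while `num_initial_regions` is `unsigned int`, so the new `index < vbasedev->num_initial_regions` check is evaluated as an unsigned comparison; a negative `index` converts to a large value and is treated as out of range. That happens to be the safe outcome for the cache lookup, but it is implicit. A `g_assert(index >= 0)` at the top of the function, or making the parameter unsigned, would make the intent explicit and keep the array access obviously in bounds.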
+@@ -236,10 +245,12 @@ retry:
+         goto retry;
+     }
+ 
+-    /* fill cache */
+-    vbasedev->reginfo[index] = *info;
+-    if (vbasedev->region_fds != NULL) {
+-        vbasedev->region_fds[index] = fd;
++    if (index < vbasedev->num_initial_regions) {
++        /* fill cache */
++        vbasedev->reginfo[index] = *info;
++        if (vbasedev->region_fds != NULL) {
++            vbasedev->region_fds[index] = fd;
++        }
+     }
+ 
+     return 0;
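Review bot: for an index at or beyond `num_initial_regions` the function now hands back a freshly `g_malloc0()`'d `*info` that is stored nowhere, so ownership silently shifts to the caller. Cached entries are owned by `vbasedev` and released in `vfio_device_unprepare()` (see the loop in the 0006 hunk above), so existing callers presumably never free the result; any caller querying such an index (the commit message names the VFIO_DEVICE_QUERY_GFX_PLANE case) would then leak one allocation per call. The same applies to `fd`, which is only recorded in `region_fds[]` for cached indexes and, as far as this hunk shows, is otherwise neither returned to the caller nor closed. Suggest stating the ownership rule for the uncached path in the function's comment, or freeing/closing on that path before returning if callers are not expected to take ownership.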
diff --git a/debian/patches/series b/debian/patches/series
index 29c18ec..900310a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,6 +3,8 @@ extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
 extra/0003-tcg-arm-Fix-tgen_deposit.patch
 extra/0004-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch
 extra/0005-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
+extra/0006-vfio-rename-field-to-num_initial_regions.patch
+extra/0007-vfio-only-check-region-info-cache-for-initial-region.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


* [pve-devel] applied: [PATCH-SERIES qemu 0/3] fix #6810 and other QEMU 10.1 stable fixes
  2025-10-21 11:23 [pve-devel] [PATCH-SERIES qemu 0/3] fix #6810 and other QEMU 10.1 stable fixes Fiona Ebner
                   ` (2 preceding siblings ...)
  2025-10-21 11:23 ` [pve-devel] [PATCH qemu 3/3] cherry pick fix for VFIO regression affecting v10.1 Fiona Ebner
@ 2025-10-21 16:29 ` Thomas Lamprecht
  3 siblings, 0 replies; 5+ messages in thread
From: Thomas Lamprecht @ 2025-10-21 16:29 UTC (permalink / raw)
  To: pve-devel, Fiona Ebner

On Tue, 21 Oct 2025 13:23:31 +0200, Fiona Ebner wrote:
> Fix bug #6810, which is a deadlock issue with SCSI request cancelling
> affecting (at least) FreeBSD.
> 
> Update to the 10.1.2 QEMU stable release to pick up some TCG fixes and
> fix for a memory leak affecting vCPU hotunplug.
> 
> Lastly, pick up fixes for a VFIO regression affecting the 10.1 QEMU
> release.
> 
> [...]

Applied, thanks!

[1/3] fix #6810: add patch to avoid deadlock upon TMF request cancelling with VirtIO
      commit: 005898a658a788d0aca7dd974d86d9f795a9a78c
[2/3] update submodule and patches to QEMU 10.1.2
      commit: 535c923e9c512903461348f7e7f8f549b74f793c
[3/3] cherry pick fix for VFIO regression affecting v10.1
      commit: 6bed5de4fe7490a19192849bbd13783e2c26d8a3




