* [pve-devel] [PATCH-SERIES qemu 0/3] fix #6810 and other QEMU 10.1 stable fixes
@ 2025-10-21 11:23 Fiona Ebner
2025-10-21 11:23 ` [pve-devel] [PATCH qemu 1/3] fix #6810: add patch to avoid deadlock upon TMF request cancelling with VirtIO Fiona Ebner
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Fiona Ebner @ 2025-10-21 11:23 UTC (permalink / raw)
To: pve-devel
Fix bug #6810, which is a deadlock issue with SCSI request cancelling
affecting (at least) FreeBSD.
Update to the 10.1.2 QEMU stable release to pick up some TCG fixes and
a fix for a memory leak affecting vCPU hotunplug.
Lastly, pick up fixes for a VFIO regression affecting the 10.1 QEMU
release.
Fiona Ebner (3):
fix #6810: add patch to avoid deadlock upon TMF request cancelling
with VirtIO
update submodule and patches to QEMU 10.1.2
cherry pick fix for VFIO regression affecting v10.1
...Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch | 96 -------
...ch => 0003-tcg-arm-Fix-tgen_deposit.patch} | 0
...ish-renaming-atomic128-cas.h-headers.patch | 25 --
...uirks-when-IGD-is-not-the-primary-d.patch} | 0
...l-fix-curl-internal-handles-handling.patch | 60 -----
...adlock-upon-TMF-request-cancelling-w.patch | 83 ++++++
...g-svm-fix-incorrect-canonicalization.patch | 38 ---
...-rename-field-to-num_initial_regions.patch | 245 ++++++++++++++++++
...07-hw-vfio-user-add-x-pci-class-code.patch | 35 ---
...region-info-cache-for-initial-region.patch | 75 ++++++
...rash-from-legacy-interrupt-firing-af.patch | 58 -----
...able-SMM-cpu-address-space-under-KVM.patch | 106 --------
...compatibility-property-for-arch_capa.patch | 109 --------
...compatibility-property-for-pdcm-feat.patch | 96 -------
...he-CPU-model-to-kvm64-32-instead-of-.patch | 4 +-
...ui-spice-default-to-pve-certificates.patch | 4 +-
.../0015-PVE-qapi-modify-spice-query.patch | 4 +-
...VE-Backup-add-vma-backup-format-code.patch | 6 +-
...ckup-Proxmox-backup-patches-for-QEMU.patch | 4 +-
...estore-new-command-to-restore-from-p.patch | 4 +-
...k-driver-to-map-backup-archives-into.patch | 4 +-
...ct-stderr-to-journal-when-daemonized.patch | 6 +-
...igrate-dirty-bitmap-state-via-savevm.patch | 2 +-
...se-migration-blocker-check-for-snaps.patch | 2 +-
debian/patches/series | 16 +-
qemu | 2 +-
26 files changed, 429 insertions(+), 655 deletions(-)
delete mode 100644 debian/patches/extra/0003-target-arm-Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch
rename debian/patches/extra/{0008-tcg-arm-Fix-tgen_deposit.patch => 0003-tcg-arm-Fix-tgen_deposit.patch} (100%)
delete mode 100644 debian/patches/extra/0004-qemu-atomic-Finish-renaming-atomic128-cas.h-headers.patch
rename debian/patches/extra/{0010-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch => 0004-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch} (100%)
delete mode 100644 debian/patches/extra/0005-block-curl-fix-curl-internal-handles-handling.patch
create mode 100644 debian/patches/extra/0005-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
delete mode 100644 debian/patches/extra/0006-i386-tcg-svm-fix-incorrect-canonicalization.patch
create mode 100644 debian/patches/extra/0006-vfio-rename-field-to-num_initial_regions.patch
delete mode 100644 debian/patches/extra/0007-hw-vfio-user-add-x-pci-class-code.patch
create mode 100644 debian/patches/extra/0007-vfio-only-check-region-info-cache-for-initial-region.patch
delete mode 100644 debian/patches/extra/0009-e1000e-Prevent-crash-from-legacy-interrupt-firing-af.patch
delete mode 100644 debian/patches/extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch
delete mode 100644 debian/patches/extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch
delete mode 100644 debian/patches/extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [PATCH qemu 1/3] fix #6810: add patch to avoid deadlock upon TMF request cancelling with VirtIO
2025-10-21 11:23 [pve-devel] [PATCH-SERIES qemu 0/3] fix #6810 and other QEMU 10.1 stable fixes Fiona Ebner
@ 2025-10-21 11:23 ` Fiona Ebner
2025-10-21 11:23 ` [pve-devel] [PATCH qemu 2/3] update submodule and patches to QEMU 10.1.2 Fiona Ebner
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Fiona Ebner @ 2025-10-21 11:23 UTC (permalink / raw)
To: pve-devel
Because of a regression caused by QEMU commit da6eebb33b
("virtio-scsi: perform TMFs in appropriate AioContexts") and the
introduction of the requests_lock earlier, there would be a deadlock
when a (FreeBSD) guest cancels SCSI requests. See the commit message
of the added patch for more information.
The issue was also reported in the community forum:
https://forum.proxmox.com/threads/freeze-on-pfsense-vm-running-in-pve-9.171557/
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
...adlock-upon-TMF-request-cancelling-w.patch | 83 +++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 84 insertions(+)
create mode 100644 debian/patches/extra/0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
diff --git a/debian/patches/extra/0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch b/debian/patches/extra/0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
new file mode 100644
index 0000000..4c7441e
--- /dev/null
+++ b/debian/patches/extra/0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
@@ -0,0 +1,83 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Fri, 17 Oct 2025 11:43:30 +0200
+Subject: [PATCH] hw/scsi: avoid deadlock upon TMF request cancelling with
+ VirtIO
+
+When scsi_req_dequeue() is reached via
+scsi_req_cancel_async()
+virtio_scsi_tmf_cancel_req()
+virtio_scsi_do_tmf_aio_context(),
+there is a deadlock when trying to acquire the SCSI device's requests
+lock, because it was already acquired in
+virtio_scsi_do_tmf_aio_context().
+
+In particular, the issue happens with a FreeBSD guest (13, 14, 15,
+maybe more), when it cancels SCSI requests, because of timeout.
+
+This is a regression caused by commit da6eebb33b ("virtio-scsi:
+perform TMFs in appropriate AioContexts") and the introduction of the
+requests_lock earlier.
+
+To fix the issue, only cancel the requests after releasing the
+requests_lock. For this, the SCSI device's requests are iterated while
+holding the requests_lock and the requests to be cancelled are
+collected in a list. Then, the collected requests are cancelled
+one by one while not holding the requests_lock. This is safe, because
+only requests from the current AioContext are collected and acted
+upon.
+
+Originally reported by Proxmox VE users:
+https://bugzilla.proxmox.com/show_bug.cgi?id=6810
+https://forum.proxmox.com/threads/173914/
+
+Fixes: da6eebb33b ("virtio-scsi: perform TMFs in appropriate AioContexts")
+Suggested-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Message-id: 20251017094518.328905-1-f.ebner@proxmox.com
+[Changed g_list_append() to g_list_prepend() to avoid traversing the
+list each time.
+--Stefan]
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 7d80d6d82db4c73e335f9e738d7a5778124df35e
+ from https://gitlab.com/stefanha/qemu/-/tree/block)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/scsi/virtio-scsi.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
+index 34ae14f7bf..3b635053b5 100644
+--- a/hw/scsi/virtio-scsi.c
++++ b/hw/scsi/virtio-scsi.c
+@@ -343,6 +343,7 @@ static void virtio_scsi_do_tmf_aio_context(void *opaque)
+ SCSIDevice *d = virtio_scsi_device_get(s, tmf->req.tmf.lun);
+ SCSIRequest *r;
+ bool match_tag;
++ g_autoptr(GList) reqs = NULL;
+
+ if (!d) {
+ tmf->resp.tmf.response = VIRTIO_SCSI_S_BAD_TARGET;
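Review bot: `g_autoptr(GList) reqs` only frees the list cells on function exit, not the references that scsi_req_ref() later pushes onto it; the `if (!d)` early return right below is fine because nothing has been collected at that point, but the declaration deserves a one-line comment saying the list must be fully drained (cancel plus unref) before any return once collection has started, so that a future early exit between the collection loop and the cancel loop does not leak request references.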
+@@ -378,10 +379,21 @@ static void virtio_scsi_do_tmf_aio_context(void *opaque)
+ if (match_tag && cmd_req->req.cmd.tag != tmf->req.tmf.tag) {
+ continue;
+ }
+- virtio_scsi_tmf_cancel_req(tmf, r);
++ /*
++ * Cannot cancel directly, because scsi_req_dequeue() would deadlock
++ * when attempting to acquire the request_lock a second time. Taking
++ * a reference here is paired with an unref after cancelling below.
++ */
++ scsi_req_ref(r);
++ reqs = g_list_prepend(reqs, r);
+ }
+ }
+
++ for (GList *elem = g_list_first(reqs); elem; elem = g_list_next(elem)) {
++ virtio_scsi_tmf_cancel_req(tmf, elem->data);
++ scsi_req_unref(elem->data);
++ }
++
+ /* Incremented by virtio_scsi_do_tmf() */
+ virtio_scsi_tmf_dec_remaining(tmf);
+
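Review bot: the comment line `when attempting to acquire the request_lock a second time.` names the lock `request_lock`, while the commit message and the rest of the patch call it `requests_lock`; align the spelling so grep finds it. `g_list_first(reqs)` in the cancel loop is redundant after building the list with g_list_prepend(), since `reqs` already is the head; `for (GList *elem = reqs; elem; elem = g_list_next(elem))` reads clearer. The safety argument from the commit message (only requests of the current AioContext are collected, so nothing can complete and free them concurrently once the lock is dropped) belongs in the code comment as well: the ref/unref pairing alone explains why the pointer stays valid, not why cancelling outside the lock is race-free.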
diff --git a/debian/patches/series b/debian/patches/series
index 10ebb56..ee5da2e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,6 +11,7 @@ extra/0010-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch
extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch
extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch
extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch
+extra/0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
--
2.47.3
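The collect-then-cancel pattern described in the commit message of the patch above, as an added example that is not QEMU's or this series' own code: a toy request list guarded by a non-recursive lock. The lock is modelled single-threaded and reports EDEADLK when its holder tries to take it again (the way an error-checking pthread mutex would), so the re-entry that would hang a real mutex shows up as a return value instead. `Dev`, `Req`, `Lock`, `req_dequeue()` and the `demo_*` functions are stand-ins invented for the example; only the shape (iterate under `requests_lock`, take a reference, cancel and unref after the lock is dropped) mirrors the patch.

```c
/* Added example (not QEMU code): the requests_lock re-entry deadlock from the
 * commit message and the collect-then-cancel fix, on a toy request list.
 * Dev, Req, Lock, req_dequeue() and the demo_* functions are invented here. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Single-threaded model of a non-recursive mutex: a second acquire by the
 * holder returns EDEADLK (as PTHREAD_MUTEX_ERRORCHECK would) instead of
 * blocking forever, so the deadlock shows up as a return value. */
typedef struct { bool held; } Lock;
static int lock_acquire(Lock *l) { if (l->held) return EDEADLK; l->held = true; return 0; }
static void lock_release(Lock *l) { l->held = false; }

typedef struct Req {
    uint32_t tag;
    int refcount;        /* 1 for the device list, +1 per extra holder */
    struct Req *next;    /* device's request list, protected by requests_lock */
    struct Req *pending; /* scratch list for the fixed path */
} Req;

typedef struct { Lock requests_lock; Req *requests; } Dev;

static void req_ref(Req *r) { r->refcount++; }
static void req_unref(Req *r) { if (--r->refcount == 0) free(r); }

static void dev_enqueue(Dev *d, uint32_t tag)
{
    Req *r = calloc(1, sizeof(*r));
    if (!r) abort();
    r->tag = tag;
    r->refcount = 1;
    lock_acquire(&d->requests_lock);
    r->next = d->requests;
    d->requests = r;
    lock_release(&d->requests_lock);
}

/* Stand-in for scsi_req_dequeue(): takes requests_lock itself. */
static int req_dequeue(Dev *d, Req *r)
{
    int rc = lock_acquire(&d->requests_lock);
    if (rc != 0) return rc;           /* caller already holds the lock */
    for (Req **pp = &d->requests; *pp; pp = &(*pp)->next) {
        if (*pp == r) { *pp = r->next; break; }
    }
    lock_release(&d->requests_lock);
    req_unref(r);                     /* drop the list's reference */
    return 0;
}

/* Pre-fix shape: cancel while still holding requests_lock. */
static int cancel_all_locked(Dev *d)
{
    int rc = 0;
    lock_acquire(&d->requests_lock);
    for (Req *r = d->requests; r && rc == 0; r = r->next)
        rc = req_dequeue(d, r);       /* re-enters requests_lock */
    lock_release(&d->requests_lock);
    return rc;
}

/* Fixed shape: collect matching requests under the lock, holding a reference
 * to each, then cancel and unref them after the lock is released. Returns the
 * number of cancelled requests. */
static int cancel_collected(Dev *d, bool (*match)(const Req *, const void *), const void *arg)
{
    Req *pending = NULL;
    int n = 0;
    lock_acquire(&d->requests_lock);
    for (Req *r = d->requests; r; r = r->next) {
        if (!match(r, arg)) continue;
        req_ref(r);                   /* keeps r alive once the lock is gone */
        r->pending = pending;         /* prepend, like g_list_prepend() */
        pending = r;
    }
    lock_release(&d->requests_lock);
    while (pending) {
        Req *r = pending;
        pending = r->pending;         /* read before r may be freed below */
        r->pending = NULL;
        if (req_dequeue(d, r) == 0) n++;
        req_unref(r);                 /* paired with req_ref() above */
    }
    return n;
}

static bool match_tag(const Req *r, const void *arg) { return r->tag == *(const uint32_t *)arg; }
static bool match_any(const Req *r, const void *arg) { (void)r; (void)arg; return true; }

/* Two queued requests cancelled the pre-fix way: returns EDEADLK. */
int demo_buggy(void)
{
    Dev d = { { false }, NULL };
    dev_enqueue(&d, 1);
    dev_enqueue(&d, 2);
    int rc = cancel_all_locked(&d);
    cancel_collected(&d, match_any, NULL);   /* release everything */
    return rc;
}

/* ABORT TASK for tag 7 among tags 5, 7, 9: returns cancelled * 10 + remaining,
 * i.e. 12 (one cancelled, two still queued). */
int demo_fixed(void)
{
    Dev d = { { false }, NULL };
    uint32_t tag = 7;
    int left = 0;
    dev_enqueue(&d, 5);
    dev_enqueue(&d, 7);
    dev_enqueue(&d, 9);
    int cancelled = cancel_collected(&d, match_tag, &tag);
    for (Req *r = d.requests; r; r = r->next) left++;
    cancel_collected(&d, match_any, NULL);
    return cancelled * 10 + left;
}
```

The reference taken under the lock is what makes the second loop safe against the request being freed once its list reference goes away in `req_dequeue()`; reading `r->pending` before the dequeue matters for the same reason.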
* [pve-devel] [PATCH qemu 2/3] update submodule and patches to QEMU 10.1.2
2025-10-21 11:23 [pve-devel] [PATCH-SERIES qemu 0/3] fix #6810 and other QEMU 10.1 stable fixes Fiona Ebner
2025-10-21 11:23 ` [pve-devel] [PATCH qemu 1/3] fix #6810: add patch to avoid deadlock upon TMF request cancelling with VirtIO Fiona Ebner
@ 2025-10-21 11:23 ` Fiona Ebner
2025-10-21 11:23 ` [pve-devel] [PATCH qemu 3/3] cherry pick fix for VFIO regression affecting v10.1 Fiona Ebner
2025-10-21 16:29 ` [pve-devel] applied: [PATCH-SERIES qemu 0/3] fix #6810 and other QEMU 10.1 stable fixes Thomas Lamprecht
3 siblings, 0 replies; 5+ messages in thread
From: Fiona Ebner @ 2025-10-21 11:23 UTC (permalink / raw)
To: pve-devel
Most notably, some TCG fixes and a fix for a memory leak with vCPU hotunplug.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
...Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch | 96 ---------------
...ch => 0003-tcg-arm-Fix-tgen_deposit.patch} | 0
...ish-renaming-atomic128-cas.h-headers.patch | 25 ----
...uirks-when-IGD-is-not-the-primary-d.patch} | 0
...l-fix-curl-internal-handles-handling.patch | 60 ----------
...dlock-upon-TMF-request-cancelling-w.patch} | 0
...g-svm-fix-incorrect-canonicalization.patch | 38 ------
...07-hw-vfio-user-add-x-pci-class-code.patch | 35 ------
...rash-from-legacy-interrupt-firing-af.patch | 58 ----------
...able-SMM-cpu-address-space-under-KVM.patch | 106 -----------------
...compatibility-property-for-arch_capa.patch | 109 ------------------
...compatibility-property-for-pdcm-feat.patch | 96 ---------------
...he-CPU-model-to-kvm64-32-instead-of-.patch | 4 +-
...ui-spice-default-to-pve-certificates.patch | 4 +-
.../0015-PVE-qapi-modify-spice-query.patch | 4 +-
...VE-Backup-add-vma-backup-format-code.patch | 6 +-
...ckup-Proxmox-backup-patches-for-QEMU.patch | 4 +-
...estore-new-command-to-restore-from-p.patch | 4 +-
...k-driver-to-map-backup-archives-into.patch | 4 +-
...ct-stderr-to-journal-when-daemonized.patch | 6 +-
...igrate-dirty-bitmap-state-via-savevm.patch | 2 +-
...se-migration-blocker-check-for-snaps.patch | 2 +-
debian/patches/series | 15 +--
qemu | 2 +-
24 files changed, 24 insertions(+), 656 deletions(-)
delete mode 100644 debian/patches/extra/0003-target-arm-Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch
rename debian/patches/extra/{0008-tcg-arm-Fix-tgen_deposit.patch => 0003-tcg-arm-Fix-tgen_deposit.patch} (100%)
delete mode 100644 debian/patches/extra/0004-qemu-atomic-Finish-renaming-atomic128-cas.h-headers.patch
rename debian/patches/extra/{0010-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch => 0004-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch} (100%)
delete mode 100644 debian/patches/extra/0005-block-curl-fix-curl-internal-handles-handling.patch
rename debian/patches/extra/{0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch => 0005-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch} (100%)
delete mode 100644 debian/patches/extra/0006-i386-tcg-svm-fix-incorrect-canonicalization.patch
delete mode 100644 debian/patches/extra/0007-hw-vfio-user-add-x-pci-class-code.patch
delete mode 100644 debian/patches/extra/0009-e1000e-Prevent-crash-from-legacy-interrupt-firing-af.patch
delete mode 100644 debian/patches/extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch
delete mode 100644 debian/patches/extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch
delete mode 100644 debian/patches/extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch
diff --git a/debian/patches/extra/0003-target-arm-Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch b/debian/patches/extra/0003-target-arm-Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch
deleted file mode 100644
index 6c966fe..0000000
--- a/debian/patches/extra/0003-target-arm-Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Smail AIDER <smail.aider@huawei.com>
-Date: Tue, 26 Aug 2025 11:21:28 +0100
-Subject: [PATCH] target/arm: Trap PMCR when MDCR_EL2.TPMCR is set
-
-Trap PMCR_EL0 or PMCR accesses to EL2 when MDCR_EL2.TPMCR is set.
-Similar to MDCR_EL2.TPM, MDCR_EL2.TPMCR allows trapping EL0 and EL1
-accesses to the PMCR register to EL2.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Smail AIDER <smail.aider@huawei.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20250811112143.1577055-2-smail.aider@huawei.com
-Message-Id: <20250722131925.2119169-1-smail.aider@huawei.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-(cherry picked from commit 186db6a73bc5c01026bb9f4f4a59e442c0156841)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/arm/cpregs-pmu.c | 34 ++++++++++++++++++++++++++--------
- 1 file changed, 26 insertions(+), 8 deletions(-)
-
-diff --git a/target/arm/cpregs-pmu.c b/target/arm/cpregs-pmu.c
-index 9c4431c18b..31c01eddc8 100644
---- a/target/arm/cpregs-pmu.c
-+++ b/target/arm/cpregs-pmu.c
-@@ -228,22 +228,27 @@ static bool event_supported(uint16_t number)
- return supported_event_map[number] != UNSUPPORTED_EVENT;
- }
-
--static CPAccessResult pmreg_access(CPUARMState *env, const ARMCPRegInfo *ri,
-- bool isread)
-+static CPAccessResult do_pmreg_access(CPUARMState *env, bool is_pmcr)
- {
- /*
- * Performance monitor registers user accessibility is controlled
-- * by PMUSERENR. MDCR_EL2.TPM and MDCR_EL3.TPM allow configurable
-+ * by PMUSERENR. MDCR_EL2.TPM/TPMCR and MDCR_EL3.TPM allow configurable
- * trapping to EL2 or EL3 for other accesses.
- */
- int el = arm_current_el(env);
-- uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);
-
- if (el == 0 && !(env->cp15.c9_pmuserenr & 1)) {
- return CP_ACCESS_TRAP_EL1;
- }
-- if (el < 2 && (mdcr_el2 & MDCR_TPM)) {
-- return CP_ACCESS_TRAP_EL2;
-+ if (el < 2) {
-+ uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);
-+
-+ if (mdcr_el2 & MDCR_TPM) {
-+ return CP_ACCESS_TRAP_EL2;
-+ }
-+ if (is_pmcr && (mdcr_el2 & MDCR_TPMCR)) {
-+ return CP_ACCESS_TRAP_EL2;
-+ }
- }
- if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TPM)) {
- return CP_ACCESS_TRAP_EL3;
-@@ -252,6 +257,19 @@ static CPAccessResult pmreg_access(CPUARMState *env, const ARMCPRegInfo *ri,
- return CP_ACCESS_OK;
- }
-
-+static CPAccessResult pmreg_access(CPUARMState *env, const ARMCPRegInfo *ri,
-+ bool isread)
-+{
-+ return do_pmreg_access(env, false);
-+}
-+
-+static CPAccessResult pmreg_access_pmcr(CPUARMState *env,
-+ const ARMCPRegInfo *ri,
-+ bool isread)
-+{
-+ return do_pmreg_access(env, true);
-+}
-+
- static CPAccessResult pmreg_access_xevcntr(CPUARMState *env,
- const ARMCPRegInfo *ri,
- bool isread)
-@@ -1187,14 +1205,14 @@ void define_pm_cpregs(ARMCPU *cpu)
- .fgt = FGT_PMCR_EL0,
- .type = ARM_CP_IO | ARM_CP_ALIAS,
- .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcr),
-- .accessfn = pmreg_access,
-+ .accessfn = pmreg_access_pmcr,
- .readfn = pmcr_read, .raw_readfn = raw_read,
- .writefn = pmcr_write, .raw_writefn = raw_write,
- };
- const ARMCPRegInfo pmcr64 = {
- .name = "PMCR_EL0", .state = ARM_CP_STATE_AA64,
- .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 0,
-- .access = PL0_RW, .accessfn = pmreg_access,
-+ .access = PL0_RW, .accessfn = pmreg_access_pmcr,
- .fgt = FGT_PMCR_EL0,
- .type = ARM_CP_IO,
- .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcr),
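Review bot: dropping this backport is only correct if upstream commit 186db6a73bc5 is contained in the v10.1.2 stable tag, and the commit message of this patch does not say which of the removed cherry-picks are now in the release; a per-file check (`git tag --contains 186db6a73bc5` in the submodule, or the stable changelog) noted in the message would make the removal verifiable. This one matters more than a cosmetic fix: it adds the missing MDCR_EL2.TPMCR trap, so a regression means an EL1 guest kernel silently regains PMCR access that the hypervisor asked to trap.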
diff --git a/debian/patches/extra/0008-tcg-arm-Fix-tgen_deposit.patch b/debian/patches/extra/0003-tcg-arm-Fix-tgen_deposit.patch
similarity index 100%
rename from debian/patches/extra/0008-tcg-arm-Fix-tgen_deposit.patch
rename to debian/patches/extra/0003-tcg-arm-Fix-tgen_deposit.patch
diff --git a/debian/patches/extra/0004-qemu-atomic-Finish-renaming-atomic128-cas.h-headers.patch b/debian/patches/extra/0004-qemu-atomic-Finish-renaming-atomic128-cas.h-headers.patch
deleted file mode 100644
index 4ff333b..0000000
--- a/debian/patches/extra/0004-qemu-atomic-Finish-renaming-atomic128-cas.h-headers.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Richard Henderson <richard.henderson@linaro.org>
-Date: Fri, 15 Aug 2025 22:26:47 +1000
-Subject: [PATCH] qemu/atomic: Finish renaming atomic128-cas.h headers
-
-The aarch64 header was not renamed with the others, meaning it
-was skipped in favor of the generic version.
-
-Cc: qemu-stable@nongnu.org
-Fixes: 15606965400b ("qemu/atomic: Rename atomic128-cas.h headers using .h.inc suffix")
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20250815122653.701782-2-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-(cherry picked from commit 1748c0d59228c7790940d8be381df1c3108022b1)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- .../include/aarch64/host/{atomic128-cas.h => atomic128-cas.h.inc} | 0
- 1 file changed, 0 insertions(+), 0 deletions(-)
- rename host/include/aarch64/host/{atomic128-cas.h => atomic128-cas.h.inc} (100%)
-
-diff --git a/host/include/aarch64/host/atomic128-cas.h b/host/include/aarch64/host/atomic128-cas.h.inc
-similarity index 100%
-rename from host/include/aarch64/host/atomic128-cas.h
-rename to host/include/aarch64/host/atomic128-cas.h.inc
diff --git a/debian/patches/extra/0010-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch b/debian/patches/extra/0004-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch
similarity index 100%
rename from debian/patches/extra/0010-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch
rename to debian/patches/extra/0004-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch
diff --git a/debian/patches/extra/0005-block-curl-fix-curl-internal-handles-handling.patch b/debian/patches/extra/0005-block-curl-fix-curl-internal-handles-handling.patch
deleted file mode 100644
index 4939ce5..0000000
--- a/debian/patches/extra/0005-block-curl-fix-curl-internal-handles-handling.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Michael Tokarev <mjt@tls.msk.ru>
-Date: Sun, 24 Aug 2025 03:05:32 +0300
-Subject: [PATCH] block/curl: fix curl internal handles handling
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-block/curl.c uses CURLMOPT_SOCKETFUNCTION to register a socket callback.
-According to the documentation, this callback is called not just with
-application-created sockets but also with internal curl sockets, - and
-for such sockets, user data pointer is not set by the application, so
-the result qemu crashing.
-
-Pass BDRVCURLState directly to the callback function as user pointer,
-instead of relying on CURLINFO_PRIVATE.
-
-This problem started happening with update of libcurl from 8.9 to 8.10 --
-apparently with this change curl started using private handles more.
-
-(CURLINFO_PRIVATE is used in one more place, in curl_multi_check_completion() -
-it might need a similar fix too)
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3081
-Cc: qemu-stable@qemu.org
-Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-(cherry picked from commit 606978500c3d18fb89a49844f253097b17f757de)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- block/curl.c | 7 ++-----
- 1 file changed, 2 insertions(+), 5 deletions(-)
-
-diff --git a/block/curl.c b/block/curl.c
-index 5467678024..00b949ea45 100644
---- a/block/curl.c
-+++ b/block/curl.c
-@@ -162,13 +162,9 @@ static int curl_timer_cb(CURLM *multi, long timeout_ms, void *opaque)
- static int curl_sock_cb(CURL *curl, curl_socket_t fd, int action,
- void *userp, void *sp)
- {
-- BDRVCURLState *s;
-- CURLState *state = NULL;
-+ BDRVCURLState *s = userp;
- CURLSocket *socket;
-
-- curl_easy_getinfo(curl, CURLINFO_PRIVATE, (char **)&state);
-- s = state->s;
--
- socket = g_hash_table_lookup(s->sockets, GINT_TO_POINTER(fd));
- if (!socket) {
- socket = g_new0(CURLSocket, 1);
-@@ -605,6 +601,7 @@ static void curl_attach_aio_context(BlockDriverState *bs,
- assert(!s->multi);
- s->multi = curl_multi_init();
- s->aio_context = new_context;
-+ curl_multi_setopt(s->multi, CURLMOPT_SOCKETDATA, s);
- curl_multi_setopt(s->multi, CURLMOPT_SOCKETFUNCTION, curl_sock_cb);
- curl_multi_setopt(s->multi, CURLMOPT_TIMERDATA, s);
- curl_multi_setopt(s->multi, CURLMOPT_TIMERFUNCTION, curl_timer_cb);
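Review bot: the removed commit message itself flags that `curl_multi_check_completion()` still uses CURLINFO_PRIVATE and "might need a similar fix too"; when replacing this local copy with the stable release, it is worth confirming whether that follow-up exists in v10.1.2 or whether the curl block driver still has an open NULL-dereference path with libcurl 8.10 and newer, and recording the answer in the commit message.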
diff --git a/debian/patches/extra/0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch b/debian/patches/extra/0005-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
similarity index 100%
rename from debian/patches/extra/0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
rename to debian/patches/extra/0005-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
diff --git a/debian/patches/extra/0006-i386-tcg-svm-fix-incorrect-canonicalization.patch b/debian/patches/extra/0006-i386-tcg-svm-fix-incorrect-canonicalization.patch
deleted file mode 100644
index c964a14..0000000
--- a/debian/patches/extra/0006-i386-tcg-svm-fix-incorrect-canonicalization.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Zero Tang <zero.tangptr@gmail.com>
-Date: Mon, 18 Aug 2025 12:16:47 +0200
-Subject: [PATCH] i386/tcg/svm: fix incorrect canonicalization
-
-For all 32-bit systems and 64-bit Windows systems, "long" is 4 bytes long.
-Due to using "long" for a linear address, svm_canonicalization would
-set all high bits to 1 when (assuming 48-bit linear address) the segment
-base is bigger than 0x7FFF.
-
-This fixes booting guests under TCG when the guest IDT and GDT bases are
-above 0x7FFF, thereby resulting in incorrect bases. When an interrupt
-arrives, it would trigger a #PF exception; the #PF would trigger again,
-resulting in a #DF exception; the #PF would trigger for the third time,
-resulting in triple-fault, and eventually causes a shutdown VM-Exit to
-the hypervisor right after guest boot.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Zero Tang <zero.tangptr@gmail.com>
-(cherry picked from commit c12cbaa007c9da97a11e74119ea3aed9fcc3ac4c)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- target/i386/tcg/system/svm_helper.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/target/i386/tcg/system/svm_helper.c b/target/i386/tcg/system/svm_helper.c
-index b27049b9ed..dea039b87a 100644
---- a/target/i386/tcg/system/svm_helper.c
-+++ b/target/i386/tcg/system/svm_helper.c
-@@ -49,7 +49,7 @@ static void svm_save_seg(CPUX86State *env, int mmu_idx, hwaddr addr,
- static inline void svm_canonicalization(CPUX86State *env, target_ulong *seg_base)
- {
- uint16_t shift_amt = 64 - cpu_x86_virtual_addr_width(env);
-- *seg_base = ((((long) *seg_base) << shift_amt) >> shift_amt);
-+ *seg_base = (((int64_t) *seg_base) << shift_amt) >> shift_amt;
- }
-
- static void svm_load_seg(CPUX86State *env, int mmu_idx, hwaddr addr,
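Review bot: the removed fix swaps `long` for `int64_t` in the sign-extension in svm_canonicalization(), which as the message states only bites on hosts where `long` is 32 bits (32-bit hosts and 64-bit Windows) under TCG; low risk for the package, but c12cbaa007c9 should still be on the list of commits confirmed to be in v10.1.2 rather than implied by the version bump.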
diff --git a/debian/patches/extra/0007-hw-vfio-user-add-x-pci-class-code.patch b/debian/patches/extra/0007-hw-vfio-user-add-x-pci-class-code.patch
deleted file mode 100644
index dfa93a5..0000000
--- a/debian/patches/extra/0007-hw-vfio-user-add-x-pci-class-code.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: John Levon <john.levon@nutanix.com>
-Date: Wed, 27 Aug 2025 20:08:10 +0100
-Subject: [PATCH] hw/vfio-user: add x-pci-class-code
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This new option was not added to vfio_user_pci_dev_properties, which
-caused an incorrect class code for vfio-user devices.
-
-Fixes: a59d06305fff ("vfio/pci: Introduce x-pci-class-code option")
-Signed-off-by: John Levon <john.levon@nutanix.com>
-Reviewed-by: Cédric Le Goater <clg@redhat.com>
-Link: https://lore.kernel.org/qemu-devel/20250827190810.1645340-1-john.levon@nutanix.com
-Signed-off-by: Cédric Le Goater <clg@redhat.com>
-(cherry picked from commit 1b50621881241ac5bc75ae7f8aa4c278ada8a668)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/vfio-user/pci.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/hw/vfio-user/pci.c b/hw/vfio-user/pci.c
-index be71c77729..dfaa89498d 100644
---- a/hw/vfio-user/pci.c
-+++ b/hw/vfio-user/pci.c
-@@ -406,6 +406,8 @@ static const Property vfio_user_pci_dev_properties[] = {
- sub_vendor_id, PCI_ANY_ID),
- DEFINE_PROP_UINT32("x-pci-sub-device-id", VFIOPCIDevice,
- sub_device_id, PCI_ANY_ID),
-+ DEFINE_PROP_UINT32("x-pci-class-code", VFIOPCIDevice,
-+ class_code, PCI_ANY_ID),
- DEFINE_PROP_BOOL("x-send-queued", VFIOUserPCIDevice, send_queued, false),
- DEFINE_PROP_UINT32("x-msg-timeout", VFIOUserPCIDevice, wait_time, 5000),
- DEFINE_PROP_BOOL("x-no-posted-writes", VFIOUserPCIDevice, no_post, false),
diff --git a/debian/patches/extra/0009-e1000e-Prevent-crash-from-legacy-interrupt-firing-af.patch b/debian/patches/extra/0009-e1000e-Prevent-crash-from-legacy-interrupt-firing-af.patch
deleted file mode 100644
index 3fac459..0000000
--- a/debian/patches/extra/0009-e1000e-Prevent-crash-from-legacy-interrupt-firing-af.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Laurent Vivier <lvivier@redhat.com>
-Date: Thu, 7 Aug 2025 13:08:06 +0200
-Subject: [PATCH] e1000e: Prevent crash from legacy interrupt firing after
- MSI-X enable
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-A race condition between guest driver actions and QEMU timers can lead
-to an assertion failure when the guest switches the e1000e from legacy
-interrupt mode to MSI-X. If a legacy interrupt delay timer (TIDV or
-RDTR) is active, but the guest enables MSI-X before the timer fires,
-the pending interrupt cause can trigger an assert in
-e1000e_intmgr_collect_delayed_causes().
-
-This patch removes the assertion and executes the code that clears the
-pending legacy causes. This change is safe and introduces no unintended
-behavioral side effects, as it only alters a state that previously led
-to termination.
-
-- when core->delayed_causes == 0 the function was already a no-op and
- remains so.
-
-- when core->delayed_causes != 0 the function would previously
- crash due to the assertion failure. The patch now defines a safe
- outcome by clearing the cause and returning. Since behavior after
- the assertion never existed, this simply corrects the crash.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1863
-Suggested-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
-Signed-off-by: Laurent Vivier <lvivier@redhat.com>
-Acked-by: Jason Wang <jasowang@redhat.com>
-Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
-Message-ID: <20250807110806.409065-1-lvivier@redhat.com>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-(cherry picked from commit 8e4649cac9bcddc050d2df07908075e9e69bccc7)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/net/e1000e_core.c | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
-index 2413858790..06657bb3ac 100644
---- a/hw/net/e1000e_core.c
-+++ b/hw/net/e1000e_core.c
-@@ -341,11 +341,6 @@ e1000e_intmgr_collect_delayed_causes(E1000ECore *core)
- {
- uint32_t res;
-
-- if (msix_enabled(core->owner)) {
-- assert(core->delayed_causes == 0);
-- return 0;
-- }
--
- res = core->delayed_causes;
- core->delayed_causes = 0;
-
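Review bot: the removed patch turns a guest-reachable assert() into a plain clear, i.e. it closes a guest-triggerable abort of the QEMU process (a guest-to-host denial of service when the guest's e1000e driver switches to MSI-X while a TIDV/RDTR delay timer is armed); given that impact class, confirm 8e4649cac9bc is part of v10.1.2 before dropping the local copy, and say so in the commit message.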
diff --git a/debian/patches/extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch b/debian/patches/extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch
deleted file mode 100644
index cb9b095..0000000
--- a/debian/patches/extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Xiaoyao Li <xiaoyao.li@intel.com>
-Date: Wed, 30 Jul 2025 17:52:52 +0800
-Subject: [PATCH] i386/cpu: Enable SMM cpu address space under KVM
-
-Kirill Martynov reported assertation in cpu_asidx_from_attrs() being hit
-when x86_cpu_dump_state() is called to dump the CPU state[*]. It happens
-when the CPU is in SMM and KVM emulation failure due to misbehaving
-guest.
-
-The root cause is that QEMU i386 never enables the SMM address space for
-cpu since KVM SMM support has been added.
-
-Enable the SMM cpu address space under KVM when the SMM is enabled for
-the x86machine.
-
-[*] https://lore.kernel.org/qemu-devel/20250523154431.506993-1-stdcalllevi@yandex-team.ru/
-
-Reported-by: Kirill Martynov <stdcalllevi@yandex-team.ru>
-Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
-Tested-by: Kirill Martynov <stdcalllevi@yandex-team.ru>
-Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
-Link: https://lore.kernel.org/r/20250730095253.1833411-2-xiaoyao.li@intel.com
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 0516f4b70264b9710a25718d21bd35ef463c875e)
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- system/physmem.c | 5 -----
- target/i386/kvm/kvm-cpu.c | 10 ++++++++++
- target/i386/kvm/kvm.c | 5 +++++
- 3 files changed, 15 insertions(+), 5 deletions(-)
-
-diff --git a/system/physmem.c b/system/physmem.c
-index e5dd760e0b..8705fadc01 100644
---- a/system/physmem.c
-+++ b/system/physmem.c
-@@ -793,9 +793,6 @@ void cpu_address_space_init(CPUState *cpu, int asidx,
- cpu->as = as;
- }
-
-- /* KVM cannot currently support multiple address spaces. */
-- assert(asidx == 0 || !kvm_enabled());
--
- if (!cpu->cpu_ases) {
- cpu->cpu_ases = g_new0(CPUAddressSpace, cpu->num_ases);
- cpu->cpu_ases_count = cpu->num_ases;
-@@ -818,8 +815,6 @@ void cpu_address_space_destroy(CPUState *cpu, int asidx)
-
- assert(cpu->cpu_ases);
- assert(asidx >= 0 && asidx < cpu->num_ases);
-- /* KVM cannot currently support multiple address spaces. */
-- assert(asidx == 0 || !kvm_enabled());
-
- cpuas = &cpu->cpu_ases[asidx];
- if (tcg_enabled()) {
-diff --git a/target/i386/kvm/kvm-cpu.c b/target/i386/kvm/kvm-cpu.c
-index 89a7953659..1dc1ba9b48 100644
---- a/target/i386/kvm/kvm-cpu.c
-+++ b/target/i386/kvm/kvm-cpu.c
-@@ -13,6 +13,7 @@
- #include "qapi/error.h"
- #include "system/system.h"
- #include "hw/boards.h"
-+#include "hw/i386/x86.h"
-
- #include "kvm_i386.h"
- #include "accel/accel-cpu-target.h"
-@@ -91,6 +92,15 @@ static bool kvm_cpu_realizefn(CPUState *cs, Error **errp)
- kvm_set_guest_phys_bits(cs);
- }
-
-+ /*
-+ * When SMM is enabled, there is 2 address spaces. Otherwise only 1.
-+ *
-+ * Only initialize address space 0 here, the second one for SMM is
-+ * initialized at register_smram_listener() after machine init done.
-+ */
-+ cs->num_ases = x86_machine_is_smm_enabled(X86_MACHINE(current_machine)) ? 2 : 1;
-+ cpu_address_space_init(cs, 0, "cpu-memory", cs->memory);
-+
- return true;
- }
-
-diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
-index 369626f8c8..47fb5c673c 100644
---- a/target/i386/kvm/kvm.c
-+++ b/target/i386/kvm/kvm.c
-@@ -2704,6 +2704,7 @@ static MemoryRegion smram_as_mem;
-
- static void register_smram_listener(Notifier *n, void *unused)
- {
-+ CPUState *cpu;
- MemoryRegion *smram =
- (MemoryRegion *) object_resolve_path("/machine/smram", NULL);
-
-@@ -2728,6 +2729,10 @@ static void register_smram_listener(Notifier *n, void *unused)
- address_space_init(&smram_address_space, &smram_as_root, "KVM-SMRAM");
- kvm_memory_listener_register(kvm_state, &smram_listener,
- &smram_address_space, 1, "kvm-smram");
-+
-+ CPU_FOREACH(cpu) {
-+ cpu_address_space_init(cpu, 1, "cpu-smm", &smram_as_root);
-+ }
- }
-
- static void *kvm_msr_energy_thread(void *data)
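Review bot: dropping this local copy of "i386/cpu: Enable SMM cpu address space under KVM" is only correct if the commit named in its trailer, 0516f4b70264b9710a25718d21bd35ef463c875e, is actually contained in the v10.1.2 tag the submodule moves to; the commit message for this update says nothing beyond "10.1.2", so a `git -C qemu merge-base --is-ancestor 0516f4b7026 v10.1.2` check (or a sentence in the commit message listing which dropped extra/ patches were verified to be in the stable release) would make that reviewable. While checking, note that the removed patch itself sets `cs->num_ases` to 2 in kvm_cpu_realizefn but only initialises address space 0 there, and address space 1 is filled in by the `CPU_FOREACH` loop in register_smram_listener, which runs once at machine-init-done; a vCPU realised after that point would not be covered by the loop, so it is worth confirming that the version in 10.1.2 (or a follow-up there) handles hotplugged CPUs.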
diff --git a/debian/patches/extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch b/debian/patches/extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch
deleted file mode 100644
index 5238871..0000000
--- a/debian/patches/extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 23 Sep 2025 12:41:35 +0200
-Subject: [PATCH] target/i386: add compatibility property for arch_capabilities
-
-Prior to v10.1, if requested by user, arch-capabilities is always on
-despite the fact that CPUID advertises it to be off/unvailable.
-This causes a migration issue for VMs that are run on a machine
-without arch-capabilities and expect this feature to be present
-on the destination host with QEMU 10.1.
-
-Add a compatibility property to restore the legacy behavior for all
-machines with version prior to 10.1.
-
-Co-authored-by: Hector Cao <hector.cao@canonical.com>
-Signed-off-by: Hector Cao <hector.cao@canonical.com>
-Fixes: d3a24134e37 ("target/i386: do not expose ARCH_CAPABILITIES on AMD CPU", 2025-07-17)
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Link: https://lore.proxmox.com/20250923104136.133875-2-pbonzini@redhat.com
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/i386/pc.c | 1 +
- target/i386/cpu.c | 17 +++++++++++++++++
- target/i386/cpu.h | 6 ++++++
- target/i386/kvm/kvm.c | 6 +-----
- 4 files changed, 25 insertions(+), 5 deletions(-)
-
-diff --git a/hw/i386/pc.c b/hw/i386/pc.c
-index 2f58e73d33..2504365bc2 100644
---- a/hw/i386/pc.c
-+++ b/hw/i386/pc.c
-@@ -84,6 +84,7 @@
- GlobalProperty pc_compat_10_0[] = {
- { TYPE_X86_CPU, "x-consistent-cache", "false" },
- { TYPE_X86_CPU, "x-vendor-cpuid-only-v2", "false" },
-+ { TYPE_X86_CPU, "x-arch-cap-always-on", "true" },
- };
- const size_t pc_compat_10_0_len = G_N_ELEMENTS(pc_compat_10_0);
-
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index 6d85149e6e..fe369bb128 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -7539,6 +7539,20 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w)
- #endif
- break;
-
-+ case FEAT_7_0_EDX:
-+ /*
-+ * Windows does not like ARCH_CAPABILITIES on AMD machines at all.
-+ * Do not show the fake ARCH_CAPABILITIES MSR that KVM sets up,
-+ * except if needed for migration.
-+ *
-+ * When arch_cap_always_on is removed, this tweak can move to
-+ * kvm_arch_get_supported_cpuid.
-+ */
-+ if (cpu && IS_AMD_CPU(&cpu->env) && !cpu->arch_cap_always_on) {
-+ unavail = CPUID_7_0_EDX_ARCH_CAPABILITIES;
-+ }
-+ break;
-+
- default:
- break;
- }
-@@ -10004,6 +10018,9 @@ static const Property x86_cpu_properties[] = {
- true),
- DEFINE_PROP_BOOL("x-l1-cache-per-thread", X86CPU, l1_cache_per_core, true),
- DEFINE_PROP_BOOL("x-force-cpuid-0x1f", X86CPU, force_cpuid_0x1f, false),
-+
-+ DEFINE_PROP_BOOL("x-arch-cap-always-on", X86CPU,
-+ arch_cap_always_on, false),
- };
-
- #ifndef CONFIG_USER_ONLY
-diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index f977fc49a7..b966bc997c 100644
---- a/target/i386/cpu.h
-+++ b/target/i386/cpu.h
-@@ -2314,6 +2314,12 @@ struct ArchCPU {
- /* Forcefully disable KVM PV features not exposed in guest CPUIDs */
- bool kvm_pv_enforce_cpuid;
-
-+ /*
-+ * Expose arch-capabilities unconditionally even on AMD models, for backwards
-+ * compatibility with QEMU <10.1.
-+ */
-+ bool arch_cap_always_on;
-+
- /* Number of physical address bits supported */
- uint32_t phys_bits;
-
-diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
-index 47fb5c673c..a4e437bb5a 100644
---- a/target/i386/kvm/kvm.c
-+++ b/target/i386/kvm/kvm.c
-@@ -503,12 +503,8 @@ uint32_t kvm_arch_get_supported_cpuid(KVMState *s, uint32_t function,
- * Linux v4.17-v4.20 incorrectly return ARCH_CAPABILITIES on SVM hosts.
- * We can detect the bug by checking if MSR_IA32_ARCH_CAPABILITIES is
- * returned by KVM_GET_MSR_INDEX_LIST.
-- *
-- * But also, because Windows does not like ARCH_CAPABILITIES on AMD
-- * mcahines at all, do not show the fake ARCH_CAPABILITIES MSR that
-- * KVM sets up.
- */
-- if (!has_msr_arch_capabs || !(edx & CPUID_7_0_EDX_ARCH_CAPABILITIES)) {
-+ if (!has_msr_arch_capabs) {
- ret &= ~CPUID_7_0_EDX_ARCH_CAPABILITIES;
- }
- } else if (function == 7 && index == 1 && reg == R_EAX) {
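Review bot: unlike the SMM patch, this one carries no "(cherry picked from ...)" trailer, only a `Link:` to lore.proxmox.com, so the file being deleted was taken from a list submission rather than a merged upstream commit; before removing it, confirm that what landed in v10.1.2 still uses the exact property name `x-arch-cap-always-on` and the same `pc_compat_10_0` entry, because that string is what keeps guests on pre-10.1 machine types seeing ARCH_CAPABILITIES on AMD hosts, and a renamed or reworked property would change guest CPUID after the package update without any build-time error. The kvm.c hunk also silently changes the non-compat path (the `!(edx & CPUID_7_0_EDX_ARCH_CAPABILITIES)` condition is dropped and the AMD masking moves to x86_cpu_get_supported_feature_word), so the check should cover that the upstream version kept the same split.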
diff --git a/debian/patches/extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch b/debian/patches/extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch
deleted file mode 100644
index 5aea067..0000000
--- a/debian/patches/extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hector Cao <hector.cao@canonical.com>
-Date: Tue, 23 Sep 2025 12:41:36 +0200
-Subject: [PATCH] target/i386: add compatibility property for pdcm feature
-
-The pdcm feature is supposed to be disabled when PMU is not
-available. Up until v10.1, pdcm feature is enabled even when PMU
-is off. This behavior has been fixed but this change breaks the
-migration of VMs that are run with QEMU < 10.0 and expect the pdcm
-feature to be enabled on the destination host.
-
-This commit restores the legacy behavior for machines with version
-prior to 10.1 to allow the migration from older QEMU to QEMU 10.1.
-
-Signed-off-by: Hector Cao <hector.cao@canonical.com>
-Link: https://lore.kernel.org/r/20250910115733.21149-3-hector.cao@canonical.com
-Fixes: e68ec298090 ("i386/cpu: Move adjustment of CPUID_EXT_PDCM before feature_dependencies[] check", 2025-06-20)
-[Move property from migration object to CPU. - Paolo]
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Link: https://lore.proxmox.com/20250923104136.133875-3-pbonzini@redhat.com
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
----
- hw/i386/pc.c | 1 +
- target/i386/cpu.c | 15 ++++++++++++---
- target/i386/cpu.h | 6 ++++++
- 3 files changed, 19 insertions(+), 3 deletions(-)
-
-diff --git a/hw/i386/pc.c b/hw/i386/pc.c
-index 2504365bc2..0861e329b5 100644
---- a/hw/i386/pc.c
-+++ b/hw/i386/pc.c
-@@ -85,6 +85,7 @@ GlobalProperty pc_compat_10_0[] = {
- { TYPE_X86_CPU, "x-consistent-cache", "false" },
- { TYPE_X86_CPU, "x-vendor-cpuid-only-v2", "false" },
- { TYPE_X86_CPU, "x-arch-cap-always-on", "true" },
-+ { TYPE_X86_CPU, "x-pdcm-on-even-without-pmu", "true" },
- };
- const size_t pc_compat_10_0_len = G_N_ELEMENTS(pc_compat_10_0);
-
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index fe369bb128..ab18de894e 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -7908,6 +7908,11 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
- /* Fixup overflow: max value for bits 23-16 is 255. */
- *ebx |= MIN(num, 255) << 16;
- }
-+ if (cpu->pdcm_on_even_without_pmu) {
-+ if (!cpu->enable_pmu) {
-+ *ecx &= ~CPUID_EXT_PDCM;
-+ }
-+ }
- break;
- case 2: { /* cache info: needed for Pentium Pro compatibility */
- const CPUCaches *caches;
-@@ -8958,9 +8963,11 @@ void x86_cpu_expand_features(X86CPU *cpu, Error **errp)
- }
- }
-
-- /* PDCM is fixed1 bit for TDX */
-- if (!cpu->enable_pmu && !is_tdx_vm()) {
-- env->features[FEAT_1_ECX] &= ~CPUID_EXT_PDCM;
-+ if (!cpu->pdcm_on_even_without_pmu) {
-+ /* PDCM is fixed1 bit for TDX */
-+ if (!cpu->enable_pmu && !is_tdx_vm()) {
-+ env->features[FEAT_1_ECX] &= ~CPUID_EXT_PDCM;
-+ }
- }
-
- for (i = 0; i < ARRAY_SIZE(feature_dependencies); i++) {
-@@ -10021,6 +10028,8 @@ static const Property x86_cpu_properties[] = {
-
- DEFINE_PROP_BOOL("x-arch-cap-always-on", X86CPU,
- arch_cap_always_on, false),
-+ DEFINE_PROP_BOOL("x-pdcm-on-even-without-pmu", X86CPU,
-+ pdcm_on_even_without_pmu, false),
- };
-
- #ifndef CONFIG_USER_ONLY
-diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index b966bc997c..2187e61654 100644
---- a/target/i386/cpu.h
-+++ b/target/i386/cpu.h
-@@ -2320,6 +2320,12 @@ struct ArchCPU {
- */
- bool arch_cap_always_on;
-
-+ /*
-+ * Backwards compatibility with QEMU <10.1. The PDCM feature is now disabled when
-+ * PMU is not available, but prior to 10.1 it was enabled even if PMU is off.
-+ */
-+ bool pdcm_on_even_without_pmu;
-+
- /* Number of physical address bits supported */
- uint32_t phys_bits;
-
diff --git a/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch b/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
index c9010c6..cd2e07a 100644
--- a/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
+++ b/debian/patches/pve/0003-PVE-Config-set-the-CPU-model-to-kvm64-32-instead-of-.patch
@@ -10,10 +10,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index 2187e61654..da8497931f 100644
+index 42168f1d6d..4f63100453 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
-@@ -2625,9 +2625,9 @@ uint64_t cpu_get_tsc(CPUX86State *env);
+@@ -2630,9 +2630,9 @@ uint64_t cpu_get_tsc(CPUX86State *env);
#define CPU_RESOLVING_TYPE TYPE_X86_CPU
#ifdef TARGET_X86_64
diff --git a/debian/patches/pve/0004-PVE-Config-ui-spice-default-to-pve-certificates.patch b/debian/patches/pve/0004-PVE-Config-ui-spice-default-to-pve-certificates.patch
index 61719e7..8fe7b5d 100644
--- a/debian/patches/pve/0004-PVE-Config-ui-spice-default-to-pve-certificates.patch
+++ b/debian/patches/pve/0004-PVE-Config-ui-spice-default-to-pve-certificates.patch
@@ -9,10 +9,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/ui/spice-core.c b/ui/spice-core.c
-index 5992f9daec..cd1ec9c082 100644
+index 2645e96ef6..a8b34d3bf5 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
-@@ -698,32 +698,35 @@ static void qemu_spice_init(void)
+@@ -694,32 +694,35 @@ static void qemu_spice_init(void)
if (tls_port) {
x509_dir = qemu_opt_get(opts, "x509-dir");
diff --git a/debian/patches/pve/0015-PVE-qapi-modify-spice-query.patch b/debian/patches/pve/0015-PVE-qapi-modify-spice-query.patch
index 9ebf74c..02ec05b 100644
--- a/debian/patches/pve/0015-PVE-qapi-modify-spice-query.patch
+++ b/debian/patches/pve/0015-PVE-qapi-modify-spice-query.patch
@@ -33,10 +33,10 @@ index 1b2f4a4769..c9982e1bcc 100644
'if': 'CONFIG_SPICE' }
diff --git a/ui/spice-core.c b/ui/spice-core.c
-index cd1ec9c082..4064053778 100644
+index a8b34d3bf5..994079ec87 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
-@@ -556,6 +556,10 @@ static SpiceInfo *qmp_query_spice_real(Error **errp)
+@@ -554,6 +554,10 @@ static SpiceInfo *qmp_query_spice_real(Error **errp)
micro = SPICE_SERVER_VERSION & 0xff;
info->compiled_version = g_strdup_printf("%d.%d.%d", major, minor, micro);
diff --git a/debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch b/debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch
index 44f1b38..369f5ad 100644
--- a/debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch
+++ b/debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch
@@ -40,10 +40,10 @@ index a21d9a5411..1373612c10 100644
system_ss.add(files('block-ram-registrar.c'))
diff --git a/meson.build b/meson.build
-index 50c774a195..25eee758fc 100644
+index b7db736bbf..fe7b7a88fd 100644
--- a/meson.build
+++ b/meson.build
-@@ -2198,6 +2198,8 @@ endif
+@@ -2199,6 +2199,8 @@ endif
has_gettid = cc.has_function('gettid')
@@ -52,7 +52,7 @@ index 50c774a195..25eee758fc 100644
# libselinux
selinux = dependency('libselinux',
required: get_option('selinux'),
-@@ -4531,6 +4533,9 @@ if have_tools
+@@ -4532,6 +4534,9 @@ if have_tools
dependencies: [blockdev, qemuutil, selinux],
install: true)
diff --git a/debian/patches/pve/0030-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch b/debian/patches/pve/0030-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
index 7d375ef..3c0e64c 100644
--- a/debian/patches/pve/0030-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
+++ b/debian/patches/pve/0030-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch
@@ -266,10 +266,10 @@ index 2596cc2426..9dda91d65a 100644
void hmp_device_add(Monitor *mon, const QDict *qdict);
void hmp_device_del(Monitor *mon, const QDict *qdict);
diff --git a/meson.build b/meson.build
-index 25eee758fc..347197d2d7 100644
+index fe7b7a88fd..3bb206ce4d 100644
--- a/meson.build
+++ b/meson.build
-@@ -2199,6 +2199,7 @@ endif
+@@ -2200,6 +2200,7 @@ endif
has_gettid = cc.has_function('gettid')
libuuid = cc.find_library('uuid', required: true)
diff --git a/debian/patches/pve/0031-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch b/debian/patches/pve/0031-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
index ef8a531..2f63bd1 100644
--- a/debian/patches/pve/0031-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
+++ b/debian/patches/pve/0031-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
@@ -14,10 +14,10 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
create mode 100644 pbs-restore.c
diff --git a/meson.build b/meson.build
-index 347197d2d7..c1d9e46dd8 100644
+index 3bb206ce4d..9eba919450 100644
--- a/meson.build
+++ b/meson.build
-@@ -4537,6 +4537,10 @@ if have_tools
+@@ -4538,6 +4538,10 @@ if have_tools
vma = executable('vma', files('vma.c', 'vma-reader.c') + genh,
dependencies: [authz, block, crypto, io, qemuutil, qom], install: true)
diff --git a/debian/patches/pve/0032-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch b/debian/patches/pve/0032-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
index e218b53..41626ce 100644
--- a/debian/patches/pve/0032-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
+++ b/debian/patches/pve/0032-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch
@@ -348,10 +348,10 @@ index 0000000000..3e41421716
+
+block_init(bdrv_pbs_init);
diff --git a/meson.build b/meson.build
-index c1d9e46dd8..bb1bff44b8 100644
+index 9eba919450..4861b69412 100644
--- a/meson.build
+++ b/meson.build
-@@ -5010,7 +5010,7 @@ summary_info += {'Query Processing Library support': qpl}
+@@ -5011,7 +5011,7 @@ summary_info += {'Query Processing Library support': qpl}
summary_info += {'UADK Library support': uadk}
summary_info += {'qatzip support': qatzip}
summary_info += {'NUMA host support': numa}
diff --git a/debian/patches/pve/0033-PVE-redirect-stderr-to-journal-when-daemonized.patch b/debian/patches/pve/0033-PVE-redirect-stderr-to-journal-when-daemonized.patch
index 927215e..b007793 100644
--- a/debian/patches/pve/0033-PVE-redirect-stderr-to-journal-when-daemonized.patch
+++ b/debian/patches/pve/0033-PVE-redirect-stderr-to-journal-when-daemonized.patch
@@ -14,10 +14,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/meson.build b/meson.build
-index bb1bff44b8..6b85f32abe 100644
+index 4861b69412..7e1935d43f 100644
--- a/meson.build
+++ b/meson.build
-@@ -2199,6 +2199,7 @@ endif
+@@ -2200,6 +2200,7 @@ endif
has_gettid = cc.has_function('gettid')
libuuid = cc.find_library('uuid', required: true)
@@ -25,7 +25,7 @@ index bb1bff44b8..6b85f32abe 100644
libproxmox_backup_qemu = cc.find_library('proxmox_backup_qemu', required: true)
# libselinux
-@@ -3874,7 +3875,7 @@ if have_block
+@@ -3875,7 +3876,7 @@ if have_block
elif host_os == 'emscripten'
blockdev_ss.add(files('os-wasm.c'))
else
diff --git a/debian/patches/pve/0034-PVE-Migrate-dirty-bitmap-state-via-savevm.patch b/debian/patches/pve/0034-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
index 6a08ce2..c581f29 100644
--- a/debian/patches/pve/0034-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
+++ b/debian/patches/pve/0034-PVE-Migrate-dirty-bitmap-state-via-savevm.patch
@@ -58,7 +58,7 @@ index 409b748980..ca94e7e17b 100644
'savevm.c',
'savevm-async.c',
diff --git a/migration/migration.c b/migration/migration.c
-index 10c216d25d..b58cbdc2c0 100644
+index 32b8ce5613..60464d43c3 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -340,6 +340,7 @@ void migration_object_init(void)
diff --git a/debian/patches/pve/0047-savevm-async-reuse-migration-blocker-check-for-snaps.patch b/debian/patches/pve/0047-savevm-async-reuse-migration-blocker-check-for-snaps.patch
index eb21d75..a269f01 100644
--- a/debian/patches/pve/0047-savevm-async-reuse-migration-blocker-check-for-snaps.patch
+++ b/debian/patches/pve/0047-savevm-async-reuse-migration-blocker-check-for-snaps.patch
@@ -89,7 +89,7 @@ index a687ac0efe..f36bfb2df1 100644
* @migrate_add_blocker - prevent all modes of migration from proceeding
*
diff --git a/migration/migration.c b/migration/migration.c
-index b58cbdc2c0..594e253a8a 100644
+index 60464d43c3..998a7f87b8 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -2055,6 +2055,30 @@ bool migration_is_blocked(Error **errp)
diff --git a/debian/patches/series b/debian/patches/series
index ee5da2e..29c18ec 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,17 +1,8 @@
extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch
extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
-extra/0003-target-arm-Trap-PMCR-when-MDCR_EL2.TPMCR-is-set.patch
-extra/0004-qemu-atomic-Finish-renaming-atomic128-cas.h-headers.patch
-extra/0005-block-curl-fix-curl-internal-handles-handling.patch
-extra/0006-i386-tcg-svm-fix-incorrect-canonicalization.patch
-extra/0007-hw-vfio-user-add-x-pci-class-code.patch
-extra/0008-tcg-arm-Fix-tgen_deposit.patch
-extra/0009-e1000e-Prevent-crash-from-legacy-interrupt-firing-af.patch
-extra/0010-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch
-extra/0011-i386-cpu-Enable-SMM-cpu-address-space-under-KVM.patch
-extra/0012-target-i386-add-compatibility-property-for-arch_capa.patch
-extra/0013-target-i386-add-compatibility-property-for-pdcm-feat.patch
-extra/0014-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
+extra/0003-tcg-arm-Fix-tgen_deposit.patch
+extra/0004-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch
+extra/0005-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
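Review bot: renumbering the surviving extra/ patches (0008 to 0003, 0010 to 0004, 0014 to 0005) every time a stable bump drops a few of them turns simple deletions into renames and makes `git log --follow` on an individual backport harder to use; since the series file already defines the order, leaving the numbers sparse would keep the file names stable across stable updates. Also worth a sentence in the commit message: the three dropped patches ending in 0011, 0012 and 0013 are removed because they are in 10.1.2, while 0003 through 0007 and 0009 are dropped for the same reason, and that reasoning is currently only implied by the diff.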
diff --git a/qemu b/qemu
index f8b2f64..ccaea6b 160000
--- a/qemu
+++ b/qemu
@@ -1 +1 @@
-Subproject commit f8b2f64e2336a28bf0d50b6ef8a7d8c013e9bcf3
+Subproject commit ccaea6b2656ec6eab966585f7b16438208f98de7
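Review bot: the hunk shows only the bare submodule hash ccaea6b2656ec6eab966585f7b16438208f98de7, while the subject says "QEMU 10.1.2"; naming the tag in the commit message (and ideally the result of `git -C qemu describe --exact-match ccaea6b2656e`) would let a reviewer confirm the hash is the signed v10.1.2 tag commit rather than an arbitrary point on the stable branch.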
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [PATCH qemu 3/3] cherry pick fix for VFIO regression affecting v10.1
2025-10-21 11:23 [pve-devel] [PATCH-SERIES qemu 0/3] fix #6810 and other QEMU 10.1 stable fixes Fiona Ebner
2025-10-21 11:23 ` [pve-devel] [PATCH qemu 1/3] fix #6810: add patch to avoid deadlock upon TMF request cancelling with VirtIO Fiona Ebner
2025-10-21 11:23 ` [pve-devel] [PATCH qemu 2/3] update submodule and patches to QEMU 10.1.2 Fiona Ebner
@ 2025-10-21 11:23 ` Fiona Ebner
2025-10-21 16:29 ` [pve-devel] applied: [PATCH-SERIES qemu 0/3] fix #6810 and other QEMU 10.1 stable fixes Thomas Lamprecht
3 siblings, 0 replies; 5+ messages in thread
From: Fiona Ebner @ 2025-10-21 11:23 UTC (permalink / raw)
To: pve-devel
For more information, see the commit messages of the added patches and:
https://lore.kernel.org/qemu-devel/6519c5b0-46d2-4097-bb37-7a78f9087f68@redhat.com/
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
...-rename-field-to-num_initial_regions.patch | 245 ++++++++++++++++++
...region-info-cache-for-initial-region.patch | 75 ++++++
debian/patches/series | 2 +
3 files changed, 322 insertions(+)
create mode 100644 debian/patches/extra/0006-vfio-rename-field-to-num_initial_regions.patch
create mode 100644 debian/patches/extra/0007-vfio-only-check-region-info-cache-for-initial-region.patch
diff --git a/debian/patches/extra/0006-vfio-rename-field-to-num_initial_regions.patch b/debian/patches/extra/0006-vfio-rename-field-to-num_initial_regions.patch
new file mode 100644
index 0000000..3662f1d
--- /dev/null
+++ b/debian/patches/extra/0006-vfio-rename-field-to-num_initial_regions.patch
@@ -0,0 +1,245 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: John Levon <john.levon@nutanix.com>
+Date: Tue, 14 Oct 2025 17:12:26 +0200
+Subject: [PATCH] vfio: rename field to "num_initial_regions"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We set VFIODevice::num_regions at initialization time, and do not
+otherwise refresh it. As it is valid in theory for a VFIO device to
+later increase the number of supported regions, rename the field to
+"num_initial_regions" to better reflect its semantics.
+
+Signed-off-by: John Levon <john.levon@nutanix.com>
+Reviewed-by: Cédric Le Goater <clg@redhat.com>
+Reviewed-by: Alex Williamson <alex@shazbot.org>
+Link: https://lore.kernel.org/qemu-devel/20251014151227.2298892-2-john.levon@nutanix.com
+Signed-off-by: Cédric Le Goater <clg@redhat.com>
+(cherry picked from commit d5176a39405f0e0d20dff173e58255a7d5099411
+ from https://gitlab.com/legoater/qemu/-/tree/vfio-next)
+[FE: also rename in hw/vfio/platform.c and hw/core/sysbus-fdt.c
+ where affected code got dropped in master, but is still in v10.1]
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/core/sysbus-fdt.c | 14 +++++++-------
+ hw/vfio-user/device.c | 2 +-
+ hw/vfio/ccw.c | 4 ++--
+ hw/vfio/device.c | 12 ++++++------
+ hw/vfio/iommufd.c | 3 ++-
+ hw/vfio/pci.c | 4 ++--
+ hw/vfio/platform.c | 10 +++++-----
+ include/hw/vfio/vfio-device.h | 2 +-
+ 8 files changed, 26 insertions(+), 25 deletions(-)
+
+diff --git a/hw/core/sysbus-fdt.c b/hw/core/sysbus-fdt.c
+index c339a27875..1e1966813f 100644
+--- a/hw/core/sysbus-fdt.c
++++ b/hw/core/sysbus-fdt.c
+@@ -236,15 +236,15 @@ static int add_calxeda_midway_xgmac_fdt_node(SysBusDevice *sbdev, void *opaque)
+
+ qemu_fdt_setprop(fdt, nodename, "dma-coherent", "", 0);
+
+- reg_attr = g_new(uint32_t, vbasedev->num_regions * 2);
+- for (i = 0; i < vbasedev->num_regions; i++) {
++ reg_attr = g_new(uint32_t, vbasedev->num_initial_regions * 2);
++ for (i = 0; i < vbasedev->num_initial_regions; i++) {
+ mmio_base = platform_bus_get_mmio_addr(pbus, sbdev, i);
+ reg_attr[2 * i] = cpu_to_be32(mmio_base);
+ reg_attr[2 * i + 1] = cpu_to_be32(
+ memory_region_size(vdev->regions[i]->mem));
+ }
+ qemu_fdt_setprop(fdt, nodename, "reg", reg_attr,
+- vbasedev->num_regions * 2 * sizeof(uint32_t));
++ vbasedev->num_initial_regions * 2 * sizeof(uint32_t));
+
+ irq_attr = g_new(uint32_t, vbasedev->num_irqs * 3);
+ for (i = 0; i < vbasedev->num_irqs; i++) {
+@@ -330,7 +330,7 @@ static int add_amd_xgbe_fdt_node(SysBusDevice *sbdev, void *opaque)
+
+ g_free(dt_name);
+
+- if (vbasedev->num_regions != 5) {
++ if (vbasedev->num_initial_regions != 5) {
+ error_report("%s Does the host dt node combine XGBE/PHY?", __func__);
+ exit(1);
+ }
+@@ -374,15 +374,15 @@ static int add_amd_xgbe_fdt_node(SysBusDevice *sbdev, void *opaque)
+ guest_clock_phandles[0],
+ guest_clock_phandles[1]);
+
+- reg_attr = g_new(uint32_t, vbasedev->num_regions * 2);
+- for (i = 0; i < vbasedev->num_regions; i++) {
++ reg_attr = g_new(uint32_t, vbasedev->num_initial_regions * 2);
++ for (i = 0; i < vbasedev->num_initial_regions; i++) {
+ mmio_base = platform_bus_get_mmio_addr(pbus, sbdev, i);
+ reg_attr[2 * i] = cpu_to_be32(mmio_base);
+ reg_attr[2 * i + 1] = cpu_to_be32(
+ memory_region_size(vdev->regions[i]->mem));
+ }
+ qemu_fdt_setprop(guest_fdt, nodename, "reg", reg_attr,
+- vbasedev->num_regions * 2 * sizeof(uint32_t));
++ vbasedev->num_initial_regions * 2 * sizeof(uint32_t));
+
+ irq_attr = g_new(uint32_t, vbasedev->num_irqs * 3);
+ for (i = 0; i < vbasedev->num_irqs; i++) {
+diff --git a/hw/vfio-user/device.c b/hw/vfio-user/device.c
+index 0609a7dc25..64ef35b320 100644
+--- a/hw/vfio-user/device.c
++++ b/hw/vfio-user/device.c
+@@ -134,7 +134,7 @@ static int vfio_user_device_io_get_region_info(VFIODevice *vbasedev,
+ VFIOUserFDs fds = { 0, 1, fd};
+ int ret;
+
+- if (info->index > vbasedev->num_regions) {
++ if (info->index > vbasedev->num_initial_regions) {
+ return -EINVAL;
+ }
+
+diff --git a/hw/vfio/ccw.c b/hw/vfio/ccw.c
+index 9560b8d851..4d9588e7aa 100644
+--- a/hw/vfio/ccw.c
++++ b/hw/vfio/ccw.c
+@@ -484,9 +484,9 @@ static bool vfio_ccw_get_region(VFIOCCWDevice *vcdev, Error **errp)
+ * We always expect at least the I/O region to be present. We also
+ * may have a variable number of regions governed by capabilities.
+ */
+- if (vdev->num_regions < VFIO_CCW_CONFIG_REGION_INDEX + 1) {
++ if (vdev->num_initial_regions < VFIO_CCW_CONFIG_REGION_INDEX + 1) {
+ error_setg(errp, "vfio: too few regions (%u), expected at least %u",
+- vdev->num_regions, VFIO_CCW_CONFIG_REGION_INDEX + 1);
++ vdev->num_initial_regions, VFIO_CCW_CONFIG_REGION_INDEX + 1);
+ return false;
+ }
+
+diff --git a/hw/vfio/device.c b/hw/vfio/device.c
+index 52a1996dc4..0b459c0f7c 100644
+--- a/hw/vfio/device.c
++++ b/hw/vfio/device.c
+@@ -257,7 +257,7 @@ int vfio_device_get_region_info_type(VFIODevice *vbasedev, uint32_t type,
+ {
+ int i;
+
+- for (i = 0; i < vbasedev->num_regions; i++) {
++ for (i = 0; i < vbasedev->num_initial_regions; i++) {
+ struct vfio_info_cap_header *hdr;
+ struct vfio_region_info_cap_type *cap_type;
+
+@@ -466,7 +466,7 @@ void vfio_device_prepare(VFIODevice *vbasedev, VFIOContainerBase *bcontainer,
+ int i;
+
+ vbasedev->num_irqs = info->num_irqs;
+- vbasedev->num_regions = info->num_regions;
++ vbasedev->num_initial_regions = info->num_regions;
+ vbasedev->flags = info->flags;
+ vbasedev->reset_works = !!(info->flags & VFIO_DEVICE_FLAGS_RESET);
+
+@@ -476,10 +476,10 @@ void vfio_device_prepare(VFIODevice *vbasedev, VFIOContainerBase *bcontainer,
+ QLIST_INSERT_HEAD(&vfio_device_list, vbasedev, global_next);
+
+ vbasedev->reginfo = g_new0(struct vfio_region_info *,
+- vbasedev->num_regions);
++ vbasedev->num_initial_regions);
+ if (vbasedev->use_region_fds) {
+- vbasedev->region_fds = g_new0(int, vbasedev->num_regions);
+- for (i = 0; i < vbasedev->num_regions; i++) {
++ vbasedev->region_fds = g_new0(int, vbasedev->num_initial_regions);
++ for (i = 0; i < vbasedev->num_initial_regions; i++) {
+ vbasedev->region_fds[i] = -1;
+ }
+ }
+@@ -489,7 +489,7 @@ void vfio_device_unprepare(VFIODevice *vbasedev)
+ {
+ int i;
+
+- for (i = 0; i < vbasedev->num_regions; i++) {
++ for (i = 0; i < vbasedev->num_initial_regions; i++) {
+ g_free(vbasedev->reginfo[i]);
+ if (vbasedev->region_fds != NULL && vbasedev->region_fds[i] != -1) {
+ close(vbasedev->region_fds[i]);
+diff --git a/hw/vfio/iommufd.c b/hw/vfio/iommufd.c
+index 48c590b6a9..dbcd861b27 100644
+--- a/hw/vfio/iommufd.c
++++ b/hw/vfio/iommufd.c
+@@ -668,7 +668,8 @@ found_container:
+ vfio_iommufd_cpr_register_device(vbasedev);
+
+ trace_iommufd_cdev_device_info(vbasedev->name, devfd, vbasedev->num_irqs,
+- vbasedev->num_regions, vbasedev->flags);
++ vbasedev->num_initial_regions,
++ vbasedev->flags);
+ return true;
+
+ err_listener_register:
+diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
+index 07257d0fa0..1e69055c7c 100644
+--- a/hw/vfio/pci.c
++++ b/hw/vfio/pci.c
+@@ -2930,9 +2930,9 @@ bool vfio_pci_populate_device(VFIOPCIDevice *vdev, Error **errp)
+ return false;
+ }
+
+- if (vbasedev->num_regions < VFIO_PCI_CONFIG_REGION_INDEX + 1) {
++ if (vbasedev->num_initial_regions < VFIO_PCI_CONFIG_REGION_INDEX + 1) {
+ error_setg(errp, "unexpected number of io regions %u",
+- vbasedev->num_regions);
++ vbasedev->num_initial_regions);
+ return false;
+ }
+
+diff --git a/hw/vfio/platform.c b/hw/vfio/platform.c
+index 5c1795a26f..c9349ba7b7 100644
+--- a/hw/vfio/platform.c
++++ b/hw/vfio/platform.c
+@@ -148,7 +148,7 @@ static void vfio_mmap_set_enabled(VFIOPlatformDevice *vdev, bool enabled)
+ {
+ int i;
+
+- for (i = 0; i < vdev->vbasedev.num_regions; i++) {
++ for (i = 0; i < vdev->vbasedev.num_initial_regions; i++) {
+ vfio_region_mmaps_set_enabled(vdev->regions[i], enabled);
+ }
+ }
+@@ -453,9 +453,9 @@ static bool vfio_populate_device(VFIODevice *vbasedev, Error **errp)
+ return false;
+ }
+
+- vdev->regions = g_new0(VFIORegion *, vbasedev->num_regions);
++ vdev->regions = g_new0(VFIORegion *, vbasedev->num_initial_regions);
+
+- for (i = 0; i < vbasedev->num_regions; i++) {
++ for (i = 0; i < vbasedev->num_initial_regions; i++) {
+ char *name = g_strdup_printf("VFIO %s region %d\n", vbasedev->name, i);
+
+ vdev->regions[i] = g_new0(VFIORegion, 1);
+@@ -499,7 +499,7 @@ irq_err:
+ g_free(intp);
+ }
+ reg_error:
+- for (i = 0; i < vbasedev->num_regions; i++) {
++ for (i = 0; i < vbasedev->num_initial_regions; i++) {
+ if (vdev->regions[i]) {
+ vfio_region_finalize(vdev->regions[i]);
+ }
+@@ -608,7 +608,7 @@ static void vfio_platform_realize(DeviceState *dev, Error **errp)
+ }
+ }
+
+- for (i = 0; i < vbasedev->num_regions; i++) {
++ for (i = 0; i < vbasedev->num_initial_regions; i++) {
+ if (vfio_region_mmap(vdev->regions[i])) {
+ warn_report("%s mmap unsupported, performance may be slow",
+ memory_region_name(vdev->regions[i]->mem));
+diff --git a/include/hw/vfio/vfio-device.h b/include/hw/vfio/vfio-device.h
+index 6e4d5ccdac..10024730a1 100644
+--- a/include/hw/vfio/vfio-device.h
++++ b/include/hw/vfio/vfio-device.h
+@@ -74,7 +74,7 @@ typedef struct VFIODevice {
+ VFIODeviceOps *ops;
+ VFIODeviceIOOps *io_ops;
+ unsigned int num_irqs;
+- unsigned int num_regions;
++ unsigned int num_initial_regions;
+ unsigned int flags;
+ VFIOMigration *migration;
+ Error *migration_blocker;
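Review bot: the rename is mechanical, but the one non-loop site it touches keeps a suspicious comparison: hw/vfio-user/device.c now reads `if (info->index > vbasedev->num_initial_regions)` and so still lets `index == num_initial_regions` through while rejecting anything larger. Given the commit message's point that a device may legitimately grow beyond the initial count, rejecting only `> N` is arbitrary; either this should be `>=` (if vfio-user really does not support extra regions) or the check should be dropped or commented, otherwise the follow-up patch's `index < num_initial_regions` guard and this one encode two different ideas of what a valid index is. The "[FE: ...]" note about also renaming in hw/vfio/platform.c and hw/core/sysbus-fdt.c is the right thing to have in the backport trailer.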
diff --git a/debian/patches/extra/0007-vfio-only-check-region-info-cache-for-initial-region.patch b/debian/patches/extra/0007-vfio-only-check-region-info-cache-for-initial-region.patch
new file mode 100644
index 0000000..b239cb4
--- /dev/null
+++ b/debian/patches/extra/0007-vfio-only-check-region-info-cache-for-initial-region.patch
@@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: John Levon <john.levon@nutanix.com>
+Date: Tue, 14 Oct 2025 17:12:27 +0200
+Subject: [PATCH] vfio: only check region info cache for initial regions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It is semantically valid for a VFIO device to increase the number of
+regions after initialization. In this case, we'd attempt to check for
+cached region info past the size of the ->reginfo array. Check for the
+region index and skip the cache in these cases.
+
+This also works around some VGPU use cases which appear to be a bug,
+where VFIO_DEVICE_QUERY_GFX_PLANE returns a region index beyond the
+reported ->num_regions.
+
+Fixes: 95cdb024 ("vfio: add region info cache")
+Signed-off-by: John Levon <john.levon@nutanix.com>
+Reviewed-by: Cédric Le Goater <clg@redhat.com>
+Reviewed-by: Alex Williamson <alex@shazbot.org>
+Link: https://lore.kernel.org/qemu-devel/20251014151227.2298892-3-john.levon@nutanix.com
+Signed-off-by: Cédric Le Goater <clg@redhat.com>
+(cherry picked from commit 5bdcf2df64bf7e4be58524ef1442836b6d41282e
+ from https://gitlab.com/legoater/qemu/-/tree/vfio-next)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ hw/vfio/device.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/hw/vfio/device.c b/hw/vfio/device.c
+index 0b459c0f7c..7ebf41c95e 100644
+--- a/hw/vfio/device.c
++++ b/hw/vfio/device.c
+@@ -205,10 +205,19 @@ int vfio_device_get_region_info(VFIODevice *vbasedev, int index,
+ int fd = -1;
+ int ret;
+
+- /* check cache */
+- if (vbasedev->reginfo[index] != NULL) {
+- *info = vbasedev->reginfo[index];
+- return 0;
++ /*
++ * We only set up the region info cache for the initial number of regions.
++ *
++ * Since a VFIO device may later increase the number of regions then use
++ * such regions with an index past ->num_initial_regions, don't attempt to
++ * use the info cache in those cases.
++ */
++ if (index < vbasedev->num_initial_regions) {
++ /* check cache */
++ if (vbasedev->reginfo[index] != NULL) {
++ *info = vbasedev->reginfo[index];
++ return 0;
++ }
+ }
+
+ *info = g_malloc0(argsz);
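Review bot: the `index < vbasedev->num_initial_regions` guard is written out here and again at the cache-fill site of the same function; hoisting it into one local such as `bool cacheable = index < vbasedev->num_initial_regions;` placed before the `/* check cache */` block keeps the two branches from drifting apart. The new comment also reads more clearly as "may later increase the number of regions and then use regions with an index past ->num_initial_regions". Note that the guard's correctness rests on `reginfo` being allocated with exactly `num_initial_regions` entries, which the commit message states but the hunk does not show; a one-line comment at the allocation site would tie the two together.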
+@@ -236,10 +245,12 @@ retry:
+ goto retry;
+ }
+
+- /* fill cache */
+- vbasedev->reginfo[index] = *info;
+- if (vbasedev->region_fds != NULL) {
+- vbasedev->region_fds[index] = fd;
++ if (index < vbasedev->num_initial_regions) {
++ /* fill cache */
++ vbasedev->reginfo[index] = *info;
++ if (vbasedev->region_fds != NULL) {
++ vbasedev->region_fds[index] = fd;
++ }
+ }
+
+ return 0;
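Review bot: ownership of `*info` is now different on the two paths: when `index >= vbasedev->num_initial_regions`, the buffer from `*info = g_malloc0(argsz);` at the top of the function is returned without being stored in `reginfo`, so the caller owns it, whereas on the cached path the device does; callers cannot tell the two apart from the return value alone. Likewise `fd`, initialised to -1 and only recorded via `vbasedev->region_fds[index] = fd;` inside the guarded branch, is dropped on the non-cached path. Suggest stating the ownership rule in the function's header comment (or having callers free the info for non-initial regions) and closing `fd` when it is not recorded, if the retry path above obtained one.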
diff --git a/debian/patches/series b/debian/patches/series
index 29c18ec..900310a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,6 +3,8 @@ extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch
extra/0003-tcg-arm-Fix-tgen_deposit.patch
extra/0004-vfio-igd-Enable-quirks-when-IGD-is-not-the-primary-d.patch
extra/0005-hw-scsi-avoid-deadlock-upon-TMF-request-cancelling-w.patch
+extra/0006-vfio-rename-field-to-num_initial_regions.patch
+extra/0007-vfio-only-check-region-info-cache-for-initial-region.patch
bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] applied: [PATCH-SERIES qemu 0/3] fix #6810 and other QEMU 10.1 stable fixes
2025-10-21 11:23 [pve-devel] [PATCH-SERIES qemu 0/3] fix #6810 and other QEMU 10.1 stable fixes Fiona Ebner
` (2 preceding siblings ...)
2025-10-21 11:23 ` [pve-devel] [PATCH qemu 3/3] cherry pick fix for VFIO regression affecting v10.1 Fiona Ebner
@ 2025-10-21 16:29 ` Thomas Lamprecht
3 siblings, 0 replies; 5+ messages in thread
From: Thomas Lamprecht @ 2025-10-21 16:29 UTC (permalink / raw)
To: pve-devel, Fiona Ebner
On Tue, 21 Oct 2025 13:23:31 +0200, Fiona Ebner wrote:
> Fix bug #6810, which is a deadlock issue with SCSI request cancelling
> affecting (at least) FreeBSD.
>
> Update to the 10.1.2 QEMU stable release to pick up some TCG fixes and
> fix for a memory leak affecting vCPU hotunplug.
>
> Lastly, pick up fixes for a VFIO regression affecting the 10.1 QEMU
> release.
>
> [...]
Applied, thanks!
[1/3] fix #6810: add patch to avoid deadlock upon TMF request cancelling with VirtIO
commit: 005898a658a788d0aca7dd974d86d9f795a9a78c
[2/3] update submodule and patches to QEMU 10.1.2
commit: 535c923e9c512903461348f7e7f8f549b74f793c
[3/3] cherry pick fix for VFIO regression affecting v10.1
commit: 6bed5de4fe7490a19192849bbd13783e2c26d8a3