From: Fiona Ebner
To: pve-devel@lists.proxmox.com
Subject: [PATCH qemu v2 2/5] update submodule and patches to QEMU 11.0.2
Date: Mon, 29 Jun 2026 15:54:18 +0200
Message-ID: <20260629135438.172004-3-f.ebner@proxmox.com>
In-Reply-To: <20260629135438.172004-1-f.ebner@proxmox.com>
References: <20260629135438.172004-1-f.ebner@proxmox.com>
List-Id: Proxmox VE development discussion

Most notably, patches for fixing the deadlock between trim and drain with IDE/SATA have finally been applied upstream with the following two commits, so the stop-gap patch "ide: avoid potential deadlock when draining during trim" can be dropped:

6e5b03431b ide: Minimal fix for deadlock between TRIM and drain
5044ebfad8 ide: Clean up ide_trim_co_entry() to be idiomatic coroutine code

Drop patches that already landed upstream. Note that patch "block/export/fuse: fix regression when mmap()-ing export with MAP_SHARED" landed in a slightly different version upstream, so "block/export/fuse: fix regression with block device export or growable=off and O_TRUNC" needed a rebase.

Otherwise, there are some minor fixes in x86 and ARM emulation and migration code, fixes for rare edge cases in the block layer, memory check improvements in VNC.
Signed-off-by: Fiona Ebner --- Changes in v2: * update to 11.0.2 instead of 11.0.1 ...d-support-for-sync-bitmap-mode-never.patch | 6 +- ...-support-for-conditional-and-always-.patch | 2 +- ...-to-bdrv_dirty_bitmap_merge_internal.patch | 2 +- .../0006-mirror-move-some-checks-to-qmp.patch | 2 +- ...oid-idle-event-loop-being-accounted.patch} | 0 ...ial-deadlock-when-draining-during-tr.patch | 100 -------------- ...-fix-regression-with-block-device-e.patch} | 15 +-- ...k-to-bounce-buffer-if-BLKZEROOUT-is-.patch | 36 ----- ...fix-decoding-of-MOVBE-and-CRC32-in-1.patch | 84 ------------ ...-accidentally-autofree-existing-virg.patch | 59 -------- ...store-IRQ-polling-for-non-kernel-irq.patch | 47 ------- ...strList-leak-in-x86_cpu_get_unavaila.patch | 36 ----- ...-missing-PF_INSTR-in-SIGSEGV-context.patch | 43 ------ ...e_save_state_v-fix-double-error_setg.patch | 46 ------- ...e-fix-regression-when-mmap-ing-expor.patch | 94 ------------- ...issing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch | 48 ------- ...-use-after-free-of-cancelled-request.patch | 82 ----------- ...ar-tag-byte-when-processing-messages.patch | 40 ------ ...very-bitmask-with-modified-xAPIC-ids.patch | 63 --------- ...aio-bound-ioq_submit-recursion-depth.patch | 127 ------------------ ...reject-zero-DMA-page-size-capability.patch | 46 ------- ...-zero-migration-page-size-capability.patch | 44 ------ ...estrict-dma_map_file-to-shared-RAM-o.patch | 88 ------------ ...add-the-zeroinit-block-driver-filter.patch | 4 +- ...le-posix-make-locking-optiono-on-cre.patch | 6 +- ...VE-Backup-add-vma-backup-format-code.patch | 6 +- ...ckup-Proxmox-backup-patches-for-QEMU.patch | 6 +- ...estore-new-command-to-restore-from-p.patch | 4 +- ...k-driver-to-map-backup-archives-into.patch | 8 +- ...ct-stderr-to-journal-when-daemonized.patch | 6 +- ...igrate-dirty-bitmap-state-via-savevm.patch | 4 +- .../0037-block-add-alloc-track-driver.patch | 4 +- .../0038-PVE-backup-add-fleecing-option.patch | 2 +- 
...ment-backup-access-setup-and-teardow.patch | 2 +- ...se-migration-blocker-check-for-snaps.patch | 2 +- debian/patches/series | 21 +-- qemu | 2 +- 37 files changed, 43 insertions(+), 1144 deletions(-) rename debian/patches/extra/{0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch => 0002-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch} (100%) delete mode 100644 debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch rename debian/patches/extra/{0012-block-export-fuse-fix-regression-with-block-device-e.patch => 0003-block-export-fuse-fix-regression-with-block-device-e.patch} (71%) delete mode 100644 debian/patches/extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch delete mode 100644 debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch delete mode 100644 debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch delete mode 100644 debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch delete mode 100644 debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch delete mode 100644 debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch delete mode 100644 debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch delete mode 100644 debian/patches/extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch delete mode 100644 debian/patches/extra/0013-virtio-blk-add-missing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch delete mode 100644 debian/patches/extra/0014-lsi53c895a-fix-use-after-free-of-cancelled-request.patch delete mode 100644 debian/patches/extra/0015-lsi53c895a-clear-tag-byte-when-processing-messages.patch delete mode 100644 debian/patches/extra/0016-apic-fix-delivery-bitmask-with-modified-xAPIC-ids.patch delete mode 100644 debian/patches/extra/0017-block-linux-aio-bound-ioq_submit-recursion-depth.patch delete mode 
100644 debian/patches/extra/0018-vfio-user-reject-zero-DMA-page-size-capability.patch delete mode 100644 debian/patches/extra/0019-vfio-user-reject-zero-migration-page-size-capability.patch delete mode 100644 debian/patches/extra/0020-vfio-container-Restrict-dma_map_file-to-shared-RAM-o.patch diff --git a/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch b/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch index 8f196da9e2..0fb45d16e0 100644 --- a/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch +++ b/debian/patches/bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch @@ -38,7 +38,7 @@ Signed-off-by: Fiona Ebner 5 files changed, 135 insertions(+), 21 deletions(-) diff --git a/block/mirror.c b/block/mirror.c -index 2fcded9e93..f34b5fe733 100644 +index 089856f4a8..e6f645e0f2 100644 --- a/block/mirror.c +++ b/block/mirror.c @@ -74,6 +74,8 @@ typedef struct MirrorBlockJob { @@ -333,7 +333,7 @@ index e7c8f1a856..d5aa68caeb 100644 BlockdevOnError on_source_error, BlockdevOnError on_target_error, diff --git a/qapi/block-core.json b/qapi/block-core.json -index 508b081ac1..496118bdc7 100644 +index 0efd51787b..50a0af3569 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -2280,6 +2280,15 @@ @@ -390,7 +390,7 @@ index 508b081ac1..496118bdc7 100644 '*buf-size': 'int', '*on-source-error': 'BlockdevOnError', '*on-target-error': 'BlockdevOnError', diff --git a/tests/unit/test-block-iothread.c b/tests/unit/test-block-iothread.c -index e26b3be593..396a53a757 100644 +index 5273ff235a..7055d32686 100644 --- a/tests/unit/test-block-iothread.c +++ b/tests/unit/test-block-iothread.c @@ -755,8 +755,8 @@ static void test_propagate_mirror(void) 
diff --git a/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch b/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch index 2c030dc751..468bd94bc5 100644 --- a/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch +++ b/debian/patches/bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch @@ -24,7 +24,7 @@ Signed-off-by: Thomas Lamprecht 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/block/mirror.c b/block/mirror.c -index f34b5fe733..67d85799f4 100644 +index e6f645e0f2..414737045f 100644 --- a/block/mirror.c +++ b/block/mirror.c @@ -735,8 +735,6 @@ static int mirror_exit_common(Job *job) diff --git a/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch b/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch index faef2cc4b9..5215b95855 100644 --- a/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch +++ b/debian/patches/bitmap-mirror/0004-mirror-switch-to-bdrv_dirty_bitmap_merge_internal.patch @@ -16,7 +16,7 @@ Signed-off-by: Thomas Lamprecht 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/block/mirror.c b/block/mirror.c -index 67d85799f4..b88e8b4c51 100644 +index 414737045f..0f56ad1f54 100644 --- a/block/mirror.c +++ b/block/mirror.c @@ -856,8 +856,8 @@ static int mirror_exit_common(Job *job) diff --git a/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch b/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch index 9223eefaa5..98c3f7b93d 100644 --- a/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch +++ b/debian/patches/bitmap-mirror/0006-mirror-move-some-checks-to-qmp.patch @@ -21,7 +21,7 @@ Signed-off-by: Fiona Ebner 3 files changed, 70 insertions(+), 59 deletions(-) 
diff --git a/block/mirror.c b/block/mirror.c -index b88e8b4c51..1e143ccab1 100644 +index 0f56ad1f54..75563e6e75 100644 --- a/block/mirror.c +++ b/block/mirror.c @@ -1885,31 +1885,13 @@ static BlockJob *mirror_start_job( diff --git a/debian/patches/extra/0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch b/debian/patches/extra/0002-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch similarity index 100% rename from debian/patches/extra/0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch rename to debian/patches/extra/0002-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch diff --git a/debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch b/debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch deleted file mode 100644 index 04271fe4fe..0000000000 --- a/debian/patches/extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Fiona Ebner -Date: Tue, 7 Mar 2023 15:03:02 +0100 -Subject: [PATCH] ide: avoid potential deadlock when draining during trim -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The deadlock can happen as follows: -1. ide_issue_trim is called, and increments the in_flight counter. -2. ide_issue_trim_cb calls blk_aio_pdiscard. -3. Somebody else starts draining (e.g. backup to insert the cbw node). -4. ide_issue_trim_cb is called as the completion callback for - blk_aio_pdiscard. -5. ide_issue_trim_cb issues yet another blk_aio_pdiscard request. -6. The request is added to the wait queue via blk_wait_while_drained, - because draining has been started. -7. Nobody ever decrements the in_flight counter and draining can't - finish. This would be done by ide_trim_bh_cb, which is called after - ide_issue_trim_cb has issued its last request, but - ide_issue_trim_cb is not called anymore, because it's the - completion callback of blk_aio_pdiscard, which waits on draining. - -Quoting Hanna Czenczek: -> The point of 7e5cdb345f was that we need any in-flight count to -> accompany a set s->bus->dma->aiocb. While blk_aio_pdiscard() is -> happening, we don’t necessarily need another count. But we do need -> it while there is no blk_aio_pdiscard(). -> ide_issue_trim_cb() returns in two cases (and, recursively through -> its callers, leaves s->bus->dma->aiocb set): -> 1. After calling blk_aio_pdiscard(), which will keep an in-flight -> count, -> 2. After calling replay_bh_schedule_event() (i.e. -> qemu_bh_schedule()), which does not keep an in-flight count. - -Thus, even after moving the blk_inc_in_flight to above the -replay_bh_schedule_event call, the invariant "ide_issue_trim_cb -returns with an accompanying in-flight count" is still satisfied. 
- -However, the issue 7e5cdb345f fixed for canceling resurfaces, because -ide_cancel_dma_sync assumes that it just needs to drain once. But now -the in_flight count is not consistently > 0 during the trim operation. -So, change it to drain until !s->bus->dma->aiocb, which means that the -operation finished (s->bus->dma->aiocb is cleared by ide_set_inactive -via the ide_dma_cb when the end of the transfer is reached). - -Discussion here: -https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg02506.html - -Fixes: 7e5cdb345f ("ide: Increment BB in-flight counter for TRIM BH") -Suggested-by: Hanna Czenczek -Signed-off-by: Fiona Ebner ---- - hw/ide/core.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/hw/ide/core.c b/hw/ide/core.c -index 7a15d6cac9..db44d83f57 100644 ---- a/hw/ide/core.c -+++ b/hw/ide/core.c -@@ -456,7 +456,7 @@ static void ide_trim_bh_cb(void *opaque) - iocb->bh = NULL; - qemu_aio_unref(iocb); - -- /* Paired with an increment in ide_issue_trim() */ -+ /* Paired with an increment in ide_issue_trim_cb() */ - blk_dec_in_flight(blk); - } - -@@ -516,6 +516,8 @@ static void ide_issue_trim_cb(void *opaque, int ret) - done: - iocb->aiocb = NULL; - if (iocb->bh) { -+ /* Paired with a decrement in ide_trim_bh_cb() */ -+ blk_inc_in_flight(s->blk); - replay_bh_schedule_event(iocb->bh); - } - } -@@ -528,9 +530,6 @@ BlockAIOCB *ide_issue_trim( - IDEDevice *dev = s->unit ? s->bus->slave : s->bus->master; - TrimAIOCB *iocb; - -- /* Paired with a decrement in ide_trim_bh_cb() */ -- blk_inc_in_flight(s->blk); -- - iocb = blk_aio_get(&trim_aiocb_info, s->blk, cb, cb_opaque); - iocb->s = s; - iocb->bh = qemu_bh_new_guarded(ide_trim_bh_cb, iocb, -@@ -754,8 +753,9 @@ void ide_cancel_dma_sync(IDEState *s) - */ - if (s->bus->dma->aiocb) { - trace_ide_cancel_dma_sync_remaining(); -- blk_drain(s->blk); -- assert(s->bus->dma->aiocb == NULL); -+ while (s->bus->dma->aiocb) { -+ blk_drain(s->blk); -+ } - } - } - 
diff --git a/debian/patches/extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch b/debian/patches/extra/0003-block-export-fuse-fix-regression-with-block-device-e.patch similarity index 71% rename from debian/patches/extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch rename to debian/patches/extra/0003-block-export-fuse-fix-regression-with-block-device-e.patch index 121e5712cd..37999ac6d4 100644 --- a/debian/patches/extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch +++ b/debian/patches/extra/0003-block-export-fuse-fix-regression-with-block-device-e.patch @@ -17,20 +17,19 @@ growable=off and/or a block device based export for setting the flag. Signed-off-by: Fiona Ebner --- - block/export/fuse.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) + block/export/fuse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/block/export/fuse.c b/block/export/fuse.c -index ef381fd844..7a7386c904 100644 +index c0e8dfb643..8430c73293 100644 --- a/block/export/fuse.c +++ b/block/export/fuse.c -@@ -816,7 +816,8 @@ static ssize_t coroutine_fn GRAPH_RDLOCK +@@ -856,7 +856,7 @@ static ssize_t coroutine_fn GRAPH_RDLOCK fuse_co_init(FuseExport *exp, struct fuse_init_out *out, const struct fuse_init_in *in) { -- const uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO | FUSE_INIT_EXT; -+ const uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO -+ | FUSE_INIT_EXT | FUSE_ATOMIC_O_TRUNC; - const uint32_t supported_flags2 = (FUSE_DIRECT_IO_ALLOW_MMAP >> 32); +- uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO; ++ uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO | FUSE_ATOMIC_O_TRUNC; + uint32_t flags2 = 0; if (in->major != 7) { diff --git a/debian/patches/extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch b/debian/patches/extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch deleted file mode 100644 index 5d7020a11f..0000000000 
--- a/debian/patches/extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Fiona Ebner -Date: Mon, 5 Jan 2026 13:36:20 +0100 -Subject: [PATCH] block/io: fallback to bounce buffer if BLKZEROOUT is not - supported because of alignment - -Commit 5634622bcb ("file-posix: allow BLKZEROOUT with -t writeback") -enables the BLKZEROOUT ioctl when using 'writeback' cache, regressing -certain 'qemu-img convert' invocations, because of a pre-existing -issue. Namely, the BLKZEROOUT ioctl might fail with errno EINVAL when -the request is shorter than the block size of the block device. -Fallback to the bounce buffer, similar to when the ioctl is not -supported at all, rather than treating such an error as fatal. - -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3257 -Resolves: https://bugzilla.proxmox.com/show_bug.cgi?id=7197 -Cc: qemu-stable@nongnu.org -Signed-off-by: Fiona Ebner ---- - block/io.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/block/io.c b/block/io.c -index e8fb4ede4d..82e3383e8d 100644 ---- a/block/io.c -+++ b/block/io.c -@@ -1918,7 +1918,8 @@ bdrv_co_do_pwrite_zeroes(BlockDriverState *bs, int64_t offset, int64_t bytes, - assert(!bs->supported_zero_flags); - } - -- if (ret == -ENOTSUP && !(flags & BDRV_REQ_NO_FALLBACK)) { -+ if ((ret == -ENOTSUP || (ret == -EINVAL && num < alignment)) && -+ !(flags & BDRV_REQ_NO_FALLBACK)) { - /* Fall back to bounce buffer if write zeroes is unsupported */ - BdrvRequestFlags write_flags = flags & ~BDRV_REQ_ZERO_WRITE; - diff --git a/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch b/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch deleted file mode 100644 index 9874c26972..0000000000 --- a/debian/patches/extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Tue, 31 Mar 2026 08:32:23 +0200 -Subject: [PATCH] target/i386/tcg: fix decoding of MOVBE and CRC32 in 16-bit - mode - -Table A-4 of the SDM shows - - F0 F1 --------------------------------------------------------- - NP MOVBE Gy,My MOVBE My,Gy - 66 MOVBE Gw,Mw MOVBW Mw,Gw - F2 CRC32 Gd,Eb CRC32 Gd,Ey - 66+F2 CRC32 Gd,Eb CRC32 Gd,Ew - -However, this is incorrect. Both MOVBE and (for 0xF1) CRC32 -take Gv, Ev or Mv operands. In 16-bit mode therefore the -operand is of 16-bit size without prefix and 32-bit mode -with 0x66 (the data size override). - -For example, with NASM you get: - - bits 16 - 67 0F 38 F0 02 movbe ax, [edx] - 66 67 0F 38 F0 02 movbe eax, [edx] - - 67 F2 0F 38 F1 02 crc32 ax, word [edx] - 66 67 F2 0F 38 F1 02 crc32 eax, dword [edx] - -versus - - bits 32 - 66 0F 38 F0 02 movbe ax, [edx] - 0F 38 F0 02 movbe eax, [edx] - - 66 F2 0F 38 F1 02 crc32 eax, word [edx] - F2 0F 38 F1 02 crc32 eax, dword [edx] - -The instruction is listed correctly in the APX documentation -as "SCALABLE" (which means it has v-size operands). - -Cc: qemu-stable@nongnu.org -Reviewed-by: Richard Henderson -Signed-off-by: Paolo Bonzini -(cherry picked from commit 76ad26dd172d27aae9f1e76d1165b497167c36c2) -Signed-off-by: Fiona Ebner ---- - target/i386/tcg/decode-new.c.inc | 16 ++++++++++------ - 1 file changed, 10 insertions(+), 6 deletions(-) - -diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.c.inc -index bc105aab9e..c8b5bd6ad2 100644 ---- a/target/i386/tcg/decode-new.c.inc -+++ b/target/i386/tcg/decode-new.c.inc -@@ -875,19 +875,23 @@ static const X86OpEntry opcodes_0F38_00toEF[240] = { - - /* five rows for no prefix, 66, F3, F2, 66+F2 */ - static const X86OpEntry opcodes_0F38_F0toFF[16][5] = { -+ /* -+ * MOVBE and CRC32 are incorrectly listed as always doing 32-bit operation -+ * without prefix and 16-bit operation with 0x66. 
-+ */ - [0] = { -- X86_OP_ENTRYwr(MOVBE, G,y, M,y, cpuid(MOVBE)), -- X86_OP_ENTRYwr(MOVBE, G,w, M,w, cpuid(MOVBE)), -+ X86_OP_ENTRYwr(MOVBE, G,v, M,v, cpuid(MOVBE)), -+ X86_OP_ENTRYwr(MOVBE, G,v, M,v, cpuid(MOVBE)), - {}, - X86_OP_ENTRY2(CRC32, G,d, E,b, cpuid(SSE42)), - X86_OP_ENTRY2(CRC32, G,d, E,b, cpuid(SSE42)), - }, - [1] = { -- X86_OP_ENTRYwr(MOVBE, M,y, G,y, cpuid(MOVBE)), -- X86_OP_ENTRYwr(MOVBE, M,w, G,w, cpuid(MOVBE)), -+ X86_OP_ENTRYwr(MOVBE, M,v, G,v, cpuid(MOVBE)), -+ X86_OP_ENTRYwr(MOVBE, M,v, G,v, cpuid(MOVBE)), - {}, -- X86_OP_ENTRY2(CRC32, G,d, E,y, cpuid(SSE42)), -- X86_OP_ENTRY2(CRC32, G,d, E,w, cpuid(SSE42)), -+ X86_OP_ENTRY2(CRC32, G,d, E,v, cpuid(SSE42)), -+ X86_OP_ENTRY2(CRC32, G,d, E,v, cpuid(SSE42)), - }, - [2] = { - X86_OP_ENTRY3(ANDN, G,y, B,y, E,y, vex13 cpuid(BMI1)), diff --git a/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch b/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch deleted file mode 100644 index b8f224e9be..0000000000 --- a/debian/patches/extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Alex=20Benn=C3=A9e?= -Date: Fri, 17 Apr 2026 13:27:03 +0100 -Subject: [PATCH] hw/display: don't accidentally autofree existing virgl - resources -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -While sanity checking a create blob operation the use of the auto -freed res variable could lead to inadvertently freeing an existing -blob. - -Avoid this by in-lining the virtio_gpu_virgl_find_resource() check as -the value is not needed anyway. - -While at it add a comment to the end and use g_steal_pointer to make -it clearer the object lifetime exceeds the function bounds if we pass -all the checks. - -Fixes: CVE-2026-6502 -Fixes: 7c092f17cce (virtio-gpu: Handle resource blob commands) -Message-ID: 20260417094443.785462-1-alex.bennee@linaro.org -Reviewed-by: Manos Pitsidianakis -Cc: qemu-stable@nongnu.org -Message-ID: <20260417122703.845442-1-alex.bennee@linaro.org> -Signed-off-by: Alex Bennée -Reviewed-by: Dmitry Osipenko -(cherry picked from commit 30fad722ce68316d22b926ba0e6017f0440465df) -Signed-off-by: Fiona Ebner ---- - hw/display/virtio-gpu-virgl.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c -index b7a2d160dd..add85bd4e6 100644 ---- a/hw/display/virtio-gpu-virgl.c -+++ b/hw/display/virtio-gpu-virgl.c -@@ -830,8 +830,7 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g, - return; - } - -- res = virtio_gpu_virgl_find_resource(g, cblob.resource_id); -- if (res) { -+ if (virtio_gpu_virgl_find_resource(g, cblob.resource_id)) { - qemu_log_mask(LOG_GUEST_ERROR, "%s: resource already exists %d\n", - __func__, cblob.resource_id); - cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_RESOURCE_ID; -@@ -884,8 +883,9 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g, - - res->base.dmabuf_fd = info.fd; - -+ /* Now live, cleaned 
up in virtio_gpu_virgl_resource_unref */ - QTAILQ_INSERT_HEAD(&g->reslist, &res->base, next); -- res = NULL; -+ g_steal_pointer(&res); - } - - static void virgl_cmd_resource_map_blob(VirtIOGPU *g, diff --git a/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch b/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch deleted file mode 100644 index 88f899f85f..0000000000 --- a/debian/patches/extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: rickgcn -Date: Sat, 18 Apr 2026 14:14:29 +0800 -Subject: [PATCH] hw: i386: vapic: restore IRQ polling for non-kernel irqchip - backends - -69dfc078 extended vAPIC handling for WHPX with user-mode irqchip, but it -also changed vapic_write() case 4 in a way that excludes TCG from -apic_poll_irq(). - -Before that change, IRQ polling happened whenever no in-kernel irqchip -was active. After the change, it only happened for KVM or WHPX with a -user-mode irqchip. Under TCG, both kvm_enabled() and whpx_enabled() are -false, so the poll never happens. - -This regresses 32-bit Windows XP guests on a Windows host with --machine pc-i440fx-10.0,accel=tcg, causing a STOP 0x0000000A during boot. - -Fix it by making the decision depend on whether KVM or WHPX is using an -in-kernel irqchip, instead of whether either accelerator is enabled. - -Fixes: 69dfc078a6f0 ("hw: i386: vapic: enable on WHPX with user-mode irqchip") - -Signed-off-by: rickgcn -Link: https://lore.kernel.org/r/20260418061429.16898-1-rickgcn@gmail.com -Cc: qemu-stable@nongnu.org -Signed-off-by: Paolo Bonzini -(cherry picked from commit c906c2337058bd467e6ac0176c2966d1eeb6f8f5) -Signed-off-by: Fiona Ebner ---- - hw/i386/vapic.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/hw/i386/vapic.c b/hw/i386/vapic.c -index 41e5ca26df..1acb9f91b2 100644 ---- a/hw/i386/vapic.c -+++ b/hw/i386/vapic.c -@@ -716,8 +716,7 @@ static void vapic_write(void *opaque, hwaddr addr, uint64_t data, - break; - default: - case 4: -- if ((kvm_enabled() && !kvm_irqchip_in_kernel()) -- || (whpx_enabled() && !whpx_irqchip_in_kernel())) { -+ if (!kvm_irqchip_in_kernel() && !whpx_irqchip_in_kernel()) { - apic_poll_irq(cpu->apic_state); - } - break; 
diff --git a/debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch b/debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch deleted file mode 100644 index a9975bbb3b..0000000000 --- a/debian/patches/extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= -Date: Mon, 13 Apr 2026 16:50:40 +0400 -Subject: [PATCH] target/i386: fix strList leak in - x86_cpu_get_unavailable_features -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The result list built by x86_cpu_list_feature_names() was never freed -after being visited, causing a memory leak detected by ASan. -(the getter visitor is VISITOR_OUTPUT kind and doesn't own data) - -Fixes: 506174bf8219 ("i386: "unavailable-features" QOM property") -Signed-off-by: Marc-André Lureau -Link: https://lore.kernel.org/r/20260413125040.3842686-1-marcandre.lureau@redhat.com -Cc: qemu-stable@nongnu.org -Signed-off-by: Paolo Bonzini -(cherry picked from commit 87e1226e6f6844845ac407d50198d84205e7ed7f) -Signed-off-by: Fiona Ebner ---- - target/i386/cpu.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/target/i386/cpu.c b/target/i386/cpu.c -index c6fd1dc00e..9d126600c0 100644 ---- a/target/i386/cpu.c -+++ b/target/i386/cpu.c -@@ -7842,6 +7842,7 @@ static void x86_cpu_get_unavailable_features(Object *obj, Visitor *v, - - x86_cpu_list_feature_names(xc->filtered_features, &result); - visit_type_strList(v, "unavailable-features", &result, errp); -+ qapi_free_strList(result); - } - - /* Print all cpuid feature names in featureset diff --git a/debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch b/debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch deleted file mode 100644 index dfa3f4c20a..0000000000 
--- a/debian/patches/extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Simon Scherer -Date: Mon, 13 Apr 2026 13:56:22 +0200 -Subject: [PATCH] target/i386: fix missing PF_INSTR in SIGSEGV context - -When running linux-user emulation, the SIGSEGV handler does not -correctly set the 4th bit (PF_INSTR) in the error_code variable of -the context argument (context->uc_mcontext.gregs[REG_ERR]). - -Because this bit is never set, guest applications cannot distinguish -if a fault was due to missing executable permissions. This patch -ensures that when a page fault occurs during an instruction fetch, -the PF_INSTR flag is properly populated in the signal context. - -Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3384 -Signed-off-by: Simon Scherer -Link: https://lore.kernel.org/r/20260413115622.160212-1-scherer.simon89@gmail.com -Cc: qemu-stable@nongnu.org -Signed-off-by: Paolo Bonzini -(cherry picked from commit 3eae91a8b93a35f194a39ab5b894ae405def9270) -Signed-off-by: Fiona Ebner ---- - target/i386/tcg/user/excp_helper.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/target/i386/tcg/user/excp_helper.c b/target/i386/tcg/user/excp_helper.c -index 98fab4cbc3..6c5df5e0e8 100644 ---- a/target/i386/tcg/user/excp_helper.c -+++ b/target/i386/tcg/user/excp_helper.c -@@ -36,9 +36,10 @@ void x86_cpu_record_sigsegv(CPUState *cs, vaddr addr, - * signal and set exception_index to EXCP_INTERRUPT. - */ - env->cr[2] = addr; -- env->error_code = ((access_type == MMU_DATA_STORE) << PG_ERROR_W_BIT) -- | (maperr ? 0 : PG_ERROR_P_MASK) -- | PG_ERROR_U_MASK; -+ env->error_code = (maperr ? 0 : PG_ERROR_P_MASK) -+ | ((access_type == MMU_DATA_STORE) << PG_ERROR_W_BIT) -+ | PG_ERROR_U_MASK -+ | ((access_type == MMU_INST_FETCH) ? PG_ERROR_I_D_MASK : 0); - cs->exception_index = EXCP0E_PAGE; - - /* Disable do_interrupt_user. */ 
diff --git a/debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch b/debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch deleted file mode 100644 index a4faa8635c..0000000000 --- a/debian/patches/extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Vladimir Sementsov-Ogievskiy -Date: Thu, 5 Mar 2026 00:22:45 +0300 -Subject: [PATCH] migration: vmstate_save_state_v: fix double error_setg - -We may call error_setg twice on same errp if inner -vmstate_save_state_v() or vmstate_save_state() call fails. Next we will -crash on assertion in error_setv(). - -Fixes: 848a0503422d043 "migration: Update error description outside migration.c" -Signed-off-by: Vladimir Sementsov-Ogievskiy -Reviewed-by: Fabiano Rosas -Reviewed-by: Peter Xu -Link: https://lore.kernel.org/qemu-devel/20260304212303.667141-2-vsementsov@yandex-team.ru -Signed-off-by: Fabiano Rosas -(cherry picked from commit d41ce10d0f5a3d6e497e4b75807a8e675033c597) -Signed-off-by: Fiona Ebner ---- - migration/vmstate.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/migration/vmstate.c b/migration/vmstate.c -index 4d28364f7b..fccd030dfd 100644 ---- a/migration/vmstate.c -+++ b/migration/vmstate.c -@@ -539,6 +539,9 @@ int vmstate_save_state_v(QEMUFile *f, const VMStateDescription *vmsd, - } else { - ret = inner_field->info->put(f, curr_elem, size, - inner_field, vmdesc_loop); -+ if (ret < 0) { -+ error_setg(errp, "put failed"); -+ } - } - - written_bytes = qemu_file_transferred(f) - old_offset; -@@ -551,8 +554,8 @@ int vmstate_save_state_v(QEMUFile *f, const VMStateDescription *vmsd, - } - - if (ret) { -- error_setg(errp, "Save of field %s/%s failed", -- vmsd->name, field->name); -+ error_prepend(errp, "Save of field %s/%s failed: ", -+ vmsd->name, field->name); - if (vmsd->post_save) { - vmsd->post_save(opaque); - } diff --git a/debian/patches/extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch b/debian/patches/extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch deleted file mode 100644 index 71df0416de..0000000000 
--- a/debian/patches/extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Fiona Ebner -Date: Tue, 5 May 2026 13:04:29 +0200 -Subject: [PATCH] block/export/fuse: fix regression when mmap()-ing export with - MAP_SHARED - -The swtpm_setup binary will fail accessing a FUSE export from -qemu-storage-daemon since commit 8599559580 ("fuse: Set direct_io and -parallel_direct_writes"). It uses mmap() with MAP_SHARED, which fails -fails when direct IO is used, but the FUSE_DIRECT_IO_ALLOW_MMAP flag -is not. This is documented behavior [0]. Enable the flag if the kernel -supports it to fix the regression. - -The FUSE_INIT_EXT flag needs to be set to be able to use the flags2 -argument. - -This patch bumps the required minimal protocol version to 7.36 for -availablity of the FUSE_INIT_EXT flag, which is available since kernel -5.17. A proper upstream submission should try to avoid this. -Discussion upstream [1]. - -[0]: https://www.kernel.org/doc/html/next/filesystems/fuse/fuse-io.html -[1]: https://lore.kernel.org/qemu-devel/e86b82e4-a85d-46d2-bb8f-4e0f59e49a44@proxmox.com/ - -Fixes: 8599559580 ("fuse: Set direct_io and parallel_direct_writes") -Signed-off-by: Fiona Ebner ---- - block/export/fuse.c | 27 ++++++++------------------- - 1 file changed, 8 insertions(+), 19 deletions(-) - -diff --git a/block/export/fuse.c b/block/export/fuse.c -index a2a478d293..ef381fd844 100644 ---- a/block/export/fuse.c -+++ b/block/export/fuse.c -@@ -51,23 +51,11 @@ - #define FUSE_MAX_READ_BYTES (MIN(BDRV_REQUEST_MAX_BYTES, 1 * 1024 * 1024)) - #define FUSE_MAX_WRITE_BYTES (64 * 1024) - --/* -- * fuse_init_in structure before 7.36. We don't need the flags2 field added -- * there, so we can work with the smaller older structure to stay compatible -- * with older kernels. 
-- */ --struct fuse_init_in_compat { -- uint32_t major; -- uint32_t minor; -- uint32_t max_readahead; -- uint32_t flags; --}; -- - typedef struct FuseRequestInHeader { - struct fuse_in_header common; - /* All supported requests */ - union { -- struct fuse_init_in_compat init; -+ struct fuse_init_in init; - struct fuse_open_in open; - struct fuse_setattr_in setattr; - struct fuse_read_in read; -@@ -826,9 +814,10 @@ static bool is_regular_file(const char *path, Error **errp) - */ - static ssize_t coroutine_fn GRAPH_RDLOCK - fuse_co_init(FuseExport *exp, struct fuse_init_out *out, -- const struct fuse_init_in_compat *in) -+ const struct fuse_init_in *in) - { -- const uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO; -+ const uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO | FUSE_INIT_EXT; -+ const uint32_t supported_flags2 = (FUSE_DIRECT_IO_ALLOW_MMAP >> 32); - - if (in->major != 7) { - error_report("FUSE major version mismatch: We have 7, but kernel has %" -@@ -836,9 +825,9 @@ fuse_co_init(FuseExport *exp, struct fuse_init_out *out, - return -EINVAL; - } - -- /* 2007's 7.9 added fuse_attr.blksize; working around that would be hard */ -- if (in->minor < 9) { -- error_report("FUSE minor version too old: 9 required, but kernel has %" -+ /* Kernel 5.17's 7.36 protocol version added FUSE_INIT_EXT */ -+ if (in->minor < 36) { -+ error_report("FUSE minor version too old: 36 required, but kernel has %" - PRIu32, in->minor); - return -EINVAL; - } -@@ -849,7 +838,7 @@ fuse_co_init(FuseExport *exp, struct fuse_init_out *out, - .max_readahead = in->max_readahead, - .max_write = FUSE_MAX_WRITE_BYTES, - .flags = in->flags & supported_flags, -- .flags2 = 0, -+ .flags2 = in->flags2 & supported_flags2, - - /* libfuse maximum: 2^16 - 1 */ - .max_background = UINT16_MAX, 
diff --git a/debian/patches/extra/0013-virtio-blk-add-missing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch b/debian/patches/extra/0013-virtio-blk-add-missing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch deleted file mode 100644 index 7f00682227..0000000000 --- a/debian/patches/extra/0013-virtio-blk-add-missing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Tue, 26 May 2026 11:49:57 -0400 -Subject: [PATCH] virtio-blk: add missing VIRTIO_BLK_T_SCSI_CMD size check - (CVE-2026-48914) - -Check that the iovec containing struct virtio_scsi_inhdr is large enough -before storing an error value there. - -Feifan Qian pointed out that this can be used to -corrupt heap memory when the descriptor uses an MMIO address and a -length of 1, forcing QEMU to allocate a 1-byte heap bounce buffer. -virtio_stl_p() stores 4 bytes and therefore corrupts whatever is beyond -the bounce buffer. - -Fixes: CVE-2026-48914 -Fixes: f34e73cd69bd ("virtio-blk: report non-zero status when failing SG_IO requests") -Reported-by: Feifan Qian -Cc: Paolo Bonzini -Signed-off-by: Stefan Hajnoczi -(pick from: https://lore.kernel.org/qemu-devel/20260526154957.1741622-1-stefanha@redhat.com) -Signed-off-by: Fiona Ebner ---- - hw/block/virtio-blk.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c -index 9cb9f1fb2b..6b92066aff 100644 ---- a/hw/block/virtio-blk.c -+++ b/hw/block/virtio-blk.c -@@ -199,10 +199,16 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req) - - /* - * The scsi inhdr is placed in the second-to-last input segment, just -- * before the regular inhdr. -+ * before the regular inhdr. VIRTIO implementations normally do not rely on -+ * the precise message framing, but legacy implementations did and so we do -+ * too for the legacy virtio-blk SCSI request type. - * - * Just put anything nonzero so that the ioctl fails in the guest. - */ -+ if (elem->in_sg[elem->in_num - 2].iov_len != sizeof(*scsi)) { -+ status = VIRTIO_BLK_S_IOERR; -+ goto fail; -+ } - scsi = (void *)elem->in_sg[elem->in_num - 2].iov_base; - virtio_stl_p(vdev, &scsi->errors, 255); - status = VIRTIO_BLK_S_UNSUPP; 
diff --git a/debian/patches/extra/0014-lsi53c895a-fix-use-after-free-of-cancelled-request.patch b/debian/patches/extra/0014-lsi53c895a-fix-use-after-free-of-cancelled-request.patch deleted file mode 100644 index 3bf65cb920..0000000000 --- a/debian/patches/extra/0014-lsi53c895a-fix-use-after-free-of-cancelled-request.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Fri, 15 May 2026 11:01:00 +0200 -Subject: [PATCH] lsi53c895a: fix use-after-free of cancelled request - -When processing the Message Out phase, the lsi53c895a controller -can cancel a request and the continue by processing more messages. -When this happens, it is important that a cancelled request is not -processed further, because scsi_req_cancel can cause the request -to be freed. - -Right now this is happening in two cases, but not when cancelling -the entire queue of requests after an ABORT, CLEAR QUEUE or -BUS DEVICE RESET message. In that case, a subsequent ABORT TAG -message can use a dangling current_req. - -There are three possible fixes: - -- add a missing check inside the loop, clearing current_req - if p->req == current_req. This is obvious but complicates the - code inside the foreach loop. - -- change the conditional prior to the loop from "if (s->current)" - to "if (current_req)". This would work, because s->current != NULL - implies current_req != NULL, and would clear current_req correctly. - However it is less obvious because the point of the code - is to clear the entire queue, which consists of s->current - and s->queue; current_req is not special here. - -- delay the retrieval of current_req until an ABORT TAG message - is seen. This is the most correct option, because the SCSI - protocol only deals with tags; requests are a QEMU concept - that only makes sense for the purpose of calling into the - SCSI layer. 
- -Reported-by: Wei Che Kao -Cc: qemu-stable@nongnu.org -Signed-off-by: Paolo Bonzini -(cherry picked from commit 5297a0fc65317ba7f79ef44ce7a44e41d15fdb27) -Signed-off-by: Fiona Ebner ---- - hw/scsi/lsi53c895a.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c -index 54123f7757..0843d325ab 100644 ---- a/hw/scsi/lsi53c895a.c -+++ b/hw/scsi/lsi53c895a.c -@@ -1000,10 +1000,8 @@ static void lsi_do_msgout(LSIState *s) - - if (s->current) { - current_tag = s->current->tag; -- current_req = s->current; - } else { - current_tag = s->select_tag; -- current_req = lsi_find_by_tag(s, current_tag); - } - - trace_lsi_do_msgout(s->dbc); -@@ -1058,9 +1056,13 @@ static void lsi_do_msgout(LSIState *s) - case 0x0d: - /* The ABORT TAG message clears the current I/O process only. */ - trace_lsi_do_msgout_abort(current_tag); -+ if (s->current) { -+ current_req = s->current; -+ } else { -+ current_req = lsi_find_by_tag(s, current_tag); -+ } - if (current_req && current_req->req) { - scsi_req_cancel(current_req->req); -- current_req = NULL; - } - lsi_disconnect(s); - break; -@@ -1086,7 +1088,6 @@ static void lsi_do_msgout(LSIState *s) - /* clear the current I/O process */ - if (s->current) { - scsi_req_cancel(s->current->req); -- current_req = NULL; - } - - /* As the current implemented devices scsi_disk and scsi_generic diff --git a/debian/patches/extra/0015-lsi53c895a-clear-tag-byte-when-processing-messages.patch b/debian/patches/extra/0015-lsi53c895a-clear-tag-byte-when-processing-messages.patch deleted file mode 100644 index 2581b191f7..0000000000 --- a/debian/patches/extra/0015-lsi53c895a-clear-tag-byte-when-processing-messages.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Fri, 15 May 2026 11:08:28 +0200 -Subject: [PATCH] lsi53c895a: clear tag byte when processing messages - -Instead of simply ORing the message byte, clear what -was there before. - -Cc: qemu-stable@nongnu.org -Signed-off-by: Paolo Bonzini -(cherry picked from commit 4494dec8c2bfd8a5d9b1eabe4a26ab850a4f6700) -Signed-off-by: Fiona Ebner ---- - hw/scsi/lsi53c895a.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c -index 0843d325ab..1b7f02fc7c 100644 ---- a/hw/scsi/lsi53c895a.c -+++ b/hw/scsi/lsi53c895a.c -@@ -1041,16 +1041,19 @@ static void lsi_do_msgout(LSIState *s) - } - break; - case 0x20: /* SIMPLE queue */ -+ s->select_tag &= ~0xff; - s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID; - trace_lsi_do_msgout_simplequeue(s->select_tag & 0xff); - break; - case 0x21: /* HEAD of queue */ - qemu_log_mask(LOG_UNIMP, "lsi_scsi: HEAD queue not implemented\n"); -+ s->select_tag &= ~0xff; - s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID; - break; - case 0x22: /* ORDERED queue */ - qemu_log_mask(LOG_UNIMP, - "lsi_scsi: ORDERED queue not implemented\n"); -+ s->select_tag &= ~0xff; - s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID; - break; - case 0x0d: diff --git a/debian/patches/extra/0016-apic-fix-delivery-bitmask-with-modified-xAPIC-ids.patch b/debian/patches/extra/0016-apic-fix-delivery-bitmask-with-modified-xAPIC-ids.patch deleted file mode 100644 index 14d0cc9f84..0000000000 --- a/debian/patches/extra/0016-apic-fix-delivery-bitmask-with-modified-xAPIC-ids.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Fri, 15 May 2026 12:10:22 +0200 -Subject: [PATCH] apic: fix delivery bitmask with modified xAPIC ids - -Self-IPIs (or all-but-self IPIs) in QEMU can cause a out-of-bounds access -to deliver_bitmask, because the access uses the APIC ID register which -is writable by the guest. However, foreach_apic uses the delivery -bitmask indexes to look up the local_apics[] array, which is indexed -by *initial* APIC id. Using the right id fixes both a possible heap -write overflow if the modified APIC id is too large for max_apic_words, -and a mis-delivery of both self and all-but-self IPIs. - -Reported-by: Wei Che Kao -Cc: qemu-stable@nongnu.org -Signed-off-by: Paolo Bonzini -(cherry picked from commit 153dc2fa7bbe0491290d22c4bbb6807074f24260) -Signed-off-by: Fiona Ebner ---- - hw/intc/apic.c | 17 ++++++++--------- - 1 file changed, 8 insertions(+), 9 deletions(-) - -diff --git a/hw/intc/apic.c b/hw/intc/apic.c -index 8766ed00b9..ced7df49bd 100644 ---- a/hw/intc/apic.c -+++ b/hw/intc/apic.c -@@ -648,13 +648,6 @@ static void apic_deliver(APICCommonState *s, uint32_t dest, uint8_t dest_mode, - APICCommonState *apic_iter; - uint32_t deliver_bitmask_size = max_apic_words * sizeof(uint32_t); - g_autofree uint32_t *deliver_bitmask = g_new(uint32_t, max_apic_words); -- uint32_t current_apic_id; -- -- if (is_x2apic_mode(s)) { -- current_apic_id = s->initial_apic_id; -- } else { -- current_apic_id = s->id; -- } - - switch (dest_shorthand) { - case 0: -@@ -662,14 +655,20 @@ static void apic_deliver(APICCommonState *s, uint32_t dest, uint8_t dest_mode, - break; - case 1: - memset(deliver_bitmask, 0x00, deliver_bitmask_size); -- apic_set_bit(deliver_bitmask, current_apic_id); -+ /* -+ * The self and all-but-self cases do not use apic_match_dest() and -+ * directly fill in deliver_bitmask; the bitmask's indexes in turn -+ * map to local_apics[] slots which are never changed 
even if the -+ * xAPIC id is modified. So use s->initial_apic_id instead of s->id. -+ */ -+ apic_set_bit(deliver_bitmask, s->initial_apic_id); - break; - case 2: - memset(deliver_bitmask, 0xff, deliver_bitmask_size); - break; - case 3: - memset(deliver_bitmask, 0xff, deliver_bitmask_size); -- apic_reset_bit(deliver_bitmask, current_apic_id); -+ apic_reset_bit(deliver_bitmask, s->initial_apic_id); - break; - } - diff --git a/debian/patches/extra/0017-block-linux-aio-bound-ioq_submit-recursion-depth.patch b/debian/patches/extra/0017-block-linux-aio-bound-ioq_submit-recursion-depth.patch deleted file mode 100644 index a3810615c2..0000000000 --- a/debian/patches/extra/0017-block-linux-aio-bound-ioq_submit-recursion-depth.patch +++ /dev/null 
@@ -1,127 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: "Denis V. Lunev" -Date: Wed, 20 May 2026 16:25:03 +0200 -Subject: [PATCH] block/linux-aio: bound ioq_submit() recursion depth - -qemu_laio_process_completions() wraps its body in defer_call_begin / -defer_call_end. Inside the section, completion callbacks wake coroutines -that queue new aiocbs; laio_do_submit() defers laio_deferred_fn. At the -bottom of qemu_laio_process_completions() the defer_call_end() fires -laio_deferred_fn, which calls ioq_submit(), closing the cycle: - - ioq_submit - -> io_submit(2) // some sync completions - -> qemu_laio_process_completions // defer_call_begin - -> aio_co_wake // resumes coroutine - -> laio_do_submit - -> defer_call(laio_deferred_fn, s) // enqueued - -> defer_call_end // nesting drops to 0 - -> laio_deferred_fn - -> ioq_submit // +1 stack frame, loop - -When io_submit(2) returns asynchronously (O_DIRECT) the cycle -terminates in one extra frame: the fresh aiocb is still in flight, no -completion is drained, no coroutine wakes, no new submission queues. -When submissions complete synchronously (non-O_DIRECT, or per-descriptor -drivers such as vmdk) each level enqueues more work for the next -defer_call_end() to drain, so recursion grows without bound and QEMU -crashes with SIGSEGV on the thread guard page. - -The cycle was closed by two performance commits, each correct in -isolation: - - 076682885d ("block/linux-aio: convert to blk_io_plug_call() API") - -- introduced laio_deferred_fn and wired - laio_do_submit -> defer_call(laio_deferred_fn, s). - - 84d61e5f36 ("virtio: use defer_call() in virtio_irqfd_notify()") - -- added defer_call_begin/end around qemu_laio_process_completions - so virtio-irqfd notifications batch across a completion pass. - -The supported aio=native + cache=none pairing keeps submissions -asynchronous, so the cycle stays bounded; nothing in the code enforces -that contract. 
Observed in production as a SIGSEGV during a backup job -configured with --cached + aio=native; reproducible on upstream with -qemu-io against vmdk. - -Cap ioq_submit() recursion with a counter on LaioQueue, which is only -accessed from the AioContext home thread. On overflow, return without -submitting. The pending work is drained by s->completion_bh, which -qemu_laio_process_completions() has already scheduled on entry -- no -work is lost; one event-loop round-trip of latency is paid only when -the bound is hit, which cannot happen on a supported configuration. - -Signed-off-by: Denis V. Lunev -CC: Kevin Wolf -CC: Hanna Reitz -CC: Stefan Hajnoczi -CC: Paolo Bonzini -Message-ID: <20260520142503.251959-2-den@openvz.org> -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit 6864bec553b2e37699739615e604fc3c7bae0e1d) -Signed-off-by: Fiona Ebner ---- - block/linux-aio.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/block/linux-aio.c b/block/linux-aio.c -index 0a7424fbb3..5aaf2e8514 100644 ---- a/block/linux-aio.c -+++ b/block/linux-aio.c -@@ -36,6 +36,19 @@ - /* Maximum number of requests in a batch. (default value) */ - #define DEFAULT_MAX_BATCH 32 - -+/* -+ * Bound on how deep ioq_submit() may recurse on a single LaioQueue via the -+ * ioq_submit -> qemu_laio_process_completions -> defer_call_end -> -+ * laio_deferred_fn -> ioq_submit cycle. The cycle terminates naturally -+ * when io_submit(2) returns asynchronously (O_DIRECT), but can grow -+ * without bound when submissions complete synchronously. On overflow -+ * the caller returns without submitting; the outermost -+ * qemu_laio_process_completions() has already scheduled s->completion_bh -+ * (via qemu_bh_schedule() at the top of that function), which resumes -+ * submission from the next event-loop dispatch. 
-+ */ -+#define IOQ_SUBMIT_MAX_DEPTH 8 -+ - struct qemu_laiocb { - Coroutine *co; - LinuxAioState *ctx; -@@ -61,6 +74,7 @@ typedef struct { - unsigned int in_queue; - unsigned int in_flight; - bool blocked; -+ unsigned int submit_depth; - QSIMPLEQ_HEAD(, qemu_laiocb) pending; - } LaioQueue; - -@@ -331,6 +345,7 @@ static void ioq_init(LaioQueue *io_q) - io_q->in_queue = 0; - io_q->in_flight = 0; - io_q->blocked = false; -+ io_q->submit_depth = 0; - } - - static void ioq_submit(LinuxAioState *s) -@@ -340,6 +355,11 @@ static void ioq_submit(LinuxAioState *s) - QEMU_UNINITIALIZED struct iocb *iocbs[MAX_EVENTS]; - QSIMPLEQ_HEAD(, qemu_laiocb) completed; - -+ if (s->io_q.submit_depth >= IOQ_SUBMIT_MAX_DEPTH) { -+ return; -+ } -+ s->io_q.submit_depth++; -+ - do { - if (s->io_q.in_flight >= MAX_EVENTS) { - break; -@@ -385,6 +405,8 @@ static void ioq_submit(LinuxAioState *s) - * pended requests will be submitted from there. - */ - } -+ -+ s->io_q.submit_depth--; - } - - static uint64_t laio_max_batch(LinuxAioState *s, uint64_t dev_max_batch) diff --git a/debian/patches/extra/0018-vfio-user-reject-zero-DMA-page-size-capability.patch b/debian/patches/extra/0018-vfio-user-reject-zero-DMA-page-size-capability.patch deleted file mode 100644 index 913e22e486..0000000000 --- a/debian/patches/extra/0018-vfio-user-reject-zero-DMA-page-size-capability.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: GuoHan Zhao -Date: Fri, 22 May 2026 16:13:05 +0800 -Subject: [PATCH] vfio-user: reject zero DMA page size capability -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -check_pgsizes() validates that no page-size bits smaller than -VFIO_USER_DEF_PGSIZE are set, but it still accepts pgsizes=0. This lets a -malformed server overwrite the default page-size mask with zero. - -Later vfio_user_setup() asserts that proxy->dma_pgsizes is non-zero, so device -realization aborts instead of reporting a version capability error. Reject a -zero DMA page-size mask during version capability parsing. - -Fixes: 36227628d824 (vfio-user: implement message send infrastructure) -Signed-off-by: GuoHan Zhao -Reviewed-by: John Levon -Link: https://lore.kernel.org/qemu-devel/20260522081306.4186242-1-zhaoguohan@kylinos.cn -Signed-off-by: Cédric Le Goater -(cherry picked from commit ab89d02dac6f0f53e35a689f01099602aa2de816) -Signed-off-by: Fiona Ebner ---- - hw/vfio-user/proxy.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/hw/vfio-user/proxy.c b/hw/vfio-user/proxy.c -index 314dfd23d8..3fe5b0138b 100644 ---- a/hw/vfio-user/proxy.c -+++ b/hw/vfio-user/proxy.c -@@ -1155,9 +1155,11 @@ static bool check_pgsizes(VFIOUserProxy *proxy, QObject *qobj, Error **errp) - return false; - } - -- /* must be larger than default */ -- if (pgsizes & (VFIO_USER_DEF_PGSIZE - 1)) { -- error_setg(errp, "pgsize 0x%"PRIx64" too small", pgsizes); -+ /* must not be zero or smaller than default */ -+ if (pgsizes < VFIO_USER_DEF_PGSIZE || -+ (pgsizes & (VFIO_USER_DEF_PGSIZE - 1))) { -+ error_setg(errp, "%s 0x%"PRIx64" too small", -+ VFIO_USER_CAP_PGSIZES, pgsizes); - return false; - } - 
diff --git a/debian/patches/extra/0019-vfio-user-reject-zero-migration-page-size-capability.patch b/debian/patches/extra/0019-vfio-user-reject-zero-migration-page-size-capability.patch deleted file mode 100644 index 26c0bc433d..0000000000 --- a/debian/patches/extra/0019-vfio-user-reject-zero-migration-page-size-capability.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: GuoHan Zhao -Date: Fri, 22 May 2026 16:13:06 +0800 -Subject: [PATCH] vfio-user: reject zero migration page size capability -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -check_migr_pgsize() validates that no page-size bits smaller than -VFIO_USER_DEF_PGSIZE are set, but it still accepts pgsize=0. This can replace -the default migration page size with an unusable value. - -Reject a zero migration page size during version capability parsing, matching -the lower-bound check used for the DMA page-size capability. - -Fixes: 36227628d824 (vfio-user: implement message send infrastructure) -Signed-off-by: GuoHan Zhao -Link: https://lore.kernel.org/qemu-devel/20260522081306.4186242-2-zhaoguohan@kylinos.cn -Signed-off-by: Cédric Le Goater -(cherry picked from commit 497b5c5b05ac2be00ae16c723e2445ebbc486cb2) -Signed-off-by: Fiona Ebner ---- - hw/vfio-user/proxy.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/hw/vfio-user/proxy.c b/hw/vfio-user/proxy.c -index 3fe5b0138b..3167d27b03 100644 ---- a/hw/vfio-user/proxy.c -+++ b/hw/vfio-user/proxy.c -@@ -1081,9 +1081,11 @@ static bool check_migr_pgsize(VFIOUserProxy *proxy, QObject *qobj, Error **errp) - return false; - } - -- /* must be larger than default */ -- if (pgsize & (VFIO_USER_DEF_PGSIZE - 1)) { -- error_setg(errp, "pgsize 0x%"PRIx64" too small", pgsize); -+ /* must not be zero or smaller than default */ -+ if (pgsize < VFIO_USER_DEF_PGSIZE || -+ (pgsize & (VFIO_USER_DEF_PGSIZE - 1))) { -+ error_setg(errp, "%s 0x%"PRIx64" too small", -+ VFIO_USER_CAP_PGSIZE, pgsize); - return false; - } - diff --git a/debian/patches/extra/0020-vfio-container-Restrict-dma_map_file-to-shared-RAM-o.patch b/debian/patches/extra/0020-vfio-container-Restrict-dma_map_file-to-shared-RAM-o.patch deleted file mode 100644 index a385072bcf..0000000000 
--- a/debian/patches/extra/0020-vfio-container-Restrict-dma_map_file-to-shared-RAM-o.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Chenyi Qiang -Date: Wed, 27 May 2026 18:11:08 +0800 -Subject: [PATCH] vfio/container: Restrict dma_map_file() to shared RAM or RAM - devices -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -vfio_container_dma_map() uses dma_map_file() whenever a RAMBlock has an -fd and the VFIO IOMMU backend supports file-based DMA mapping. That is -not correct for private file-backed guest RAM. - -dma_map_file() resolves PFNs from the backing file, but private guest -RAM mappings (MAP_PRIVATE) can run on different PFNs than the file -because they are subject to copy-on-write (COW) anomalies. As a result, -using dma_map_file() on a privately mapped RAMBlock can program DMA -against pages that do not back QEMU's actual guest memory. - -Fix this by using dma_map_file() only for shared mapped RAMBlocks -(MAP_SHARED) or RAM device regions. - -Fixes: fb32965b6dd8 ("vfio/iommufd: use IOMMU_IOAS_MAP_FILE") -Reported-by: Farrah Chen -Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220776 -Reviewed-by: Zhenzhong Duan -Suggested-by: Cédric Le Goater -Signed-off-by: Chenyi Qiang -Link: https://lore.kernel.org/qemu-devel/20260527101109.71781-1-chenyi.qiang@intel.com -Reviewed-by: Cédric Le Goater -Signed-off-by: Cédric Le Goater -(cherry picked from commit e6c47bebdf8628e635e1ba970919ca96d572dbbe) -Signed-off-by: Fiona Ebner ---- - hw/vfio/container.c | 34 +++++++++++++++++++++++++++++++--- - 1 file changed, 31 insertions(+), 3 deletions(-) - -diff --git a/hw/vfio/container.c b/hw/vfio/container.c -index 4c2816b574..56bd9ac009 100644 ---- a/hw/vfio/container.c -+++ b/hw/vfio/container.c -@@ -74,15 +74,43 @@ void vfio_address_space_insert(VFIOAddressSpace *space, - bcontainer->space = space; - } - -+static bool vfio_container_can_dma_map_file(VFIOContainer *bcontainer, -+ MemoryRegion *mr, int *fd) -+{ -+ VFIOIOMMUClass *vioc = 
VFIO_IOMMU_GET_CLASS(bcontainer); -+ RAMBlock *rb = mr->ram_block; -+ -+ if (!vioc->dma_map_file || !rb) { -+ return false; -+ } -+ -+ *fd = qemu_ram_get_fd(rb); -+ if (*fd < 0) { -+ return false; -+ } -+ -+ /* -+ * We can use IOMMU DMA mapping (IOMMU_IOAS_MAP_FILE) for : -+ * -+ * 1) Guest RAM blocks explicitly configured as shared (MAP_SHARED) -+ * 2) RAM device sub-regions (MMIO BARs) -+ * -+ * Private RAM mappings (MAP_PRIVATE) are strictly excluded. Because -+ * they are subject to copy-on-write (COW) anomalies, their underlying -+ * PFNs can permanently diverge from the backing file -+ */ -+ return qemu_ram_is_shared(rb) || memory_region_is_ram_device(mr); -+} -+ - int vfio_container_dma_map(VFIOContainer *bcontainer, - hwaddr iova, uint64_t size, - void *vaddr, bool readonly, MemoryRegion *mr) - { - VFIOIOMMUClass *vioc = VFIO_IOMMU_GET_CLASS(bcontainer); -- RAMBlock *rb = mr->ram_block; -- int mfd = rb ? qemu_ram_get_fd(rb) : -1; -+ int mfd; - -- if (mfd >= 0 && vioc->dma_map_file) { -+ if (vfio_container_can_dma_map_file(bcontainer, mr, &mfd)) { -+ RAMBlock *rb = mr->ram_block; - unsigned long start = vaddr - qemu_ram_get_host_addr(rb); - unsigned long offset = qemu_ram_get_fd_offset(rb); - diff --git a/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch b/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch index 76e5fcce71..52e7ed9c50 100644 --- a/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch +++ b/debian/patches/pve/0019-PVE-block-add-the-zeroinit-block-driver-filter.patch @@ -247,7 +247,7 @@ index 0000000000..036edb17f5 + +block_init(bdrv_zeroinit_init); diff --git a/qapi/block-core.json b/qapi/block-core.json -index 496118bdc7..f0f225a3c2 100644 +index 50a0af3569..4e8bc65bdb 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -3381,7 +3381,7 @@ 
@@ -259,7 +259,7 @@ index 496118bdc7..f0f225a3c2 100644 ## # @BlockdevOptionsFile: -@@ -4936,7 +4936,8 @@ +@@ -4940,7 +4940,8 @@ 'if': 'CONFIG_BLKIO' }, 'vmdk': 'BlockdevOptionsGenericCOWFormat', 'vpc': 'BlockdevOptionsGenericFormat', diff --git a/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch b/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch index 0701eb7265..f63cc7b27b 100644 --- a/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch +++ b/debian/patches/pve/0022-PVE-Up-Config-file-posix-make-locking-optiono-on-cre.patch @@ -119,10 +119,10 @@ index 328ddaa3bd..5fd49844af 100644 }; return raw_co_create(&options, errp); diff --git a/qapi/block-core.json b/qapi/block-core.json -index f0f225a3c2..0c00aabbab 100644 +index 4e8bc65bdb..d5a2bbcff1 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json -@@ -5155,6 +5155,10 @@ +@@ -5159,6 +5159,10 @@ # @extent-size-hint: Extent size hint to add to the image file; 0 for # not adding an extent size hint (default: 1 MB, since 5.1) # @@ -133,7 +133,7 @@ index f0f225a3c2..0c00aabbab 100644 # Since: 2.12 ## { 'struct': 'BlockdevCreateOptionsFile', -@@ -5162,7 +5166,8 @@ +@@ -5166,7 +5170,8 @@ 'size': 'size', '*preallocation': 'PreallocMode', '*nocow': 'bool', diff --git a/debian/patches/pve/0026-PVE-Backup-add-vma-backup-format-code.patch b/debian/patches/pve/0026-PVE-Backup-add-vma-backup-format-code.patch index d116ae3569..814b939bed 100644 --- a/debian/patches/pve/0026-PVE-Backup-add-vma-backup-format-code.patch +++ b/debian/patches/pve/0026-PVE-Backup-add-vma-backup-format-code.patch @@ -40,10 +40,10 @@ index a21d9a5411..1373612c10 100644 system_ss.add(files('block-ram-registrar.c')) diff --git a/meson.build b/meson.build -index ab3e97eb9f..f747bc3cb2 100644 +index 51f5f2851a..a88b007017 100644 --- a/meson.build 
+++ b/meson.build -@@ -2149,6 +2149,8 @@ endif +@@ -2155,6 +2155,8 @@ endif has_gettid = cc.has_function('gettid') @@ -52,7 +52,7 @@ index ab3e97eb9f..f747bc3cb2 100644 # libselinux selinux = dependency('libselinux', required: get_option('selinux'), -@@ -4517,6 +4519,9 @@ if have_tools +@@ -4523,6 +4525,9 @@ if have_tools dependencies: [blockdev, qemuutil, selinux], install: true) diff --git a/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch b/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch index a4ac880fa7..74ce2a426e 100644 --- a/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch +++ b/debian/patches/pve/0029-PVE-Backup-Proxmox-backup-patches-for-QEMU.patch @@ -263,10 +263,10 @@ index abebfea0e2..bc727a3a6a 100644 void hmp_device_add(Monitor *mon, const QDict *qdict); void hmp_device_del(Monitor *mon, const QDict *qdict); diff --git a/meson.build b/meson.build -index f747bc3cb2..7aa0ed1b5a 100644 +index a88b007017..684501a185 100644 --- a/meson.build +++ b/meson.build -@@ -2150,6 +2150,7 @@ endif +@@ -2156,6 +2156,7 @@ endif has_gettid = cc.has_function('gettid') libuuid = cc.find_library('uuid', required: true) @@ -1685,7 +1685,7 @@ index 0000000000..177fb851b4 + return ret; +} diff --git a/qapi/block-core.json b/qapi/block-core.json -index 0c00aabbab..4f407007b9 100644 +index d5a2bbcff1..7f1daf42fe 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -952,6 +952,248 @@ diff --git a/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch b/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch index 44e42c7f6b..8344e666ed 100644 --- a/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch +++ b/debian/patches/pve/0030-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch @@ -14,10 +14,10 @@ Signed-off-by: Wolfgang Bumiller create mode 100644 pbs-restore.c 
diff --git a/meson.build b/meson.build -index 7aa0ed1b5a..3a57c44ade 100644 +index 684501a185..7111b47319 100644 --- a/meson.build +++ b/meson.build -@@ -4523,6 +4523,10 @@ if have_tools +@@ -4529,6 +4529,10 @@ if have_tools vma = executable('vma', files('vma.c', 'vma-reader.c') + genh, dependencies: [authz, block, crypto, io, qemuutil, qom], install: true) diff --git a/debian/patches/pve/0031-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch b/debian/patches/pve/0031-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch index 8791b16dbc..1d2396f318 100644 --- a/debian/patches/pve/0031-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch +++ b/debian/patches/pve/0031-PVE-Add-PBS-block-driver-to-map-backup-archives-into.patch @@ -348,10 +348,10 @@ index 0000000000..3e41421716 + +block_init(bdrv_pbs_init); diff --git a/meson.build b/meson.build -index 3a57c44ade..eb84d64604 100644 +index 7111b47319..4115c35884 100644 --- a/meson.build +++ b/meson.build -@@ -4997,7 +4997,7 @@ summary_info += {'Query Processing Library support': qpl} +@@ -5003,7 +5003,7 @@ summary_info += {'Query Processing Library support': qpl} summary_info += {'UADK Library support': uadk} summary_info += {'qatzip support': qatzip} summary_info += {'NUMA host support': numa} @@ -361,7 +361,7 @@ index 3a57c44ade..eb84d64604 100644 summary_info += {'libdaxctl support': libdaxctl} summary_info += {'libcbor support': libcbor} diff --git a/qapi/block-core.json b/qapi/block-core.json -index 4f407007b9..84a4572625 100644 +index 7f1daf42fe..e1c659310d 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -3619,6 +3619,7 @@ @@ -406,7 +406,7 @@ index 4f407007b9..84a4572625 100644 ## # @BlockdevOptionsNVMe: # -@@ -5149,6 +5177,7 @@ +@@ -5153,6 +5181,7 @@ 'nfs': 'BlockdevOptionsNfs', 'null-aio': 'BlockdevOptionsNull', 'null-co': 'BlockdevOptionsNull', 
diff --git a/debian/patches/pve/0032-PVE-redirect-stderr-to-journal-when-daemonized.patch b/debian/patches/pve/0032-PVE-redirect-stderr-to-journal-when-daemonized.patch index 42759e606b..8c558401c8 100644 --- a/debian/patches/pve/0032-PVE-redirect-stderr-to-journal-when-daemonized.patch +++ b/debian/patches/pve/0032-PVE-redirect-stderr-to-journal-when-daemonized.patch @@ -14,10 +14,10 @@ Signed-off-by: Thomas Lamprecht 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/meson.build b/meson.build -index eb84d64604..d71baddfa6 100644 +index 4115c35884..87c765f622 100644 --- a/meson.build +++ b/meson.build -@@ -2150,6 +2150,7 @@ endif +@@ -2156,6 +2156,7 @@ endif has_gettid = cc.has_function('gettid') libuuid = cc.find_library('uuid', required: true) @@ -25,7 +25,7 @@ index eb84d64604..d71baddfa6 100644 libproxmox_backup_qemu = cc.find_library('proxmox_backup_qemu', required: true) # libselinux -@@ -3840,7 +3841,7 @@ if have_block +@@ -3846,7 +3847,7 @@ if have_block elif host_os == 'emscripten' blockdev_ss.add(files('os-wasm.c')) else diff --git a/debian/patches/pve/0033-PVE-Migrate-dirty-bitmap-state-via-savevm.patch b/debian/patches/pve/0033-PVE-Migrate-dirty-bitmap-state-via-savevm.patch index ec8e4e9a4f..adb41f4572 100644 --- a/debian/patches/pve/0033-PVE-Migrate-dirty-bitmap-state-via-savevm.patch +++ b/debian/patches/pve/0033-PVE-Migrate-dirty-bitmap-state-via-savevm.patch @@ -58,7 +58,7 @@ index 90d62d5723..6010ccaef0 100644 'ram.c', 'savevm.c', diff --git a/migration/migration.c b/migration/migration.c -index 5c9aaa6e58..23b05a64cf 100644 +index dfc60372cf..f415448689 100644 --- a/migration/migration.c +++ b/migration/migration.c @@ -329,6 +329,7 @@ void migration_object_init(void) @@ -192,7 +192,7 @@ index 177fb851b4..7575abab7c 100644 ret->pbs_masterkey = true; ret->backup_max_workers = true; diff --git a/qapi/block-core.json b/qapi/block-core.json -index 84a4572625..4a6769c053 100644 +index e1c659310d..b314192e30 100644 --- a/qapi/block-core.json 
+++ b/qapi/block-core.json @@ -1112,6 +1112,11 @@ diff --git a/debian/patches/pve/0037-block-add-alloc-track-driver.patch b/debian/patches/pve/0037-block-add-alloc-track-driver.patch index 042929c527..ed5e2f5d31 100644 --- a/debian/patches/pve/0037-block-add-alloc-track-driver.patch +++ b/debian/patches/pve/0037-block-add-alloc-track-driver.patch @@ -449,7 +449,7 @@ index d023753091..a777c8079c 100644 out: diff --git a/qapi/block-core.json b/qapi/block-core.json -index 4a6769c053..8af4107bf5 100644 +index b314192e30..a8a7d227a8 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -3611,7 +3611,8 @@ @@ -484,7 +484,7 @@ index 4a6769c053..8af4107bf5 100644 ## # @BlockdevOptionsPbs: # -@@ -5155,6 +5171,7 @@ +@@ -5159,6 +5175,7 @@ '*detect-zeroes': 'BlockdevDetectZeroesOptions' }, 'discriminator': 'driver', 'data': { diff --git a/debian/patches/pve/0038-PVE-backup-add-fleecing-option.patch b/debian/patches/pve/0038-PVE-backup-add-fleecing-option.patch index cd27516275..5e6a4d9791 100644 --- a/debian/patches/pve/0038-PVE-backup-add-fleecing-option.patch +++ b/debian/patches/pve/0038-PVE-backup-add-fleecing-option.patch @@ -429,7 +429,7 @@ index 7575abab7c..8b83465ebd 100644 return ret; } diff --git a/qapi/block-core.json b/qapi/block-core.json -index 8af4107bf5..5c8b872000 100644 +index a8a7d227a8..977daf0191 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -1054,6 +1054,10 @@ diff --git a/debian/patches/pve/0044-PVE-backup-implement-backup-access-setup-and-teardow.patch b/debian/patches/pve/0044-PVE-backup-implement-backup-access-setup-and-teardow.patch index d30aaf8f23..031eeba6b6 100644 --- a/debian/patches/pve/0044-PVE-backup-implement-backup-access-setup-and-teardow.patch +++ b/debian/patches/pve/0044-PVE-backup-implement-backup-access-setup-and-teardow.patch @@ -740,7 +740,7 @@ index 0000000000..9ebeef7c8f + +#endif /* PVE_BACKUP_H */ 
diff --git a/qapi/block-core.json b/qapi/block-core.json -index 5c8b872000..cf4f5ce7f1 100644 +index 977daf0191..ed37a4a22f 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -1128,6 +1128,9 @@ diff --git a/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch b/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch index df9f3df96b..0c4cef7f09 100644 --- a/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch +++ b/debian/patches/pve/0046-savevm-async-reuse-migration-blocker-check-for-snaps.patch @@ -89,7 +89,7 @@ index 80b75ad5cb..f8417347a1 100644 * @migrate_add_blocker - prevent all modes of migration from proceeding * diff --git a/migration/migration.c b/migration/migration.c -index 23b05a64cf..8acd9610de 100644 +index f415448689..979fc7050e 100644 --- a/migration/migration.c +++ b/migration/migration.c @@ -1886,6 +1886,30 @@ bool migration_is_blocked(Error **errp) diff --git a/debian/patches/series b/debian/patches/series index 84c066409b..e5fabc3e49 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -1,23 +1,6 @@ extra/0001-monitor-qmp-fix-race-with-clients-disconnecting-earl.patch -extra/0002-ide-avoid-potential-deadlock-when-draining-during-tr.patch -extra/0003-block-io-fallback-to-bounce-buffer-if-BLKZEROOUT-is-.patch -extra/0004-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch -extra/0005-target-i386-tcg-fix-decoding-of-MOVBE-and-CRC32-in-1.patch -extra/0006-hw-display-don-t-accidentally-autofree-existing-virg.patch -extra/0007-hw-i386-vapic-restore-IRQ-polling-for-non-kernel-irq.patch -extra/0008-target-i386-fix-strList-leak-in-x86_cpu_get_unavaila.patch -extra/0009-target-i386-fix-missing-PF_INSTR-in-SIGSEGV-context.patch -extra/0010-migration-vmstate_save_state_v-fix-double-error_setg.patch -extra/0011-block-export-fuse-fix-regression-when-mmap-ing-expor.patch -extra/0012-block-export-fuse-fix-regression-with-block-device-e.patch -extra/0013-virtio-blk-add-missing-VIRTIO_BLK_T_SCSI_CMD-size-ch.patch -extra/0014-lsi53c895a-fix-use-after-free-of-cancelled-request.patch -extra/0015-lsi53c895a-clear-tag-byte-when-processing-messages.patch -extra/0016-apic-fix-delivery-bitmask-with-modified-xAPIC-ids.patch -extra/0017-block-linux-aio-bound-ioq_submit-recursion-depth.patch -extra/0018-vfio-user-reject-zero-DMA-page-size-capability.patch -extra/0019-vfio-user-reject-zero-migration-page-size-capability.patch -extra/0020-vfio-container-Restrict-dma_map_file-to-shared-RAM-o.patch +extra/0002-fdmon-io_uring-avoid-idle-event-loop-being-accounted.patch +extra/0003-block-export-fuse-fix-regression-with-block-device-e.patch bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch diff --git a/qemu b/qemu index 98b060da3a..e545d8bb9d 160000 --- a/qemu +++ b/qemu 
@@ -1 +1 @@ -Subproject commit 98b060da3a4f92b2a994ead5b16a87e783baf77c +Subproject commit e545d8bb9d63e9dd61542b88463183314cff9482 -- 2.47.3
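Review bot: on the debian/patches/series hunk, eighteen extra/ patches are dropped (extra/0002 through extra/0020, with only the fdmon-io_uring and fuse O_TRUNC ones kept and renumbered to 0002 and 0003), but the commit message gives upstream commit ids only for the ide TRIM/drain pair (6e5b03431b, 5044ebfad8). Several of the dropped ones are memory-safety or input-validation fixes by their own titles (lsi53c895a use-after-free of a cancelled request, virtio-blk missing VIRTIO_BLK_T_SCSI_CMD size check, the two vfio-user zero page-size rejections, vfio-container dma_map_file restriction, block/linux-aio ioq_submit recursion bound), so please list the upstream commit each one landed as, the way the ide ones are listed, so a reviewer can confirm each is actually contained in the new submodule commit rather than only in a later stable release, and so the drop stays auditable. The rename of extra/0012 to extra/0003 also hides the rebase the message says that patch needed; a one-line note on what changed in it would help.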
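Review bot: the qemu submodule bump from 98b060da3a to e545d8bb9d is the supply-chain root for every patch refreshed above, yet nothing in the hunk or the commit message ties e545d8bb9d to the v11.0.2 tag the subject names. Please record how the commit was checked, e.g. that `git -C qemu tag -v v11.0.2` verifies against the QEMU release-signing key and that `git -C qemu rev-parse 'v11.0.2^{}'` resolves to e545d8bb9d, and that the fetch came from the upstream gitlab.com/qemu-project/qemu remote rather than a mirror.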