From 321b8a8d36eaee32b112cabaac21fac0f090837d Mon Sep 17 00:00:00 2001 
From: Miroslav Rezanina Date: Fri, 14 Nov 2025 07:49:21 +0100 Subject: [PATCH] * Fri Nov 14 2025 Miroslav Rezanina - 10.1.0-5 - kvm-io-move-websock-resource-release-to-close-method.patch [RHEL-120116] - kvm-io-fix-use-after-free-in-websocket-handshake-code.patch [RHEL-120116] - kvm-vfio-Disable-VFIO-migration-with-MultiFD-support.patch [RHEL-126573] - kvm-hw-arm-virt-Use-ACPI-PCI-hotplug-by-default-from-10..patch [RHEL-67323] - kvm-hw-arm-smmu-common-Check-SMMU-has-PCIe-Root-Complex-.patch [RHEL-73800] - kvm-hw-arm-virt-acpi-build-Re-arrange-SMMUv3-IORT-build.patch [RHEL-73800] - kvm-hw-arm-virt-acpi-build-Update-IORT-for-multiple-smmu.patch [RHEL-73800] - kvm-hw-arm-virt-Factor-out-common-SMMUV3-dt-bindings-cod.patch [RHEL-73800] - kvm-hw-arm-virt-Add-an-SMMU_IO_LEN-macro.patch [RHEL-73800] - kvm-hw-pci-Introduce-pci_setup_iommu_per_bus-for-per-bus.patch [RHEL-73800] - kvm-hw-arm-virt-Allow-user-creatable-SMMUv3-dev-instanti.patch [RHEL-73800] - kvm-qemu-options.hx-Document-the-arm-smmuv3-device.patch [RHEL-73800] - kvm-bios-tables-test-Allow-for-smmuv3-test-data.patch [RHEL-73800] - kvm-qtest-bios-tables-test-Add-tests-for-legacy-smmuv3-a.patch [RHEL-73800] - kvm-qtest-bios-tables-test-Update-tables-for-smmuv3-test.patch [RHEL-73800] - kvm-qtest-Do-not-run-bios-tables-test-on-aarch64.patch [] - Resolves: RHEL-120116 (CVE-2025-11234 qemu-kvm: VNC WebSocket handshake use-after-free [rhel-10.2]) - Resolves: RHEL-126573 (VFIO migration using multifd should be disabled by default) - Resolves: RHEL-67323 ([aarch64] Support ACPI based PCI hotplug on ARM) - Resolves: RHEL-73800 (NVIDIA:Grace-Hopper:Backport support for user-creatable nested SMMUv3 - RHEL 10.1) --- ...bles-test-Allow-for-smmuv3-test-data.patch | 54 ++++ ...on-Check-SMMU-has-PCIe-Root-Complex-.patch | 131 ++++++++ ...hw-arm-virt-Add-an-SMMU_IO_LEN-macro.patch | 61 ++++ ...w-user-creatable-SMMUv3-dev-instanti.patch | 215 +++++++++++++ ...or-out-common-SMMUV3-dt-bindings-cod.patch | 118 +++++++ 
...ACPI-PCI-hotplug-by-default-from-10..patch | 66 ++++ ...i-build-Re-arrange-SMMUv3-IORT-build.patch | 291 ++++++++++++++++++ ...-build-Update-IORT-for-multiple-smmu.patch | 170 ++++++++++ ...-pci_setup_iommu_per_bus-for-per-bus.patch | 150 +++++++++ ...ter-free-in-websocket-handshake-code.patch | 189 ++++++++++++ ...ock-resource-release-to-close-method.patch | 84 +++++ ...ns.hx-Document-the-arm-smmuv3-device.patch | 53 ++++ ...-not-run-bios-tables-test-on-aarch64.patch | 30 ++ ...s-test-Add-tests-for-legacy-smmuv3-a.patch | 160 ++++++++++ ...s-test-Update-tables-for-smmuv3-test.patch | 282 +++++++++++++++++ ...-VFIO-migration-with-MultiFD-support.patch | 47 +++ qemu-kvm.spec | 59 +++- 17 files changed, 2159 insertions(+), 1 deletion(-) create mode 100644 kvm-bios-tables-test-Allow-for-smmuv3-test-data.patch create mode 100644 kvm-hw-arm-smmu-common-Check-SMMU-has-PCIe-Root-Complex-.patch create mode 100644 kvm-hw-arm-virt-Add-an-SMMU_IO_LEN-macro.patch create mode 100644 kvm-hw-arm-virt-Allow-user-creatable-SMMUv3-dev-instanti.patch create mode 100644 kvm-hw-arm-virt-Factor-out-common-SMMUV3-dt-bindings-cod.patch create mode 100644 kvm-hw-arm-virt-Use-ACPI-PCI-hotplug-by-default-from-10..patch create mode 100644 kvm-hw-arm-virt-acpi-build-Re-arrange-SMMUv3-IORT-build.patch create mode 100644 kvm-hw-arm-virt-acpi-build-Update-IORT-for-multiple-smmu.patch create mode 100644 kvm-hw-pci-Introduce-pci_setup_iommu_per_bus-for-per-bus.patch create mode 100644 kvm-io-fix-use-after-free-in-websocket-handshake-code.patch create mode 100644 kvm-io-move-websock-resource-release-to-close-method.patch create mode 100644 kvm-qemu-options.hx-Document-the-arm-smmuv3-device.patch create mode 100644 kvm-qtest-Do-not-run-bios-tables-test-on-aarch64.patch create mode 100644 kvm-qtest-bios-tables-test-Add-tests-for-legacy-smmuv3-a.patch create mode 100644 kvm-qtest-bios-tables-test-Update-tables-for-smmuv3-test.patch create mode 100644 
kvm-vfio-Disable-VFIO-migration-with-MultiFD-support.patch
diff --git a/kvm-bios-tables-test-Allow-for-smmuv3-test-data.patch b/kvm-bios-tables-test-Allow-for-smmuv3-test-data.patch
new file mode 100644
index 0000000..72136a7
--- /dev/null
+++ b/kvm-bios-tables-test-Allow-for-smmuv3-test-data.patch
@@ -0,0 +1,54 @@
+From b4eeed1e8633df76598de0fe6ca5df4be359222c Mon Sep 17 00:00:00 2001
+From: Shameer Kolothum
+Date: Fri, 29 Aug 2025 09:25:31 +0100
+Subject: [PATCH 13/16] bios-tables-test: Allow for smmuv3 test data.
+
+RH-Author: Eric Auger
+RH-MergeRequest: 423: hw/arm/virt: Add support for user creatable SMMUv3 device
+RH-Jira: RHEL-73800
+RH-Acked-by: Gavin Shan
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Sebastian Ott
+RH-Acked-by: Donald Dutile
+RH-Commit: [9/11] cf98e2e7589b794775c1d9c4f564e3cd536b886e (eauger1/centos-qemu-kvm)
+
+The tests to be added exercise both legacy(iommu=smmuv3) and new
+-device arm-smmuv3,.. cases.
+
+Reviewed-by: Jonathan Cameron
+Reviewed-by: Eric Auger
+Tested-by: Eric Auger
+Tested-by: Nicolin Chen
+Signed-off-by: Shameer Kolothum
+Signed-off-by: Shameer Kolothum
+Reviewed-by: Donald Dutile
+Reviewed-by: Nicolin Chen
+Message-id: 20250829082543.7680-10-skolothumtho@nvidia.com
+Signed-off-by: Peter Maydell
+(cherry picked from commit c69520c13d6ea45a69a7a49361806fa05b19046d)
+Signed-off-by: Eric Auger
+---
+ tests/data/acpi/aarch64/virt/DSDT.smmuv3-dev | 0
+ tests/data/acpi/aarch64/virt/DSDT.smmuv3-legacy | 0
+ tests/data/acpi/aarch64/virt/IORT.smmuv3-dev | 0
+ tests/data/acpi/aarch64/virt/IORT.smmuv3-legacy | 0
+ tests/qtest/bios-tables-test-allowed-diff.h | 4 ++++
+ 5 files changed, 4 insertions(+)
+ create mode 100644 tests/data/acpi/aarch64/virt/DSDT.smmuv3-dev
+ create mode 100644 tests/data/acpi/aarch64/virt/DSDT.smmuv3-legacy
+ create mode 100644 tests/data/acpi/aarch64/virt/IORT.smmuv3-dev
+ create mode 100644 tests/data/acpi/aarch64/virt/IORT.smmuv3-legacy
+
+diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
+index dfb8523c8b..2e3e3ccdce 100644
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
+@@ -1 +1,5 @@
+ /* List of comma-separated changed AML files to ignore */
++"tests/data/acpi/aarch64/virt/DSDT.smmuv3-legacy",
++"tests/data/acpi/aarch64/virt/DSDT.smmuv3-dev",
++"tests/data/acpi/aarch64/virt/IORT.smmuv3-legacy",
++"tests/data/acpi/aarch64/virt/IORT.smmuv3-dev",
+--
+2.47.3
+
diff --git a/kvm-hw-arm-smmu-common-Check-SMMU-has-PCIe-Root-Complex-.patch b/kvm-hw-arm-smmu-common-Check-SMMU-has-PCIe-Root-Complex-.patch
new file mode 100644
index 0000000..1f0fe4a
--- /dev/null
+++ b/kvm-hw-arm-smmu-common-Check-SMMU-has-PCIe-Root-Complex-.patch
@@ -0,0 +1,131 @@ +From ad929c3b2e90eeb1f81a3f7074cdaaa922b073b9 Mon Sep 17 00:00:00 2001 +From: Shameer Kolothum +Date: Fri, 29 Aug 2025 09:25:23 +0100 +Subject: [PATCH 05/16] hw/arm/smmu-common: Check SMMU has PCIe Root Complex + association + +RH-Author: Eric Auger +RH-MergeRequest: 423: hw/arm/virt: Add support for user creatable SMMUv3 device +RH-Jira: RHEL-73800 +RH-Acked-by: Gavin Shan +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Sebastian Ott +RH-Acked-by: Donald Dutile +RH-Commit: [1/11] 9e7a87070ebfef643848d31fe66f5b4e82bfe0cf (eauger1/centos-qemu-kvm) + +We only allow default PCIe Root Complex(pcie.0) or pxb-pcie based extra +root complexes to be associated with SMMU. + +Although this change does not affect functionality at present, it is +required when we add support for user-creatable SMMUv3 devices in +future patches. + +Note: Added a specific check to identify pxb-pcie to avoid matching +pxb-cxl host bridges, which are also of type PCI_HOST_BRIDGE. This +restriction can be relaxed once support for CXL devices on arm/virt +is added and validated with SMMUv3. 
+ +Reviewed-by: Jonathan Cameron +Reviewed-by: Eric Auger +Tested-by: Nathan Chen +Tested-by: Eric Auger +Reviewed-by: Nicolin Chen +Tested-by: Nicolin Chen +Signed-off-by: Shameer Kolothum +Signed-off-by: Shameer Kolothum +Reviewed-by: Donald Dutile +Message-id: 20250829082543.7680-2-skolothumtho@nvidia.com +Signed-off-by: Peter Maydell +(cherry picked from commit d9e6b8424fd2523a0361972d5dd841471879479c) +Signed-off-by: Eric Auger +--- + hw/arm/smmu-common.c | 31 ++++++++++++++++++++++++++--- + hw/pci-bridge/pci_expander_bridge.c | 1 - + include/hw/pci/pci_bridge.h | 1 + + 3 files changed, 29 insertions(+), 4 deletions(-) + +diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c +index 0dcaf2f589..7f64ea48d0 100644 +--- a/hw/arm/smmu-common.c ++++ b/hw/arm/smmu-common.c +@@ -20,6 +20,7 @@ + #include "trace.h" + #include "exec/target_page.h" + #include "hw/core/cpu.h" ++#include "hw/pci/pci_bridge.h" + #include "hw/qdev-properties.h" + #include "qapi/error.h" + #include "qemu/jhash.h" +@@ -925,6 +926,7 @@ static void smmu_base_realize(DeviceState *dev, Error **errp) + { + SMMUState *s = ARM_SMMU(dev); + SMMUBaseClass *sbc = ARM_SMMU_GET_CLASS(dev); ++ PCIBus *pci_bus = s->primary_bus; + Error *local_err = NULL; + + sbc->parent_realize(dev, &local_err); +@@ -937,11 +939,34 @@ static void smmu_base_realize(DeviceState *dev, Error **errp) + g_free, g_free); + s->smmu_pcibus_by_busptr = g_hash_table_new(NULL, NULL); + +- if (s->primary_bus) { +- pci_setup_iommu(s->primary_bus, &smmu_ops, s); +- } else { ++ if (!pci_bus) { + error_setg(errp, "SMMU is not attached to any PCI bus!"); ++ return; ++ } ++ ++ /* ++ * We only allow default PCIe Root Complex(pcie.0) or pxb-pcie based extra ++ * root complexes to be associated with SMMU. ++ */ ++ if (pci_bus_is_express(pci_bus) && pci_bus_is_root(pci_bus) && ++ object_dynamic_cast(OBJECT(pci_bus)->parent, TYPE_PCI_HOST_BRIDGE)) { ++ /* ++ * This condition matches either the default pcie.0, pxb-pcie, or ++ * pxb-cxl. 
For both pxb-pcie and pxb-cxl, parent_dev will be set. ++ * Currently, we don't allow pxb-cxl as it requires further ++ * verification. Therefore, make sure this is indeed pxb-pcie. ++ */ ++ if (pci_bus->parent_dev) { ++ if (!object_dynamic_cast(OBJECT(pci_bus), TYPE_PXB_PCIE_BUS)) { ++ goto out_err; ++ } ++ } ++ pci_setup_iommu(pci_bus, &smmu_ops, s); ++ return; + } ++out_err: ++ error_setg(errp, "SMMU should be attached to a default PCIe root complex" ++ "(pcie.0) or a pxb-pcie based root complex"); + } + + /* +diff --git a/hw/pci-bridge/pci_expander_bridge.c b/hw/pci-bridge/pci_expander_bridge.c +index 3a29dfefc2..1bcceddbc4 100644 +--- a/hw/pci-bridge/pci_expander_bridge.c ++++ b/hw/pci-bridge/pci_expander_bridge.c +@@ -34,7 +34,6 @@ typedef struct PXBBus PXBBus; + DECLARE_INSTANCE_CHECKER(PXBBus, PXB_BUS, + TYPE_PXB_BUS) + +-#define TYPE_PXB_PCIE_BUS "pxb-pcie-bus" + DECLARE_INSTANCE_CHECKER(PXBBus, PXB_PCIE_BUS, + TYPE_PXB_PCIE_BUS) + +diff --git a/include/hw/pci/pci_bridge.h b/include/hw/pci/pci_bridge.h +index 8cdacbc4e1..a055fd8d32 100644 +--- a/include/hw/pci/pci_bridge.h ++++ b/include/hw/pci/pci_bridge.h +@@ -104,6 +104,7 @@ typedef struct PXBPCIEDev { + PXBDev parent_obj; + } PXBPCIEDev; + ++#define TYPE_PXB_PCIE_BUS "pxb-pcie-bus" + #define TYPE_PXB_CXL_BUS "pxb-cxl-bus" + #define TYPE_PXB_DEV "pxb" + OBJECT_DECLARE_SIMPLE_TYPE(PXBDev, PXB_DEV) +-- +2.47.3 + diff --git a/kvm-hw-arm-virt-Add-an-SMMU_IO_LEN-macro.patch b/kvm-hw-arm-virt-Add-an-SMMU_IO_LEN-macro.patch new file mode 100644 index 0000000..f511d7c --- /dev/null +++ b/kvm-hw-arm-virt-Add-an-SMMU_IO_LEN-macro.patch 
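Review bot: The new error string in `smmu_base_realize` joins `"...a default PCIe root complex"` and `"(pcie.0) or a pxb-pcie based root complex"` with no space between the literals, so the user sees "root complex(pcie.0)"; end the first literal with a space, `"SMMU should be attached to a default PCIe root complex "`. The `out_err:` label is also reached by plain fall-through whenever the outer `if` is false, not only via the `goto`, which is easy to misread; a one-line comment above it such as `/* reached for any bus that is not pcie.0 or a pxb-pcie root bus */` would make the rejection path explicit. The function starts outside this hunk, so whether the hash tables allocated before the check are released on this failure path cannot be judged from here.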
@@ -0,0 +1,61 @@
+From c62e5defde6f02bdd316b772169571d0de5d2d83 Mon Sep 17 00:00:00 2001
+From: Nicolin Chen
+Date: Fri, 29 Aug 2025 09:25:27 +0100
+Subject: [PATCH 09/16] hw/arm/virt: Add an SMMU_IO_LEN macro
+
+RH-Author: Eric Auger
+RH-MergeRequest: 423: hw/arm/virt: Add support for user creatable SMMUv3 device
+RH-Jira: RHEL-73800
+RH-Acked-by: Gavin Shan
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Sebastian Ott
+RH-Acked-by: Donald Dutile
+RH-Commit: [5/11] 72c82e228bb256db07fbe28728ad47dbd8b04dc3 (eauger1/centos-qemu-kvm)
+
+This is useful as the subsequent support for new SMMUv3 dev will also
+use the same.
+
+Signed-off-by: Nicolin Chen
+Reviewed-by: Donald Dutile
+Reviewed-by: Eric Auger
+Tested-by: Nathan Chen
+Reviewed-by: Jonathan Cameron
+Tested-by: Eric Auger
+Tested-by: Nicolin Chen
+Signed-off-by: Shameer Kolothum
+Signed-off-by: Shameer Kolothum
+Reviewed-by: Nicolin Chen
+Message-id: 20250829082543.7680-6-skolothumtho@nvidia.com
+Signed-off-by: Peter Maydell
+(cherry picked from commit 466197fc7a25658f9187d538c26887f5738d1ac9)
+Signed-off-by: Eric Auger
+---
+ hw/arm/virt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/arm/virt.c b/hw/arm/virt.c
+index 9b95a7c9a9..b435efafe1 100644
+--- a/hw/arm/virt.c
++++ b/hw/arm/virt.c
+@@ -186,6 +186,9 @@ static void arm_virt_compat_set(MachineClass *mc)
+ #define LEGACY_RAMLIMIT_GB 255
+ #define LEGACY_RAMLIMIT_BYTES (LEGACY_RAMLIMIT_GB * GiB)
+
++/* MMIO region size for SMMUv3 */
++#define SMMU_IO_LEN 0x20000
++
+ /* Addresses and sizes of our components.
+ * 0..128MB is space for a flash device so we can run bootrom code such as UEFI.
+ * 128MB..256MB is used for miscellaneous device I/O.
+@@ -217,7 +220,7 @@ static const MemMapEntry base_memmap[] = {
+ [VIRT_FW_CFG] = { 0x09020000, 0x00000018 },
+ [VIRT_GPIO] = { 0x09030000, 0x00001000 },
+ [VIRT_UART1] = { 0x09040000, 0x00001000 },
+- [VIRT_SMMU] = { 0x09050000, 0x00020000 },
++ [VIRT_SMMU] = { 0x09050000, SMMU_IO_LEN },
+ [VIRT_PCDIMM_ACPI] = { 0x09070000, MEMORY_HOTPLUG_IO_LEN },
+ [VIRT_ACPI_GED] = { 0x09080000, ACPI_GED_EVT_SEL_LEN },
+ [VIRT_NVDIMM_ACPI] = { 0x09090000, NVDIMM_ACPI_IO_LEN},
+--
+2.47.3
+
diff --git a/kvm-hw-arm-virt-Allow-user-creatable-SMMUv3-dev-instanti.patch b/kvm-hw-arm-virt-Allow-user-creatable-SMMUv3-dev-instanti.patch
new file mode 100644
index 0000000..41e280e
--- /dev/null
+++ b/kvm-hw-arm-virt-Allow-user-creatable-SMMUv3-dev-instanti.patch
@@ -0,0 +1,215 @@ +From 20b24c8ae68ff5059392188762c8d8b24c3dfa28 Mon Sep 17 00:00:00 2001 +From: Shameer Kolothum +Date: Fri, 29 Aug 2025 09:25:29 +0100 +Subject: [PATCH 11/16] hw/arm/virt: Allow user-creatable SMMUv3 dev + instantiation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Eric Auger +RH-MergeRequest: 423: hw/arm/virt: Add support for user creatable SMMUv3 device +RH-Jira: RHEL-73800 +RH-Acked-by: Gavin Shan +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Sebastian Ott +RH-Acked-by: Donald Dutile +RH-Commit: [7/11] 8f4a03c34d5c699023b3916f4919caf669f7a87c (eauger1/centos-qemu-kvm) + +Allow cold-plugging of an SMMUv3 device on the virt machine when no +global (legacy) SMMUv3 is present or when a virtio-iommu is specified. + +This user-created SMMUv3 device is tied to a specific PCI bus provided +by the user, so ensure the IOMMU ops are configured accordingly. + +Due to current limitations in QEMU’s device tree support, specifically +its inability to properly present pxb-pcie based root complexes and +their devices, the device tree support for the new SMMUv3 device is +limited to cases where it is attached to the default pcie.0 root complex. 
+ +Reviewed-by: Jonathan Cameron +Reviewed-by: Eric Auger +Tested-by: Nathan Chen +Tested-by: Eric Auger +Tested-by: Nicolin Chen +Signed-off-by: Shameer Kolothum +Signed-off-by: Shameer Kolothum +Reviewed-by: Donald Dutile +Reviewed-by: Nicolin Chen +Message-id: 20250829082543.7680-8-skolothumtho@nvidia.com +Signed-off-by: Peter Maydell +(cherry picked from commit 66d2f665e163cf1afccd171e3c16f8d3acb3d94a) +Signed-off-by: Eric Auger +--- + hw/arm/smmu-common.c | 8 +++++- + hw/arm/smmuv3.c | 2 ++ + hw/arm/virt.c | 51 ++++++++++++++++++++++++++++++++++++ + hw/core/sysbus-fdt.c | 3 +++ + include/hw/arm/smmu-common.h | 1 + + 5 files changed, 64 insertions(+), 1 deletion(-) + +diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c +index 7f64ea48d0..62a7612184 100644 +--- a/hw/arm/smmu-common.c ++++ b/hw/arm/smmu-common.c +@@ -961,7 +961,12 @@ static void smmu_base_realize(DeviceState *dev, Error **errp) + goto out_err; + } + } +- pci_setup_iommu(pci_bus, &smmu_ops, s); ++ ++ if (s->smmu_per_bus) { ++ pci_setup_iommu_per_bus(pci_bus, &smmu_ops, s); ++ } else { ++ pci_setup_iommu(pci_bus, &smmu_ops, s); ++ } + return; + } + out_err: +@@ -986,6 +991,7 @@ static void smmu_base_reset_exit(Object *obj, ResetType type) + + static const Property smmu_dev_properties[] = { + DEFINE_PROP_UINT8("bus_num", SMMUState, bus_num, 0), ++ DEFINE_PROP_BOOL("smmu_per_bus", SMMUState, smmu_per_bus, false), + DEFINE_PROP_LINK("primary-bus", SMMUState, primary_bus, + TYPE_PCI_BUS, PCIBus *), + }; +diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c +index ab67972353..bcf8af8dc7 100644 +--- a/hw/arm/smmuv3.c ++++ b/hw/arm/smmuv3.c +@@ -1996,6 +1996,8 @@ static void smmuv3_class_init(ObjectClass *klass, const void *data) + device_class_set_parent_realize(dc, smmu_realize, + &c->parent_realize); + device_class_set_props(dc, smmuv3_properties); ++ dc->hotpluggable = false; ++ dc->user_creatable = true; + } + + static int smmuv3_notify_flag_changed(IOMMUMemoryRegion *iommu, +diff --git 
a/hw/arm/virt.c b/hw/arm/virt.c +index b435efafe1..e8e64fe7fe 100644 +--- a/hw/arm/virt.c ++++ b/hw/arm/virt.c +@@ -56,6 +56,7 @@ + #include "qemu/cutils.h" + #include "qemu/error-report.h" + #include "qemu/module.h" ++#include "hw/pci/pci_bus.h" + #include "hw/pci-host/gpex.h" + #include "hw/pci-bridge/pci_expander_bridge.h" + #include "hw/virtio/virtio-pci.h" +@@ -1510,6 +1511,29 @@ static void create_smmuv3_dt_bindings(const VirtMachineState *vms, hwaddr base, + g_free(node); + } + ++static void create_smmuv3_dev_dtb(VirtMachineState *vms, ++ DeviceState *dev, PCIBus *bus) ++{ ++ PlatformBusDevice *pbus = PLATFORM_BUS_DEVICE(vms->platform_bus_dev); ++ SysBusDevice *sbdev = SYS_BUS_DEVICE(dev); ++ int irq = platform_bus_get_irqn(pbus, sbdev, 0); ++ hwaddr base = platform_bus_get_mmio_addr(pbus, sbdev, 0); ++ MachineState *ms = MACHINE(vms); ++ ++ if (!(vms->bootinfo.firmware_loaded && virt_is_acpi_enabled(vms)) && ++ strcmp("pcie.0", bus->qbus.name)) { ++ warn_report("SMMUv3 device only supported with pcie.0 for DT"); ++ return; ++ } ++ base += vms->memmap[VIRT_PLATFORM_BUS].base; ++ irq += vms->irqmap[VIRT_PLATFORM_BUS]; ++ ++ vms->iommu_phandle = qemu_fdt_alloc_phandle(ms->fdt); ++ create_smmuv3_dt_bindings(vms, base, SMMU_IO_LEN, irq); ++ qemu_fdt_setprop_cells(ms->fdt, vms->pciehb_nodename, "iommu-map", ++ 0x0, vms->iommu_phandle, 0x0, 0x10000); ++} ++ + static void create_smmu(const VirtMachineState *vms, + PCIBus *bus) + { +@@ -3057,6 +3081,16 @@ static void virt_machine_device_pre_plug_cb(HotplugHandler *hotplug_dev, + qlist_append_str(reserved_regions, resv_prop_str); + qdev_prop_set_array(dev, "reserved-regions", reserved_regions); + g_free(resv_prop_str); ++ } else if (object_dynamic_cast(OBJECT(dev), TYPE_ARM_SMMUV3)) { ++ if (vms->legacy_smmuv3_present || vms->iommu == VIRT_IOMMU_VIRTIO) { ++ error_setg(errp, "virt machine already has %s set. " ++ "Doesn't support incompatible iommus", ++ (vms->legacy_smmuv3_present) ? 
++ "iommu=smmuv3" : "virtio-iommu"); ++ } else if (vms->iommu == VIRT_IOMMU_NONE) { ++ /* The new SMMUv3 device is specific to the PCI bus */ ++ object_property_set_bool(OBJECT(dev), "smmu_per_bus", true, NULL); ++ } + } + } + +@@ -3080,6 +3114,22 @@ static void virt_machine_device_plug_cb(HotplugHandler *hotplug_dev, + virtio_md_pci_plug(VIRTIO_MD_PCI(dev), MACHINE(hotplug_dev), errp); + } + ++ if (object_dynamic_cast(OBJECT(dev), TYPE_ARM_SMMUV3)) { ++ if (!vms->legacy_smmuv3_present && vms->platform_bus_dev) { ++ PCIBus *bus; ++ ++ bus = PCI_BUS(object_property_get_link(OBJECT(dev), "primary-bus", ++ &error_abort)); ++ if (pci_bus_bypass_iommu(bus)) { ++ error_setg(errp, "Bypass option cannot be set for SMMUv3 " ++ "associated PCIe RC"); ++ return; ++ } ++ ++ create_smmuv3_dev_dtb(vms, dev, bus); ++ } ++ } ++ + if (object_dynamic_cast(OBJECT(dev), TYPE_VIRTIO_IOMMU_PCI)) { + PCIDevice *pdev = PCI_DEVICE(dev); + +@@ -3286,6 +3336,7 @@ static void virt_machine_class_init(ObjectClass *oc, const void *data) + #endif + machine_class_allow_dynamic_sysbus_dev(mc, TYPE_RAMFB_DEVICE); + machine_class_allow_dynamic_sysbus_dev(mc, TYPE_UEFI_VARS_SYSBUS); ++ machine_class_allow_dynamic_sysbus_dev(mc, TYPE_ARM_SMMUV3); + #ifdef CONFIG_TPM + machine_class_allow_dynamic_sysbus_dev(mc, TYPE_TPM_TIS_SYSBUS); + #endif +diff --git a/hw/core/sysbus-fdt.c b/hw/core/sysbus-fdt.c +index 1e1966813f..673e083d31 100644 +--- a/hw/core/sysbus-fdt.c ++++ b/hw/core/sysbus-fdt.c +@@ -31,6 +31,7 @@ + #include "qemu/error-report.h" + #include "system/device_tree.h" + #include "system/tpm.h" ++#include "hw/arm/smmuv3.h" + #include "hw/platform-bus.h" + #include "hw/vfio/vfio-platform.h" + #include "hw/vfio/vfio-calxeda-xgmac.h" +@@ -518,6 +519,8 @@ static const BindingEntry bindings[] = { + #ifdef CONFIG_TPM + TYPE_BINDING(TYPE_TPM_TIS_SYSBUS, add_tpm_tis_fdt_node), + #endif ++ /* No generic DT support for smmuv3 dev. 
Support added for arm virt only */ ++ TYPE_BINDING(TYPE_ARM_SMMUV3, no_fdt_node), + TYPE_BINDING(TYPE_RAMFB_DEVICE, no_fdt_node), + TYPE_BINDING(TYPE_UEFI_VARS_SYSBUS, add_uefi_vars_node), + TYPE_BINDING("", NULL), /* last element */ +diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h +index e5e2d09294..80d0fecfde 100644 +--- a/include/hw/arm/smmu-common.h ++++ b/include/hw/arm/smmu-common.h +@@ -161,6 +161,7 @@ struct SMMUState { + QLIST_HEAD(, SMMUDevice) devices_with_notifiers; + uint8_t bus_num; + PCIBus *primary_bus; ++ bool smmu_per_bus; /* SMMU is specific to the primary_bus */ + }; + + struct SMMUBaseClass { +-- +2.47.3 + diff --git a/kvm-hw-arm-virt-Factor-out-common-SMMUV3-dt-bindings-cod.patch b/kvm-hw-arm-virt-Factor-out-common-SMMUV3-dt-bindings-cod.patch new file mode 100644 index 0000000..5935080 --- /dev/null +++ b/kvm-hw-arm-virt-Factor-out-common-SMMUV3-dt-bindings-cod.patch 
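Review bot: In `virt_machine_device_pre_plug_cb` the call `object_property_set_bool(OBJECT(dev), "smmu_per_bus", true, NULL)` discards any error, so a failed set would leave `smmu_per_bus` false and `smmu_base_realize` would quietly take the machine-wide `pci_setup_iommu()` branch instead of `pci_setup_iommu_per_bus()`. Report the failure instead, for example `object_property_set_bool(OBJECT(dev), "smmu_per_bus", true, &error_abort);`, matching the `&error_abort` already used for the `primary-bus` lookup in the plug callback. Note also that `smmu_per_bus` is declared with `DEFINE_PROP_BOOL`, so it appears to be settable from the command line as well; if only the machine code is meant to choose it, that deserves a comment next to the property. The `pci_bus_bypass_iommu()` rejection sits in `virt_machine_device_plug_cb`, which presumably runs after realize has already installed the IOMMU ops, so it may belong in the pre-plug callback; both callbacks start outside the hunks shown.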
@@ -0,0 +1,118 @@ +From 1b3c413355ee5f3917e8e39dbf7a281f8e31a0f5 Mon Sep 17 00:00:00 2001 +From: Shameer Kolothum +Date: Fri, 29 Aug 2025 09:25:26 +0100 +Subject: [PATCH 08/16] hw/arm/virt: Factor out common SMMUV3 dt bindings code + +RH-Author: Eric Auger +RH-MergeRequest: 423: hw/arm/virt: Add support for user creatable SMMUv3 device +RH-Jira: RHEL-73800 +RH-Acked-by: Gavin Shan +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Sebastian Ott +RH-Acked-by: Donald Dutile +RH-Commit: [4/11] db5d2a44f4cd1583c839b93ae551a2ddbd68b83b (eauger1/centos-qemu-kvm) + +No functional changes intended. This will be useful when we +add support for user-creatable smmuv3 device. + +Reviewed-by: Nicolin Chen +Reviewed-by: Eric Auger +Tested-by: Nathan Chen +Reviewed-by: Jonathan Cameron +Tested-by: Eric Auger +Tested-by: Nicolin Chen +Signed-off-by: Shameer Kolothum +Signed-off-by: Shameer Kolothum +Reviewed-by: Donald Dutile +Message-id: 20250829082543.7680-5-skolothumtho@nvidia.com +Signed-off-by: Peter Maydell +(cherry picked from commit 7a276b7570266ec39611f9d91089741ec7e9295b) +Signed-off-by: Eric Auger +--- + hw/arm/virt.c | 54 +++++++++++++++++++++++++++------------------------ + 1 file changed, 29 insertions(+), 25 deletions(-) + +diff --git a/hw/arm/virt.c b/hw/arm/virt.c +index 0cc9e5f068..9b95a7c9a9 100644 +--- a/hw/arm/virt.c ++++ b/hw/arm/virt.c +@@ -1479,19 +1479,43 @@ static void create_pcie_irq_map(const MachineState *ms, + 0x7 /* PCI irq */); + } + ++static void create_smmuv3_dt_bindings(const VirtMachineState *vms, hwaddr base, ++ hwaddr size, int irq) ++{ ++ char *node; ++ const char compat[] = "arm,smmu-v3"; ++ const char irq_names[] = "eventq\0priq\0cmdq-sync\0gerror"; ++ MachineState *ms = MACHINE(vms); ++ ++ node = g_strdup_printf("/smmuv3@%" PRIx64, base); ++ qemu_fdt_add_subnode(ms->fdt, node); ++ qemu_fdt_setprop(ms->fdt, node, "compatible", compat, sizeof(compat)); ++ qemu_fdt_setprop_sized_cells(ms->fdt, node, "reg", 2, base, 2, size); ++ ++ 
qemu_fdt_setprop_cells(ms->fdt, node, "interrupts", ++ GIC_FDT_IRQ_TYPE_SPI, irq , GIC_FDT_IRQ_FLAGS_EDGE_LO_HI, ++ GIC_FDT_IRQ_TYPE_SPI, irq + 1, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI, ++ GIC_FDT_IRQ_TYPE_SPI, irq + 2, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI, ++ GIC_FDT_IRQ_TYPE_SPI, irq + 3, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI); ++ ++ qemu_fdt_setprop(ms->fdt, node, "interrupt-names", irq_names, ++ sizeof(irq_names)); ++ ++ qemu_fdt_setprop(ms->fdt, node, "dma-coherent", NULL, 0); ++ qemu_fdt_setprop_cell(ms->fdt, node, "#iommu-cells", 1); ++ qemu_fdt_setprop_cell(ms->fdt, node, "phandle", vms->iommu_phandle); ++ g_free(node); ++} ++ + static void create_smmu(const VirtMachineState *vms, + PCIBus *bus) + { + VirtMachineClass *vmc = VIRT_MACHINE_GET_CLASS(vms); +- char *node; +- const char compat[] = "arm,smmu-v3"; + int irq = vms->irqmap[VIRT_SMMU]; + int i; + hwaddr base = vms->memmap[VIRT_SMMU].base; + hwaddr size = vms->memmap[VIRT_SMMU].size; +- const char irq_names[] = "eventq\0priq\0cmdq-sync\0gerror"; + DeviceState *dev; +- MachineState *ms = MACHINE(vms); + + if (vms->iommu != VIRT_IOMMU_SMMUV3 || !vms->iommu_phandle) { + return; +@@ -1510,27 +1534,7 @@ static void create_smmu(const VirtMachineState *vms, + sysbus_connect_irq(SYS_BUS_DEVICE(dev), i, + qdev_get_gpio_in(vms->gic, irq + i)); + } +- +- node = g_strdup_printf("/smmuv3@%" PRIx64, base); +- qemu_fdt_add_subnode(ms->fdt, node); +- qemu_fdt_setprop(ms->fdt, node, "compatible", compat, sizeof(compat)); +- qemu_fdt_setprop_sized_cells(ms->fdt, node, "reg", 2, base, 2, size); +- +- qemu_fdt_setprop_cells(ms->fdt, node, "interrupts", +- GIC_FDT_IRQ_TYPE_SPI, irq , GIC_FDT_IRQ_FLAGS_EDGE_LO_HI, +- GIC_FDT_IRQ_TYPE_SPI, irq + 1, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI, +- GIC_FDT_IRQ_TYPE_SPI, irq + 2, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI, +- GIC_FDT_IRQ_TYPE_SPI, irq + 3, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI); +- +- qemu_fdt_setprop(ms->fdt, node, "interrupt-names", irq_names, +- sizeof(irq_names)); +- +- qemu_fdt_setprop(ms->fdt, node, "dma-coherent", 
NULL, 0); +- +- qemu_fdt_setprop_cell(ms->fdt, node, "#iommu-cells", 1); +- +- qemu_fdt_setprop_cell(ms->fdt, node, "phandle", vms->iommu_phandle); +- g_free(node); ++ create_smmuv3_dt_bindings(vms, base, size, irq); + } + + static void create_virtio_iommu_dt_bindings(VirtMachineState *vms) +-- +2.47.3 + diff --git a/kvm-hw-arm-virt-Use-ACPI-PCI-hotplug-by-default-from-10..patch b/kvm-hw-arm-virt-Use-ACPI-PCI-hotplug-by-default-from-10..patch new file mode 100644 index 0000000..a30d175 --- /dev/null +++ b/kvm-hw-arm-virt-Use-ACPI-PCI-hotplug-by-default-from-10..patch 
@@ -0,0 +1,66 @@ +From 5264d9ea8c029dab0663a3da82f4d8241ad0f1b9 Mon Sep 17 00:00:00 2001 +From: Eric Auger +Date: Fri, 7 Nov 2025 05:23:16 -0500 +Subject: [PATCH 04/16] hw/arm/virt: Use ACPI PCI hotplug by default from 10.2 + onwards + +RH-Author: Eric Auger +RH-MergeRequest: 422: hw/arm/virt: Use ACPI PCI hotplug by default from 10.2 onwards +RH-Jira: RHEL-67323 +RH-Acked-by: Sebastian Ott +RH-Acked-by: Cornelia Huck +RH-Acked-by: Gavin Shan +RH-Acked-by: Igor Mammedov +RH-Commit: [1/1] 4539ba6526fef80adb9893a643eb001449397447 (eauger1/centos-qemu-kvm) + +UPSTREAM: RHEL-only + +Use ACPI PCI hotplug by default from 10.2 onwards. For older +rhel10 machine types and all rhel9 machine types ACPI PCI hotplug +is kept disabled. + +Signed-off-by: Eric Auger +--- + hw/arm/virt.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/hw/arm/virt.c b/hw/arm/virt.c +index dcdd53043e..542d702513 100644 +--- a/hw/arm/virt.c ++++ b/hw/arm/virt.c +@@ -94,9 +94,15 @@ + + static GlobalProperty arm_virt_compat[] = { + { TYPE_VIRTIO_IOMMU_PCI, "aw-bits", "48" }, ++ { TYPE_ACPI_GED, "acpi-pci-hotplug-with-bridge-support", "on" }, + }; + static const size_t arm_virt_compat_len = G_N_ELEMENTS(arm_virt_compat); + ++GlobalProperty arm_acpi_pci_hp_disabled_compat[] = { ++ { TYPE_ACPI_GED, "acpi-pci-hotplug-with-bridge-support", "off" }, ++}; ++static const size_t arm_acpi_pci_hp_disabled_compat_len = G_N_ELEMENTS(arm_virt_compat); ++ + /* + * RHEL9 kernels have pauth disabled while RHEL10 has it enabled, + * since qemu will setup the VM with pauth when KVM supports it we +@@ -104,6 +110,7 @@ static const size_t arm_virt_compat_len = G_N_ELEMENTS(arm_virt_compat); + */ + GlobalProperty arm_rhel9_compat[] = { + {TYPE_ARM_CPU, "pauth", "off", .optional = true}, ++ {TYPE_ACPI_GED, "acpi-pci-hotplug-with-bridge-support", "off" }, + }; + const size_t arm_rhel9_compat_len = G_N_ELEMENTS(arm_rhel9_compat); + +@@ -3701,6 +3708,8 @@ static void virt_rhel_machine_10_0_0_options(MachineClass 
*mc) + + /* QEMU 9.1 and earlier have only a stage-1 SMMU, not a nested s1+2 one */ + vmc->no_nested_smmu = true; ++ compat_props_add(mc->compat_props, arm_acpi_pci_hp_disabled_compat, ++ arm_acpi_pci_hp_disabled_compat_len); + compat_props_add(mc->compat_props, hw_compat_rhel_10_2, hw_compat_rhel_10_2_len); + compat_props_add(mc->compat_props, hw_compat_rhel_10_1, hw_compat_rhel_10_1_len); + } +-- +2.47.3 + diff --git a/kvm-hw-arm-virt-acpi-build-Re-arrange-SMMUv3-IORT-build.patch b/kvm-hw-arm-virt-acpi-build-Re-arrange-SMMUv3-IORT-build.patch new file mode 100644 index 0000000..e12a15d --- /dev/null +++ b/kvm-hw-arm-virt-acpi-build-Re-arrange-SMMUv3-IORT-build.patch 
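Review bot: `arm_acpi_pci_hp_disabled_compat_len` is computed from the wrong array: `G_N_ELEMENTS(arm_virt_compat)` evaluates to 2 once this patch adds the second entry to `arm_virt_compat`, while `arm_acpi_pci_hp_disabled_compat` holds a single element. The `compat_props_add()` call added in `virt_rhel_machine_10_0_0_options` is then given a count one larger than the array, which, assuming it walks that many entries, reads a `GlobalProperty` past the end of the array. The line should be `static const size_t arm_acpi_pci_hp_disabled_compat_len = G_N_ELEMENTS(arm_acpi_pci_hp_disabled_compat);`. The array itself is declared without `static` although its length constant is file-local; unless another file references it (not visible here), `static GlobalProperty arm_acpi_pci_hp_disabled_compat[]` would be consistent with `arm_virt_compat`.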
@@ -0,0 +1,291 @@ +From 221e12accdd5e699d727cd862760829e973a7b2a Mon Sep 17 00:00:00 2001 +From: Shameer Kolothum +Date: Fri, 29 Aug 2025 09:25:24 +0100 +Subject: [PATCH 06/16] hw/arm/virt-acpi-build: Re-arrange SMMUv3 IORT build + +RH-Author: Eric Auger +RH-MergeRequest: 423: hw/arm/virt: Add support for user creatable SMMUv3 device +RH-Jira: RHEL-73800 +RH-Acked-by: Gavin Shan +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Sebastian Ott +RH-Acked-by: Donald Dutile +RH-Commit: [2/11] 73e2dd4f48ffaf614c79241bc73cbb0457849131 (eauger1/centos-qemu-kvm) + +Introduce a new struct AcpiIortSMMUv3Dev to hold all the information +required for SMMUv3 IORT node and use that for populating the node. + +The current machine wide SMMUv3 is named as legacy SMMUv3 as we will +soon add support for user-creatable SMMUv3 devices. These changes will +be useful to have common code paths when we add that support. + +Tested-by: Nathan Chen +Reviewed-by: Nicolin Chen +Reviewed-by: Jonathan Cameron +Reviewed-by: Eric Auger +Tested-by: Eric Auger +Tested-by: Nicolin Chen +Signed-off-by: Shameer Kolothum +Signed-off-by: Shameer Kolothum +Reviewed-by: Donald Dutile +Message-id: 20250829082543.7680-3-skolothumtho@nvidia.com +Signed-off-by: Peter Maydell +(cherry picked from commit 0e6a5bfb0eb17f57fb923b7905bd1435204bdd62) +Signed-off-by: Eric Auger +--- + hw/arm/virt-acpi-build.c | 137 ++++++++++++++++++++++++++------------- + hw/arm/virt.c | 1 + + include/hw/arm/virt.h | 1 + + 3 files changed, 94 insertions(+), 45 deletions(-) + +diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c +index b01fc4f8ef..bef4fabe56 100644 +--- a/hw/arm/virt-acpi-build.c ++++ b/hw/arm/virt-acpi-build.c +@@ -305,29 +305,65 @@ static int iort_idmap_compare(gconstpointer a, gconstpointer b) + return idmap_a->input_base - idmap_b->input_base; + } + ++typedef struct AcpiIortSMMUv3Dev { ++ int irq; ++ hwaddr base; ++ GArray *rc_smmu_idmaps; ++ /* Offset of the SMMUv3 IORT Node relative to the start of the 
IORT */ ++ size_t offset; ++} AcpiIortSMMUv3Dev; ++ ++/* ++ * Populate the struct AcpiIortSMMUv3Dev for the legacy SMMUv3 and ++ * return the total number of associated idmaps. ++ */ ++static int populate_smmuv3_legacy_dev(GArray *sdev_blob) ++{ ++ VirtMachineState *vms = VIRT_MACHINE(qdev_get_machine()); ++ AcpiIortSMMUv3Dev sdev; ++ ++ sdev.rc_smmu_idmaps = g_array_new(false, true, sizeof(AcpiIortIdMapping)); ++ object_child_foreach_recursive(object_get_root(), iort_host_bridges, ++ sdev.rc_smmu_idmaps); ++ /* ++ * There can be only one legacy SMMUv3("iommu=smmuv3") as it is a machine ++ * wide one. Since it may cover multiple PCIe RCs(based on "bypass_iommu" ++ * property), may have multiple SMMUv3 idmaps. Sort it by input_base. ++ */ ++ g_array_sort(sdev.rc_smmu_idmaps, iort_idmap_compare); ++ ++ sdev.base = vms->memmap[VIRT_SMMU].base; ++ sdev.irq = vms->irqmap[VIRT_SMMU] + ARM_SPI_BASE; ++ g_array_append_val(sdev_blob, sdev); ++ return sdev.rc_smmu_idmaps->len; ++} ++ + /* Compute ID ranges (RIDs) from RC that are directed to the ITS Group node */ +-static void create_rc_its_idmaps(GArray *its_idmaps, GArray *smmu_idmaps) ++static void create_rc_its_idmaps(GArray *its_idmaps, GArray *smmuv3_devs) + { + AcpiIortIdMapping *idmap; + AcpiIortIdMapping next_range = {0}; ++ AcpiIortSMMUv3Dev *sdev; + +- /* +- * Based on the RID ranges that are directed to the SMMU, determine the +- * bypassed RID ranges, i.e., the ones that are directed to the ITS Group +- * node and do not pass through the SMMU, by subtracting the SMMU-bound +- * ranges from the full RID range (0x0000–0xFFFF). 
+- */ +- for (int i = 0; i < smmu_idmaps->len; i++) { +- idmap = &g_array_index(smmu_idmaps, AcpiIortIdMapping, i); ++ for (int i = 0; i < smmuv3_devs->len; i++) { ++ sdev = &g_array_index(smmuv3_devs, AcpiIortSMMUv3Dev, i); ++ /* ++ * Based on the RID ranges that are directed to the SMMU, determine the ++ * bypassed RID ranges, i.e., the ones that are directed to the ITS ++ * Group node and do not pass through the SMMU, by subtracting the ++ * SMMU-bound ranges from the full RID range (0x0000–0xFFFF). ++ */ ++ for (int j = 0; j < sdev->rc_smmu_idmaps->len; j++) { ++ idmap = &g_array_index(sdev->rc_smmu_idmaps, AcpiIortIdMapping, j); + +- if (next_range.input_base < idmap->input_base) { +- next_range.id_count = idmap->input_base - next_range.input_base; +- g_array_append_val(its_idmaps, next_range); +- } ++ if (next_range.input_base < idmap->input_base) { ++ next_range.id_count = idmap->input_base - next_range.input_base; ++ g_array_append_val(its_idmaps, next_range); ++ } + +- next_range.input_base = idmap->input_base + idmap->id_count; ++ next_range.input_base = idmap->input_base + idmap->id_count; ++ } + } +- + /* + * Append the last RC -> ITS ID mapping. 
+ * +@@ -341,7 +377,6 @@ static void create_rc_its_idmaps(GArray *its_idmaps, GArray *smmu_idmaps) + } + } + +- + /* + * Input Output Remapping Table (IORT) + * Conforms to "IO Remapping Table System Software on ARM Platforms", +@@ -351,9 +386,12 @@ static void + build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms) + { + int i, nb_nodes, rc_mapping_count; +- size_t node_size, smmu_offset = 0; ++ AcpiIortSMMUv3Dev *sdev; ++ size_t node_size; ++ int num_smmus = 0; + uint32_t id = 0; +- GArray *rc_smmu_idmaps = g_array_new(false, true, sizeof(AcpiIortIdMapping)); ++ int rc_smmu_idmaps_len = 0; ++ GArray *smmuv3_devs = g_array_new(false, true, sizeof(AcpiIortSMMUv3Dev)); + GArray *rc_its_idmaps = g_array_new(false, true, sizeof(AcpiIortIdMapping)); + + AcpiTable table = { .sig = "IORT", .rev = 3, .oem_id = vms->oem_id, +@@ -361,22 +399,21 @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms) + /* Table 2 The IORT */ + acpi_table_begin(&table, table_data); + +- if (vms->iommu == VIRT_IOMMU_SMMUV3) { +- object_child_foreach_recursive(object_get_root(), +- iort_host_bridges, rc_smmu_idmaps); +- +- /* Sort the smmu idmap by input_base */ +- g_array_sort(rc_smmu_idmaps, iort_idmap_compare); ++ if (vms->legacy_smmuv3_present) { ++ rc_smmu_idmaps_len = populate_smmuv3_legacy_dev(smmuv3_devs); ++ } + +- nb_nodes = 2; /* RC and SMMUv3 */ +- rc_mapping_count = rc_smmu_idmaps->len; ++ num_smmus = smmuv3_devs->len; ++ if (num_smmus) { ++ nb_nodes = num_smmus + 1; /* RC and SMMUv3 */ ++ rc_mapping_count = rc_smmu_idmaps_len; + + if (vms->its) { + /* + * Knowing the ID ranges from the RC to the SMMU, it's possible to + * determine the ID ranges from RC that go directly to ITS. 
+ */ +- create_rc_its_idmaps(rc_its_idmaps, rc_smmu_idmaps); ++ create_rc_its_idmaps(rc_its_idmaps, smmuv3_devs); + + nb_nodes++; /* ITS */ + rc_mapping_count += rc_its_idmaps->len; +@@ -411,9 +448,10 @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms) + build_append_int_noprefix(table_data, 0 /* MADT translation_id */, 4); + } + +- if (vms->iommu == VIRT_IOMMU_SMMUV3) { +- int irq = vms->irqmap[VIRT_SMMU] + ARM_SPI_BASE; ++ for (i = 0; i < num_smmus; i++) { ++ sdev = &g_array_index(smmuv3_devs, AcpiIortSMMUv3Dev, i); + int smmu_mapping_count, offset_to_id_array; ++ int irq = sdev->irq; + + if (vms->its) { + smmu_mapping_count = 1; /* ITS Group node */ +@@ -422,7 +460,7 @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms) + smmu_mapping_count = 0; /* No ID mappings */ + offset_to_id_array = 0; /* No ID mappings array */ + } +- smmu_offset = table_data->len - table.table_offset; ++ sdev->offset = table_data->len - table.table_offset; + /* Table 9 SMMUv3 Format */ + build_append_int_noprefix(table_data, 4 /* SMMUv3 */, 1); /* Type */ + node_size = SMMU_V3_ENTRY_SIZE + +@@ -435,7 +473,7 @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms) + /* Reference to ID Array */ + build_append_int_noprefix(table_data, offset_to_id_array, 4); + /* Base address */ +- build_append_int_noprefix(table_data, vms->memmap[VIRT_SMMU].base, 8); ++ build_append_int_noprefix(table_data, sdev->base, 8); + /* Flags */ + build_append_int_noprefix(table_data, 1 /* COHACC Override */, 4); + build_append_int_noprefix(table_data, 0, 4); /* Reserved */ +@@ -486,21 +524,26 @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms) + build_append_int_noprefix(table_data, 0, 3); /* Reserved */ + + /* Output Reference */ +- if (vms->iommu == VIRT_IOMMU_SMMUV3) { ++ if (num_smmus) { + AcpiIortIdMapping *range; + +- /* +- * Map RIDs (input) from RC to SMMUv3 nodes: RC -> SMMUv3. 
+- * +- * N.B.: The mapping from SMMUv3 to ITS Group node (SMMUv3 -> ITS) is +- * defined in the SMMUv3 table, where all SMMUv3 IDs are mapped to the +- * ITS Group node, if ITS is available. +- */ +- for (i = 0; i < rc_smmu_idmaps->len; i++) { +- range = &g_array_index(rc_smmu_idmaps, AcpiIortIdMapping, i); +- /* Output IORT node is the SMMUv3 node. */ +- build_iort_id_mapping(table_data, range->input_base, +- range->id_count, smmu_offset); ++ for (i = 0; i < num_smmus; i++) { ++ sdev = &g_array_index(smmuv3_devs, AcpiIortSMMUv3Dev, i); ++ ++ /* ++ * Map RIDs (input) from RC to SMMUv3 nodes: RC -> SMMUv3. ++ * ++ * N.B.: The mapping from SMMUv3 to ITS Group node (SMMUv3 -> ITS) ++ * is defined in the SMMUv3 table, where all SMMUv3 IDs are mapped ++ * to the ITS Group node, if ITS is available. ++ */ ++ for (int j = 0; j < sdev->rc_smmu_idmaps->len; j++) { ++ range = &g_array_index(sdev->rc_smmu_idmaps, ++ AcpiIortIdMapping, j); ++ /* Output IORT node is the SMMUv3 node. */ ++ build_iort_id_mapping(table_data, range->input_base, ++ range->id_count, sdev->offset); ++ } + } + + if (vms->its) { +@@ -525,8 +568,12 @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms) + } + + acpi_table_end(linker, &table); +- g_array_free(rc_smmu_idmaps, true); + g_array_free(rc_its_idmaps, true); ++ for (i = 0; i < num_smmus; i++) { ++ sdev = &g_array_index(smmuv3_devs, AcpiIortSMMUv3Dev, i); ++ g_array_free(sdev->rc_smmu_idmaps, true); ++ } ++ g_array_free(smmuv3_devs, true); + } + + /* +diff --git a/hw/arm/virt.c b/hw/arm/virt.c +index 542d702513..0cc9e5f068 100644 +--- a/hw/arm/virt.c ++++ b/hw/arm/virt.c +@@ -1686,6 +1686,7 @@ static void create_pcie(VirtMachineState *vms) + qemu_fdt_setprop_cells(ms->fdt, nodename, "iommu-map", + 0x0, vms->iommu_phandle, 0x0, 0x10000); + } ++ vms->legacy_smmuv3_present = true; + break; + default: + g_assert_not_reached(); +diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h +index 94c79d6c6d..98b877c8b9 100644 +--- 
a/include/hw/arm/virt.h ++++ b/include/hw/arm/virt.h +@@ -180,6 +180,7 @@ struct VirtMachineState { + char *oem_table_id; + bool ns_el2_virt_timer_irq; + CXLState cxl_devices_state; ++ bool legacy_smmuv3_present; + }; + + #define VIRT_ECAM_ID(high) (high ? VIRT_HIGH_PCIE_ECAM : VIRT_PCIE_ECAM) +-- +2.47.3 + diff --git a/kvm-hw-arm-virt-acpi-build-Update-IORT-for-multiple-smmu.patch b/kvm-hw-arm-virt-acpi-build-Update-IORT-for-multiple-smmu.patch new file mode 100644 index 0000000..7e4267a --- /dev/null +++ b/kvm-hw-arm-virt-acpi-build-Update-IORT-for-multiple-smmu.patch 
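Review bot: `populate_smmuv3_legacy_dev()` appends a partly uninitialised struct to `sdev_blob`: `AcpiIortSMMUv3Dev sdev;` has no initialiser, and `offset` is never assigned before `g_array_append_val(sdev_blob, sdev)` copies it. In the visible hunks `build_iort()` writes `sdev->offset` in the SMMUv3 node loop before the RC mapping loop reads it, so this is hardening rather than a live bug. Declaring it as `AcpiIortSMMUv3Dev sdev = { 0 };` removes the dependency on that ordering. The body of `build_iort()` continues outside the hunks shown.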
@@ -0,0 +1,170 @@ +From f89d89a3758ebd8725e677431f1e7493c65381c2 Mon Sep 17 00:00:00 2001 +From: Shameer Kolothum +Date: Fri, 29 Aug 2025 09:25:25 +0100 +Subject: [PATCH 07/16] hw/arm/virt-acpi-build: Update IORT for multiple smmuv3 + devices + +RH-Author: Eric Auger +RH-MergeRequest: 423: hw/arm/virt: Add support for user creatable SMMUv3 device +RH-Jira: RHEL-73800 +RH-Acked-by: Gavin Shan +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Sebastian Ott +RH-Acked-by: Donald Dutile +RH-Commit: [3/11] 9cb15768a319676af16cd2cdef8b8fabfa7b6f13 (eauger1/centos-qemu-kvm) + +With the soon to be introduced user-creatable SMMUv3 devices for +virt, it is possible to have multiple SMMUv3 devices associated +with different PCIe root complexes. + +Update IORT nodes accordingly. + +An example IORT Id mappings for a Qemu virt machine with two +PCIe Root Complexes each assocaited with a SMMUv3 will +be something like below, + + -device arm-smmuv3,primary-bus=pcie.0,id=smmuv3.0 + -device arm-smmuv3,primary-bus=pcie.1,id=smmuv3.1 + ... 
+ + +--------------------+ +--------------------+ + | Root Complex 0 | | Root Complex 1 | + | | | | + | Requestor IDs | | Requestor IDs | + | 0x0000 - 0x00FF | | 0x0100 - 0x01FF | + +---------+----------+ +---------+----------+ + | | + | | + | Stream ID Mapping | + v v + +--------------------+ +--------------------+ + | SMMUv3 Node 0 | | SMMUv3 Node 1 | + | | | | + | Stream IDs 0x0000- | | Stream IDs 0x0100- | + | 0x00FF mapped from | | 0x01FF mapped from | + | RC0 Requestor IDs | | RC1 Requestor IDs | + +--------------------+ +--------------------+ + | | + | | + +----------------+---------------+ + | + |Device ID Mapping + v + +----------------------------+ + | ITS Node 0 | + | | + | Device IDs: | + | 0x0000 - 0x00FF (from RC0) | + | 0x0100 - 0x01FF (from RC1) | + | 0x0200 - 0xFFFF (No SMMU) | + +----------------------------+ + +Tested-by: Nathan Chen +Reviewed-by: Nicolin Chen +Reviewed-by: Jonathan Cameron +Reviewed-by: Eric Auger +Tested-by: Eric Auger +Tested-by: Nicolin Chen +Signed-off-by: Shameer Kolothum +Signed-off-by: Shameer Kolothum +Reviewed-by: Donald Dutile +Message-id: 20250829082543.7680-4-skolothumtho@nvidia.com +Signed-off-by: Peter Maydell +(cherry picked from commit 01e9a18730e6f56f713ed074603a8b0f2982ed26) +Signed-off-by: Eric Auger +--- + hw/arm/virt-acpi-build.c | 64 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 64 insertions(+) + +diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c +index bef4fabe56..96830f7c4e 100644 +--- a/hw/arm/virt-acpi-build.c ++++ b/hw/arm/virt-acpi-build.c +@@ -45,6 +45,7 @@ + #include "hw/acpi/generic_event_device.h" + #include "hw/acpi/tpm.h" + #include "hw/acpi/hmat.h" ++#include "hw/arm/smmuv3.h" + #include "hw/cxl/cxl.h" + #include "hw/pci/pcie_host.h" + #include "hw/pci/pci.h" +@@ -338,6 +339,67 @@ static int populate_smmuv3_legacy_dev(GArray *sdev_blob) + return sdev.rc_smmu_idmaps->len; + } + ++static int smmuv3_dev_idmap_compare(gconstpointer a, gconstpointer b) ++{ ++ 
AcpiIortSMMUv3Dev *sdev_a = (AcpiIortSMMUv3Dev *)a; ++ AcpiIortSMMUv3Dev *sdev_b = (AcpiIortSMMUv3Dev *)b; ++ AcpiIortIdMapping *map_a = &g_array_index(sdev_a->rc_smmu_idmaps, ++ AcpiIortIdMapping, 0); ++ AcpiIortIdMapping *map_b = &g_array_index(sdev_b->rc_smmu_idmaps, ++ AcpiIortIdMapping, 0); ++ return map_a->input_base - map_b->input_base; ++} ++ ++static int iort_smmuv3_devices(Object *obj, void *opaque) ++{ ++ VirtMachineState *vms = VIRT_MACHINE(qdev_get_machine()); ++ GArray *sdev_blob = opaque; ++ AcpiIortIdMapping idmap; ++ PlatformBusDevice *pbus; ++ AcpiIortSMMUv3Dev sdev; ++ int min_bus, max_bus; ++ SysBusDevice *sbdev; ++ PCIBus *bus; ++ ++ if (!object_dynamic_cast(obj, TYPE_ARM_SMMUV3)) { ++ return 0; ++ } ++ ++ bus = PCI_BUS(object_property_get_link(obj, "primary-bus", &error_abort)); ++ pbus = PLATFORM_BUS_DEVICE(vms->platform_bus_dev); ++ sbdev = SYS_BUS_DEVICE(obj); ++ sdev.base = platform_bus_get_mmio_addr(pbus, sbdev, 0); ++ sdev.base += vms->memmap[VIRT_PLATFORM_BUS].base; ++ sdev.irq = platform_bus_get_irqn(pbus, sbdev, 0); ++ sdev.irq += vms->irqmap[VIRT_PLATFORM_BUS]; ++ sdev.irq += ARM_SPI_BASE; ++ ++ pci_bus_range(bus, &min_bus, &max_bus); ++ sdev.rc_smmu_idmaps = g_array_new(false, true, sizeof(AcpiIortIdMapping)); ++ idmap.input_base = min_bus << 8, ++ idmap.id_count = (max_bus - min_bus + 1) << 8, ++ g_array_append_val(sdev.rc_smmu_idmaps, idmap); ++ g_array_append_val(sdev_blob, sdev); ++ return 0; ++} ++ ++/* ++ * Populate the struct AcpiIortSMMUv3Dev for all SMMUv3 devices and ++ * return the total number of idmaps. ++ */ ++static int populate_smmuv3_dev(GArray *sdev_blob) ++{ ++ object_child_foreach_recursive(object_get_root(), ++ iort_smmuv3_devices, sdev_blob); ++ /* Sort the smmuv3 devices(if any) by smmu idmap input_base */ ++ g_array_sort(sdev_blob, smmuv3_dev_idmap_compare); ++ /* ++ * Since each SMMUv3 dev is assocaited with specific host bridge, ++ * total number of idmaps equals to total number of smmuv3 devices. 
++ */ ++ return sdev_blob->len; ++} ++ + /* Compute ID ranges (RIDs) from RC that are directed to the ITS Group node */ + static void create_rc_its_idmaps(GArray *its_idmaps, GArray *smmuv3_devs) + { +@@ -401,6 +463,8 @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms) + + if (vms->legacy_smmuv3_present) { + rc_smmu_idmaps_len = populate_smmuv3_legacy_dev(smmuv3_devs); ++ } else { ++ rc_smmu_idmaps_len = populate_smmuv3_dev(smmuv3_devs); + } + + num_smmus = smmuv3_devs->len; +-- +2.47.3 + diff --git a/kvm-hw-pci-Introduce-pci_setup_iommu_per_bus-for-per-bus.patch b/kvm-hw-pci-Introduce-pci_setup_iommu_per_bus-for-per-bus.patch new file mode 100644 index 0000000..b22c39f --- /dev/null +++ b/kvm-hw-pci-Introduce-pci_setup_iommu_per_bus-for-per-bus.patch 
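Review bot: In `iort_smmuv3_devices()` the two `idmap` assignments end in commas instead of semicolons, so they and the following `g_array_append_val()` call are parsed as a single comma expression. It behaves as intended only because the next line happens to be an expression. The lines should read `idmap.input_base = min_bus << 8;` and `idmap.id_count = (max_bus - min_bus + 1) << 8;`. `sdev` is also declared without an initialiser, so `sdev.offset` is copied into the array unset; `AcpiIortSMMUv3Dev sdev = { 0 };` would avoid that. A short comment saying that this is the `object_child_foreach_recursive()` callback, and that it records one idmap per arm-smmuv3 device, would also help.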
@@ -0,0 +1,150 @@ +From 34d06db7ea02cd3a0a07082fef93e08bfbf0b06a Mon Sep 17 00:00:00 2001 +From: Shameer Kolothum +Date: Fri, 29 Aug 2025 09:25:28 +0100 +Subject: [PATCH 10/16] hw/pci: Introduce pci_setup_iommu_per_bus() for per-bus + IOMMU ops retrieval + +RH-Author: Eric Auger +RH-MergeRequest: 423: hw/arm/virt: Add support for user creatable SMMUv3 device +RH-Jira: RHEL-73800 +RH-Acked-by: Gavin Shan +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Sebastian Ott +RH-Acked-by: Donald Dutile +RH-Commit: [6/11] 0c41f77254cd66a3648c14c5d4ba2dfdbd396665 (eauger1/centos-qemu-kvm) + +Currently, pci_setup_iommu() registers IOMMU ops for a given PCIBus. +However, when retrieving IOMMU ops for a device using +pci_device_get_iommu_bus_devfn(), the function checks the parent_dev +and fetches IOMMU ops from the parent device, even if the current +bus does not have any associated IOMMU ops. + +This behavior works for now because QEMU's IOMMU implementations are +globally scoped, and host bridges rely on the bypass_iommu property +to skip IOMMU translation when needed. + +However, this model will break with the soon to be introduced +arm-smmuv3 device, which allows users to associate the IOMMU +with a specific PCIe root complex (e.g., the default pcie.0 +or a pxb-pcie root complex). + +For example, consider the following setup with multiple root +complexes: + +-device arm-smmuv3,primary-bus=pcie.0,id=smmuv3.0 \ +... +-device pxb-pcie,id=pcie.1,bus_nr=8,bus=pcie.0 \ +-device pcie-root-port,id=pcie.port1,bus=pcie.1 \ +-device virtio-net-pci,bus=pcie.port1 + +In Qemu, pxb-pcie acts as a special root complex whose parent is +effectively the default root complex(pcie.0). Hence, though pcie.1 +has no associated SMMUv3 as per above, pci_device_get_iommu_bus_devfn() +will incorrectly return the IOMMU ops from pcie.0 due to the fallback +via parent_dev. 
+ +To fix this, introduce a new helper pci_setup_iommu_per_bus() that +explicitly sets the new iommu_per_bus field in the PCIBus structure. +This helper will be used in a subsequent patch that adds support for +the new arm-smmuv3 device. + +Update pci_device_get_iommu_bus_devfn() to use iommu_per_bus when +determining the correct IOMMU ops, ensuring accurate behavior for +per-bus IOMMUs. + +Reviewed-by: Jonathan Cameron +Reviewed-by: Eric Auger +Tested-by: Nathan Chen +Tested-by: Eric Auger +Reviewed-by: Nicolin Chen +Tested-by: Nicolin Chen +Signed-off-by: Shameer Kolothum +Signed-off-by: Shameer Kolothum +Reviewed-by: Donald Dutile +Message-id: 20250829082543.7680-7-skolothumtho@nvidia.com +Signed-off-by: Peter Maydell +(cherry picked from commit 951bc76fb669eab96cc60e38a50097ad4435163e) +Signed-off-by: Eric Auger +--- + hw/pci/pci.c | 31 +++++++++++++++++++++++++++++++ + include/hw/pci/pci.h | 2 ++ + include/hw/pci/pci_bus.h | 1 + + 3 files changed, 34 insertions(+) + +diff --git a/hw/pci/pci.c b/hw/pci/pci.c +index c70b5ceeba..0012cc12e7 100644 +--- a/hw/pci/pci.c ++++ b/hw/pci/pci.c +@@ -2909,6 +2909,19 @@ static void pci_device_get_iommu_bus_devfn(PCIDevice *dev, + } + } + ++ /* ++ * When multiple PCI Express Root Buses are defined using pxb-pcie, ++ * the IOMMU configuration may be specific to each root bus. However, ++ * pxb-pcie acts as a special root complex whose parent is effectively ++ * the default root complex(pcie.0). Ensure that we retrieve the ++ * correct IOMMU ops(if any) in such cases. ++ */ ++ if (pci_bus_is_express(iommu_bus) && pci_bus_is_root(iommu_bus)) { ++ if (parent_bus->iommu_per_bus) { ++ break; ++ } ++ } ++ + iommu_bus = parent_bus; + } + +@@ -3169,6 +3182,24 @@ void pci_setup_iommu(PCIBus *bus, const PCIIOMMUOps *ops, void *opaque) + bus->iommu_opaque = opaque; + } + ++/* ++ * Similar to pci_setup_iommu(), but sets iommu_per_bus to true, ++ * indicating that the IOMMU is specific to this bus. 
This is used by ++ * IOMMU implementations that are tied to a specific PCIe root complex. ++ * ++ * In QEMU, pxb-pcie behaves as a special root complex whose parent is ++ * effectively the default root complex (pcie.0). The iommu_per_bus ++ * is checked in pci_device_get_iommu_bus_devfn() to ensure the correct ++ * IOMMU ops are returned, avoiding the use of the parent’s IOMMU when ++ * it's not appropriate. ++ */ ++void pci_setup_iommu_per_bus(PCIBus *bus, const PCIIOMMUOps *ops, ++ void *opaque) ++{ ++ pci_setup_iommu(bus, ops, opaque); ++ bus->iommu_per_bus = true; ++} ++ + static void pci_dev_get_w64(PCIBus *b, PCIDevice *dev, void *opaque) + { + Range *range = opaque; +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 6b7d3ac8a3..6bccb25ac2 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -773,6 +773,8 @@ int pci_iommu_unregister_iotlb_notifier(PCIDevice *dev, uint32_t pasid, + */ + void pci_setup_iommu(PCIBus *bus, const PCIIOMMUOps *ops, void *opaque); + ++void pci_setup_iommu_per_bus(PCIBus *bus, const PCIIOMMUOps *ops, void *opaque); ++ + pcibus_t pci_bar_address(PCIDevice *d, + int reg, uint8_t type, pcibus_t size); + +diff --git a/include/hw/pci/pci_bus.h b/include/hw/pci/pci_bus.h +index 2261312546..c738446788 100644 +--- a/include/hw/pci/pci_bus.h ++++ b/include/hw/pci/pci_bus.h +@@ -35,6 +35,7 @@ struct PCIBus { + enum PCIBusFlags flags; + const PCIIOMMUOps *iommu_ops; + void *iommu_opaque; ++ bool iommu_per_bus; + uint8_t devfn_min; + uint32_t slot_reserved_mask; + pci_set_irq_fn set_irq; +-- +2.47.3 + diff --git a/kvm-io-fix-use-after-free-in-websocket-handshake-code.patch b/kvm-io-fix-use-after-free-in-websocket-handshake-code.patch new file mode 100644 index 0000000..5c59ad0 --- /dev/null +++ b/kvm-io-fix-use-after-free-in-websocket-handshake-code.patch 
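Review bot: The `pci_setup_iommu_per_bus()` prototype added to include/hw/pci/pci.h and the `iommu_per_bus` field added to `struct PCIBus` carry no documentation, whereas the neighbouring `pci_setup_iommu()` prototype appears to sit under a doc comment. The explanation exists only above the definition in pci.c, where a reader of the header will not see it. The prototype should get a doc comment covering `bus`, `ops` and `opaque`, stating that the call marks the IOMMU as specific to that root bus so that `pci_device_get_iommu_bus_devfn()` stops before falling back to the parent's ops. The field could carry `/* IOMMU ops apply to this root bus only, see pci_setup_iommu_per_bus() */`. `pci_device_get_iommu_bus_devfn()` starts and ends outside the hunk.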
@@ -0,0 +1,189 @@ +From 728cf99416aaaae2cc0fca6ee88f28ccec33d697 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Tue, 4 Nov 2025 17:28:47 -0500 +Subject: [PATCH 02/16] io: fix use after free in websocket handshake code +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +RH-MergeRequest: 419: io: move websock resource release to close method +RH-Jira: RHEL-120116 +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Miroslav Rezanina +RH-Commit: [2/2] acdb5414387815a8b2f0a84a151990875947e855 (jmaloy/jmaloy-qemu-kvm-2) + +JIRA: https://issues.redhat.com/browse/RHEL-120116 +CVE: CVE-2025-11234 + +commit b7a1f2ca45c7865b9e98e02ae605a65fc9458ae9 +Author: Daniel P. Berrangé +Date: Tue Sep 30 12:03:15 2025 +0100 + + io: fix use after free in websocket handshake code + + If the QIOChannelWebsock object is freed while it is waiting to + complete a handshake, a GSource is leaked. This can lead to the + callback firing later on and triggering a use-after-free in the + use of the channel. 
This was observed in the VNC server with the + following trace from valgrind: + + ==2523108== Invalid read of size 4 + ==2523108== at 0x4054A24: vnc_disconnect_start (vnc.c:1296) + ==2523108== by 0x4054A24: vnc_client_error (vnc.c:1392) + ==2523108== by 0x4068A09: vncws_handshake_done (vnc-ws.c:105) + ==2523108== by 0x44863B4: qio_task_complete (task.c:197) + ==2523108== by 0x448343D: qio_channel_websock_handshake_io (channel-websock.c:588) + ==2523108== by 0x6EDB862: UnknownInlinedFun (gmain.c:3398) + ==2523108== by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249) + ==2523108== by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237) + ==2523108== by 0x45EC79F: glib_pollfds_poll (main-loop.c:287) + ==2523108== by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310) + ==2523108== by 0x45EC79F: main_loop_wait (main-loop.c:589) + ==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835) + ==2523108== by 0x454F300: qemu_default_main (main.c:37) + ==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58) + ==2523108== Address 0x57a6e0dc is 28 bytes inside a block of size 103,608 free'd + ==2523108== at 0x5F2FE43: free (vg_replace_malloc.c:989) + ==2523108== by 0x6EDC444: g_free (gmem.c:208) + ==2523108== by 0x4053F23: vnc_update_client (vnc.c:1153) + ==2523108== by 0x4053F23: vnc_refresh (vnc.c:3225) + ==2523108== by 0x4042881: dpy_refresh (console.c:880) + ==2523108== by 0x4042881: gui_update (console.c:90) + ==2523108== by 0x45EFA1B: timerlist_run_timers.part.0 (qemu-timer.c:562) + ==2523108== by 0x45EFC8F: timerlist_run_timers (qemu-timer.c:495) + ==2523108== by 0x45EFC8F: qemu_clock_run_timers (qemu-timer.c:576) + ==2523108== by 0x45EFC8F: qemu_clock_run_all_timers (qemu-timer.c:663) + ==2523108== by 0x45EC765: main_loop_wait (main-loop.c:600) + ==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835) + ==2523108== by 0x454F300: qemu_default_main (main.c:37) + ==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58) + ==2523108== 
Block was alloc'd at + ==2523108== at 0x5F343F3: calloc (vg_replace_malloc.c:1675) + ==2523108== by 0x6EE2F81: g_malloc0 (gmem.c:133) + ==2523108== by 0x4057DA3: vnc_connect (vnc.c:3245) + ==2523108== by 0x448591B: qio_net_listener_channel_func (net-listener.c:54) + ==2523108== by 0x6EDB862: UnknownInlinedFun (gmain.c:3398) + ==2523108== by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249) + ==2523108== by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237) + ==2523108== by 0x45EC79F: glib_pollfds_poll (main-loop.c:287) + ==2523108== by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310) + ==2523108== by 0x45EC79F: main_loop_wait (main-loop.c:589) + ==2523108== by 0x423A56D: qemu_main_loop (runstate.c:835) + ==2523108== by 0x454F300: qemu_default_main (main.c:37) + ==2523108== by 0x73D6574: (below main) (libc_start_call_main.h:58) + ==2523108== + + The above can be reproduced by launching QEMU with + + $ qemu-system-x86_64 -vnc localhost:0,websocket=5700 + + and then repeatedly running: + + for i in {1..100}; do + (echo -n "GET / HTTP/1.1" && sleep 0.05) | nc -w 1 localhost 5700 & + done + + CVE-2025-11234 + Reported-by: Grant Millar | Cylo + Reviewed-by: Eric Blake + 
Signed-off-by: Daniel P. Berrangé + +Signed-off-by: Jon Maloy +--- + include/io/channel-websock.h | 3 ++- + io/channel-websock.c | 22 ++++++++++++++++------ + 2 files changed, 18 insertions(+), 7 deletions(-) + +diff --git a/include/io/channel-websock.h b/include/io/channel-websock.h +index e180827c57..6700cf8946 100644 +--- a/include/io/channel-websock.h ++++ b/include/io/channel-websock.h +@@ -61,7 +61,8 @@ struct QIOChannelWebsock { + size_t payload_remain; + size_t pong_remain; + QIOChannelWebsockMask mask; +- guint io_tag; ++ guint hs_io_tag; /* tracking handshake task */ ++ guint io_tag; /* tracking watch task */ + Error *io_err; + gboolean io_eof; + uint8_t opcode; +diff --git a/io/channel-websock.c b/io/channel-websock.c +index a19b902ff9..ec5e09f9ab 100644 +--- a/io/channel-websock.c ++++ b/io/channel-websock.c +@@ -545,6 +545,7 @@ static gboolean qio_channel_websock_handshake_send(QIOChannel *ioc, + trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err)); + qio_task_set_error(task, err); + qio_task_complete(task); ++ wioc->hs_io_tag = 0; + return FALSE; + } + +@@ -560,6 +561,7 @@ static gboolean qio_channel_websock_handshake_send(QIOChannel *ioc, + trace_qio_channel_websock_handshake_complete(ioc); + qio_task_complete(task); + } ++ wioc->hs_io_tag = 0; + return FALSE; + } + trace_qio_channel_websock_handshake_pending(ioc, G_IO_OUT); +@@ -586,6 +588,7 @@ static gboolean qio_channel_websock_handshake_io(QIOChannel *ioc, + trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err)); + qio_task_set_error(task, err); + qio_task_complete(task); ++ wioc->hs_io_tag = 0; + return FALSE; + } + if (ret == 0) { +@@ -597,7 +600,7 @@ static gboolean qio_channel_websock_handshake_io(QIOChannel *ioc, + error_propagate(&wioc->io_err, err); + + trace_qio_channel_websock_handshake_reply(ioc); +- qio_channel_add_watch( ++ wioc->hs_io_tag = qio_channel_add_watch( + wioc->master, + G_IO_OUT, + qio_channel_websock_handshake_send, +@@ -907,11 +910,12 @@ 
void qio_channel_websock_handshake(QIOChannelWebsock *ioc, + + trace_qio_channel_websock_handshake_start(ioc); + trace_qio_channel_websock_handshake_pending(ioc, G_IO_IN); +- qio_channel_add_watch(ioc->master, +- G_IO_IN, +- qio_channel_websock_handshake_io, +- task, +- NULL); ++ ioc->hs_io_tag = qio_channel_add_watch( ++ ioc->master, ++ G_IO_IN, ++ qio_channel_websock_handshake_io, ++ task, ++ NULL); + } + + +@@ -922,6 +926,9 @@ static void qio_channel_websock_finalize(Object *obj) + buffer_free(&ioc->encinput); + buffer_free(&ioc->encoutput); + buffer_free(&ioc->rawinput); ++ if (ioc->hs_io_tag) { ++ g_source_remove(ioc->hs_io_tag); ++ } + if (ioc->io_tag) { + g_source_remove(ioc->io_tag); + } +@@ -1222,6 +1229,9 @@ static int qio_channel_websock_close(QIOChannel *ioc, + buffer_free(&wioc->encinput); + buffer_free(&wioc->encoutput); + buffer_free(&wioc->rawinput); ++ if (wioc->hs_io_tag) { ++ g_clear_handle_id(&wioc->hs_io_tag, g_source_remove); ++ } + if (wioc->io_tag) { + g_clear_handle_id(&wioc->io_tag, g_source_remove); + } +-- +2.47.3 + diff --git a/kvm-io-move-websock-resource-release-to-close-method.patch b/kvm-io-move-websock-resource-release-to-close-method.patch new file mode 100644 index 0000000..052a53e --- /dev/null +++ b/kvm-io-move-websock-resource-release-to-close-method.patch 
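Review bot: In `qio_channel_websock_handshake_send()` and `qio_channel_websock_handshake_io()` the new `wioc->hs_io_tag = 0;` runs after `qio_task_complete(task)`, the call that invokes the consumer's callback. The valgrind trace in the commit message shows that call reaching `vncws_handshake_done` and `vnc_client_error`. If the callback closes the channel, `qio_channel_websock_close()` still sees a non-zero tag and removes the source that is currently dispatching. If completing the task also drops the last reference to the channel, the store afterwards would write to a freed object; whether either can happen depends on code outside these hunks. Placing `wioc->hs_io_tag = 0;` before each `qio_task_complete(task);` avoids both cases; both functions begin and end outside the hunks.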
@@ -0,0 +1,84 @@ +From 9aaede253bb55035f0a1171fb1c4eda847ca9493 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Tue, 4 Nov 2025 17:23:29 -0500 +Subject: [PATCH 01/16] io: move websock resource release to close method +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +RH-MergeRequest: 419: io: move websock resource release to close method +RH-Jira: RHEL-120116 +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Miroslav Rezanina +RH-Commit: [1/2] ca3067b2afed8d770626436b77fdd90bd5cb22e7 (jmaloy/jmaloy-qemu-kvm-2) + +JIRA: https://issues.redhat.com/browse/RHEL-120116 +CVE: CVE-2025-11234 + +commit 322c3c4f3abee616a18b3bfe563ec29dd67eae63 +Author: Daniel P. Berrangé +Date: Tue Sep 30 11:58:35 2025 +0100 + + io: move websock resource release to close method + + The QIOChannelWebsock object releases all its resources in the + finalize callback. This is later than desired, as callers expect + to be able to call qio_channel_close() to fully close a channel + and release resources related to I/O. + + The logic in the finalize method is at most a failsafe to handle + cases where a consumer forgets to call qio_channel_close. + + This adds equivalent logic to the close method to release the + resources, using g_clear_handle_id/g_clear_pointer to be robust + against repeated invocations. The finalize method is tweaked + so that the GSource is removed before releasing the underlying + channel. + + Reviewed-by: Eric Blake + 
Signed-off-by: Daniel P. Berrangé + +Signed-off-by: Jon Maloy +--- + io/channel-websock.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/io/channel-websock.c b/io/channel-websock.c +index 08ddb274f0..a19b902ff9 100644 +--- a/io/channel-websock.c ++++ b/io/channel-websock.c +@@ -922,13 +922,13 @@ static void qio_channel_websock_finalize(Object *obj) + buffer_free(&ioc->encinput); + buffer_free(&ioc->encoutput); + buffer_free(&ioc->rawinput); +- object_unref(OBJECT(ioc->master)); + if (ioc->io_tag) { + g_source_remove(ioc->io_tag); + } + if (ioc->io_err) { + error_free(ioc->io_err); + } ++ object_unref(OBJECT(ioc->master)); + } + + +@@ -1219,6 +1219,15 @@ static int qio_channel_websock_close(QIOChannel *ioc, + QIOChannelWebsock *wioc = QIO_CHANNEL_WEBSOCK(ioc); + + trace_qio_channel_websock_close(ioc); ++ buffer_free(&wioc->encinput); ++ buffer_free(&wioc->encoutput); ++ buffer_free(&wioc->rawinput); ++ if (wioc->io_tag) { ++ g_clear_handle_id(&wioc->io_tag, g_source_remove); ++ } ++ if (wioc->io_err) { ++ g_clear_pointer(&wioc->io_err, error_free); ++ } + return qio_channel_close(wioc->master, errp); + } + +-- +2.47.3 + diff --git a/kvm-qemu-options.hx-Document-the-arm-smmuv3-device.patch b/kvm-qemu-options.hx-Document-the-arm-smmuv3-device.patch new file mode 100644 index 0000000..a6fee5b --- /dev/null +++ b/kvm-qemu-options.hx-Document-the-arm-smmuv3-device.patch 
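Review bot: The `if (wioc->io_tag)` and `if (wioc->io_err)` guards added to `qio_channel_websock_close()` are redundant, because `g_clear_handle_id()` and `g_clear_pointer()` already do nothing when the value is 0 or NULL. The block can be reduced to `g_clear_handle_id(&wioc->io_tag, g_source_remove);` followed by `g_clear_pointer(&wioc->io_err, error_free);`. A comment such as `/* Safe to call more than once; finalize repeats this as a failsafe */` would record the intent given in the commit message. The same guard pattern is used for `hs_io_tag` in the websocket handshake fix in this series. The function begins outside the hunk.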
@@ -0,0 +1,53 @@
+From bf0ecadea242c05671bf057fc45d8c58862032d3 Mon Sep 17 00:00:00 2001
+From: Shameer Kolothum
+Date: Fri, 29 Aug 2025 09:25:30 +0100
+Subject: [PATCH 12/16] qemu-options.hx: Document the arm-smmuv3 device
+
+RH-Author: Eric Auger
+RH-MergeRequest: 423: hw/arm/virt: Add support for user creatable SMMUv3 device
+RH-Jira: RHEL-73800
+RH-Acked-by: Gavin Shan
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Sebastian Ott
+RH-Acked-by: Donald Dutile
+RH-Commit: [8/11] 775310b784fd7631a58e8bab1e8fcc36973fceca (eauger1/centos-qemu-kvm)
+
+Now that arm,virt can have user-creatable smmuv3 devices, document it.
+
+Reviewed-by: Jonathan Cameron
+Reviewed-by: Eric Auger
+Tested-by: Eric Auger
+Tested-by: Nicolin Chen
+Signed-off-by: Shameer Kolothum
+Signed-off-by: Shameer Kolothum
+Reviewed-by: Donald Dutile
+Reviewed-by: Nicolin Chen
+Message-id: 20250829082543.7680-9-skolothumtho@nvidia.com
+Signed-off-by: Peter Maydell
+(cherry picked from commit 73d3d0187bc6b482d8b15116edce1475c7975b89)
+Signed-off-by: Eric Auger
+---
+ qemu-options.hx | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/qemu-options.hx b/qemu-options.hx
+index 3837456a61..5f146c1860 100644
+--- a/qemu-options.hx
++++ b/qemu-options.hx
+@@ -1231,6 +1231,13 @@ SRST
+ ``aw-bits=val`` (val between 32 and 64, default depends on machine)
+ This decides the address width of the IOVA address space.
+
++``-device arm-smmuv3,primary-bus=id``
++ This is only supported by ``-machine virt`` (ARM).
++
++ ``primary-bus=id``
++ Accepts either the default root complex (pcie.0) or a
++ pxb-pcie based root complex.
++
+ ERST
+
+ DEF("name", HAS_ARG, QEMU_OPTION_name,
+--
+2.47.3
+
diff --git a/kvm-qtest-Do-not-run-bios-tables-test-on-aarch64.patch b/kvm-qtest-Do-not-run-bios-tables-test-on-aarch64.patch
new file mode 100644
index 0000000..d048675
--- /dev/null
+++ b/kvm-qtest-Do-not-run-bios-tables-test-on-aarch64.patch
@@ -0,0 +1,30 @@
+From 3b21c60b771087e7d566bf738e04e01a7a1bdf09 Mon Sep 17 00:00:00 2001
+From: Miroslav Rezanina
+Date: Fri, 14 Nov 2025 06:46:07 +0100
+Subject: [PATCH 16/16] qtest: Do not run bios-tables-test on aarch64
+
+We do several disruptive downstream only changes that make
+bios-tables-test to fail. Disabling it for now.
+
+This is done to enable fixing RHEL-126573 and RHEL-67323.
+
+Signed-off-by: Miroslav Rezanina
+---
+ tests/qtest/meson.build | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
+index ef44ffaf78..13b52ea41a 100644
+--- a/tests/qtest/meson.build
++++ b/tests/qtest/meson.build
+@@ -252,7 +252,6 @@ qtests_arm = \
+
+ # TODO: once aarch64 TCG is fixed on ARM 32 bit host, make bios-tables-test unconditional
+ qtests_aarch64 = \
+- (cpu != 'arm' and unpack_edk2_blobs ? ['bios-tables-test'] : []) + \
+ (config_all_accel.has_key('CONFIG_TCG') and config_all_devices.has_key('CONFIG_TPM_TIS_SYSBUS') ? \
+ ['tpm-tis-device-test', 'tpm-tis-device-swtpm-test'] : []) + \
+ (config_all_devices.has_key('CONFIG_XLNX_ZYNQMP_ARM') ? ['xlnx-can-test', 'fuzz-xlnx-dp-test'] : []) + \
+--
+2.47.3
+
diff --git a/kvm-qtest-bios-tables-test-Add-tests-for-legacy-smmuv3-a.patch b/kvm-qtest-bios-tables-test-Add-tests-for-legacy-smmuv3-a.patch
new file mode 100644
index 0000000..4ab008d
--- /dev/null
+++ b/kvm-qtest-bios-tables-test-Add-tests-for-legacy-smmuv3-a.patch
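Review bot: Removing `bios-tables-test` from `qtests_aarch64` leaves the `# TODO: once aarch64 TCG is fixed on ARM 32 bit host, make bios-tables-test unconditional` comment describing an entry that is no longer in the list, and nothing in the file marks the removal as a downstream-only change. A replacement comment such as `# RHEL: bios-tables-test disabled for now, see RHEL-126573 and RHEL-67323` would keep the reason next to the code. The same series adds the `acpi/virt/smmuv3-legacy` and `acpi/virt/smmuv3-dev` cases to that test, so on aarch64 they presumably never run and the IORT layout for the new SMMUv3 device, including the `bypass_iommu` mapping, goes unchecked in this build. The `qtests_aarch64` expression continues past the end of the hunk.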
@@ -0,0 +1,160 @@
+From 51ec91309c99a5d81b53c2762d18c073f672e45a Mon Sep 17 00:00:00 2001
+From: Shameer Kolothum
+Date: Fri, 29 Aug 2025 09:25:32 +0100
+Subject: [PATCH 14/16] qtest/bios-tables-test: Add tests for legacy smmuv3 and
+ smmuv3 device
+
+RH-Author: Eric Auger
+RH-MergeRequest: 423: hw/arm/virt: Add support for user creatable SMMUv3 device
+RH-Jira: RHEL-73800
+RH-Acked-by: Gavin Shan
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Sebastian Ott
+RH-Acked-by: Donald Dutile
+RH-Commit: [10/11] 101ed34313636fdc11f7fbdedbe2f91671b84c4b (eauger1/centos-qemu-kvm)
+
+For the legacy SMMUv3 test, the setup includes three PCIe Root Complexes,
+one of which has bypass_iommu enabled. The generated IORT table contains
+a single SMMUv3 node, a Root Complex(RC) node and 1 ITS node.
+RC node features 4 ID mappings, of which 2 points to SMMU node and the
+remaining ones points to ITS.
+
+ pcie.0 -> {SMMU0} -> {ITS}
+{RC} pcie.1 -> {SMMU0} -> {ITS}
+ pcie.2 -> {ITS}
+ [all other ids] -> {ITS}
+
+For the -device arm-smmuv3,... test, the configuration also includes three
+Root Complexes, with two connected to separate SMMUv3 devices.
+The resulting IORT table contains 1 RC node, 2 SMMU nodes and 1 ITS node.
+RC node features 4 ID mappings. 2 of them target the 2 SMMU nodes while
+the others targets the ITS.
+
+ pcie.0 -> {SMMU0} -> {ITS}
+{RC} pcie.1 -> {SMMU1} -> {ITS}
+ pcie.2 -> {ITS}
+ [all other ids] -> {ITS}
+
+Reviewed-by: Jonathan Cameron
+Reviewed-by: Eric Auger
+Tested-by: Eric Auger
+Tested-by: Nicolin Chen
+Signed-off-by: Shameer Kolothum
+Signed-off-by: Shameer Kolothum
+Reviewed-by: Donald Dutile
+Reviewed-by: Nicolin Chen
+Message-id: 20250829082543.7680-11-skolothumtho@nvidia.com
+Signed-off-by: Peter Maydell
+(cherry picked from commit 3f8cd046c151c471d9a34181320f4a7d3f72b32a)
+Signed-off-by: Eric Auger
+---
+ tests/qtest/bios-tables-test.c | 86 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 86 insertions(+)
+
+diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
+index 386196edc8..a384aac1be 100644
+--- a/tests/qtest/bios-tables-test.c
++++ b/tests/qtest/bios-tables-test.c
+@@ -2343,6 +2343,86 @@ static void test_acpi_aarch64_virt_viot(void)
+ free_test_data(&data);
+ }
+
++static void test_acpi_aarch64_virt_smmuv3_legacy(void)
++{
++ test_data data = {
++ .machine = "virt",
++ .arch = "aarch64",
++ .tcg_only = true,
++ .uefi_fl1 = "pc-bios/edk2-aarch64-code.fd",
++ .uefi_fl2 = "pc-bios/edk2-arm-vars.fd",
++ .ram_start = 0x40000000ULL,
++ .scan_len = 128ULL * MiB,
++ };
++
++ /*
++ * cdrom is plugged into scsi controller to avoid conflict
++ * with pxb-pcie. See comments in test_acpi_aarch64_virt_tcg_pxb() for
++ * details.
++ *
++ * The setup includes three PCIe root complexes, one of which has
++ * bypass_iommu enabled. The generated IORT table contains a single
++ * SMMUv3 node and a Root Complex node with three ID mappings. Two
++ * of the ID mappings have output references pointing to the SMMUv3
++ * node and the remaining one points to ITS.
++ */
++ data.variant = ".smmuv3-legacy";
++ test_acpi_one(" -device pcie-root-port,chassis=1,id=pci.1"
++ " -device virtio-scsi-pci,id=scsi0,bus=pci.1"
++ " -drive file="
++ "tests/data/uefi-boot-images/bios-tables-test.aarch64.iso.qcow2,"
++ "if=none,media=cdrom,id=drive-scsi0-0-0-1,readonly=on"
++ " -device scsi-cd,bus=scsi0.0,scsi-id=0,"
++ "drive=drive-scsi0-0-0-1,id=scsi0-0-0-1,bootindex=1"
++ " -cpu cortex-a57"
++ " -M iommu=smmuv3"
++ " -device pxb-pcie,id=pcie.1,bus=pcie.0,bus_nr=0x10"
++ " -device pxb-pcie,id=pcie.2,bus=pcie.0,bus_nr=0x20,bypass_iommu=on",
++ &data);
++ free_test_data(&data);
++}
++
++static void test_acpi_aarch64_virt_smmuv3_dev(void)
++{
++ test_data data = {
++ .machine = "virt",
++ .arch = "aarch64",
++ .tcg_only = true,
++ .uefi_fl1 = "pc-bios/edk2-aarch64-code.fd",
++ .uefi_fl2 = "pc-bios/edk2-arm-vars.fd",
++ .ram_start = 0x40000000ULL,
++ .scan_len = 128ULL * MiB,
++ };
++
++ /*
++ * cdrom is plugged into scsi controller to avoid conflict
++ * with pxb-pcie. See comments in test_acpi_aarch64_virt_tcg_pxb()
++ * for details.
++ *
++ * The setup includes three PCie root complexes, two of which are
++ * connected to separate SMMUv3 devices. The resulting IORT table
++ * contains two SMMUv3 nodes and a Root Complex node with ID mappings
++ * of which two of the ID mappings have output references pointing
++ * to two different SMMUv3 nodes and the remaining ones pointing to
++ * ITS.
++ */
++ data.variant = ".smmuv3-dev";
++ test_acpi_one(" -device pcie-root-port,chassis=1,id=pci.1"
++ " -device virtio-scsi-pci,id=scsi0,bus=pci.1"
++ " -drive file="
++ "tests/data/uefi-boot-images/bios-tables-test.aarch64.iso.qcow2,"
++ "if=none,media=cdrom,id=drive-scsi0-0-0-1,readonly=on"
++ " -device scsi-cd,bus=scsi0.0,scsi-id=0,"
++ "drive=drive-scsi0-0-0-1,id=scsi0-0-0-1,bootindex=1"
++ " -cpu cortex-a57"
++ " -device arm-smmuv3,primary-bus=pcie.0,id=smmuv3.0"
++ " -device pxb-pcie,id=pcie.1,bus=pcie.0,bus_nr=0x10"
++ " -device arm-smmuv3,primary-bus=pcie.1,id=smmuv3.1"
++ " -device pxb-pcie,id=pcie.2,bus=pcie.0,bus_nr=0x20",
++ &data);
++ free_test_data(&data);
++}
++
+ #ifndef _WIN32
+ # define DEV_NULL "/dev/null"
+ #else
+@@ -2776,6 +2856,12 @@ int main(int argc, char *argv[])
+ if (qtest_has_device("virtio-iommu-pci")) {
+ qtest_add_func("acpi/virt/viot", test_acpi_aarch64_virt_viot);
+ }
++ qtest_add_func("acpi/virt/smmuv3-legacy",
++ test_acpi_aarch64_virt_smmuv3_legacy);
++ if (qtest_has_device("arm-smmuv3")) {
++ qtest_add_func("acpi/virt/smmuv3-dev",
++ test_acpi_aarch64_virt_smmuv3_dev);
++ }
+ }
+ #if 0 /* Disabled for Red Hat Enterprise Linux */
+ } else if (strcmp(arch, "riscv64") == 0) {
+--
+2.47.3
+
diff --git a/kvm-qtest-bios-tables-test-Update-tables-for-smmuv3-test.patch b/kvm-qtest-bios-tables-test-Update-tables-for-smmuv3-test.patch
new file mode 100644
index 0000000..9273081
--- /dev/null
+++ b/kvm-qtest-bios-tables-test-Update-tables-for-smmuv3-test.patch
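Review bot: The block comment in `test_acpi_aarch64_virt_smmuv3_legacy()` says the Root Complex node has "three ID mappings" with "the remaining one" pointing to ITS, but the commit message for the same test describes 4 ID mappings, two to the SMMUv3 node and two to ITS, and the expected IORT dump in the following table-update patch shows `Mapping Count : 00000004` for the RC node. The two comment lines should read `* SMMUv3 node and a Root Complex node with four ID mappings. Two` and `* node and the remaining two point to ITS.`, so that a reader checking which IDs are translated by the SMMU and which bypass it is not misled. The sibling comment in `test_acpi_aarch64_virt_smmuv3_dev()` spells `PCie`, which should be `PCIe`.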
@@ -0,0 +1,282 @@
+From d6f27731c3d469f4ba68807a4c1f8ee534cc9d57 Mon Sep 17 00:00:00 2001
+From: Shameer Kolothum
+Date: Fri, 29 Aug 2025 09:25:33 +0100
+Subject: [PATCH 15/16] qtest/bios-tables-test: Update tables for smmuv3 tests
+
+RH-Author: Eric Auger
+RH-MergeRequest: 423: hw/arm/virt: Add support for user creatable SMMUv3 device
+RH-Jira: RHEL-73800
+RH-Acked-by: Gavin Shan
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Sebastian Ott
+RH-Acked-by: Donald Dutile
+RH-Commit: [11/11] 88cb1daec4e92b759f12a96daacd46fc4656eacd (eauger1/centos-qemu-kvm)
+
+For the legacy smmuv3 test case, generated IORT has a single SMMUv3 node,
+a Root Complex(RC) node and 1 ITS node.
+RC node features 4 ID mappings, of which 2 points to SMMU node and the
+remaining ones points to ITS.
+
+ pcie.0 -> {SMMU0} -> {ITS}
+{RC} pcie.1 -> {SMMU0} -> {ITS}
+ pcie.2 -> {ITS}
+ [all other ids] -> {ITS}
+
+...
+[030h 0048 1] Type : 00
+[031h 0049 2] Length : 0018
+[033h 0051 1] Revision : 01
+[034h 0052 4] Identifier : 00000000
+[038h 0056 4] Mapping Count : 00000000
+[03Ch 0060 4] Mapping Offset : 00000000
+
+[040h 0064 4] ItsCount : 00000001
+[044h 0068 4] Identifiers : 00000000
+
+[048h 0072 1] Type : 04
+[049h 0073 2] Length : 0058
+[04Bh 0075 1] Revision : 04
+[04Ch 0076 4] Identifier : 00000001
+[050h 0080 4] Mapping Count : 00000001
+[054h 0084 4] Mapping Offset : 00000044
+
+[058h 0088 8] Base Address : 0000000009050000
+[060h 0096 4] Flags (decoded below) : 00000001
+ COHACC Override : 1
+ HTTU Override : 0
+ Proximity Domain Valid : 0
+[064h 0100 4] Reserved : 00000000
+[068h 0104 8] VATOS Address : 0000000000000000
+[070h 0112 4] Model : 00000000
+[074h 0116 4] Event GSIV : 0000006A
+[078h 0120 4] PRI GSIV : 0000006B
+[07Ch 0124 4] GERR GSIV : 0000006D
+[080h 0128 4] Sync GSIV : 0000006C
+[084h 0132 4] Proximity Domain : 00000000
+[088h 0136 4] Device ID Mapping Index : 00000000
+
+[08Ch 0140 4] Input base : 00000000
+[090h 0144 4] ID Count : 0000FFFF
+[094h 0148 4] Output Base : 00000000
+[098h 0152 4] Output Reference : 00000030
+[09Ch 0156 4] Flags (decoded below) : 00000000
+ Single Mapping : 0
+
+[0A0h 0160 1] Type : 02
+[0A1h 0161 2] Length : 0074
+[0A3h 0163 1] Revision : 03
+[0A4h 0164 4] Identifier : 00000002
+[0A8h 0168 4] Mapping Count : 00000004
+[0ACh 0172 4] Mapping Offset : 00000024
+
+[0B0h 0176 8] Memory Properties : [IORT Memory Access Properties]
+[0B0h 0176 4] Cache Coherency : 00000001
+[0B4h 0180 1] Hints (decoded below) : 00
+ Transient : 0
+ Write Allocate : 0
+ Read Allocate : 0
+ Override : 0
+[0B5h 0181 2] Reserved : 0000
+[0B7h 0183 1] Memory Flags (decoded below) : 03
+ Coherency : 1
+ Device Attribute : 1
+[0B8h 0184 4] ATS Attribute : 00000000
+[0BCh 0188 4] PCI Segment Number : 00000000
+[0C0h 0192 1] Memory Size Limit : 40
+[0C1h 0193 2] PASID Capabilities : 0000
+[0C3h 0195 1] Reserved : 00
+
+[0C4h 0196 4] Input base : 00000000
+[0C8h 0200 4] ID Count : 000001FF
+[0CCh 0204 4] Output Base : 00000000
+[0D0h 0208 4] Output Reference : 00000048
+[0D4h 0212 4] Flags (decoded below) : 00000000
+ Single Mapping : 0
+
+[0D8h 0216 4] Input base : 00001000
+[0DCh 0220 4] ID Count : 000000FF
+[0E0h 0224 4] Output Base : 00001000
+[0E4h 0228 4] Output Reference : 00000048
+[0E8h 0232 4] Flags (decoded below) : 00000000
+ Single Mapping : 0
+
+[0ECh 0236 4] Input base : 00000200
+[0F0h 0240 4] ID Count : 00000DFF
+[0F4h 0244 4] Output Base : 00000200
+[0F8h 0248 4] Output Reference : 00000030
+[0FCh 0252 4] Flags (decoded below) : 00000000
+ Single Mapping : 0
+
+[100h 0256 4] Input base : 00001100
+[104h 0260 4] ID Count : 0000EEFF
+[108h 0264 4] Output Base : 00001100
+[10Ch 0268 4] Output Reference : 00000030
+[110h 0272 4] Flags (decoded below) : 00000000
+ Single Mapping : 0
+
+For the smmuv3-dev test case, IORT has 2 SMMUV3 nodes,
+1 RC node and 1 ITS node.
+RC node features 4 ID mappings. 2 of them target the 2
+SMMU nodes while the others targets the ITS.
+
+ pcie.0 -> {SMMU0} -> {ITS}
+{RC} pcie.1 -> {SMMU1} -> {ITS}
+ pcie.2 -> {ITS}
+ [all other ids] -> {ITS}
+...
+[030h 0048 1] Type : 00
+[031h 0049 2] Length : 0018
+[033h 0051 1] Revision : 01
+[034h 0052 4] Identifier : 00000000
+[038h 0056 4] Mapping Count : 00000000
+[03Ch 0060 4] Mapping Offset : 00000000
+
+[040h 0064 4] ItsCount : 00000001
+[044h 0068 4] Identifiers : 00000000
+
+[048h 0072 1] Type : 04
+[049h 0073 2] Length : 0058
+[04Bh 0075 1] Revision : 04
+[04Ch 0076 4] Identifier : 00000001
+[050h 0080 4] Mapping Count : 00000001
+[054h 0084 4] Mapping Offset : 00000044
+
+[058h 0088 8] Base Address : 000000000C000000
+[060h 0096 4] Flags (decoded below) : 00000001
+ COHACC Override : 1
+ HTTU Override : 0
+ Proximity Domain Valid : 0
+[064h 0100 4] Reserved : 00000000
+[068h 0104 8] VATOS Address : 0000000000000000
+[070h 0112 4] Model : 00000000
+[074h 0116 4] Event GSIV : 00000090
+[078h 0120 4] PRI GSIV : 00000091
+[07Ch 0124 4] GERR GSIV : 00000093
+[080h 0128 4] Sync GSIV : 00000092
+[084h 0132 4] Proximity Domain : 00000000
+[088h 0136 4] Device ID Mapping Index : 00000000
+
+[08Ch 0140 4] Input base : 00000000
+[090h 0144 4] ID Count : 0000FFFF
+[094h 0148 4] Output Base : 00000000
+[098h 0152 4] Output Reference : 00000030
+[09Ch 0156 4] Flags (decoded below) : 00000000
+ Single Mapping : 0
+
+[0A0h 0160 1] Type : 04
+[0A1h 0161 2] Length : 0058
+[0A3h 0163 1] Revision : 04
+[0A4h 0164 4] Identifier : 00000002
+[0A8h 0168 4] Mapping Count : 00000001
+[0ACh 0172 4] Mapping Offset : 00000044
+
+[0B0h 0176 8] Base Address : 000000000C020000
+[0B8h 0184 4] Flags (decoded below) : 00000001
+ COHACC Override : 1
+ HTTU Override : 0
+ Proximity Domain Valid : 0
+[0BCh 0188 4] Reserved : 00000000
+[0C0h 0192 8] VATOS Address : 0000000000000000
+[0C8h 0200 4] Model : 00000000
+[0CCh 0204 4] Event GSIV : 00000094
+[0D0h 0208 4] PRI GSIV : 00000095
+[0D4h 0212 4] GERR GSIV : 00000097
+[0D8h 0216 4] Sync GSIV : 00000096
+[0DCh 0220 4] Proximity Domain : 00000000
+[0E0h 0224 4] Device ID Mapping Index : 00000000
+
+[0E4h 0228 4] Input base : 00000000
+[0E8h 0232 4] ID Count : 0000FFFF
+[0ECh 0236 4] Output Base : 00000000
+[0F0h 0240 4] Output Reference : 00000030
+[0F4h 0244 4] Flags (decoded below) : 00000000
+ Single Mapping : 0
+
+[0F8h 0248 1] Type : 02
+[0F9h 0249 2] Length : 0074
+[0FBh 0251 1] Revision : 03
+[0FCh 0252 4] Identifier : 00000003
+[100h 0256 4] Mapping Count : 00000004
+[104h 0260 4] Mapping Offset : 00000024
+
+[108h 0264 8] Memory Properties : [IORT Memory Access Properties]
+[108h 0264 4] Cache Coherency : 00000001
+[10Ch 0268 1] Hints (decoded below) : 00
+ Transient : 0
+ Write Allocate : 0
+ Read Allocate : 0
+ Override : 0
+[10Dh 0269 2] Reserved : 0000
+[10Fh 0271 1] Memory Flags (decoded below) : 03
+ Coherency : 1
+ Device Attribute : 1
+[110h 0272 4] ATS Attribute : 00000000
+[114h 0276 4] PCI Segment Number : 00000000
+[118h 0280 1] Memory Size Limit : 40
+[119h 0281 2] PASID Capabilities : 0000
+[11Bh 0283 1] Reserved : 00
+
+[11Ch 0284 4] Input base : 00000000
+[120h 0288 4] ID Count : 000001FF
+[124h 0292 4] Output Base : 00000000
+[128h 0296 4] Output Reference : 00000048
+[12Ch 0300 4] Flags (decoded below) : 00000000
+ Single Mapping : 0
+
+[130h 0304 4] Input base : 00001000
+[134h 0308 4] ID Count : 000000FF
+[138h 0312 4] Output Base : 00001000
+[13Ch 0316 4] Output Reference : 000000A0
+[140h 0320 4] Flags (decoded below) : 00000000
+ Single Mapping : 0
+
+[144h 0324 4] Input base : 00000200
+[148h 0328 4] ID Count : 00000DFF
+[14Ch 0332 4] Output Base : 00000200
+[150h 0336 4] Output Reference : 00000030
+[154h 0340 4] Flags (decoded below) : 00000000
+ Single Mapping : 0
+
+[158h 0344 4] Input base : 00001100
+[15Ch 0348 4] ID Count : 0000EEFF
+[160h 0352 4] Output Base : 00001100
+[164h 0356 4] Output Reference : 00000030
+[168h 0360 4] Flags (decoded below) : 00000000
+ Single Mapping : 0
+
+Note: DSDT changes are not described here as it is not impacted by the
+way the SMMUv3 is instantiated.
+
+Reviewed-by: Jonathan Cameron
+Reviewed-by: Eric Auger
+Tested-by: Eric Auger
+Tested-by: Nicolin Chen
+Signed-off-by: Shameer Kolothum
+Signed-off-by: Shameer Kolothum
+Reviewed-by: Donald Dutile
+Reviewed-by: Nicolin Chen
+Message-id: 20250829082543.7680-12-skolothumtho@nvidia.com
+Signed-off-by: Peter Maydell
+(cherry picked from commit d35146a6606cf6ebb4e24bb97dfc0330f074f6e3)
+Signed-off-by: Eric Auger
+---
+ tests/data/acpi/aarch64/virt/DSDT.smmuv3-dev | Bin 0 -> 10230 bytes
+ tests/data/acpi/aarch64/virt/DSDT.smmuv3-legacy | Bin 0 -> 10230 bytes
+ tests/data/acpi/aarch64/virt/IORT.smmuv3-dev | Bin 0 -> 364 bytes
+ tests/data/acpi/aarch64/virt/IORT.smmuv3-legacy | Bin 0 -> 276 bytes
+ tests/qtest/bios-tables-test-allowed-diff.h | 4 ----
+ 5 files changed, 4 deletions(-)
+
+diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
+index 2e3e3ccdce..dfb8523c8b 100644
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
+@@ -1,5 +1 @@
+ /* List of comma-separated changed AML files to ignore */
+-"tests/data/acpi/aarch64/virt/DSDT.smmuv3-legacy",
+-"tests/data/acpi/aarch64/virt/DSDT.smmuv3-dev",
+-"tests/data/acpi/aarch64/virt/IORT.smmuv3-legacy",
+-"tests/data/acpi/aarch64/virt/IORT.smmuv3-dev",
+--
+2.47.3
+
diff --git a/kvm-vfio-Disable-VFIO-migration-with-MultiFD-support.patch b/kvm-vfio-Disable-VFIO-migration-with-MultiFD-support.patch
new file mode 100644
index 0000000..5219676
--- /dev/null
+++ b/kvm-vfio-Disable-VFIO-migration-with-MultiFD-support.patch
@@ -0,0 +1,47 @@
+From 66bd3c1e7702962060d23fdc3084f0ace26b94e6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?=
+Date: Thu, 6 Nov 2025 16:39:53 +0100
+Subject: [PATCH 03/16] vfio: Disable VFIO migration with MultiFD support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Cédric Le Goater
+RH-MergeRequest: 421: vfio: Disable VFIO migration with MultiFD support
+RH-Jira: RHEL-126573
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Thomas Huth
+RH-Commit: [1/1] b3ec6731c96e5650c66ece6e3b8728a7b94353f2 (clegoate/qemu-kvm-centos)
+
+QEMU 10.0 extends VFIO migration with MultiFD support, which can be
+controlled through the 'vfio-pci' device property
+'x-migration-multifd-transfer'. By default, this property is set to
+'auto', meaning its activation depends on the availability of other
+related features. However, it should be set to 'off' in RHEL until
+more testing has been completed.
+
+Signed-off-by: Cédric Le Goater
+---
+ hw/vfio/pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
+index 9486521a90..83ecffb535 100644
+--- a/hw/vfio/pci.c
++++ b/hw/vfio/pci.c
+@@ -3686,10 +3686,11 @@ static const Property vfio_pci_dev_properties[] = {
+ igd_legacy_mode, ON_OFF_AUTO_AUTO),
+ DEFINE_PROP_ON_OFF_AUTO("enable-migration", VFIOPCIDevice,
+ vbasedev.enable_migration, ON_OFF_AUTO_AUTO),
++ /* RHEL only. Disable VFIO migration with MultiFD support */
+ DEFINE_PROP("x-migration-multifd-transfer", VFIOPCIDevice,
+ vbasedev.migration_multifd_transfer,
+ vfio_pci_migration_multifd_transfer_prop, OnOffAuto,
+- .set_default = true, .defval.i = ON_OFF_AUTO_AUTO),
++ .set_default = true, .defval.i = ON_OFF_AUTO_OFF),
+ DEFINE_PROP_ON_OFF_AUTO("x-migration-load-config-after-iter", VFIOPCIDevice,
+ vbasedev.migration_load_config_after_iter,
+ ON_OFF_AUTO_AUTO),
+--
+2.47.3
+
diff --git a/qemu-kvm.spec b/qemu-kvm.spec
index 927e7ff..9b96db7 100644
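Review bot: The added comment `/* RHEL only. Disable VFIO migration with MultiFD support */` says more than the change does: only the default of `x-migration-multifd-transfer` moves from `ON_OFF_AUTO_AUTO` to `ON_OFF_AUTO_OFF`, and the property itself stays defined, so it can presumably still be switched on per device. Wording such as `/* RHEL only: x-migration-multifd-transfer defaults to off until more testing is done (RHEL-126573) */` describes the actual effect and keeps the tracking issue next to the downstream divergence for the next rebase. The `vfio_pci_dev_properties[]` array starts and ends outside the hunk.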
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@@ -143,7 +143,7 @@ Obsoletes: %{name}-block-ssh <= %{epoch}:%{version} \
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 10.1.0
-Release: 4%{?rcrel}%{?dist}%{?cc_suffix}
+Release: 5%{?rcrel}%{?dist}%{?cc_suffix}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 # Epoch 15 used for RHEL 8
 # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
@@ -226,6 +226,37 @@ Patch34: kvm-x86-create-new-rhel-10.2-specific-pc-q35-machine-typ.patch Patch35: kvm-x86-create-new-rhel-9.8-specific-pc-q35-machine-type.patch # For RHEL-101929 - enable 'usb-bot' device for proper support of USB CD-ROM drives via libvirt Patch36: kvm-rh-enable-CONFIG_USB_STORAGE_BOT.patch +# For RHEL-120116 - CVE-2025-11234 qemu-kvm: VNC WebSocket handshake use-after-free [rhel-10.2] +Patch37: kvm-io-move-websock-resource-release-to-close-method.patch +# For RHEL-120116 - CVE-2025-11234 qemu-kvm: VNC WebSocket handshake use-after-free [rhel-10.2] +Patch38: kvm-io-fix-use-after-free-in-websocket-handshake-code.patch +# For RHEL-126573 - VFIO migration using multifd should be disabled by default +Patch39: kvm-vfio-Disable-VFIO-migration-with-MultiFD-support.patch +# For RHEL-67323 - [aarch64] Support ACPI based PCI hotplug on ARM +Patch40: kvm-hw-arm-virt-Use-ACPI-PCI-hotplug-by-default-from-10..patch +# For RHEL-73800 - NVIDIA:Grace-Hopper:Backport support for user-creatable nested SMMUv3 - RHEL 10.1 +Patch41: kvm-hw-arm-smmu-common-Check-SMMU-has-PCIe-Root-Complex-.patch +# For RHEL-73800 - NVIDIA:Grace-Hopper:Backport support for user-creatable nested SMMUv3 - RHEL 10.1 +Patch42: kvm-hw-arm-virt-acpi-build-Re-arrange-SMMUv3-IORT-build.patch +# For RHEL-73800 - NVIDIA:Grace-Hopper:Backport support for user-creatable nested SMMUv3 - RHEL 10.1 +Patch43: kvm-hw-arm-virt-acpi-build-Update-IORT-for-multiple-smmu.patch +# For RHEL-73800 - NVIDIA:Grace-Hopper:Backport support for user-creatable nested SMMUv3 - RHEL 10.1 +Patch44: kvm-hw-arm-virt-Factor-out-common-SMMUV3-dt-bindings-cod.patch +# For RHEL-73800 - NVIDIA:Grace-Hopper:Backport support for user-creatable nested SMMUv3 - RHEL 10.1 +Patch45: kvm-hw-arm-virt-Add-an-SMMU_IO_LEN-macro.patch +# For RHEL-73800 - NVIDIA:Grace-Hopper:Backport support for user-creatable nested SMMUv3 - RHEL 10.1 +Patch46: kvm-hw-pci-Introduce-pci_setup_iommu_per_bus-for-per-bus.patch +# For RHEL-73800 - 
NVIDIA:Grace-Hopper:Backport support for user-creatable nested SMMUv3 - RHEL 10.1 +Patch47: kvm-hw-arm-virt-Allow-user-creatable-SMMUv3-dev-instanti.patch +# For RHEL-73800 - NVIDIA:Grace-Hopper:Backport support for user-creatable nested SMMUv3 - RHEL 10.1 +Patch48: kvm-qemu-options.hx-Document-the-arm-smmuv3-device.patch +# For RHEL-73800 - NVIDIA:Grace-Hopper:Backport support for user-creatable nested SMMUv3 - RHEL 10.1 +Patch49: kvm-bios-tables-test-Allow-for-smmuv3-test-data.patch +# For RHEL-73800 - NVIDIA:Grace-Hopper:Backport support for user-creatable nested SMMUv3 - RHEL 10.1 +Patch50: kvm-qtest-bios-tables-test-Add-tests-for-legacy-smmuv3-a.patch +# For RHEL-73800 - NVIDIA:Grace-Hopper:Backport support for user-creatable nested SMMUv3 - RHEL 10.1 +Patch51: kvm-qtest-bios-tables-test-Update-tables-for-smmuv3-test.patch +Patch52: kvm-qtest-Do-not-run-bios-tables-test-on-aarch64.patch %if %{have_clang} BuildRequires: clang 
@@ -1305,6 +1336,32 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %endif %changelog +* Fri Nov 14 2025 Miroslav Rezanina - 10.1.0-5 +- kvm-io-move-websock-resource-release-to-close-method.patch [RHEL-120116] +- kvm-io-fix-use-after-free-in-websocket-handshake-code.patch [RHEL-120116] +- kvm-vfio-Disable-VFIO-migration-with-MultiFD-support.patch [RHEL-126573] +- kvm-hw-arm-virt-Use-ACPI-PCI-hotplug-by-default-from-10..patch [RHEL-67323] +- kvm-hw-arm-smmu-common-Check-SMMU-has-PCIe-Root-Complex-.patch [RHEL-73800] +- kvm-hw-arm-virt-acpi-build-Re-arrange-SMMUv3-IORT-build.patch [RHEL-73800] +- kvm-hw-arm-virt-acpi-build-Update-IORT-for-multiple-smmu.patch [RHEL-73800] +- kvm-hw-arm-virt-Factor-out-common-SMMUV3-dt-bindings-cod.patch [RHEL-73800] +- kvm-hw-arm-virt-Add-an-SMMU_IO_LEN-macro.patch [RHEL-73800] +- kvm-hw-pci-Introduce-pci_setup_iommu_per_bus-for-per-bus.patch [RHEL-73800] +- kvm-hw-arm-virt-Allow-user-creatable-SMMUv3-dev-instanti.patch [RHEL-73800] +- kvm-qemu-options.hx-Document-the-arm-smmuv3-device.patch [RHEL-73800] +- kvm-bios-tables-test-Allow-for-smmuv3-test-data.patch [RHEL-73800] +- kvm-qtest-bios-tables-test-Add-tests-for-legacy-smmuv3-a.patch [RHEL-73800] +- kvm-qtest-bios-tables-test-Update-tables-for-smmuv3-test.patch [RHEL-73800] +- kvm-qtest-Do-not-run-bios-tables-test-on-aarch64.patch [] +- Resolves: RHEL-120116 + (CVE-2025-11234 qemu-kvm: VNC WebSocket handshake use-after-free [rhel-10.2]) +- Resolves: RHEL-126573 + (VFIO migration using multifd should be disabled by default) +- Resolves: RHEL-67323 + ([aarch64] Support ACPI based PCI hotplug on ARM) +- Resolves: RHEL-73800 + (NVIDIA:Grace-Hopper:Backport support for user-creatable nested SMMUv3 - RHEL 10.1) + * Mon Nov 03 2025 Miroslav Rezanina - 10.1.0-4 - kvm-qapi-machine-s390x-add-QAPI-event-SCLP_CPI_INFO_AVAI.patch [RHEL-104009 RHEL-105823 RHEL-73008] - kvm-tests-functional-add-tests-for-SCLP-event-CPI.patch [RHEL-104009 RHEL-105823 RHEL-73008]