qemu-7.1.0-150500.49.24.1

- Update to version 9.1.1:
  Full changelog here:
  https://lore.kernel.org/qemu-devel/7f0561ec-3564-4860-bacf-a98071a5ce52@tls.msk.ru/
  Some of the most notable features:
  * ui/dbus: fix filtering all update messages
  * ui/win32: fix potential use-after-free with dbus shared memory
  * ui/dbus: fix leak on message filtering
  * hw/audio/hda: fix memory leak on audio setup
  * hw/audio/hda: free timer on exit
  * hw/char/pl011: Use correct masks for IBRD and FBRD
  * hw/intc/arm_gicv3_cpuif: Add cast to match the documentation
  * hw/intc/arm_gicv3: Add cast to match the documentation
  * hw/intc/arm_gicv3: Add cast to match the documentation
  * meson: ensure -mcx16 is passed when detecting ATOMIC128
  * meson: define qemu_isa_flags
  * meson: fix machine option for x86_version
  * target/m68k: Always return a temporary from gen_lea_mode
  * tcg/ppc: Use TCG_REG_TMP2 for scratch index in prepare_host_addr
  * tcg/ppc: Use TCG_REG_TMP2 for scratch tcg_out_qemu_st
  * linux-user: Fix parse_elf_properties GNU0_MAGIC check
  * linux-user/flatload: Take mmap_lock in load_flt_binary()
  * vnc: fix crash when no console attached
  * testing: bump mips64el cross to bookworm and fix package list
  * hw/sd/sdcard: Fix handling of disabled boot partitions
  * target/arm: Avoid target_ulong for physical address lookups
  * block/reqlist: allow adding overlapping requests
  * util/timer: avoid deadlock when shutting down
  * hw/mips/jazz: fix typo in in-built NIC alias
  * tcg: Fix iteration step in 32-bit gvec operation
  * hw/loongarch/virt: Add description for virt machine type
  * migration/multifd: Fix p->iov leak in multifd-uadk.c
  * target/ppc: Fix migration of CPUs with TLB_EMB TLB type
  * target/hppa: Fix random 32-bit linux-user crashes
  * target/arm: Correct ID_AA64ISAR1_EL1 value for neoverse-v1
  * hw/char/stm32l4x5_usart.c: Enable USART ACK bit response
  * migration/multifd: Fix rb->receivedmap cleanup race
  * mac_dbdma: Remove leftover `dma_memory_unmap` calls

- Fix bsc#1230915, CVE-2024-8612:
  * softmmu: Support concurrent bounce buffers (bsc#1230915, CVE-2024-8612)
  * system/physmem: Per-AddressSpace bounce buffering (bsc#1230915, CVE-2024-8612)
  * system/physmem: Propagate AddressSpace to MapClient helpers (bsc#1230915, CVE-2024-8612)
  * system/physmem: Replace qemu_mutex_lock() calls with QEMU_LOCK_GUARD (bsc#1230915, CVE-2024-8612)

- Support for Intel TDX (jsc#PED-9266)
  A list of backported patches (so far) is:
  i386/tdx: Build TDX only for 64-bit target
  i386/tdx: Clarify the error message of mrconfigid/mrowner/mrownerconfig
  i386/tdx: Fix the typo of the comment of struct TdxGuest
  i386/cpu: Rename enable_cpuid_0x1f to force_cpuid_0x1f
  i386/tdx: Error and exit when named cpu model is requested
  i386/cpu: Warn about why CPUID_EXT_PDCM is not available
  i386/tdvf: Fix build on 32-bit host
  i386/tdx: Fix build on 32-bit host
  x86/loader: Don't update kernel header for CoCo VMs
  docs: Add TDX documentation
  i386/tdx: Validate phys_bits against host value
  i386/tdx: Make invtsc default on
  i386/tdx: Don't treat SYSCALL as unavailable
  i386/tdx: Fetch and validate CPUID of TD guest
  target/i386: Print CPUID subleaf info for unsupported feature
  i386: Remove unused parameter "uint32_t bit" in feature_word_description()
  i386/cgs: Introduce x86_confidential_guest_check_features()
  i386/tdx: Define supported KVM features for TDX
  i386/tdx: Add XFD to supported bit of TDX
  i386/tdx: Add supported CPUID bits relates to XFAM
  i386/tdx: Add supported CPUID bits related to TD Attributes
  i386/tdx: Add TDX fixed1 bits to supported CPUIDs
  i386/tdx: Implement adjust_cpuid_features() for TDX
  i386/cgs: Rename *mask_cpuid_features() to *adjust_cpuid_features()
  cpu: Don't set vcpu_dirty when guest_state_protected
  i386/apic: Skip kvm_apic_put() for TDX
  i386/tdx: Only configure MSR_IA32_UCODE_REV in kvm_init_msrs() for TDs
  i386/tdx: Don't synchronize guest tsc for TDs
  i386/tdx: Set and check kernel_irqchip mode for TDX
  i386/tdx: Disable PIC for TDX VMs
  i386/tdx: Disable SMM for TDX VMs
  i386/tdx: Set kvm_readonly_mem_enabled to false for TDX VM
  i386/tdx: Force exposing CPUID 0x1f
  i386/cpu: Introduce enable_cpuid_0x1f to force exposing CPUID 0x1f
  i386/tdx: implement tdx_cpu_instance_init()
  i386/cpu: introduce x86_confidential_guest_cpu_instance_init()
  kvm: Check KVM_CAP_MAX_VCPUS at vm level
  i386/tdx: Wire TDX_REPORT_FATAL_ERROR with GuestPanic facility
  i386/tdx: Handle KVM_SYSTEM_EVENT_TDX_FATAL
  i386/tdx: Enable user exit on KVM_HC_MAP_GPA_RANGE
  i386/tdx: Finalize TDX VM
  i386/tdx: Call KVM_TDX_INIT_VCPU to initialize TDX vcpu
  i386/tdx: Add TDVF memory via KVM_TDX_INIT_MEM_REGION
  i386/tdx: Setup the TD HOB list
  headers: Add definitions from UEFI spec for volumes, resources, etc...
  i386/tdx: Track RAM entries for TDX VM
  i386/tdx: Track mem_ptr for each firmware entry of TDVF
  i386/tdx: Don't initialize pc.rom for TDX VMs
  i386/tdx: Parse TDVF metadata for TDX VM
  i386/tdvf: Introduce function to parse TDVF metadata
  i386/tdx: load TDVF for TD guest
  i386/tdx: Implement user specified tsc frequency
  i386/tdx: Set APIC bus rate to match with what TDX module enforces
  i386/tdx: Support user configurable mrconfigid/mrowner/mrownerconfig
  i386/tdx: Validate TD attributes
  i386/tdx: Wire CPU features up with attributes of TD guest
  i386/tdx: Make sept_ve_disable set by default
  i386/tdx: Add property sept-ve-disable for tdx-guest object
  i386/tdx: Initialize TDX before creating TD vcpus
  kvm: Introduce kvm_arch_pre_create_vcpu()
  i386/tdx: Introduce is_tdx_vm() helper and cache tdx_guest object
  i386/tdx: Get tdx_capabilities via KVM_TDX_CAPABILITIES
  i386/tdx: Implement tdx_kvm_init() to initialize TDX VM context
  i386/tdx: Implement tdx_kvm_type() for TDX
  i386: Introduce tdx-guest object
  linux-headers: update from 6.15 + kvm/next
  linux-headers: Update to Linux v6.15-rc3

- Update to version 10.0.4:
  Full backport list:
  https://lore.kernel.org/qemu-devel/1748499690.323471.13081.nullmailer@localhost/
  A selection of them is reported below:
  hvf: arm: Emulate ICC_RPR_EL1 accesses properly
  target/arm: Correct encoding of Debug Communications Channel registers
  ui: fix setting client_endian field defaults
  hw/net/npcm_gmac.c: Send the right data for second packet in a row
  target/i386: do not expose ARCH_CAPABILITIES on AMD CPU
  i386/cpu: Honor maximum value for CPUID.8000001DH.EAX[25:14]
  i386/cpu: Fix overflow of cache topology fields in CPUID.04H
  i386/cpu: Fix cpu number overflow in CPUID.01H.EBX[23:16]
  ui/vnc: Do not copy z_stream
  vhost: Fix used memslot tracking when destroying a vhost device
  roms: re-remove execute bit from hppa-firmware*
  file-posix: Fix aio=threads performance regression after enablign FUA
  amd_iommu: Fix truncation of oldval in amdvi_writeq
  amd_iommu: Remove duplicated definitions
  amd_iommu: Fix the calculation for Device Table size
  amd_iommu: Fix mask to retrieve Interrupt Table Root Pointer from DTE
  amd_iommu: Fix masks for various IOMMU MMIO Registers
  amd_iommu: Update bitmasks representing DTE reserved fields
  amd_iommu: Fix Device ID decoding for INVALIDATE_IOTLB_PAGES command
  amd_iommu: Fix Miscellaneous Information Register 0 encoding
  virtio-net: Add queues for RSS during migration
  net: fix buffer overflow in af_xdp_umem_create()
  accel/kvm: Adjust the note about the minimum required kernel version
  linux-user: Use qemu_set_cloexec() to mark pidfd as FD_CLOEXEC
  migration: Don't sync volatile memory after migration completes
  linux-user: Hold the fd-trans lock across fork
  linux-user: Check for EFAULT failure in nanosleep
  linux-user: Implement fchmodat2 syscall
  hw/arm/fsl-imx8mp: Wire VIRQ and VFIQ
  target/arm: Don't enforce NSE,NS check for EL3->EL3 returns
  target/i386: fix TB exit logic in gen_movl_seg() when writing to SS
  target/arm: Fix bfdotadd_ebf vs nan selection
  target/arm: Fix f16_dotadd vs nan selection
  target/arm: Fix PSEL size operands to tcg_gen_gvec_ands
  target/arm: Fix 128-bit element ZIP, UZP, TRN
  target/arm: Fix sve_access_check for SME
  target/arm: Fix SME vs AdvSIMD exception priority
  hw/s390x/ccw-device: Fix memory leak in loadparm setter
  virtio-gpu: support context init multiple timeline
  target/arm: Correct KVM & HVF dtb_compatible value
  target/arm: Make RETA[AB] UNDEF when pauth is not implemented
  tcg: Fix constant propagation in tcg_reg_alloc_dup
  target/loongarch: fix vldi/xvldi raise wrong error
  target/loongarch: add check for fcond
  linux-user/arm: Fix return value of SYS_cacheflush
  hw/arm/mps2: Configure the AN500 CPU with 16 MPU regions
  qemu-options.hx: Fix reversed description of icount sleep behavior
  hw/arm/virt: Check bypass iommu is not set for iommu-map DT property
  hw/loongarch/virt: Fix big endian support with MCFG table
  hw/core/qdev-properties-system: Add missing return in set_drive_helper()
  iotests: fix 240
  target/i386: Remove FRED dependency on WRMSRNS
  hw/audio/asc: fix SIGSEGV in asc_realize()
  audio: fix size calculation in AUD_get_buffer_size_out()
  audio: fix SIGSEGV in AUD_get_buffer_size_out()
  hw/i386/amd_iommu: Fix xtsup when vcpus < 255
  hw/i386/amd_iommu: Fix device setup failure when PT is on.

- Resolve a repo-has-moved service running issue:
  * .gitmodules: move u-boot mirrors to qemu-project-mirrors

- Fix bsc#1230042:
  * [openSUSE] rpm/spec: qemu-vgabios is required on ppc (bsc#1230042)

- Fix build issues due to Python version:
  * mkvenv: Support pip 25.2 (bsc#1247972)

- Bug and CVE fixes:
  * tests: Avoid dependency on padding on signal messages (boo#1246830)
  * pcie_sriov: Fix configuration and state synchronization (bsc#1246992 CVE-2025-54566 CVE-2025-54567)
  * [openSUSE][RPM] linux-user: restart systemd-binfmt upon changes (bsc#1247443)

- Update to stable release 10.0.3:
  Full list of backports here:
  https://lore.kernel.org/qemu-devel/1748499690.323471.13081.nullmailer@localhost/
  A selection of them is reported here too:
  hvf: arm: Emulate ICC_RPR_EL1 accesses properly
  target/arm: Correct encoding of Debug Communications Channel registers
  ui: fix setting client_endian field defaults
  hw/net/npcm_gmac.c: Send the right data for second packet in a row
  target/i386: do not expose ARCH_CAPABILITIES on AMD CPU
  i386/cpu: Honor maximum value for CPUID.8000001DH.EAX[25:14]
  i386/cpu: Fix overflow of cache topology fields in CPUID.04H
  i386/cpu: Fix cpu number overflow in CPUID.01H.EBX[23:16]
  ui/vnc: Do not copy z_stream
  vhost: Fix used memslot tracking when destroying a vhost device
  roms: re-remove execute bit from hppa-firmware*
  file-posix: Fix aio=threads performance regression after enablign FUA
  amd_iommu: Fix truncation of oldval in amdvi_writeq
  amd_iommu: Remove duplicated definitions
  amd_iommu: Fix the calculation for Device Table size
  amd_iommu: Fix mask to retrieve Interrupt Table Root Pointer from DTE
  amd_iommu: Fix masks for various IOMMU MMIO Registers
  amd_iommu: Update bitmasks representing DTE reserved fields
  amd_iommu: Fix Device ID decoding for INVALIDATE_IOTLB_PAGES command
  amd_iommu: Fix Miscellaneous Information Register 0 encoding
  virtio-net: Add queues for RSS during migration
  net: fix buffer overflow in af_xdp_umem_create()
  accel/kvm: Adjust the note about the minimum required kernel version
  ...

- Fix bsc#1246566:
  * [roms] seabios: include "pciinit: don't misalign large BARs" (bsc#1246566)

- Add Live migration support for QEMU-emulated AMD IOMMU (jsc#PED-13144):
  * hw/i386/amd_iommu: Allow migration when explicitly create the AMDVI-PCI device (jsc#PED-PED-13144)
  * hw/i386/amd_iommu: Isolate AMDVI-PCI from amd-iommu device to allow full control over the PCI device creation (jsc#PED-13144)

- Update to stable release 10.0.2:
  Full list of backports here:
  https://lore.kernel.org/qemu-devel/1748499690.323471.13081.nullmailer@localhost/
  A selection of them is reported here too:
  Revert "Drop support for Python 3.8"
  Update version for 10.0.1 release
  Drop support for Python 3.8
  target/hppa: Fix FPE exceptions
  linux-user/hppa: Send proper si_code on SIGFPE exception
  target/hppa: Copy instruction code into fr1 on FPU assist fault
  migration: Allow caps to be set when preempt or multifd cap enabled
  migration/multifd: Don't send device state packets with zerocopy flag
  qapi/misc-target: Fix the doc to distinguish query-sgx and query-sgx-capabilities
  hw/pci-host: Remove unused pci_host_data_be_ops
  hw/pci-host/gt64120: Fix endianness handling
  i386/hvf: Make CPUID_HT supported
  i386/tcg: Make CPUID_HT and CPUID_EXT3_CMP_LEG supported
  target/riscv/kvm: do not read unavailable CSRs
  target/riscv/kvm: add kvm_csr_cfgs[]
  target/riscv/kvm: turn kvm_riscv_reg_id_ulong() into a macro
  target/riscv/kvm: turn u32/u64 reg functions into macros
  target/riscv/kvm: fix leak in kvm_riscv_init_multiext_cfg()
  target/riscv/kvm: minor fixes/tweaks
  target/riscv: Fix vslidedown with rvv_ta_all_1s
  target/riscv: Fix the rvv reserved encoding of unmasked instructions
  ...

- Continue trying to fix building with GCC15:
  * roms/edk2: continue to try fixing building with GCC15 (bsc#1241473)
  * roms/ipxe: fix building with GCC15 (bsc#1241473)

- Fix building opensbi with gcc-15:
  * [openSUSE] Fix bsc#1241473 (in opensbi)

- Fixes for bsc#1241240 and bsc#1243585:
  * vfio/spapr: Fix L2 crash with PCI device passthrough and memory > 128G (bsc#1241240)
  * vfio/spapr: Enhance error handling in vfio_spapr_create_window() (bsc#1241240)
  * tests/functional: Use -no-shutdown in the hppa_seabios test (bsc#1243585)

- Update to latest stable release (10.0.0)
  Full changelog here:
  https://wiki.qemu.org/ChangeLog/10.0
  Highlights include:
  * block: virtio-scsi multiqueue support for using different I/O threads
    to process requests for each queue (similar to the virtio-blk multiqueue
    support that was added in QEMU 9.2)
  * VFIO: improved support for IGD passthrough on all Intel Gen 11/12
    devices
  * Documentation: significant improvement/overhaul of documentation for
    QEMU Machine Protocol to make it clearer and more organized, including
    all commands/events/types now being cross-reference-able via click-able
    links in generated documentation
  * ARM: emulation support for EL2 physical and virtual timers
  * ARM: emulation support for FEAT_AFP, FEAT_RPRES, and FEAT_XS
    architecture features
  * ARM: new board models for NPCM8445 Evaluation and i.MX 8M Plus EVK
    boards
  * HPPA: new SeaBIOS-hppa version 18 with lots of fixes and enhancements
  * HPPA: translation speed and virtual CPU reset improvements
  * HPPA: emulation support for Diva GSP BMC boards
  * LoongArch: support for CPU hotplug, paravirtual IPIs, KVM steal time
    accounting, and virtual 'extioi' interrupt routing.
  * RISC-V: ISA/extension support for riscv-iommu-sys devices, 'svukte',
    'ssstateen', 'smrnmi', 'smdbltrp'/'ssdbltrp', 'supm'/'sspm', and
    IOMMU translation tags
  * RISC-V: emulation support for Ascalon and RV64 Xiangshan Nanhu CPUs,
    and Microblaze V boards.
  * s390x: add CPU model support for the generation 17 mainframe CPU
  * s930x: add support for virtio-mem and for bypassing IOMMU to improve
    PCI device performance
  * x86: CPU model support for Clearwater Forest and Sierra Forest v2
  * x86: faster emulation of string instructions
  * and lots more...
  Have a look at the list of deprecated features too, especially if you're
  still interested in using 32bits systems as hosts:
  * https://qemu-project.gitlab.io/qemu/about/deprecated.html
- Post-update improvements and fixes:
  * [openSUSE]: fix SLOF not building with gcc15 (bsc#1241473)
  * [openSUSE][RPM]: *.spec: improve the %check phases
  * docs: Don't define duplicate label in qemu-block-drivers.rst.inc
  * [openSUSE] tests: workaround expected failures of func-x86_64-mem_addr_space
  * [openSUSE]: tests/functional increase the timeout of func_hppa_seabios
  * [openSUSE] tests/unit increase the timeouts for tlssession tests

- Fix bsc#1229929, bsc#1230140 (patch already submitted upstream):
  * [openSUSE] target/ppc: Fix lxvx/stxvx facility check (bsc#1229929)

- Fix bsc#1230140 (and bsc#1229814 & bsc#1230008):
  * target/ppc: Fix lxv/stxv MSR facility check (bsc#1230140, bsc#1229814, bsc#1230008)
- Fix a build issue of ipxe with newer binutils:
  * [openSUSE] roms/ipxe: Backport patches to fix the build with binutils 2.41
- Misc:
  * [openSUSE] Update hash of the sgabios submodule

- Fix bsc#1229007, CVE-2024-7409:
  * nbd/server: CVE-2024-7409: Close stray clients at server-stop (bsc#1229007)
  * nbd/server: CVE-2024-7409: Drop non-negotiating clients (bsc#1229007)
  * nbd/server: CVE-2024-7409: Cap default max-connections to 100 (bsc#1229007)
  * nbd/server: Plumb in new args to nbd_client_add() (bsc#1229007, CVE-2024-7409)
  * nbd: Minor style and typo fixes (bsc#1229007, CVE-2024-7409)

- Backports and bugfixes:
  * hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum() (bsc#1222841, CVE-2024-3567)
  * hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs (bsc#1222843, CVE-2024-3446)
  * hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs (bsc#1222843, CVE-2024-3446)
  * hw/display/virtio-gpu: Protect from DMA re-entrancy bugs (bsc#1222843, CVE-2024-3446)
  * hw/virtio: Introduce virtio_bh_new_guarded() helper (bsc#1222843, CVE-2024-3446)
  * hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set (bsc#1222845, CVE-2024-3447)
  * hw/nvme: Use pcie_sriov_num_vfs() (bsc#1220065, CVE-2024-26328)

- Bugs and CVEs fixes:
  * hw/nvme: Use pcie_sriov_num_vfs() (bsc#1220065, CVE-2024-26328)
  * pcie: Introduce pcie_sriov_num_vfs (bsc#1220065, CVE-2024-26328)
  * virtio-net: correctly copy vnet header when flushing TX (bsc#1218484, CVE-2023-6693)
  * hw/pvrdma: Protect against buggy or malicious guest driver (bsc#1209554, CVE-2023-1544)
  * pcie_sriov: Validate NumVFs (bsc#1220062, CVE-2024-26327)
  * esp: restrict non-DMA transfer length to that of available data (bsc#1220134, CVE-2024-24474)
  * s390x/ap: Wire up the device request notifier interface (bsc#1205316)
  * linux-headers: update to v6.5-rc1 (bsc#1205316)
  * Update linux headers to v6.3rc5 (bsc#1205316)
  * linux-headers: Update to v6.2-rc8 (bsc#1205316)
  * linux-headers: Update to v6.1 (bsc#1205316)
- Backport of SapphireRapids CPU Models (jsc#PED-8113):
  * target/i386: add support for VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE
  * target/i386: Export MSR_ARCH_CAPABILITIES bits to guests
  * docs: re-generate x86_64 ABI compatibility CSV
  * target/i386: Add new CPU model GraniteRapids
  * target/i386: Add few security fix bits in ARCH_CAPABILITIES into SapphireRapids CPU model
  * target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES
  * target/i386: Allow MCDT_NO if host supports
  * target/i386: Add support for MCDT_NO in CPUID enumeration
  * target/i386: Adjust feature level according to FEAT_7_1_EDX
  * target/i386: Add support for PREFETCHIT0/1 in CPUID enumeration
  * target/i386: Add support for AVX-NE-CONVERT in CPUID enumeration
  * target/i386: Add support for AVX-VNNI-INT8 in CPUID enumeration
  * target/i386: Add support for AVX-IFMA in CPUID enumeration
  * target/i386: Add support for AMX-FP16 in CPUID enumeration
  * target/i386: Add support for CMPCCXADD in CPUID enumeration
  * target/i386: add support for FB_CLEAR feature
  * target/i386: add support for FLUSH_L1D feature
  * i386: Add new CPU model SapphireRapids
  * target/i386: KVM: allow fast string operations if host supports them
  * target/i386: add FZRM, FSRS, FSRC
  * target/i386: add FSRM to TCG
- Backport of EPYC-Genoa CPU Model (jsc#PED-7366):
  * target/i386: Add EPYC-Genoa model to support Zen 4 processor series
  * target/i386: Add VNMI and automatic IBRS feature bits
  * target/i386: Add missing feature bits in EPYC-Milan model
  * target/i386: Add feature bits for CPUID_Fn80000021_EAX
  * target/i386: Add a couple of feature bits in 8000_0008_EBX
  * target/i386: Add new EPYC CPU versions with updated cache_info
  * target/i386: allow versioned CPUs to specify new cache_info