June 2025 - Devel - libvirt List Archives

[libvirt PATCH v2 REBASED 0/7] qemu: introduce amd-iommu support
by Ján Tomko 23 Jun '25

23 Jun '25

Ján Tomko (7): qemu: introduce QEMU_CAPS_AMD_IOMMU qemu: introduce QEMU_CAPS_PCI_ID qemu: add IOMMU model amd docs: formatdomain: document intel-only IOMMU attributes conf: add passthrough and xtsup attributes for IOMMU conf: reject some attributes not applicable to intel IOMMU qemu: format pt and xstup on the command line docs/formatdomain.rst | 22 +++- src/conf/domain_conf.c | 31 +++++ src/conf/domain_conf.h | 3 + src/conf/domain_validate.c | 22 ++++ src/conf/schemas/domaincommon.rng | 11 ++ src/qemu/qemu_capabilities.c | 12 ++ src/qemu/qemu_capabilities.h | 4 + src/qemu/qemu_command.c | 30 +++++ src/qemu/qemu_domain_address.c | 4 + src/qemu/qemu_validate.c | 22 ++++ .../caps_10.0.0_x86_64+amdsev.replies | 102 +++++++++++------ .../caps_10.0.0_x86_64+amdsev.xml | 1 + .../caps_10.0.0_x86_64.replies | 106 ++++++++++++------ .../caps_10.0.0_x86_64.xml | 2 + .../caps_6.2.0_x86_64.replies | 102 +++++++++++------ .../caps_6.2.0_x86_64.xml | 1 + .../caps_7.0.0_x86_64.replies | 80 +++++++------ .../caps_7.0.0_x86_64.xml | 1 + .../caps_7.1.0_x86_64.replies | 102 +++++++++++------ .../caps_7.1.0_x86_64.xml | 1 + .../caps_7.2.0_x86_64+hvf.replies | 102 +++++++++++------ .../caps_7.2.0_x86_64+hvf.xml | 1 + .../caps_7.2.0_x86_64.replies | 102 +++++++++++------ .../caps_7.2.0_x86_64.xml | 1 + .../caps_8.0.0_x86_64.replies | 80 +++++++------ .../caps_8.0.0_x86_64.xml | 1 + .../caps_8.1.0_x86_64.replies | 102 +++++++++++------ .../caps_8.1.0_x86_64.xml | 1 + .../caps_8.2.0_x86_64.replies | 102 +++++++++++------ .../caps_8.2.0_x86_64.xml | 1 + .../caps_9.0.0_x86_64.replies | 80 +++++++------ .../caps_9.0.0_x86_64.xml | 1 + .../caps_9.1.0_x86_64.replies | 102 +++++++++++------ .../caps_9.1.0_x86_64.xml | 1 + .../caps_9.2.0_x86_64+amdsev.replies | 102 +++++++++++------ .../caps_9.2.0_x86_64+amdsev.xml | 1 + .../caps_9.2.0_x86_64.replies | 102 +++++++++++------ .../caps_9.2.0_x86_64.xml | 1 + .../amd-iommu.x86_64-latest.args | 35 ++++++ .../amd-iommu.x86_64-latest.xml | 1 + tests/qemuxmlconfdata/amd-iommu.xml | 39 +++++++ tests/qemuxmlconftest.c | 2 + 42 files changed, 1165 insertions(+), 454 deletions(-) create mode 100644 tests/qemuxmlconfdata/amd-iommu.x86_64-latest.args create mode 120000 tests/qemuxmlconfdata/amd-iommu.x86_64-latest.xml create mode 100644 tests/qemuxmlconfdata/amd-iommu.xml -- 2.49.0

2 14

[PATCH] util: workaround libxml2 lack of thread safe initialization
by Daniel P. Berrangé 23 Jun '25

23 Jun '25

From: Daniel P. Berrangé <berrange(a)redhat.com> The main XML parser code global initializer historically had a mutex protecting it, and more recently uses a pthread_once. The RelaxNG code, however, relies on three other global initializers that are not thread safe, just relying on setting an integer "initialized" flag. Calling the relevant initializers from libvirt in a protected global initializer will protect libvirt's own concurrent usage, however, it cannot protect against other libraries loaded in process that might be using libxml2's schema code. Fortunately: * The chances of other loaded non-libvirt code using libxml is relatively low * The chances of other loaded non-libvirt code using the schema validation / catalog functionality inside libxml is even lower * The chances of both libvirt and the non-libvirt usage having their *1st* usage of libxml2 be concurrent is tiny IOW, in practice, although our solution doesn't fully fix the thread safety, it is good enough. libxml2 should none the less still be fixed to make its global initializers be thread safe without special actions by its API consumers. Resolves: https://gitlab.com/libvirt/libvirt/-/issues/788 Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com> --- src/util/virxml.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/src/util/virxml.c b/src/util/virxml.c index 9d46e5f32f..c2d5a109dc 100644 --- a/src/util/virxml.c +++ b/src/util/virxml.c @@ -26,6 +26,8 @@ #include <libxml/xmlsave.h> #include <libxml/xpathInternals.h> +#include <libxml/xmlschemastypes.h> +#include <libxml/catalog.h> #include "virerror.h" #include "virxml.h" @@ -35,6 +37,7 @@ #include "virstring.h" #include "virutil.h" #include "viruuid.h" +#include "virthread.h" #include "configmake.h" #define VIR_FROM_THIS VIR_FROM_XML @@ -50,6 +53,25 @@ struct virParserData { }; +static int virXMLSchemaOnceInit(void) +{ + if (xmlSchemaInitTypes() < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Unable to initialize libxml2 schema types")); + return -1; + } + if (xmlRelaxNGInitTypes() < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Unable to initialize libxml2 RelaxNG data")); + return -1; + } + /* No return value, it just ignores errors :-( */ + xmlInitializeCatalog(); + return 0; +} + +VIR_ONCE_GLOBAL_INIT(virXMLSchema); + static xmlXPathContextPtr virXMLXPathContextNew(xmlDocPtr xml) { @@ -1603,6 +1625,9 @@ virXMLValidatorInit(const char *schemafile) { g_autoptr(virXMLValidator) validator = NULL; + if (virXMLSchemaInitialize() < 0) + return NULL; + validator = g_new0(virXMLValidator, 1); validator->schemafile = g_strdup(schemafile); -- 2.49.0

2 3

[PATCH] NEWS: mention console type in domain capabilities
by Roman Bogorodskiy 20 Jun '25

20 Jun '25

Signed-off-by: Roman Bogorodskiy <bogorodskiy(a)gmail.com> --- NEWS.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/NEWS.rst b/NEWS.rst index 7d7df72a50..184df16547 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -47,6 +47,17 @@ v11.5.0 (unreleased) * **Improvements** + * Include supported console types in domain capabilities + + Domain capabilities now include information about supported console types, such as:: + + <console supported='yes'> + <enum name='type'> + <value>pty</value> + <value>tcp</value> + </enum> + </console> + * **Bug fixes** -- 2.49.0

2 1

[PATCH] qemu: Remove redundant kvm group config in sysusers.d
by fossdd 19 Jun '25

19 Jun '25

It's already defined by default in systemd: https://github.com/systemd/systemd/blob/v257.6/sysusers.d/basic.conf.in#L32 Adding it again here in libvirt-qemu.sysusers.conf causes the following warning by validating it with sd-sysuers: /usr/lib/sysusers.d/libvirt-qemu.conf:1: Conflict with earlier configuration for group 'kvm' in /usr/lib/sysusers.d/basic.conf:32, ignoring line. I don't know if the GID is important, but from simple grepping around it doesn't seem that way. Signed-off-by: fossdd <fossdd(a)pwned.life> --- src/qemu/libvirt-qemu.sysusers.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/src/qemu/libvirt-qemu.sysusers.conf b/src/qemu/libvirt-qemu.sysusers.conf index 3189191e73..05c35f94d8 100644 --- a/src/qemu/libvirt-qemu.sysusers.conf +++ b/src/qemu/libvirt-qemu.sysusers.conf @@ -1,4 +1,3 @@ -g kvm 36 g qemu 107 u qemu 107:qemu "qemu user" - - m qemu kvm -- 2.50.0

1 0

[PATCH 0/2] qemu: prefer GICv3 on TCG ARM VMs
by Heinrich Schuchardt 19 Jun '25

19 Jun '25

Emulating ARM machines with more than 8 CPUs requires GICv3. Currently libvirt defaults to GICv2 on TCG emulated VMs. This due to a deficiency existing in QEMU in 2017. There are no issues running virtual machine with <features> <gic version='3'/> </features> using current QEMU. Heinrich Schuchardt (2): tests: use virt-6.2 for aarch64 TCG qemu: prefer GICv3 on TCG ARM VMs src/qemu/qemu_postparse.c | 14 ------- ...fault-cpu-tcg-virt-4.2.aarch64-latest.args | 36 ---------------- ...efault-cpu-tcg-virt-4.2.aarch64-latest.xml | 42 ------------------- .../aarch64-default-cpu-tcg-virt-4.2.xml | 20 --------- ...fault-cpu-tcg-virt-6.2.aarch64-latest.args | 36 ++++++++++++++++ ...efault-cpu-tcg-virt-6.2.aarch64-latest.xml | 42 +++++++++++++++++++ .../aarch64-default-cpu-tcg-virt-6.2.xml | 20 +++++++++ .../aarch64-gic-none-tcg.aarch64-latest.args | 2 +- .../aarch64-gic-none-tcg.aarch64-latest.xml | 2 +- .../aarch64-pci-serial.aarch64-latest.args | 2 +- .../aarch64-pci-serial.aarch64-latest.xml | 2 +- ...arch64-traditional-pci.aarch64-latest.args | 2 +- ...aarch64-traditional-pci.aarch64-latest.xml | 2 +- ...aarch64-usb-controller.aarch64-latest.args | 2 +- .../aarch64-usb-controller.aarch64-latest.xml | 2 +- .../aarch64-video-default.aarch64-latest.args | 2 +- .../aarch64-video-default.aarch64-latest.xml | 2 +- ...4-video-virtio-gpu-pci.aarch64-latest.args | 2 +- ...64-video-virtio-gpu-pci.aarch64-latest.xml | 2 +- ...ault-models.aarch64-latest.abi-update.args | 2 +- ...fault-models.aarch64-latest.abi-update.xml | 2 +- ...64-virt-default-models.aarch64-latest.args | 2 +- ...h64-virt-default-models.aarch64-latest.xml | 2 +- ...rch64-virt-default-nic.aarch64-latest.args | 2 +- ...arch64-virt-default-nic.aarch64-latest.xml | 2 +- .../aarch64-virt-graphics.aarch64-latest.args | 2 +- .../aarch64-virt-graphics.aarch64-latest.xml | 2 +- ...h64-virt-headless-mmio.aarch64-latest.args | 2 +- ...ch64-virt-headless-mmio.aarch64-latest.xml | 2 +- .../aarch64-virt-headless.aarch64-latest.args | 2 +- .../aarch64-virt-headless.aarch64-latest.xml | 2 +- ...irt-minimal.aarch64-latest.abi-update.args | 2 +- ...virt-minimal.aarch64-latest.abi-update.xml | 2 +- .../aarch64-virt-minimal.aarch64-latest.args | 2 +- .../aarch64-virt-minimal.aarch64-latest.xml | 2 +- .../aarch64-virt-virtio.aarch64-latest.args | 2 +- .../aarch64-virt-virtio.aarch64-latest.xml | 2 +- ...o-pci-manual-addresses.aarch64-latest.args | 2 +- ...io-pci-manual-addresses.aarch64-latest.xml | 2 +- .../balloon-mmio-deflate.aarch64-latest.args | 2 +- .../balloon-mmio-deflate.aarch64-latest.xml | 2 +- .../cpu-topology5.aarch64-latest.args | 2 +- .../cpu-topology5.aarch64-latest.xml | 2 +- ...efi-aarch64.aarch64-latest.abi-update.args | 2 +- ...-efi-aarch64.aarch64-latest.abi-update.xml | 2 +- ...mware-auto-efi-aarch64.aarch64-latest.args | 2 +- ...rmware-auto-efi-aarch64.aarch64-latest.xml | 2 +- ...-loader-raw.aarch64-latest.abi-update.args | 2 +- ...t-loader-raw.aarch64-latest.abi-update.xml | 2 +- ...-efi-format-loader-raw.aarch64-latest.args | 2 +- ...o-efi-format-loader-raw.aarch64-latest.xml | 2 +- ...i-aarch64-legacy-paths.aarch64-latest.args | 2 +- ...fi-aarch64-legacy-paths.aarch64-latest.xml | 2 +- ...anual-efi-acpi-aarch64.aarch64-latest.args | 2 +- ...manual-efi-acpi-aarch64.aarch64-latest.xml | 2 +- ...ual-efi-noacpi-aarch64.aarch64-latest.args | 2 +- ...nual-efi-noacpi-aarch64.aarch64-latest.xml | 2 +- ...l-noefi-noacpi-aarch64.aarch64-latest.args | 2 +- ...al-noefi-noacpi-aarch64.aarch64-latest.xml | 2 +- .../iommu-smmuv3.aarch64-latest.args | 2 +- .../iommu-smmuv3.aarch64-latest.xml | 2 +- ...ch-virt-console-native.aarch64-latest.args | 2 +- ...ach-virt-console-native.aarch64-latest.xml | 2 +- ...ch-virt-console-virtio.aarch64-latest.args | 2 +- ...ach-virt-console-virtio.aarch64-latest.xml | 2 +- ...-serial+console-native.aarch64-latest.args | 2 +- ...t-serial+console-native.aarch64-latest.xml | 2 +- ...ach-virt-serial-compat.aarch64-latest.args | 2 +- ...mach-virt-serial-compat.aarch64-latest.xml | 2 +- ...ach-virt-serial-native.aarch64-latest.args | 2 +- ...mach-virt-serial-native.aarch64-latest.xml | 2 +- .../mach-virt-serial-pci.aarch64-latest.args | 2 +- .../mach-virt-serial-pci.aarch64-latest.xml | 2 +- .../mach-virt-serial-usb.aarch64-latest.args | 2 +- .../mach-virt-serial-usb.aarch64-latest.xml | 2 +- ...e-expander-bus-aarch64.aarch64-latest.args | 2 +- ...ie-expander-bus-aarch64.aarch64-latest.xml | 2 +- .../pcihole64-virt.aarch64-latest.args | 2 +- .../pcihole64-virt.aarch64-latest.xml | 2 +- .../pvpanic-pci-aarch64.aarch64-latest.args | 2 +- .../pvpanic-pci-aarch64.aarch64-latest.xml | 2 +- ...pci-no-address-aarch64.aarch64-latest.args | 2 +- ...-pci-no-address-aarch64.aarch64-latest.xml | 2 +- .../virtio-iommu-aarch64.aarch64-latest.args | 2 +- .../virtio-iommu-aarch64.aarch64-latest.xml | 2 +- tests/qemuxmlconftest.c | 2 +- 86 files changed, 177 insertions(+), 191 deletions(-) delete mode 100644 tests/qemuxmlconfdata/aarch64-default-cpu-tcg-virt-4.2.aarch64-latest.args delete mode 100644 tests/qemuxmlconfdata/aarch64-default-cpu-tcg-virt-4.2.aarch64-latest.xml delete mode 100644 tests/qemuxmlconfdata/aarch64-default-cpu-tcg-virt-4.2.xml create mode 100644 tests/qemuxmlconfdata/aarch64-default-cpu-tcg-virt-6.2.aarch64-latest.args create mode 100644 tests/qemuxmlconfdata/aarch64-default-cpu-tcg-virt-6.2.aarch64-latest.xml create mode 100644 tests/qemuxmlconfdata/aarch64-default-cpu-tcg-virt-6.2.xml -- 2.48.1

1 4

[PATCH] cpu_map: Add more -noTSX x86 CPU models (Sapphire and Granite rapids)
by Hector Cao 18 Jun '25

18 Jun '25

Several Intel CPU models with TSX technology (HLE & RTM features) are affected by the vulnerability TAA[1]. One of the mitigation methods for TAA is to disable TSX support on the host system. For that purpose, in 2021, Intel published a microcode update to disable TSX. Linux kernel also disables TSX globally by default. Even though TSX can be activated via the kernel command line (tsx=on), many Linux distributions stick with this default behavior and have TSX disabled. This makes existing CPU models that have HLE and RTM enabled not correctly detected by libvirt. This commit adds 2 remaining -noTSX models: - SapphireRapids-noTSX - GraniteRapids-noTSX Hopefully, this is the last effort on adding noTSX variants since Granite Rapids should be the last CPU model to have the TSX feature and is consequently affected by TAA. Indeed, SierraForest does not have RTM and HLE enabled. References: [1] TAA, TSX asynchronous Abort: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.… --- src/cpu_map/index.xml | 2 + src/cpu_map/meson.build | 2 + src/cpu_map/x86_GraniteRapids-noTSX.xml | 197 +++++++++++++++++++++++ src/cpu_map/x86_SapphireRapids-noTSX.xml | 190 ++++++++++++++++++++++ 4 files changed, 391 insertions(+) create mode 100644 src/cpu_map/x86_GraniteRapids-noTSX.xml create mode 100644 src/cpu_map/x86_SapphireRapids-noTSX.xml diff --git a/src/cpu_map/index.xml b/src/cpu_map/index.xml index 87db338cee..03a2c73ba5 100644 --- a/src/cpu_map/index.xml +++ b/src/cpu_map/index.xml @@ -116,10 +116,12 @@ <include filename='x86_Snowridge-v3.xml'/> <include filename='x86_Snowridge-v4.xml'/> <include filename='x86_SapphireRapids.xml'/> + <include filename='x86_SapphireRapids-noTSX.xml'/> <include filename='x86_SapphireRapids-v1.xml'/> <include filename='x86_SapphireRapids-v2.xml'/> <include filename='x86_SapphireRapids-v3.xml'/> <include filename='x86_GraniteRapids.xml'/> + <include filename='x86_GraniteRapids-noTSX.xml'/> <include filename='x86_GraniteRapids-v1.xml'/> <include filename='x86_GraniteRapids-v2.xml'/> <include filename='x86_SierraForest.xml'/> diff --git a/src/cpu_map/meson.build b/src/cpu_map/meson.build index dee8441a13..414cad7352 100644 --- a/src/cpu_map/meson.build +++ b/src/cpu_map/meson.build @@ -80,6 +80,7 @@ cpumap_data = [ 'x86_features.xml', 'x86_GraniteRapids-v1.xml', 'x86_GraniteRapids-v2.xml', + 'x86_GraniteRapids-noTSX.xml', 'x86_GraniteRapids.xml', 'x86_Haswell-IBRS.xml', 'x86_Haswell-noTSX-IBRS.xml', @@ -148,6 +149,7 @@ cpumap_data = [ 'x86_SapphireRapids-v1.xml', 'x86_SapphireRapids-v2.xml', 'x86_SapphireRapids-v3.xml', + 'x86_SapphireRapids-noTSX.xml', 'x86_SapphireRapids.xml', 'x86_SierraForest-v1.xml', 'x86_SierraForest.xml', diff --git a/src/cpu_map/x86_GraniteRapids-noTSX.xml b/src/cpu_map/x86_GraniteRapids-noTSX.xml new file mode 100644 index 0000000000..085b012f83 --- /dev/null +++ b/src/cpu_map/x86_GraniteRapids-noTSX.xml @@ -0,0 +1,197 @@ +<cpus> + <model name='GraniteRapids-noTSX'> + <check partial='compat'/> + <decode host='on' guest='off'/> + <signature family='6' model='173'/> + <vendor name='Intel'/> + <feature name='3dnowprefetch'/> + <feature name='abm'/> + <feature name='adx'/> + <feature name='aes'/> + <feature name='amx-bf16'/> + <feature name='amx-fp16'/> + <feature name='amx-int8'/> + <feature name='amx-tile'/> + <feature name='apic'/> + <feature name='arat'/> + <feature name='arch-capabilities'/> + <feature name='avx'/> + <feature name='avx-vnni'/> + <feature name='avx2'/> + <feature name='avx512-bf16'/> + <feature name='avx512-fp16'/> + <feature name='avx512-vpopcntdq'/> + <feature name='avx512bitalg'/> + <feature name='avx512bw'/> + <feature name='avx512cd'/> + <feature name='avx512dq'/> + <feature name='avx512f'/> + <feature name='avx512ifma'/> + <feature name='avx512vbmi'/> + <feature name='avx512vbmi2'/> + <feature name='avx512vl'/> + <feature name='avx512vnni'/> + <feature name='bmi1'/> + <feature name='bmi2'/> + <feature name='bus-lock-detect'/> + <feature name='clflush'/> + <feature name='clflushopt'/> + <feature name='clwb'/> + <feature name='cmov'/> + <feature name='cx16'/> + <feature name='cx8'/> + <feature name='de'/> + <feature name='erms'/> + <feature name='f16c'/> + <feature name='fbsdp-no'/> + <feature name='fma'/> + <feature name='fpu'/> + <feature name='fsgsbase'/> + <feature name='fsrc'/> + <feature name='fsrm'/> + <feature name='fsrs'/> + <feature name='fxsr'/> + <feature name='fzrm'/> + <feature name='gfni'/> + <feature name='ibrs-all'/> + <feature name='invpcid'/> + <feature name='la57'/> + <feature name='lahf_lm'/> + <feature name='lm'/> + <feature name='mca'/> + <feature name='mcdt-no'/> + <feature name='mce'/> + <feature name='mds-no'/> + <feature name='mmx'/> + <feature name='movbe'/> + <feature name='msr'/> + <feature name='mtrr'/> + <feature name='nx'/> + <feature name='pae'/> + <feature name='pat'/> + <feature name='pbrsb-no'/> + <feature name='pcid'/> + <feature name='pclmuldq'/> + <feature name='pdpe1gb'/> + <feature name='pge'/> + <feature name='pku'/> + <feature name='pni'/> + <feature name='popcnt'/> + <feature name='prefetchiti'/> + <feature name='pschange-mc-no'/> + <feature name='psdp-no'/> + <feature name='pse'/> + <feature name='pse36'/> + <feature name='rdctl-no'/> + <feature name='rdpid'/> + <feature name='rdrand'/> + <feature name='rdseed'/> + <feature name='rdtscp'/> + <feature name='sbdr-ssdp-no'/> + <feature name='sep'/> + <feature name='serialize'/> + <feature name='sha-ni'/> + <feature name='skip-l1dfl-vmentry'/> + <feature name='smap'/> + <feature name='smep'/> + <feature name='spec-ctrl'/> + <feature name='ssbd'/> + <feature name='sse'/> + <feature name='sse2'/> + <feature name='sse4.1'/> + <feature name='sse4.2'/> + <feature name='ssse3'/> + <feature name='syscall'/> + <feature name='taa-no'/> + <feature name='tsc'/> + <feature name='tsc-deadline'/> + <feature name='tsx-ldtrk'/> + <feature name='umip'/> + <feature name='vaes'/> + <feature name='vme'/> + <feature name='vmx-activity-hlt'/> + <feature name='vmx-apicv-register'/> + <feature name='vmx-apicv-vid'/> + <feature name='vmx-apicv-x2apic'/> + <feature name='vmx-apicv-xapic'/> + <feature name='vmx-cr3-load-noexit'/> + <feature name='vmx-cr3-store-noexit'/> + <feature name='vmx-cr8-load-exit'/> + <feature name='vmx-cr8-store-exit'/> + <feature name='vmx-desc-exit'/> + <feature name='vmx-entry-ia32e-mode'/> + <feature name='vmx-entry-load-efer'/> + <feature name='vmx-entry-load-pat'/> + <feature name='vmx-entry-load-perf-global-ctrl'/> + <feature name='vmx-entry-noload-debugctl'/> + <feature name='vmx-ept'/> + <feature name='vmx-ept-1gb'/> + <feature name='vmx-ept-2mb'/> + <feature name='vmx-ept-execonly'/> + <feature name='vmx-eptad'/> + <feature name='vmx-eptp-switching'/> + <feature name='vmx-exit-ack-intr'/> + <feature name='vmx-exit-load-efer'/> + <feature name='vmx-exit-load-pat'/> + <feature name='vmx-exit-load-perf-global-ctrl'/> + <feature name='vmx-exit-nosave-debugctl'/> + <feature name='vmx-exit-save-efer'/> + <feature name='vmx-exit-save-pat'/> + <feature name='vmx-exit-save-preemption-timer'/> + <feature name='vmx-flexpriority'/> + <feature name='vmx-hlt-exit'/> + <feature name='vmx-ins-outs'/> + <feature name='vmx-intr-exit'/> + <feature name='vmx-invept'/> + <feature name='vmx-invept-all-context'/> + <feature name='vmx-invept-single-context'/> + <feature name='vmx-invlpg-exit'/> + <feature name='vmx-invpcid-exit'/> + <feature name='vmx-invvpid'/> + <feature name='vmx-invvpid-all-context'/> + <feature name='vmx-invvpid-single-addr'/> + <feature name='vmx-invvpid-single-context-noglobals'/> + <feature name='vmx-io-bitmap'/> + <feature name='vmx-io-exit'/> + <feature name='vmx-monitor-exit'/> + <feature name='vmx-movdr-exit'/> + <feature name='vmx-msr-bitmap'/> + <feature name='vmx-mtf'/> + <feature name='vmx-mwait-exit'/> + <feature name='vmx-nmi-exit'/> + <feature name='vmx-page-walk-4'/> + <feature name='vmx-page-walk-5'/> + <feature name='vmx-pause-exit'/> + <feature name='vmx-pml'/> + <feature name='vmx-posted-intr'/> + <feature name='vmx-preemption-timer'/> + <feature name='vmx-rdpmc-exit'/> + <feature name='vmx-rdrand-exit'/> + <feature name='vmx-rdseed-exit'/> + <feature name='vmx-rdtsc-exit'/> + <feature name='vmx-rdtscp-exit'/> + <feature name='vmx-secondary-ctls'/> + <feature name='vmx-shadow-vmcs'/> + <feature name='vmx-store-lma'/> + <feature name='vmx-true-ctls'/> + <feature name='vmx-tsc-offset'/> + <feature name='vmx-unrestricted-guest'/> + <feature name='vmx-vintr-pending'/> + <feature name='vmx-vmfunc'/> + <feature name='vmx-vmwrite-vmexit-fields'/> + <feature name='vmx-vnmi'/> + <feature name='vmx-vnmi-pending'/> + <feature name='vmx-vpid'/> + <feature name='vmx-wbinvd-exit'/> + <feature name='vmx-xsaves'/> + <feature name='vpclmulqdq'/> + <feature name='wbnoinvd'/> + <feature name='x2apic'/> + <feature name='xfd'/> + <feature name='xgetbv1'/> + <feature name='xsave'/> + <feature name='xsavec'/> + <feature name='xsaveopt'/> + <feature name='xsaves'/> + </model> +</cpus> diff --git a/src/cpu_map/x86_SapphireRapids-noTSX.xml b/src/cpu_map/x86_SapphireRapids-noTSX.xml new file mode 100644 index 0000000000..de56826741 --- /dev/null +++ b/src/cpu_map/x86_SapphireRapids-noTSX.xml @@ -0,0 +1,190 @@ +<cpus> + <model name='SapphireRapids-noTSX'> + <check partial='compat'/> + <decode host='on' guest='off'/> + <signature family='6' model='143'/> + <vendor name='Intel'/> + <feature name='3dnowprefetch'/> + <feature name='abm'/> + <feature name='adx'/> + <feature name='aes'/> + <feature name='amx-bf16'/> + <feature name='amx-int8'/> + <feature name='amx-tile'/> + <feature name='apic'/> + <feature name='arat'/> + <feature name='arch-capabilities'/> + <feature name='avx'/> + <feature name='avx-vnni'/> + <feature name='avx2'/> + <feature name='avx512-bf16'/> + <feature name='avx512-fp16'/> + <feature name='avx512-vpopcntdq'/> + <feature name='avx512bitalg'/> + <feature name='avx512bw'/> + <feature name='avx512cd'/> + <feature name='avx512dq'/> + <feature name='avx512f'/> + <feature name='avx512ifma'/> + <feature name='avx512vbmi'/> + <feature name='avx512vbmi2'/> + <feature name='avx512vl'/> + <feature name='avx512vnni'/> + <feature name='bmi1'/> + <feature name='bmi2'/> + <feature name='bus-lock-detect'/> + <feature name='clflush'/> + <feature name='clflushopt'/> + <feature name='clwb'/> + <feature name='cmov'/> + <feature name='cx16'/> + <feature name='cx8'/> + <feature name='de'/> + <feature name='erms'/> + <feature name='f16c'/> + <feature name='fma'/> + <feature name='fpu'/> + <feature name='fsgsbase'/> + <feature name='fsrc'/> + <feature name='fsrm'/> + <feature name='fsrs'/> + <feature name='fxsr'/> + <feature name='fzrm'/> + <feature name='gfni'/> + <feature name='ibrs-all'/> + <feature name='invpcid'/> + <feature name='la57'/> + <feature name='lahf_lm'/> + <feature name='lm'/> + <feature name='mca'/> + <feature name='mce'/> + <feature name='mds-no'/> + <feature name='mmx'/> + <feature name='movbe'/> + <feature name='msr'/> + <feature name='mtrr'/> + <feature name='nx'/> + <feature name='pae'/> + <feature name='pat'/> + <feature name='pcid'/> + <feature name='pclmuldq'/> + <feature name='pdpe1gb'/> + <feature name='pge'/> + <feature name='pku'/> + <feature name='pni'/> + <feature name='popcnt'/> + <feature name='pschange-mc-no'/> + <feature name='pse'/> + <feature name='pse36'/> + <feature name='rdctl-no'/> + <feature name='rdpid'/> + <feature name='rdrand'/> + <feature name='rdseed'/> + <feature name='rdtscp'/> + <feature name='sep'/> + <feature name='serialize'/> + <feature name='sha-ni'/> + <feature name='skip-l1dfl-vmentry'/> + <feature name='smap'/> + <feature name='smep'/> + <feature name='spec-ctrl'/> + <feature name='ssbd'/> + <feature name='sse'/> + <feature name='sse2'/> + <feature name='sse4.1'/> + <feature name='sse4.2'/> + <feature name='ssse3'/> + <feature name='syscall'/> + <feature name='taa-no'/> + <feature name='tsc'/> + <feature name='tsc-deadline'/> + <feature name='tsx-ldtrk'/> + <feature name='umip'/> + <feature name='vaes'/> + <feature name='vme'/> + <feature name='vmx-activity-hlt' added='yes'/> + <feature name='vmx-apicv-register' added='yes'/> + <feature name='vmx-apicv-vid' added='yes'/> + <feature name='vmx-apicv-x2apic' added='yes'/> + <feature name='vmx-apicv-xapic' added='yes'/> + <feature name='vmx-cr3-load-noexit' added='yes'/> + <feature name='vmx-cr3-store-noexit' added='yes'/> + <feature name='vmx-cr8-load-exit' added='yes'/> + <feature name='vmx-cr8-store-exit' added='yes'/> + <feature name='vmx-desc-exit' added='yes'/> + <feature name='vmx-entry-ia32e-mode' added='yes'/> + <feature name='vmx-entry-load-efer' added='yes'/> + <feature name='vmx-entry-load-pat' added='yes'/> + <feature name='vmx-entry-load-perf-global-ctrl' added='yes'/> + <feature name='vmx-entry-noload-debugctl' added='yes'/> + <feature name='vmx-ept' added='yes'/> + <feature name='vmx-ept-1gb' added='yes'/> + <feature name='vmx-ept-2mb' added='yes'/> + <feature name='vmx-ept-execonly' added='yes'/> + <feature name='vmx-eptad' added='yes'/> + <feature name='vmx-eptp-switching' added='yes'/> + <feature name='vmx-exit-ack-intr' added='yes'/> + <feature name='vmx-exit-load-efer' added='yes'/> + <feature name='vmx-exit-load-pat' added='yes'/> + <feature name='vmx-exit-load-perf-global-ctrl' added='yes'/> + <feature name='vmx-exit-nosave-debugctl' added='yes'/> + <feature name='vmx-exit-save-efer' added='yes'/> + <feature name='vmx-exit-save-pat' added='yes'/> + <feature name='vmx-exit-save-preemption-timer' added='yes'/> + <feature name='vmx-flexpriority' added='yes'/> + <feature name='vmx-hlt-exit' added='yes'/> + <feature name='vmx-ins-outs' added='yes'/> + <feature name='vmx-intr-exit' added='yes'/> + <feature name='vmx-invept' added='yes'/> + <feature name='vmx-invept-all-context' added='yes'/> + <feature name='vmx-invept-single-context' added='yes'/> + <feature name='vmx-invlpg-exit' added='yes'/> + <feature name='vmx-invpcid-exit' added='yes'/> + <feature name='vmx-invvpid' added='yes'/> + <feature name='vmx-invvpid-all-context' added='yes'/> + <feature name='vmx-invvpid-single-addr' added='yes'/> + <feature name='vmx-invvpid-single-context-noglobals' added='yes'/> + <feature name='vmx-io-bitmap' added='yes'/> + <feature name='vmx-io-exit' added='yes'/> + <feature name='vmx-monitor-exit' added='yes'/> + <feature name='vmx-movdr-exit' added='yes'/> + <feature name='vmx-msr-bitmap' added='yes'/> + <feature name='vmx-mtf' added='yes'/> + <feature name='vmx-mwait-exit' added='yes'/> + <feature name='vmx-nmi-exit' added='yes'/> + <feature name='vmx-page-walk-4' added='yes'/> + <feature name='vmx-page-walk-5' added='yes'/> + <feature name='vmx-pause-exit' added='yes'/> + <feature name='vmx-pml' added='yes'/> + <feature name='vmx-posted-intr' added='yes'/> + <feature name='vmx-preemption-timer' added='yes'/> + <feature name='vmx-rdpmc-exit' added='yes'/> + <feature name='vmx-rdrand-exit' added='yes'/> + <feature name='vmx-rdseed-exit' added='yes'/> + <feature name='vmx-rdtsc-exit' added='yes'/> + <feature name='vmx-rdtscp-exit' added='yes'/> + <feature name='vmx-secondary-ctls' added='yes'/> + <feature name='vmx-shadow-vmcs' added='yes'/> + <feature name='vmx-store-lma' added='yes'/> + <feature name='vmx-true-ctls' added='yes'/> + <feature name='vmx-tsc-offset' added='yes'/> + <feature name='vmx-unrestricted-guest' added='yes'/> + <feature name='vmx-vintr-pending' added='yes'/> + <feature name='vmx-vmfunc' added='yes'/> + <feature name='vmx-vmwrite-vmexit-fields' added='yes'/> + <feature name='vmx-vnmi' added='yes'/> + <feature name='vmx-vnmi-pending' added='yes'/> + <feature name='vmx-vpid' added='yes'/> + <feature name='vmx-wbinvd-exit' added='yes'/> + <feature name='vmx-xsaves' added='yes'/> + <feature name='vpclmulqdq'/> + <feature name='wbnoinvd'/> + <feature name='x2apic'/> + <feature name='xfd'/> + <feature name='xgetbv1'/> + <feature name='xsave'/> + <feature name='xsavec'/> + <feature name='xsaveopt'/> + <feature name='xsaves'/> + </model> +</cpus> -- 2.45.2

3 7

[PATCH] security_manager: Don't leak seclabel in virSecurityManagerGenLabel()
by Michal Privoznik 18 Jun '25

18 Jun '25

From: Michal Privoznik <mprivozn(a)redhat.com> When a domain is being started, seclabels are generated for it. This is handled in virSecurityManagerGenLabel() which can either find pre-existing seclabel in domain def or generate a new one. At any rate, domainGenSecurityLabel() callback is called and if it fails then the seclabel is removed from domain definition using VIR_DELETE_ELEMENT(). While this shrinks down the seclabels array, it does not free individual item. It has to be freed manually. 80 bytes in 2 blocks are definitely lost in loss record 1,359 of 1,876 at 0x484CEF3: calloc (vg_replace_malloc.c:1675) by 0x4F19B29: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.8200.5) by 0x49E4953: virSecurityLabelDefNew (virseclabel.c:59) by 0x4BDE0A4: virSecurityManagerGenLabel (security_manager.c:638) by 0xBA029B7: qemuProcessPrepareDomain (qemu_process.c:6760) by 0xBA07DF2: qemuProcessStart (qemu_process.c:8369) by 0xB93DAC0: qemuDomainObjStart (qemu_driver.c:6371) by 0xB93DE08: qemuDomainCreateWithFlags (qemu_driver.c:6420) by 0xB93DE86: qemuDomainCreate (qemu_driver.c:6438) by 0x4CECEA8: virDomainCreate (libvirt-domain.c:7142) Now, you might think this may lead to a double free, because @seclabel is freed under the 'cleanup' label (if @generated is true). But if @generated is true, then just before calling the callback there's VIR_APPEND_ELEMENT() which clears @seclabel out turning the free under 'cleanup' label into a NOP. Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com> --- src/security/security_manager.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/security/security_manager.c b/src/security/security_manager.c index c2460eae37..5fc4eb4872 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -669,9 +669,14 @@ virSecurityManagerGenLabel(virSecurityManager *mgr, VIR_APPEND_ELEMENT(vm->seclabels, vm->nseclabels, seclabel); if (sec_managers[i]->drv->domainGenSecurityLabel(sec_managers[i], vm) < 0) { + virSecurityLabelDef *tmp = vm->seclabels[vm->nseclabels - 1]; + if (VIR_DELETE_ELEMENT(vm->seclabels, - vm->nseclabels -1, vm->nseclabels) < 0) + vm->nseclabels - 1, vm->nseclabels) < 0) { vm->nseclabels--; + } + + virSecurityLabelDefFree(tmp); goto cleanup; } -- 2.49.0

3 2

Plans for 11.5.0 release (freeze on 2025-06-24)
by Jiri Denemark 18 Jun '25

18 Jun '25

We are getting close to 11.5.0 release of libvirt. To aim for the release on Tuesday 01 Jul I suggest entering the freeze on Tuesday 24 Jun and tagging RC2 on Friday 27 Jun. I hope this works for everyone. Jirka

1 0

[PATCH] virSocketAddrPrefixToNetmask: Prevent undefined behaviour on bitshifts on signed integer
by Peter Krempa 18 Jun '25

18 Jun '25

From: Peter Krempa <pkrempa(a)redhat.com> Shifting bits into the sign bit is undefined behaviour in C although both gcc and clang handle it as expected. Since the value is used as unsigned convert it to unsigned int. For code readability use 'if' statement instead of a ternary. Closes: https://gitlab.com/libvirt/libvirt/-/issues/785 Signed-off-by: Peter Krempa <pkrempa(a)redhat.com> --- src/util/virsocketaddr.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/util/virsocketaddr.c b/src/util/virsocketaddr.c index a2e6701670..f53768878e 100644 --- a/src/util/virsocketaddr.c +++ b/src/util/virsocketaddr.c @@ -1144,12 +1144,14 @@ virSocketAddrPrefixToNetmask(unsigned int prefix, netmask->data.stor.ss_family = AF_UNSPEC; /* assume failure */ if (family == AF_INET) { - int ip; + unsigned int ip = 0; if (prefix > 32) return -1; - ip = prefix ? ~((1 << (32 - prefix)) - 1) : 0; + if (prefix > 0) + ip = ~((1U << (32 - prefix)) - 1); + netmask->data.inet4.sin_addr.s_addr = htonl(ip); netmask->data.stor.ss_family = AF_INET; netmask->len = sizeof(struct sockaddr_in); -- 2.49.0

2 1

[PATCH] qemu: Be more forgiving when acquiring QUERY job when formatting domain XML
by Michal Privoznik 18 Jun '25

18 Jun '25

From: Michal Privoznik <mprivozn(a)redhat.com> In my previous commit of v11.0.0-rc1~115 I've made QEMU driver implementation for virDomainGetXMLDesc() (qemuDomainGetXMLDesc()) acquire QERY job. See its commit message for more info. But this unfortunately broke apps witch fetch domain XML for incoming migration (like virt-manager). The reason is that for incoming migration the VIR_ASYNC_JOB_MIGRATION_IN async job is set, but the mask of allowed synchronous jobs is empty (because QEMU can't talk on monitor really). This makes virDomainObjBeginJob() fail which in turn makes qemuDomainGetXMLDesc() fail too. It makes sense for qemuDomainGetXMLDesc() to acquire the job (e.g. so that it's coherent with another thread that might be in the middle of a MODIFY job). But failure to dump XML may be treated as broken daemon (e.g. virt-manager does so). Therefore, still try to acquire the QUERY job (if job mask permits it) but, do not treat failure as an error. Fixes: 6cc93bf28842526be2fd596a607ebca796b7fb2e Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2369243 Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com> --- src/qemu/qemu_driver.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index b3b0ee66f8..9b583ad7aa 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -6182,6 +6182,7 @@ static char { virQEMUDriver *driver = dom->conn->privateData; virDomainObj *vm; + bool hasJob = false; char *ret = NULL; virCheckFlags(VIR_DOMAIN_XML_COMMON_FLAGS | VIR_DOMAIN_XML_UPDATE_CPU, @@ -6193,8 +6194,10 @@ static char if (virDomainGetXMLDescEnsureACL(dom->conn, vm->def, flags) < 0) goto cleanup; - if (virDomainObjBeginJob(vm, VIR_JOB_QUERY) < 0) - goto cleanup; + if (virDomainNestedJobAllowed(vm->job, VIR_JOB_QUERY) && + virDomainObjBeginJob(vm, VIR_JOB_QUERY) >= 0) { + hasJob = true; + } qemuDomainUpdateCurrentMemorySize(vm); @@ -6210,7 +6213,8 @@ static char ret = qemuDomainFormatXML(driver, vm, flags); - virDomainObjEndJob(vm); + if (hasJob) + virDomainObjEndJob(vm); cleanup: virDomainObjEndAPI(&vm); -- 2.49.0

2 1