[PULL 00/11] vfio queue

[PULL 00/11] vfio queue

[Cédric Le Goater]

The following changes since commit e89049b3ba5f1f0468bc0d294173345597514a1b:

  Merge tag 'for-upstream' of https://repo.or.cz/qemu/kevin into staging (2026-05-19 15:23:10 -0400)

are available in the Git repository at:

  https://github.com/legoater/qemu/ tags/pull-vfio-20260520

for you to fetch changes up to b9638e2faa58dea98b0797cbb6c1c2ae04902028:

  scripts/update-linux-headers: Add typelimits.h (2026-05-20 15:05:20 +0200)

----------------------------------------------------------------
vfio queue:

* Fix IRQ notifier return value in vfio/ap and vfio/ccw
* Fix vfio-user: reject malformed migration capabilities and avoid
  leaking a duplicate device name
* Report overflow in migration size queries
* Fix s390x cpu_models build regression
* Update libvfio-user subproject to fix compilation on newer compilers
* Update update-linux-headers.sh to support typelimits.h and inject
  VIRTIO_RING_NO_LEGACY in virtio_ring.h to fix the Windows build
* Replace abort() with g_assert_not_reached() in the vfio/pci
  interrupt handling path
* Drop superfluous inclusion of hw-error.h from vfio device files

----------------------------------------------------------------
Avihai Horon (1):
      scripts/update-linux-headers: Add typelimits.h

Cédric Le Goater (3):
      vfio/pci: Replace abort() with g_assert_not_reached()
      update-linux-headers: Inject VIRTIO_RING_NO_LEGACY in virtio_ring.h
      vfio/migration: Detect and report overflow in migration size queries

Eric Farman (1):
      target/s390x: restore cpu_models for system builds

GuoHan Zhao (4):
      vfio-user: avoid leaking duplicate device name
      vfio-user: reject malformed migration capabilities
      vfio/ap: Return false when IRQ notifier setup fails
      vfio/ccw: Return false when IRQ notifier setup fails

John Levon (1):
      hw/remote: update libvfio-user subproject

Thomas Huth (1):
      hw/vfio: Drop superfluous inclusion of hw-error.h

 hw/remote/vfio-user-obj.c       |  3 ++-
 hw/vfio-user/pci.c              |  2 --
 hw/vfio-user/proxy.c            |  4 ++--
 hw/vfio/ap.c                    |  1 +
 hw/vfio/ccw.c                   |  1 +
 hw/vfio/device.c                |  1 -
 hw/vfio/helpers.c               |  1 -
 hw/vfio/igd.c                   |  1 -
 hw/vfio/kvm-helpers.c           |  1 -
 hw/vfio/migration.c             | 32 ++++++++++++++++++++++++++++----
 hw/vfio/pci.c                   |  7 ++++++-
 scripts/update-linux-headers.sh |  3 +++
 subprojects/libvfio-user.wrap   |  2 +-
 target/s390x/meson.build        |  6 +++++-
 14 files changed, 49 insertions(+), 16 deletions(-)

[PULL 01/11] target/s390x: restore cpu_models for system builds

[Cédric Le Goater]

From: Eric Farman <farman@linux.ibm.com>

Commit 0b83acf2f05 stated:

    Introduce a source set common to system / user. Start it
    with the files built in both sets: 'cpu_models_user.c'
    and 'gdbstub.c' No logical change intended.

Except that's not true:

    git show 0b83acf2f0 | grep cpu_models
        with the files built in both sets: 'cpu_models_user.c'
    +  'cpu_models_user.c',
    -  'cpu_models_system.c',
    -  'cpu_models_user.c',

Restore the s390x_user_ss section, move "cpu_models_user.c" back
into it, and re-add "cpu_models_system.c" to the common_system
section.

Reported-by: Cédric Le Goater <clg@redhat.com>
Fixes: 0b83acf2f05 ("target/s390x: Introduce common system/user meson source set")
Signed-off-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Tested-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260511163541.192533-1-farman@linux.ibm.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
 target/s390x/meson.build | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/target/s390x/meson.build b/target/s390x/meson.build
index bc4459e8ed7b036e2ee5668dd338c5785a364fc0..c2cb4aca469ab49a43c22800c996cf94b09fd572 100644
--- a/target/s390x/meson.build
+++ b/target/s390x/meson.build
@@ -22,7 +22,6 @@ gen_features_h = custom_target('gen-features.h',
 
 s390x_common_ss.add(gen_features_h)
 s390x_common_ss.add(files(
-  'cpu_models_user.c',
   'gdbstub.c',
 ))
 
@@ -39,6 +38,11 @@ s390x_common_system_ss.add(files(
   'mmu_helper.c',
   'sigp.c',
   'cpu-system.c',
+  'cpu_models_system.c',
+))
+
+s390x_user_ss.add(files(
+  'cpu_models_user.c',
 ))
 
 subdir('tcg')
-- 
2.54.0

[PULL 02/11] hw/vfio: Drop superfluous inclusion of hw-error.h

[Cédric Le Goater]

From: Thomas Huth <thuth@redhat.com>

None of these files use the hw_error() function, so there is no
need to include hw-error.h here.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Link: https://lore.kernel.org/qemu-devel/20260428163702.3224323-1-thuth@redhat.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
 hw/vfio/device.c      | 1 -
 hw/vfio/helpers.c     | 1 -
 hw/vfio/igd.c         | 1 -
 hw/vfio/kvm-helpers.c | 1 -
 4 files changed, 4 deletions(-)

diff --git a/hw/vfio/device.c b/hw/vfio/device.c
index 3ffd69a579b8ac135ef729d3d836c8545e36786b..ccf14743e954bdf23b76d4e4c3ab2647a428f050 100644
--- a/hw/vfio/device.c
+++ b/hw/vfio/device.c
@@ -24,7 +24,6 @@
 #include "hw/vfio/vfio-device.h"
 #include "hw/vfio/pci.h"
 #include "hw/core/iommu.h"
-#include "hw/core/hw-error.h"
 #include "trace.h"
 #include "qapi/error.h"
 #include "qemu/error-report.h"
diff --git a/hw/vfio/helpers.c b/hw/vfio/helpers.c
index 65c6dba0428954170ce8a889edffa34ce9b24b13..c719864b92fb5b73170218a10c1eb66fdbe2edaa 100644
--- a/hw/vfio/helpers.c
+++ b/hw/vfio/helpers.c
@@ -24,7 +24,6 @@
 
 #include "exec/cpu-common.h"
 #include "hw/vfio/vfio-device.h"
-#include "hw/core/hw-error.h"
 #include "qapi/error.h"
 #include "vfio-helpers.h"
 
diff --git a/hw/vfio/igd.c b/hw/vfio/igd.c
index 6aacf27284f86da401fdd67e359500dd0545222b..e091f21b6a3aea0013e0b3094d2ca13588200c98 100644
--- a/hw/vfio/igd.c
+++ b/hw/vfio/igd.c
@@ -16,7 +16,6 @@
 #include "qapi/error.h"
 #include "qapi/qmp/qerror.h"
 #include "hw/core/boards.h"
-#include "hw/core/hw-error.h"
 #include "hw/nvram/fw_cfg.h"
 #include "pci.h"
 #include "pci-quirks.h"
diff --git a/hw/vfio/kvm-helpers.c b/hw/vfio/kvm-helpers.c
index d71c9590aaa53dc4e436987a34575f57a6397c6b..5e73dddc418b51475c78489189bd1ba8f2b3038d 100644
--- a/hw/vfio/kvm-helpers.c
+++ b/hw/vfio/kvm-helpers.c
@@ -25,7 +25,6 @@
 #include "system/kvm.h"
 #include "exec/cpu-common.h"
 #include "hw/vfio/vfio-device.h"
-#include "hw/core/hw-error.h"
 #include "qapi/error.h"
 #include "vfio-helpers.h"
 
-- 
2.54.0

[PULL 03/11] vfio-user: avoid leaking duplicate device name

[Cédric Le Goater]

From: GuoHan Zhao <zhaoguohan@kylinos.cn>

vfio_user_pci_realize() assigns vbasedev->name before connecting to the
server, then assigns the same name again after installing the request
handler.  The second assignment overwrites the first allocation, so only
the second string can be freed later by vfio_device_free_name().

Drop the duplicate assignment and keep the first name allocation, which is
also available on connection failures for error reporting.

Fixes: 36227628d824 ("vfio-user: implement message send infrastructure")
Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
Reviewed-by: John Levon <john.levon@nutanix.com>
Link: https://lore.kernel.org/qemu-devel/20260424032209.297458-1-zhaoguohan@kylinos.cn
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
 hw/vfio-user/pci.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/hw/vfio-user/pci.c b/hw/vfio-user/pci.c
index facc79727acb82c35fec5b4bef79e78b3878531a..e7573d4a9f088c1afc8ed2709932842247abf6ac 100644
--- a/hw/vfio-user/pci.c
+++ b/hw/vfio-user/pci.c
@@ -280,8 +280,6 @@ static void vfio_user_pci_realize(PCIDevice *pdev, Error **errp)
     vbasedev->proxy = proxy;
     vfio_user_set_handler(vbasedev, vfio_user_pci_process_req, vdev);
 
-    vbasedev->name = g_strdup_printf("vfio-user:%s", sock_name);
-
     if (udev->send_queued) {
         proxy->flags |= VFIO_PROXY_FORCE_QUEUED;
     }
-- 
2.54.0

[PULL 04/11] vfio-user: reject malformed migration capabilities

[Cédric Le Goater]

From: GuoHan Zhao <zhaoguohan@kylinos.cn>

check_migr() sets an error when the migration capability is not an object,
but still returns true.  This lets version negotiation continue with an
Error set and reports the wrong capability name in the diagnostic.

Return false for the malformed capability, and report the migration
capability name.

Fixes: 36227628d824 ("vfio-user: implement message send infrastructure")
Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
Reviewed-by: John Levon <john.levon@nutanix.com>
Link: https://lore.kernel.org/qemu-devel/20260424031259.289211-1-zhaoguohan@kylinos.cn
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
 hw/vfio-user/proxy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/vfio-user/proxy.c b/hw/vfio-user/proxy.c
index 314dfd23d8af385532bb87219fb3153961942cba..8b7cc36231ab276493e252064b560dcea13ae749 100644
--- a/hw/vfio-user/proxy.c
+++ b/hw/vfio-user/proxy.c
@@ -1190,8 +1190,8 @@ static bool check_migr(VFIOUserProxy *proxy, QObject *qobj, Error **errp)
     QDict *qdict = qobject_to(QDict, qobj);
 
     if (qdict == NULL) {
-        error_setg(errp, "malformed %s", VFIO_USER_CAP_MAX_FDS);
-        return true;
+        error_setg(errp, "malformed %s", VFIO_USER_CAP_MIGR);
+        return false;
     }
     return caps_parse(proxy, qdict, caps_migr, errp);
 }
-- 
2.54.0

[PULL 05/11] hw/remote: update libvfio-user subproject

[Cédric Le Goater]

From: John Levon <john.levon@nutanix.com>

The currently wrapped version of libvfio-user has compilation issues on
newer compilers; bump the library version.

Signed-off-by: John Levon <john.levon@nutanix.com>
Reviewed-by: Jagannathan Raman <jag.raman@oracle.com>
Reviewed-by: Mark Cave-Ayland <mark.caveayland@nutanix.com>
Link: https://lore.kernel.org/qemu-devel/20260422140244.2147400-1-john.levon@nutanix.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
 hw/remote/vfio-user-obj.c     | 3 ++-
 subprojects/libvfio-user.wrap | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/remote/vfio-user-obj.c b/hw/remote/vfio-user-obj.c
index 49bf5ecae0c44c6a9432fefceec964139b5fb309..87fa7b65722e4d917481bd1bd8116cfd39b98261 100644
--- a/hw/remote/vfio-user-obj.c
+++ b/hw/remote/vfio-user-obj.c
@@ -800,7 +800,8 @@ static void vfu_object_init_ctx(VfuObject *o, Error **errp)
         goto fail;
     }
 
-    ret = vfu_setup_device_dma(o->vfu_ctx, &dma_register, &dma_unregister);
+    ret = vfu_setup_device_dma(o->vfu_ctx, LIBVFIO_USER_MAX_DMA_REGIONS,
+                               &dma_register, &dma_unregister);
     if (ret < 0) {
         error_setg(errp, "vfu: Failed to setup DMA handlers for %s",
                    o->device);
diff --git a/subprojects/libvfio-user.wrap b/subprojects/libvfio-user.wrap
index 416955ca4515c7da8080986681f69629046a749b..11db795f8abe9bf86e0405651970160629ed3f30 100644
--- a/subprojects/libvfio-user.wrap
+++ b/subprojects/libvfio-user.wrap
@@ -1,4 +1,4 @@
 [wrap-git]
 url = https://gitlab.com/qemu-project/libvfio-user.git
-revision = 0b28d205572c80b568a1003db2c8f37ca333e4d7
+revision = 4d9f663450fa80ff375612dbbafe073700e3d3d8
 depth = 1
-- 
2.54.0

[PULL 06/11] vfio/pci: Replace abort() with g_assert_not_reached()

[Cédric Le Goater]

This check was originally introduced in commit b3ebc10c373e
("vfio-pci: Add debug config options to disable MSI/X KVM support") as
part of a debug block to retrieve the MSI/MSIX message, and was later
moved by commit 0de70dc7bab1 ("vfio/pci: Rename MSI/X functions for
easier tracing") into the main interrupt handling path, becoming
production code.

Under normal conditions, this code path cannot be reached because the
BQL serializes all handler registration, vdev->interrupt updates, and
handler removal. Replace abort() with g_assert_not_reached(), which is
preferred nowdays, and add a comment clarifying the purpose.

Cc: Alex Williamson <alex@shazbot.org>
Acked-by: Alex Williamson <alex@shazbot.org>
Link: https://lore.kernel.org/qemu-devel/20260506152353.1657838-1-clg@redhat.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
 hw/vfio/pci.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index b2a07f6bb4217bcacead194ce75b359b1896ef3a..9c06b25e6370d8bbea2828bfae64a3d14fe68219 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -451,7 +451,12 @@ static void vfio_msi_interrupt(void *opaque)
         get_msg = msi_get_message;
         notify = msi_notify;
     } else {
-        abort();
+        /*
+         * Interrupt state transitions (MSI/MSI-X -> NONE/INTx) are
+         * protected by the BQL, and eventfd handlers are strictly
+         * unregistered before vdev->interrupt is modified.
+         */
+        g_assert_not_reached();
     }
 
     msg = get_msg(pdev, nr);
-- 
2.54.0

[PULL 07/11] vfio/ap: Return false when IRQ notifier setup fails

[Cédric Le Goater]

From: GuoHan Zhao <zhaoguohan@kylinos.cn>

vfio_ap_register_irq_notifier() cleans up the fd handler and EventNotifier
when vfio_device_irq_set_signaling() fails, but still returns true to its
caller.

Return false after cleanup so the caller can handle the failed
registration path instead of treating it as a successful notifier setup.

Fixes: cbd470f0aac5 ("vfio/ap: Make vfio_ap_register_irq_notifier() return a bool")
Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
Reviewed-by: Anthony Krowiak <akrowiak@linux.ibm.com>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260510084353.58263-2-zhaoguohan@kylinos.cn
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
 hw/vfio/ap.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/vfio/ap.c b/hw/vfio/ap.c
index 276ae8c207bf2a1d7a0d5c0fc7f2ef98cec695d1..6e2a1223ea8d9ea0697d1f29ae746cf39419cde0 100644
--- a/hw/vfio/ap.c
+++ b/hw/vfio/ap.c
@@ -193,6 +193,7 @@ static bool vfio_ap_register_irq_notifier(VFIOAPDevice *vapdev,
                                        errp)) {
         qemu_set_fd_handler(fd, NULL, NULL, vapdev);
         event_notifier_cleanup(notifier);
+        return false;
     }
 
     return true;
-- 
2.54.0

[PULL 08/11] vfio/ccw: Return false when IRQ notifier setup fails

[Cédric Le Goater]

From: GuoHan Zhao <zhaoguohan@kylinos.cn>

vfio_ccw_register_irq_notifier() cleans up the fd handler and EventNotifier
when vfio_device_irq_set_signaling() fails, but still returns true to its
caller.

Return false after cleanup so the caller can handle the failed
registration path instead of treating it as a successful notifier setup.

Fixes: 8aaeff97acee ("vfio/ccw: Make vfio_ccw_register_irq_notifier() return a bool")
Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260510084353.58263-3-zhaoguohan@kylinos.cn
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
 hw/vfio/ccw.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/vfio/ccw.c b/hw/vfio/ccw.c
index ff6ab9a7408f01b9e64ba06f2c8da4a69fa1f9ff..c3dc7c19623556ea452344b8e4b76fb9a56206c7 100644
--- a/hw/vfio/ccw.c
+++ b/hw/vfio/ccw.c
@@ -431,6 +431,7 @@ static bool vfio_ccw_register_irq_notifier(VFIOCCWDevice *vcdev,
                                        VFIO_IRQ_SET_ACTION_TRIGGER, fd, errp)) {
         qemu_set_fd_handler(fd, NULL, NULL, vcdev);
         event_notifier_cleanup(notifier);
+        return false;
     }
 
     return true;
-- 
2.54.0

[PULL 09/11] update-linux-headers: Inject VIRTIO_RING_NO_LEGACY in virtio_ring.h

[Cédric Le Goater]

The kernel commit 3c4629b68dbe ("virtio: uapi: avoid usage of libc
types") changed the virtio_ring.h header and this breaks the build on
Windows which requires the uintptr_t type to cast from pointer to
integer.

Inject '#define VIRTIO_RING_NO_LEGACY' at the top of the synced header
via the update script after the include guard. This discards the code
section incompatible with Windows.

Acked-by: Michael S. Tsirkin <mst@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260511111913.3327672-1-clg@redhat.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
 scripts/update-linux-headers.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/update-linux-headers.sh b/scripts/update-linux-headers.sh
index 386d7a38e7af939291d20d34ced17af823771bf7..0dea7c9551d2eb1e84aef90e82be92a872318706 100755
--- a/scripts/update-linux-headers.sh
+++ b/scripts/update-linux-headers.sh
@@ -103,6 +103,7 @@ cp_portable() {
         -e 's/__kernel_ulong_t/unsigned long/' \
         -e 's/struct ethhdr/struct eth_header/' \
         -e '/\#define _LINUX_ETHTOOL_H/a \\n\#include "net/eth.h"' \
+        -e '/\#define _LINUX_VIRTIO_RING_H/a \\n\#define VIRTIO_RING_NO_LEGACY' \
         "$f" > "$to/$header";
 }
 
-- 
2.54.0

[PULL 10/11] vfio/migration: Detect and report overflow in migration size queries

[Cédric Le Goater]

VFIO migration ioctls (VFIO_DEVICE_FEATURE_MIG_DATA_SIZE and
VFIO_MIG_GET_PRECOPY_INFO) return device-estimated migration sizes as
uint64_t values. A misbehaving kernel driver could return values that
are unreasonably large, which would corrupt the size accounting used
to decide migration convergence.

This misbehavior occurred a few times when testing migration of a VM
with an assigned NVIDIA vGPU and an MLX5 VF. In some of the save
iterations, the reported precopy and stopcopy sizes were unreasonably
large (close to UINT64_MAX):

  vfio_state_pending  (4fbce62c-8ce2-4cc9-b429-41635bc94f24) stopcopy size 0 precopy initial size 18446744073708667040 precopy dirty size 0
  vfio_save_iterate   (4fbce62c-8ce2-4cc9-b429-41635bc94f24) precopy initial size 18446744073707618464 precopy dirty size 0
  vfio_state_pending  (4fbce62c-8ce2-4cc9-b429-41635bc94f24) stopcopy size 18446744073708503040 precopy initial size 18446744073707618464 precopy dirty size 0
  vfio_state_pending  (4fbce62c-8ce2-4cc9-b429-41635bc94f24) stopcopy size 0 precopy initial size 18446744073707618464 precopy dirty size 0
  vfio_state_pending  (0000:b1:01.0) stopcopy size 18446744073709543408 precopy initial size 0 precopy dirty size 1008

This had the effect of corrupting migration convergence, as reported
by the HMP migrate command:

  (qemu) info migrate
  Status:                 active
  Time (ms):              total=21140, setup=86, exp_down=152455434886355
  Remaining:              16 EiB
  RAM info:
    Throughput (Mbps):    967.98
    Sizes:                pagesize=4 KiB, total=4 GiB
    Transfers:            transferred=2.29 GiB, remain=4.7 MiB
      Channels:           precopy=1.91 GiB, multifd=0 B, postcopy=0 B, vfio=387 MiB
      Page Types:         normal=499427, zero=559708
    Page Rates (pps):     transfer=0, dirty=1892
    Others:               dirty_syncs=3

Add a helper to detect values that exceed INT64_MAX, which is far
beyond any realistic device state size, and report them with an error
message. Return -ERANGE from the query functions so callers can abort
the migration rather than proceeding with corrupted estimates.
However, the callers don't yet check the return value to actually stop
the migration.

Cc: Avihai Horon <avihaih@nvidia.com>
Cc: Peter Xu <peterx@redhat.com>
Reviewed-by: Avihai Horon <avihaih@nvidia.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260513094522.346314-1-clg@redhat.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
 hw/vfio/migration.c | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/hw/vfio/migration.c b/hw/vfio/migration.c
index 150e28656e97c5e8198541e5b6dfc4ed4102d143..fb12b9717f773fdde657911517de9d74c1eb3931 100644
--- a/hw/vfio/migration.c
+++ b/hw/vfio/migration.c
@@ -320,6 +320,18 @@ static void vfio_migration_cleanup(VFIODevice *vbasedev)
     migration->data_fd = -1;
 }
 
+static bool vfio_migration_check_overflow(VFIODevice *vbasedev, uint64_t size,
+                                          const char *name)
+{
+    if (size > INT64_MAX) {
+        error_report("%s: Estimated %s size overflow: 0x%"PRIx64,
+                     vbasedev->name, name, size);
+        return true;
+    }
+
+    return false;
+}
+
 static int vfio_query_stop_copy_size(VFIODevice *vbasedev)
 {
     uint64_t buf[DIV_ROUND_UP(sizeof(struct vfio_device_feature) +
@@ -329,7 +341,7 @@ static int vfio_query_stop_copy_size(VFIODevice *vbasedev)
     struct vfio_device_feature_mig_data_size *mig_data_size =
         (struct vfio_device_feature_mig_data_size *)feature->data;
     VFIOMigration *migration = vbasedev->migration;
-    int ret;
+    int ret = 0;
 
     feature->argsz = sizeof(buf);
     feature->flags =
@@ -347,7 +359,10 @@ static int vfio_query_stop_copy_size(VFIODevice *vbasedev)
                          vbasedev->name, ret);
     } else {
         migration->stopcopy_size = mig_data_size->stop_copy_length;
-        ret = 0;
+        if (vfio_migration_check_overflow(vbasedev, migration->stopcopy_size,
+                                          "stop copy size")) {
+            ret = -ERANGE;
+        }
     }
 
     trace_vfio_query_stop_copy_size(vbasedev->name,
@@ -361,7 +376,7 @@ static int vfio_query_precopy_size(VFIOMigration *migration)
     struct vfio_precopy_info precopy = {
         .argsz = sizeof(precopy),
     };
-    int ret;
+    int ret = 0;
 
     if (ioctl(migration->data_fd, VFIO_MIG_GET_PRECOPY_INFO, &precopy)) {
         migration->precopy_init_size = 0;
@@ -370,9 +385,18 @@ static int vfio_query_precopy_size(VFIOMigration *migration)
         warn_report_once("VFIO device %s ioctl(VFIO_MIG_GET_PRECOPY_INFO) "
                          "failed (%d)", migration->vbasedev->name, ret);
     } else {
+        bool overflow;
+
         migration->precopy_init_size = precopy.initial_bytes;
         migration->precopy_dirty_size = precopy.dirty_bytes;
-        ret = 0;
+
+        overflow  = vfio_migration_check_overflow(migration->vbasedev,
+                         migration->precopy_init_size,  "precopy init size");
+        overflow |= vfio_migration_check_overflow(migration->vbasedev,
+                         migration->precopy_dirty_size, "precopy dirty size");
+        if (overflow) {
+            ret = -ERANGE;
+        }
     }
 
     trace_vfio_query_precopy_size(migration->vbasedev->name,
-- 
2.54.0

[PULL 11/11] scripts/update-linux-headers: Add typelimits.h

[Cédric Le Goater]

From: Avihai Horon <avihaih@nvidia.com>

Upstream Linux added include/uapi/linux/typelimits.h and includes it
from ethtool.h [1][2].

Teach update-linux-headers.sh to install that header into
standard-headers to be able to update kernel headers to versions that
include the above changes.

[1] ca9d74eb5f6a ("uapi: add INT_MAX and INT_MIN constants")
[2] a8a11e5237ae ("ethtool: uapi: Use UAPI definition of INT_MAX")

Signed-off-by: Avihai Horon <avihaih@nvidia.com>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260505081423.28326-2-avihaih@nvidia.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
 scripts/update-linux-headers.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/scripts/update-linux-headers.sh b/scripts/update-linux-headers.sh
index 0dea7c9551d2eb1e84aef90e82be92a872318706..3c3a0e9394d277766e613dd5ef4e9c7407ec0033 100755
--- a/scripts/update-linux-headers.sh
+++ b/scripts/update-linux-headers.sh
@@ -60,6 +60,7 @@ cp_portable() {
                                      -e 'drm.h' \
                                      -e 'limits' \
                                      -e 'linux/const' \
+                                     -e 'linux/typelimits' \
                                      -e 'linux/kernel' \
                                      -e 'linux/sysinfo' \
                                      -e 'asm/setup_data.h' \
@@ -251,6 +252,7 @@ for i in "$hdrdir"/include/linux/*virtio*.h \
          "$hdrdir/include/linux/pci_regs.h" \
          "$hdrdir/include/linux/ethtool.h" \
          "$hdrdir/include/linux/const.h" \
+         "$hdrdir/include/linux/typelimits.h" \
          "$hdrdir/include/linux/kernel.h" \
          "$hdrdir/include/linux/kvm_para.h" \
          "$hdrdir/include/linux/vhost_types.h" \
-- 
2.54.0

Re: [PULL 00/11] vfio queue

[Stefan Hajnoczi]

[-- Attachment #1: Type: text/plain, Size: 116 bytes --]

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/11.1 for any user-visible changes.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

[PULL 00/11] vfio queue

[Cédric Le Goater]

The following changes since commit 2ff49e96accc8fd9a38e9abd16f0cfa0adab1605:

  Merge tag 'pull-tcg-20230709' of https://gitlab.com/rth7680/qemu into staging (2023-07-09 15:01:43 +0100)

are available in the Git repository at:

  https://github.com/legoater/qemu/ tags/pull-vfio-20230710

for you to fetch changes up to 9495bf68dd2fe305f5e95a53ae146ca523dc2a02:

  vfio/pci: Enable AtomicOps completers on root ports (2023-07-10 09:46:09 +0200)

----------------------------------------------------------------
vfio queue:

* Fixes in error handling paths of VFIO PCI devices
* Improvements of reported errors for VFIO migration
* Linux header update
* Enablement of AtomicOps completers on root ports
* Fix for unplug of passthrough AP devices

----------------------------------------------------------------
Alex Williamson (3):
      hw/vfio/pci-quirks: Sanitize capability pointer
      pcie: Add a PCIe capability version helper
      vfio/pci: Enable AtomicOps completers on root ports

Avihai Horon (1):
      vfio: Fix null pointer dereference bug in vfio_bars_finalize()

Cédric Le Goater (1):
      linux-headers: update to v6.5-rc1

Tony Krowiak (1):
      s390x/ap: Wire up the device request notifier interface

Zhenzhong Duan (5):
      vfio/pci: Disable INTx in vfio_realize error path
      vfio/migration: Change vIOMMU blocker from global to per device
      vfio/migration: Free resources when vfio_migration_realize fails
      vfio/migration: Remove print of "Migration disabled"
      vfio/migration: Return bool type for vfio_migration_realize()

 hw/vfio/pci.h                                  |   1 +
 include/hw/pci/pcie.h                          |   1 +
 include/hw/vfio/vfio-common.h                  |   5 +-
 include/standard-headers/drm/drm_fourcc.h      |  43 ++++++++
 include/standard-headers/linux/const.h         |   2 +-
 include/standard-headers/linux/pci_regs.h      |   1 +
 include/standard-headers/linux/vhost_types.h   |  16 +++
 include/standard-headers/linux/virtio_blk.h    |  18 ++--
 include/standard-headers/linux/virtio_config.h |   6 ++
 include/standard-headers/linux/virtio_net.h    |   1 +
 linux-headers/asm-arm64/bitsperlong.h          |  23 -----
 linux-headers/asm-arm64/kvm.h                  |  33 ++++++
 linux-headers/asm-generic/bitsperlong.h        |  13 ++-
 linux-headers/asm-generic/unistd.h             | 134 +++++++------------------
 linux-headers/asm-mips/unistd_n32.h            |   1 +
 linux-headers/asm-mips/unistd_n64.h            |   1 +
 linux-headers/asm-mips/unistd_o32.h            |   1 +
 linux-headers/asm-powerpc/unistd_32.h          |   1 +
 linux-headers/asm-powerpc/unistd_64.h          |   1 +
 linux-headers/asm-riscv/bitsperlong.h          |  13 ---
 linux-headers/asm-riscv/kvm.h                  | 134 ++++++++++++++++++++++++-
 linux-headers/asm-riscv/unistd.h               |   9 ++
 linux-headers/asm-s390/unistd_32.h             |   2 +
 linux-headers/asm-s390/unistd_64.h             |   2 +
 linux-headers/asm-x86/kvm.h                    |   3 +
 linux-headers/asm-x86/unistd_32.h              |   1 +
 linux-headers/asm-x86/unistd_64.h              |   1 +
 linux-headers/asm-x86/unistd_x32.h             |   1 +
 linux-headers/linux/const.h                    |   2 +-
 linux-headers/linux/kvm.h                      |  18 +++-
 linux-headers/linux/mman.h                     |  14 +++
 linux-headers/linux/psp-sev.h                  |   7 ++
 linux-headers/linux/userfaultfd.h              |  17 +++-
 linux-headers/linux/vfio.h                     |  27 +++++
 linux-headers/linux/vhost.h                    |  31 ++++++
 hw/pci/pcie.c                                  |   7 ++
 hw/vfio/ap.c                                   | 113 +++++++++++++++++++++
 hw/vfio/common.c                               |  51 +---------
 hw/vfio/migration.c                            |  51 +++++++---
 hw/vfio/pci-quirks.c                           |  10 +-
 hw/vfio/pci.c                                  |  91 ++++++++++++++++-
 41 files changed, 678 insertions(+), 229 deletions(-)

Re: [PULL 00/11] vfio queue

[Cédric Le Goater]

On 7/10/23 09:48, Cédric Le Goater wrote:
> The following changes since commit 2ff49e96accc8fd9a38e9abd16f0cfa0adab1605:
> 
>    Merge tag 'pull-tcg-20230709' of https://gitlab.com/rth7680/qemu into staging (2023-07-09 15:01:43 +0100)
> 
> are available in the Git repository at:
> 
>    https://github.com/legoater/qemu/ tags/pull-vfio-20230710
> 
> for you to fetch changes up to 9495bf68dd2fe305f5e95a53ae146ca523dc2a02:
> 
>    vfio/pci: Enable AtomicOps completers on root ports (2023-07-10 09:46:09 +0200)
> 
> ----------------------------------------------------------------
> vfio queue:
> 
> * Fixes in error handling paths of VFIO PCI devices
> * Improvements of reported errors for VFIO migration
> * Linux header update
> * Enablement of AtomicOps completers on root ports
> * Fix for unplug of passthrough AP devices
> 
> ----------------------------------------------------------------
> Alex Williamson (3):
>        hw/vfio/pci-quirks: Sanitize capability pointer
>        pcie: Add a PCIe capability version helper
>        vfio/pci: Enable AtomicOps completers on root ports
> 
> Avihai Horon (1):
>        vfio: Fix null pointer dereference bug in vfio_bars_finalize()
> 
> Cédric Le Goater (1):
>        linux-headers: update to v6.5-rc1

I pushed this patch with an broken S-o-b tag. I will repush the tree.

Sorry about that,

C.


> 
> Tony Krowiak (1):
>        s390x/ap: Wire up the device request notifier interface
> 
> Zhenzhong Duan (5):
>        vfio/pci: Disable INTx in vfio_realize error path
>        vfio/migration: Change vIOMMU blocker from global to per device
>        vfio/migration: Free resources when vfio_migration_realize fails
>        vfio/migration: Remove print of "Migration disabled"
>        vfio/migration: Return bool type for vfio_migration_realize()
> 
>   hw/vfio/pci.h                                  |   1 +
>   include/hw/pci/pcie.h                          |   1 +
>   include/hw/vfio/vfio-common.h                  |   5 +-
>   include/standard-headers/drm/drm_fourcc.h      |  43 ++++++++
>   include/standard-headers/linux/const.h         |   2 +-
>   include/standard-headers/linux/pci_regs.h      |   1 +
>   include/standard-headers/linux/vhost_types.h   |  16 +++
>   include/standard-headers/linux/virtio_blk.h    |  18 ++--
>   include/standard-headers/linux/virtio_config.h |   6 ++
>   include/standard-headers/linux/virtio_net.h    |   1 +
>   linux-headers/asm-arm64/bitsperlong.h          |  23 -----
>   linux-headers/asm-arm64/kvm.h                  |  33 ++++++
>   linux-headers/asm-generic/bitsperlong.h        |  13 ++-
>   linux-headers/asm-generic/unistd.h             | 134 +++++++------------------
>   linux-headers/asm-mips/unistd_n32.h            |   1 +
>   linux-headers/asm-mips/unistd_n64.h            |   1 +
>   linux-headers/asm-mips/unistd_o32.h            |   1 +
>   linux-headers/asm-powerpc/unistd_32.h          |   1 +
>   linux-headers/asm-powerpc/unistd_64.h          |   1 +
>   linux-headers/asm-riscv/bitsperlong.h          |  13 ---
>   linux-headers/asm-riscv/kvm.h                  | 134 ++++++++++++++++++++++++-
>   linux-headers/asm-riscv/unistd.h               |   9 ++
>   linux-headers/asm-s390/unistd_32.h             |   2 +
>   linux-headers/asm-s390/unistd_64.h             |   2 +
>   linux-headers/asm-x86/kvm.h                    |   3 +
>   linux-headers/asm-x86/unistd_32.h              |   1 +
>   linux-headers/asm-x86/unistd_64.h              |   1 +
>   linux-headers/asm-x86/unistd_x32.h             |   1 +
>   linux-headers/linux/const.h                    |   2 +-
>   linux-headers/linux/kvm.h                      |  18 +++-
>   linux-headers/linux/mman.h                     |  14 +++
>   linux-headers/linux/psp-sev.h                  |   7 ++
>   linux-headers/linux/userfaultfd.h              |  17 +++-
>   linux-headers/linux/vfio.h                     |  27 +++++
>   linux-headers/linux/vhost.h                    |  31 ++++++
>   hw/pci/pcie.c                                  |   7 ++
>   hw/vfio/ap.c                                   | 113 +++++++++++++++++++++
>   hw/vfio/common.c                               |  51 +---------
>   hw/vfio/migration.c                            |  51 +++++++---
>   hw/vfio/pci-quirks.c                           |  10 +-
>   hw/vfio/pci.c                                  |  91 ++++++++++++++++-
>   41 files changed, 678 insertions(+), 229 deletions(-)
>