[v1.14] Expose memory mapping & dirty pages; Make memfile dump optional

CHANGELOG.md

@@ -6,6 +6,63 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to
 [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.14.4]
+
+### Fixed
+
+- [#5762](https://github.com/firecracker-microvm/firecracker/pull/5762): Cap
+  virtio-rng per-request entropy to 64 KiB. Previously, a guest could construct
+  a descriptor chain that caused Firecracker to allocate more host memory than
+  the guest actually provided, potentially leading to excessive host memory
+  consumption.
+- [#5818](https://github.com/firecracker-microvm/firecracker/pull/5818): Enforce
+  the virtio device initialization sequence in the PCI transport, matching the
+  existing MMIO transport behavior. The PCI transport now validates device
+  status transitions, rejects queue configuration writes outside the FEATURES_OK
+  to DRIVER_OK window, rejects feature negotiation outside the DRIVER state,
+  blocks re-initialization after a failed reset, and sets DEVICE_NEEDS_RESET
+  when device activation fails.
+- [#5818](https://github.com/firecracker-microvm/firecracker/pull/5818): Reject
+  device status writes that clear previously set bits in the MMIO transport,
+  except for reset.
+- [#5780](https://github.com/firecracker-microvm/firecracker/pull/5780): Fixed
+  missing `/sys/devices/system/cpu/cpu*/cache/*` in aarch64 guests when running
+  on host kernels >= 6.3 with guest kernels >= 6.1.156.
+- [#5793](https://github.com/firecracker-microvm/firecracker/pull/5793): Fixed
+  virtio-mem plug/unplug skipping KVM slot updates for memory blocks not aligned
+  to a slot boundary. On plug, this could leave hotplugged memory inaccessible
+  to the guest. On unplug, the guest could retain access to memory that
+  Firecracker considered freed.
+- [#5794](https://github.com/firecracker-microvm/firecracker/pull/5794): Bound
+  balloon statistics descriptor length to prevent a guest-controlled oversized
+  descriptor from temporarily stalling the VMM event loop. Only affects microVMs
+  with `stats_polling_interval_s > 0`.
+- [#5809](https://github.com/firecracker-microvm/firecracker/pull/5809): Fixed a
+  bug on host Linux >= 5.16 for x86_64 guests using the `kvm-clock` clock source
+  causing the monotonic clock to jump on restore by the wall-clock time elapsed
+  since the snapshot was taken. Users using `kvm-clock` that want to explicitly
+  advance the clock with `KVM_CLOCK_REALTIME` can opt back in using the new
+  `clock_realtime` flag in `LoadSnapshot` API.
+
+## [1.14.3]
+
+### Fixed
+
+- [#5739](https://github.com/firecracker-microvm/firecracker/pull/5739): Fixed
+  validation of TCP SYN options length when MMDS is enabled.
+
+## [1.14.2]
+
+### Fixed
+
+- [#5698](https://github.com/firecracker-microvm/firecracker/pull/5698): Fixed
+  the possible ENXIO error which could occur during file open operation if the
+  underlying file is FIFO without active readers already attached.
+- [#5705](https://github.com/firecracker-microvm/firecracker/pull/5705): Fixed a
+  bug that caused Firecracker to corrupt the memory files of differential
+  snapshots for VMs with multiple memory slots. This affected VMs using memory
+  hot-plugging or any x86 VMs with a memory size larger than 3GiB.
+
 ## [1.14.1]
 
 ### Changed

CREDITS.md

@@ -130,6 +130,7 @@ Contributors to the Firecracker repository:
 - huang-jl <1046678590@qq.com>
 - Iggy Jackson <iggy@theiggy.com>
 - ihciah <ihciah@gmail.com>
+- Ilias Stamatis <ilstam@amazon.com>
 - Ioana Chirca <chioana@amazon.com>
 - Ishwor Gurung <me@ishworgurung.com>
 - Iulian Barbu <iul@amazon.com>

deny.toml

@@ -5,8 +5,7 @@ allow = [
     "Apache-2.0",
     "BSD-3-Clause",
     "ISC",
-    "Unicode-3.0",
-    "OpenSSL"
+    "Unicode-3.0"
 ]
 
 [[bans.deny]]

docs/RELEASE_POLICY.md

@@ -90,8 +90,8 @@ v3.1 will be patched since were the last two Firecracker releases and less than
 
 | Release | Release Date | Latest Patch | Min. end of support | Official end of Support         |
 | ------: | -----------: | -----------: | ------------------: | :------------------------------ |
-|   v1.14 |   2025-12-17 |      v1.14.0 |          2026-06-17 | Supported                       |
-|   v1.13 |   2025-08-28 |      v1.13.1 |          2026-02-28 | Supported                       |
+|   v1.14 |   2025-12-17 |      v1.14.2 |          2026-06-17 | Supported                       |
+|   v1.13 |   2025-08-28 |      v1.13.2 |          2026-02-28 | Supported                       |
 |   v1.12 |   2025-05-07 |      v1.12.1 |          2025-11-07 | 2025-12-17 (v1.14 released)     |
 |   v1.11 |   2025-03-18 |      v1.11.0 |          2025-09-18 | 2025-09-18 (end of 6mo support) |
 |   v1.10 |   2024-11-07 |      v1.10.1 |          2025-05-07 | 2025-05-07 (v1.12 released)     |

docs/design.md

@@ -118,7 +118,11 @@ and/or creating their own custom CPU templates.
 
 #### Clocksources available to guests
 
-Firecracker only exposes kvm-clock to customers.
+Firecracker exposes the following clock sources to guests:
+
+- x86_64: kvm-clock and tsc. Linux guests >=5.10 will pick tsc by default if
+  stable.
+- aarch64: arch_sys_counter
 
 ### I/O: Storage, Networking and Rate Limiting
 

docs/snapshotting/snapshot-support.md

@@ -492,6 +492,11 @@ resumed with the guest OS wall-clock continuing from the moment of the snapshot
 creation. For this reason, the wall-clock should be updated to the current time,
 on the guest-side. More details on how you could do this can be found at a
 [related FAQ](../../FAQ.md#my-guest-wall-clock-is-drifting-how-can-i-fix-it).
+When using `kvm-clock` as clock source on `x86_64`, it's possible to optionally
+set the `clock_realtime: true` in the `LoadSnapshot` request to advance the
+clock on the guest at restore time (host Linux >= 5.16 is required to support
+this feature). Note that this may cause issues within the guest as the clock
+will appear to suddenly jump.
 
 ## Provisioning host disk space for snapshots
 

resources/seccomp/x86_64-unknown-linux-musl.json

@@ -31,6 +31,9 @@
             {
                 "syscall": "mincore"
             },
+            {
+                "syscall": "pread64"
+            },
             {
                 "syscall": "writev",
                 "comment": "Used by the VirtIO net device to write to tap"

src/cpu-template-helper/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "cpu-template-helper"
-version = "1.14.1"
+version = "1.14.4"
 authors = ["Amazon Firecracker team <firecracker-devel@amazon.com>"]
 edition = "2024"
 license = "Apache-2.0"