When spice_qxl_gl_scanout2() isn't available, the fallback code
incorrectly handles NULL arguments to disable the scanout, leading to:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 spice_server_gl_scanout (qxl=0x55a25ce57ae8, fd=0x0, width=0, height=0, offset=0x0, stride=0x0, num_planes=0, format=0, modifier=72057594037927935, y_0_top=0)
at ../ui/spice-display.c:983
983 if (num_planes <= 1) {
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2391334
Fixes: 98a050ca93afd8 ("ui/spice: support multi plane dmabuf scanout")
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <20250903193818.2460914-1-marcandre.lureau@redhat.com>
Weifeng Liu [Mon, 14 Jul 2025 14:17:54 +0000 (22:17 +0800)]
gtk: Skip drawing if console surface is NULL
In gtk draw/render callbacks, add an early NULL check for the console
surface and skip drawing if it's NULL. Otherwise, attempting to fetch
its width and height crashes. This change fixes Coverity CID 1610328.
In practice, this case wouldn't happen at all because we always install
a placeholder surface to the console when there is nothing to display.
* Support for PowerNV11 and PPE42 CPU/Machines.
* Deprecation of Power8E and Power8NVL
* Decodetree patches for some floating-point instructions
* Minor bug fixes, improvements in ppc/spapr/xive/xics.
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEa4EM1tK+EPOIPSFCRUTplPnWj7sFAmjZgYQACgkQRUTplPnW
# j7uNJQ/8Cbr3xqyCyyqL+MM+Ze1PbXe4xSgdg13A1sNU3IHTffB77DCQVOxjudUS
# uo+XHVFssc4SKDZYjEzXFnYpzRpbZzfcuhG4kgn9QQ3VyKP+2xe6kWLleDbB6ds1
# e9ZAW6Ryk4R3ZFLnZzGfEdltliaoIn6zy4R25oJfJUgIRt0Xz++GBxll+Tdr8Exy
# qstvvyyjeTiIS3kA1zk6fbhDRJKKBsA0L1G1Pk6AuTMKa1RRTCniA36idnGVFAuY
# ef8WCEQYQS0do9Ytai06Tp1QNRVMG2y+AsKbSQRMi92lFfn+qhvA29OJd5TNvXtp
# LNiIfXHo3jLjGBUP13iVN8b8udWdis9BayvA/OwDaKWgononEHb9nqJgzVJR4n7t
# DxxUxcSCiEXOpObtklrKhi1nDt16nXPZ/bnnreMSWzxHBZK1My7qnI3S0hA7c11z
# YgssB5wJbRaETaEVzQfWfAcSaPpXBzBEXOAJcbd+Ni6w9SxXz2OrhckTOvfrXpmI
# XQ1KFUCkmTtXF1qB+oEihlrvG2qjdGuleRZdyiktaM2psBFgN/2gHl3S+JjL9kiY
# 9FdBffr/2K604l7EQkAYWixe2WMMsjHVHpuxJ7opG7MMSXJZq9cXKIK+tbkSNoRO
# Ia6Qr6eWJWjFF3y4OZCbYAOVU77ez6lo7kRj0e99fOjxfI+UuWU=
# =Fjdq
# -----END PGP SIGNATURE-----
# gpg: Signature made Sun 28 Sep 2025 11:42:12 AM PDT
# gpg: using RSA key 6B810CD6D2BE10F3883D21424544E994F9D68FBB
# gpg: Good signature from "Harsh Prateek Bora <harsh.prateek.bora@gmail.com>" [undefined]
# gpg: aka "Harsh Prateek Bora <harshpb@linux.ibm.com>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6B81 0CD6 D2BE 10F3 883D 2142 4544 E994 F9D6 8FBB
* tag 'pull-ppc-for-20250928-20250929' of https://gitlab.com/harshpb/qemu: (27 commits)
target/ppc: use MAKE_64BIT_MASK for mcrfs exception clear mask
target/ppc: Deprecate Power8E and Power8NVL
target/ppc: Introduce macro for deprecating PowerPC CPUs
target/ppc: Move remaining floating-point move instructions to decodetree.
target/ppc: Move floating-point move instructions to decodetree.
target/ppc: Move floating-point compare instructions to decodetree.
target/ppc: Move floating-point rounding and conversion instructions to decodetree.
ppc/xive2: Fix integer overflow warning in xive2_redistribute()
ppc/spapr: init lrdr-capapcity phys with ram size if maxmem not provided
hw/intc/xics: Add missing call to register vmstate_icp_server
tests/functional: Add test for IBM PPE42 instructions
hw/ppc: Add a test machine for the IBM PPE42 CPU
hw/ppc: Support for an IBM PPE42 CPU decrementer
target/ppc: Add IBM PPE42 special instructions
target/ppc: Support for IBM PPE42 MMU
target/ppc: Add IBM PPE42 exception model
target/ppc: IBM PPE42 exception flags and regs
target/ppc: Add IBM PPE42 family of processors
target/ppc: IBM PPE42 general regs and flags
tests/powernv: Add PowerNV test for Power11
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
target/ppc: use MAKE_64BIT_MASK for mcrfs exception clear mask
In gen_mcrfs() the FPSCR nibble mask is computed as:
`~((0xF << shift) & FP_EX_CLEAR_BITS)`
Here, 0xF is of type int, so the left shift is performed in
32-bit signed arithmetic. For bfa=0 we get shift=28,
and (0xF << 28) = 0xF0000000, which is not representable as a 32-bit
signed int. Static analyzers flag this as a potential integer
overflow.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Aditya Gupta [Sat, 7 Jun 2025 11:04:11 +0000 (16:34 +0530)]
target/ppc: Introduce macro for deprecating PowerPC CPUs
QEMU has a way to deprecate CPUs by setting the 'deprecation_note' in
CPUClass.
Currently PowerPC CPUs don't use this deprecation process.
Introduce 'POWERPC_DEPRECATED_CPU' macro to deprecate particular PowerPC
CPUs in future.
With the change, QEMU will print a warning like below when the
deprecated CPU/Chips are used (example output if power8nvl is deprecated):
$ ./build/qemu-system-ppc64 -M powernv8 --cpu power8nvl -nographic
qemu-system-ppc64: warning: CPU model power8nvl_v1.0-powerpc64-cpu is deprecated -- CPU is unmaintained.
...
Also, print '(deprecated)' for deprecated CPUs in 'qemu-system-ppc64
--cpu ?' (example output if power8nvl is deprecated):
$ ./build/qemu-system-ppc64 --cpu help
...
power8e (alias for power8e_v2.1)
power8nvl_v1.0 PVR 004c0100 (deprecated)
power8nvl (alias for power8nvl_v1.0)
power8_v2.0 PVR 004d0200
...
Suggested-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Anushree Mathur <anushree.mathur@linux.ibm.com>
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Link: https://lore.kernel.org/r/20250607110412.2342511-2-adityag@linux.ibm.com
Message-ID: <20250607110412.2342511-2-adityag@linux.ibm.com>
Chinmay Rath [Thu, 19 Jun 2025 09:58:39 +0000 (15:28 +0530)]
target/ppc: Move remaining floating-point move instructions to decodetree.
Move below instructions to decodetree specification:
fcpsgn, fmrg{e, o}w : X-form
The changes were verified by validating that the tcg ops generated by
those instructions remain the same, which were captured with the '-d
in_asm,op' flag.
Chinmay Rath [Thu, 19 Jun 2025 09:58:38 +0000 (15:28 +0530)]
target/ppc: Move floating-point move instructions to decodetree.
Move below instructions to decodetree specification:
f{mr, neg, abs, nabs} : X-form
The changes were verified by validating that the tcg ops generated by
those instructions remain the same, which were captured with the '-d
in_asm,op' flag.
Chinmay Rath [Thu, 19 Jun 2025 09:58:37 +0000 (15:28 +0530)]
target/ppc: Move floating-point compare instructions to decodetree.
Move below instructions to decodetree specification :
fcmp{u, o} : X-form
The changes were verified by validating that the tcg ops generated by
those instructions remain the same, which were captured with the '-d
in_asm,op' flag.
Chinmay Rath [Thu, 19 Jun 2025 09:58:36 +0000 (15:28 +0530)]
target/ppc: Move floating-point rounding and conversion instructions to decodetree.
Move below instructions to decodetree specification :
fr{sp, in, iz, im}[s][.],
fcti{w, d}[u, z, uz][s][.],
fcfid[s, u, us][s][.] : X-form
The changes were verified by validating that the tcg ops generated by
those instructions remain the same, which were captured with the '-d
in_asm,op' flag.
Gautam Menghani [Mon, 11 Aug 2025 07:49:11 +0000 (13:19 +0530)]
ppc/xive2: Fix integer overflow warning in xive2_redistribute()
Coverity reported an integer overflow warning in xive2_redistribute()
where the code does a left shift operation "0xffffffff << crowd". Fix the
warning by using a 64 byte integer type. Also refactor the calculation
into dedicated routines.
Resolves: Coverity CID 1612608
Fixes: 555e446019f5 ("ppc/xive2: Support redistribution of group interrupts")
Reviewed-by: Glenn Miles <milesg@linux.ibm.com>
Signed-off-by: Gautam Menghani <gautam@linux.ibm.com>
Reviewed-by: Amit Machhiwal <amachhiw@linux.ibm.com>
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Link: https://lore.kernel.org/r/20250811074912.162774-1-gautam@linux.ibm.com
Message-ID: <20250811074912.162774-1-gautam@linux.ibm.com>
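Both the mcrfs commit above and this xive2 commit fix the same class of bug: a mask built by shifting an int literal, so the shift is evaluated in 32-bit signed arithmetic and overflows. The following is an added example, not QEMU's own code: it reproduces the MAKE_64BIT_MASK macro as defined in include/qemu/bitops.h (assumed to match upstream), substitutes a hypothetical FP_EX_CLEAR_BITS_DEMO constant for the real FP_EX_CLEAR_BITS value (not shown on the page), and includes a small checker that flags exactly the 0xF << 28 case the analyzer reported, next to the 64-bit unsigned forms of both masks.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Reproduction of the helper from QEMU's include/qemu/bitops.h (assumed to
 * match upstream). The shift happens on an unsigned 64-bit value, so it can
 * never overflow a signed int the way "0xF << 28" does. */
#define MAKE_64BIT_MASK(shift, length) \
    (((~0ULL) >> (64 - (length))) << (shift))

/* Hypothetical stand-in for target/ppc's FP_EX_CLEAR_BITS; the real value is
 * not part of the page. Any 32-bit constant serves the demonstration. */
#define FP_EX_CLEAR_BITS_DEMO 0xF8F8FF00u

/* The static-analyzer condition: does (value << shift), evaluated as C does
 * for an int literal (32-bit signed), leave the int range? */
bool shl32_overflows(int32_t value, unsigned shift)
{
    if (value < 0 || shift > 31) {
        return true;   /* undefined behaviour for negative or oversized shifts */
    }
    return ((uint64_t)value << shift) > (uint64_t)INT32_MAX;
}

/* mcrfs: bfa selects FPSCR nibble bfa (0 is the most significant), so the
 * field mask is four bits at shift 4 * (7 - bfa); bfa=0 gives shift 28.
 * Built with the 64-bit macro and narrowed afterwards, never a signed shift. */
uint32_t mcrfs_nibble_mask(unsigned bfa)
{
    unsigned shift = 4 * (7 - (bfa & 7));
    return (uint32_t)MAKE_64BIT_MASK(shift, 4);
}

/* Mask of FPSCR bits mcrfs leaves untouched: everything except the clearable
 * exception bits that fall inside the selected nibble. */
uint32_t mcrfs_keep_mask(unsigned bfa)
{
    return ~(mcrfs_nibble_mask(bfa) & FP_EX_CLEAR_BITS_DEMO);
}

/* xive2: "0xffffffff << crowd" as an int expression overflows for any
 * crowd > 0; forming it in a 64-bit unsigned type is the fix. */
uint64_t crowd_mask(unsigned crowd)
{
    return 0xffffffffULL << (crowd & 31);
}

int main(void)
{
    printf("0xF << 28 overflows int: %s\n", shl32_overflows(0xF, 28) ? "yes" : "no");
    printf("mcrfs nibble mask, bfa=0: 0x%08" PRIx32 "\n", mcrfs_nibble_mask(0));
    printf("crowd mask, crowd=4: 0x%" PRIx64 "\n", crowd_mask(4));
    return 0;
}
```

The point to carry away is that the literal's type, not the variable it is assigned to, decides the width of the shift: writing the mask with a 64-bit unsigned literal (or a macro that does so) is what removes the overflow, and assigning the result to a uint64_t afterwards does not.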
ppc/spapr: init lrdr-capapcity phys with ram size if maxmem not provided
lrdr-capacity contains phys field which communicates the maximum address
in bytes and therefore, the most memory that can be allocated to this
partition. This is usually populated when maxmem is provided along with
memory size on the qemu command line. However, since maxmem is an optional
param, this leads to bits being set to 0 in absence of the maxmem param.
Fix this by initializing the respective bits as per total mem size in
such case.
Reported-by: Gaurav Batra <gbatra@us.ibm.com>
Tested-by: David Christensen <drc@linux.ibm.com>
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Reviewed-by: Shivaprasad G Bhat <sbhat@linux.ibm.com>
Link: https://lore.kernel.org/r/20250506042903.76250-1-harshpb@linux.ibm.com
Message-ID: <20250506042903.76250-1-harshpb@linux.ibm.com>
Glenn Miles [Thu, 25 Sep 2025 20:17:47 +0000 (15:17 -0500)]
tests/functional: Add test for IBM PPE42 instructions
Adds a functional test for the IBM PPE42 instructions which
downloads a test image from a public github repo and then
loads and executes the image.
(see https://github.com/milesg-github/ppe42-tests for details)
Test status is checked by periodically issuing 'info register'
commands and checking the NIP value. If the NIP is 0xFFF80200
then the test successfully executed to completion. If the
machine stops before the test completes or if a 90 second
timeout is reached, then the test is marked as having failed.
This test does not test any PowerPC instructions as it is
expected that these instructions are well covered in other
tests. Only instructions that are unique to the IBM PPE42
processor are tested.
Glenn Miles [Thu, 25 Sep 2025 20:17:46 +0000 (15:17 -0500)]
hw/ppc: Add a test machine for the IBM PPE42 CPU
Adds a test machine for the IBM PPE42 processor, including a
DEC, FIT, WDT and 512 KiB of ram.
The purpose of this machine is only to provide a generic platform
for testing instructions of the recently added PPE42 processor
model which is used extensively in the IBM Power9, Power10 and
future Power server processors.
Glenn Miles [Thu, 25 Sep 2025 20:17:45 +0000 (15:17 -0500)]
hw/ppc: Support for an IBM PPE42 CPU decrementer
The IBM PPE42 processors support a 32-bit decrementer
that can raise an external interrupt when DEC[0]
transitions from a 0 to a -1 (a non-negative value to a
negative value). It also continues decrementing
even after this condition is met.
The BookE timer is slightly different in that it
raises an interrupt when the DEC value reaches 0
and stops decrementing at that point.
Support a PPE42 version of the BookE timer by
adding a new PPC_TIMER_PPE flag that has the timer
code look for the transition from a non-negative value
to a negative value and allows the value to
continue decrementing.
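The two decrementer behaviours contrasted above (BookE stopping at zero versus PPE42 firing on the non-negative to negative crossing and continuing) are easy to get subtly wrong, so here is an added example that models both side by side. It is not QEMU's timer code: the struct, the model enum and the helper names are assumptions made for this illustration, and the DEC is modelled as a plain 32-bit value with no timebase scaling.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Which decrementer semantics to emulate (assumed names, not QEMU's). */
enum dec_model {
    DEC_BOOKE,  /* interrupt when DEC reaches 0, then stop decrementing   */
    DEC_PPE42,  /* interrupt when DEC goes non-negative -> negative, keep  */
                /* counting past the threshold                            */
};

struct dec_timer {
    enum dec_model model;
    int32_t value;      /* 32-bit DEC; IBM bit 0 is the sign bit of this int */
    bool irq_pending;   /* set by the tick that crossed the model's threshold */
};

void dec_init(struct dec_timer *t, enum dec_model model, int32_t start)
{
    t->model = model;
    t->value = start;
    t->irq_pending = false;
}

/* Advance the decrementer by one tick. Returns true if this tick raised the
 * decrementer interrupt. The subtraction is done in uint32_t so the wrap
 * from 0 to 0xFFFFFFFF (-1) is well defined in C. */
bool dec_tick(struct dec_timer *t)
{
    int32_t old = t->value;
    int32_t new;

    switch (t->model) {
    case DEC_BOOKE:
        if (old == 0) {
            return false;           /* BookE: parked at zero, nothing happens */
        }
        new = (int32_t)((uint32_t)old - 1u);
        t->value = new;
        if (new == 0) {
            t->irq_pending = true;
            return true;
        }
        return false;

    case DEC_PPE42:
        new = (int32_t)((uint32_t)old - 1u);
        t->value = new;             /* PPE42 never stops at the threshold */
        if (old >= 0 && new < 0) {  /* DEC[0] flipped 0 -> 1 on this tick */
            t->irq_pending = true;
            return true;
        }
        return false;
    }
    return false;
}

/* Ticks from 'start' until the first interrupt, or 0 if none within 'limit'. */
unsigned dec_ticks_until_irq(enum dec_model model, int32_t start, unsigned limit)
{
    struct dec_timer t;
    dec_init(&t, model, start);
    for (unsigned n = 1; n <= limit; n++) {
        if (dec_tick(&t)) {
            return n;
        }
    }
    return 0;
}

/* DEC value observed after 'ticks' ticks from 'start'. */
int32_t dec_value_after(enum dec_model model, int32_t start, unsigned ticks)
{
    struct dec_timer t;
    dec_init(&t, model, start);
    while (ticks--) {
        dec_tick(&t);
    }
    return t.value;
}

int main(void)
{
    printf("BookE from 3: irq after %u ticks, value after 10 ticks = %d\n",
           dec_ticks_until_irq(DEC_BOOKE, 3, 100), dec_value_after(DEC_BOOKE, 3, 10));
    printf("PPE42 from 3: irq after %u ticks, value after 10 ticks = %d\n",
           dec_ticks_until_irq(DEC_PPE42, 3, 100), dec_value_after(DEC_PPE42, 3, 10));
    return 0;
}
```

Two edge cases the model makes visible: a PPE42 decrementer that starts negative never raises (there is no crossing to detect), and a BookE decrementer that starts at zero is already parked and never raises either.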
Glenn Miles [Thu, 25 Sep 2025 20:17:43 +0000 (15:17 -0500)]
target/ppc: Support for IBM PPE42 MMU
The IBM PPE42 processor only supports real mode
addressing and does not distinguish between
problem and supervisor states. It also uses
the IR and DR MSR bits for other purposes.
Therefore, add a check for PPE42 when we update
hflags and cause it to ignore the IR and DR bits
when calculating MMU indexes.
Glenn Miles [Thu, 25 Sep 2025 20:17:42 +0000 (15:17 -0500)]
target/ppc: Add IBM PPE42 exception model
Add support for the IBM PPE42 exception model including
new exception vectors, exception priorities and setting
of PPE42 SPRs for determining the cause of an exception.
Glenn Miles [Thu, 25 Sep 2025 20:17:40 +0000 (15:17 -0500)]
target/ppc: Add IBM PPE42 family of processors
Adds the IBM PPE42 family of 32-bit processors supporting
the PPE42, PPE42X and PPE42XM processor versions. These
processors are used as embedded processors in the IBM
Power9, Power10 and Power12 processors for various
tasks. It is basically a stripped down version of the
IBM PowerPC 405 processor, with some added instructions
for handling 64-bit loads and stores.
For more information on the PPE 42 processor please visit:
Does not yet support exceptions, new PPE42 instructions and
does not prevent access to some invalid instructions and
registers (currently allows access to invalid GPR's and CR
fields).
tests/powernv: Switch to buildroot images instead of op-build
As op-build images haven't been updated in a long time (and may not get
updated in future), use buildroot images provided by cedric [1].
Use existing nvme device being used in the test to mount the initrd.
Also replace the check for the "zImage loaded" message with skiboot's message
when it starts the kernel, "Starting kernel at", since we are no longer
using the zImage from op-build.
This is required for newer processor tests such as Power11, as the
op-build kernel image is old and doesn't support Power11.
ppc/pnv: Add PnvChipClass handler to get reference to interrupt controller
Existing code in XIVE2 assumes the chip to be a Power10 Chip.
Instead add a handler to get reference to the interrupt controller (XIVE)
for a given Power Chip.
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Tested-by: Amit Machhiwal <amachhiw@linux.ibm.com>
Tested-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Link: https://lore.kernel.org/r/20250925173049.891406-4-adityag@linux.ibm.com
Message-ID: <20250925173049.891406-4-adityag@linux.ibm.com>
The Powernv11 machine doesn't have XIVE & PHBs as of now.
The XIVE2 interface and PHB5 are added to the Powernv11 machine in later patches.
Also add mention of Power11 to powernv documentation
Note: A difference from P10's and P11's machine_class_init is, in P11
different number of PHBs cannot be used on the command line, ie. the
following line does NOT exist in pnv_machine_power11_class_init, which
existed in case of Power10:
Merge tag 'pull-loongarch-20250928' of https://github.com/bibo-mao/qemu into staging
loongarch queue
# -----BEGIN PGP SIGNATURE-----
#
# iHUEABYKAB0WIQQNhkKjomWfgLCz0aQfewwSUazn0QUCaNjtuwAKCRAfewwSUazn
# 0Z9VAQDuqEzBEj0I3L7AtJgwRxSau+sw9FqUdAjQguM9mA29ggD7BOBFwHpjx68t
# 8MMstQuZN2mFRwzfukIdLDZclPCKkAM=
# =L9oL
# -----END PGP SIGNATURE-----
# gpg: Signature made Sun 28 Sep 2025 01:11:39 AM PDT
# gpg: using EDDSA key 0D8642A3A2659F80B0B3D1A41F7B0C1251ACE7D1
# gpg: Good signature from "bibo mao <maobibo@loongson.cn>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 7044 3A00 19C0 E97A 31C7 13C4 8E86 8FB7 A176 9D4C
# Subkey fingerprint: 0D86 42A3 A265 9F80 B0B3 D1A4 1F7B 0C12 51AC E7D1
* tag 'pull-loongarch-20250928' of https://github.com/bibo-mao/qemu:
target/loongarch: Only flush one TLB entry in helper_invtlb_page_asid()
target/loongarch: Only flush one TLB entry in helper_invtlb_page_asid_or_g()
target/loongarch: Invalid tlb entry in invalidate_tlb()
target/loongarch: Use loongarch_tlb_search_cb in helper_invtlb_page_asid
target/loongarch: Use loongarch_tlb_search_cb in helper_invtlb_page_asid_or_g
target/loongarch: Change return value type with loongarch_tlb_search_cb()
target/loongarch: Add common API loongarch_tlb_search_cb()
target/loongarch: Add tlb search callback in loongarch_tlb_search()
target/loongarch: Fix page size set issue with CSR_STLBPS
target/loongarch: Update TLB index selection method
target/loongarch: Reduce TLB flush with helper_tlbwr
target/loongarch: Add parameter tlb pointer with fill_tlb_entry
target/loongarch: Use mmu idx bitmap method when flush TLB
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
# -----BEGIN PGP SIGNATURE-----
#
# iLMEAAEIAB0WIQTKRzxE1qCcGJoZP81FK5aFKyaCFgUCaNkDHQAKCRBFK5aFKyaC
# Fn06A/0SQKLVcktq2lX+aRurdGw/LKt/1mtSFJes6s5VVCrNuFFzmkXzjs/m0CcX
# scgDF67Z+PhJpLtNLRV8FiJ+z3bOH/j+yRHqj1xnvvITb+i5bUYbt+A81wrzX6Bi
# J/Ayqu49oQj33hX3lqTcTBmwYDBc2v7nu0PfvFqOUi9bTvYgfA==
# =C4NB
# -----END PGP SIGNATURE-----
# gpg: Signature made Sun 28 Sep 2025 02:42:53 AM PDT
# gpg: using RSA key CA473C44D6A09C189A193FCD452B96852B268216
# gpg: Good signature from "Song Gao <gaosong@loongson.cn>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: CA47 3C44 D6A0 9C18 9A19 3FCD 452B 9685 2B26 8216
* tag 'pull-loongarch-20250928' of https://github.com/gaosong715/qemu:
hw/loongarch: Implement DINTC plug/unplug interfaces
target/loongarch:Implement csrrd CSR_MSGIR register
target/loongarch: Add CSR_ESTAT.bit15 and CSR_ECFG.bit15 for msg interrupts.
hw/loongarch: Implement dintc set irq
hw/loongarch: Implement dintc realize and unrealize
hw/loongarch: DINTC add a MemoryRegion
target/loongarch: add msg interrupt CSR registers
loongarch: add a direct interrupt controller device
hw/loongarch: add misc register support dmsi
hw/loongarch: add virt feature dmsi support
target/loongarch: move some machine define to virt.h
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Song Gao [Tue, 16 Sep 2025 12:21:00 +0000 (20:21 +0800)]
hw/loongarch: add virt feature dmsi support
The dmsi feature is added in LoongArchVirtMachineState, and it is used
to check whether the virt machine supports direct Message-Interrupts;
by default dmsi is set to ON_OFF_AUTO_AUTO.
LoongArchVirtMachineState adds misc_feature and misc_status for misc
features and status, and sets the default dintc feature bit.
The msgint feature is added in LoongArchCPU, and it is used to check
whether the cpu supports Message-Interrupts; by default msgint is set
to ON_OFF_AUTO_AUTO.
Signed-off-by: Song Gao <gaosong@loongson.cn>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Message-ID: <20250916122109.749813-3-gaosong@loongson.cn>
Bibo Mao [Thu, 4 Sep 2025 11:16:57 +0000 (19:16 +0800)]
target/loongarch: Only flush one TLB entry in helper_invtlb_page_asid()
With function helper_invtlb_page_asid(), only one TLB entry in the
LoongArch emulated TLB is invalidated, so it is not necessary to flush
the whole QEMU TLB; flushing only the address range of the specified
LoongArch emulated TLB entry is enough. Here invalidate_tlb_entry() is
called so that only the QEMU TLB entry for the specified address range
is flushed.
Signed-off-by: Bibo Mao <maobibo@loongson.cn> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Bibo Mao [Thu, 4 Sep 2025 11:11:25 +0000 (19:11 +0800)]
target/loongarch: Only flush one TLB entry in helper_invtlb_page_asid_or_g()
With function helper_invtlb_page_asid_or_g(), only one TLB entry in the
LoongArch emulated TLB is invalidated, so it is not necessary to flush
the whole QEMU TLB; flushing only the address range of the specified
LoongArch emulated TLB entry is enough. Here invalidate_tlb_entry() is
called so that only the QEMU TLB entry for the specified address range
is flushed.
Signed-off-by: Bibo Mao <maobibo@loongson.cn> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Bibo Mao [Thu, 4 Sep 2025 09:52:03 +0000 (17:52 +0800)]
target/loongarch: Use loongarch_tlb_search_cb in helper_invtlb_page_asid
With function helper_invtlb_page_asid(), TLB entries are currently
searched one by one. Instead, the STLB can be searched first with the
hash method, and then the MTLB searched one by one.
Here the common API loongarch_tlb_search_cb() is used in function
helper_invtlb_page_asid().
Signed-off-by: Bibo Mao <maobibo@loongson.cn> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Bibo Mao [Thu, 4 Sep 2025 09:46:12 +0000 (17:46 +0800)]
target/loongarch: Use loongarch_tlb_search_cb in helper_invtlb_page_asid_or_g
With function helper_invtlb_page_asid_or_g(), TLB entries are currently
searched one by one. Instead, the STLB can be searched first with the
hash method, and then the MTLB searched one by one.
Here the common API loongarch_tlb_search_cb() is used in function
helper_invtlb_page_asid_or_g().
Signed-off-by: Bibo Mao <maobibo@loongson.cn> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Bibo Mao [Thu, 4 Sep 2025 09:32:05 +0000 (17:32 +0800)]
target/loongarch: Change return value type with loongarch_tlb_search_cb()
With function loongarch_tlb_search_cb(), change the return value type from
bool to the pointer type LoongArchTLB *; the pointer can be used directly
in future.
Signed-off-by: Bibo Mao <maobibo@loongson.cn> Reviewed-by: Song Gao <gaosong@loongson.cn>
Bibo Mao [Sat, 2 Aug 2025 02:58:40 +0000 (10:58 +0800)]
target/loongarch: Add tlb search callback in loongarch_tlb_search()
With function loongarch_tlb_search(), a TLB entry is searched for by
specified virtual address; the difference is the selection on asid and
global bit. Here add a selection callback for asid and global bit.
Signed-off-by: Bibo Mao <maobibo@loongson.cn> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Bibo Mao [Wed, 30 Jul 2025 02:32:54 +0000 (10:32 +0800)]
target/loongarch: Update TLB index selection method
With function helper_tlbfill(), since there is no suitable TLB entry,
a new TLB entry will be added and one old TLB entry flushed. The old TLB
entry index is selected randomly now; instead it can be optimized as
follows:
1. an invalid TLB entry is selected first.
2. a TLB entry with another ASID is selected second.
3. the random method is used last.
Signed-off-by: Bibo Mao <maobibo@loongson.cn> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
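The three-step victim selection described in this commit (invalid entry first, foreign-ASID entry second, random entry last) is shown below as an added example. It is not QEMU's target/loongarch code: the demo_tlb struct carries only the two fields the policy needs, the 8-entry size and the pick_fn callback are assumptions, and the random step takes a caller-supplied index source so the fallback is reproducible, which is also what makes it testable.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEMO_TLB_SIZE 8   /* small for the example; real STLB/MTLB sizes differ */

/* Minimal stand-in for the fields the policy reads; not QEMU's LoongArchTLB. */
struct demo_tlb {
    bool valid;       /* the entry holds a live mapping */
    uint16_t asid;    /* address-space id that owns the entry */
};

/* Caller-supplied index source for the random step, so the fallback can be
 * driven by a fixed value in tests instead of rand(). */
typedef unsigned (*pick_fn)(void *ctx, unsigned n);

/* Index of the entry to evict when filling a new one:
 *   1. an invalid entry, if any;
 *   2. otherwise an entry owned by an ASID other than the current one;
 *   3. otherwise whatever the random source returns. */
unsigned tlb_pick_victim(const struct demo_tlb *tlb, unsigned n,
                         uint16_t cur_asid, pick_fn pick, void *ctx)
{
    for (unsigned i = 0; i < n; i++) {
        if (!tlb[i].valid) {
            return i;
        }
    }
    for (unsigned i = 0; i < n; i++) {
        if (tlb[i].asid != cur_asid) {
            return i;
        }
    }
    return pick(ctx, n) % n;
}

/* Fixed-value "generator" standing in for a real RNG. */
unsigned pick_fixed(void *ctx, unsigned n)
{
    (void)n;
    return *(unsigned *)ctx;
}

/* Three constructed TLB states, one per rule; current ASID is 1 in each. */
unsigned demo_invalid_first(void)
{
    struct demo_tlb tlb[DEMO_TLB_SIZE] = {
        {true, 1}, {true, 1}, {false, 0}, {true, 2},
        {true, 1}, {false, 0}, {true, 1}, {true, 1},
    };
    unsigned fixed = 7;
    return tlb_pick_victim(tlb, DEMO_TLB_SIZE, 1, pick_fixed, &fixed);  /* -> 2 */
}

unsigned demo_other_asid_second(void)
{
    struct demo_tlb tlb[DEMO_TLB_SIZE] = {
        {true, 1}, {true, 1}, {true, 1}, {true, 2},
        {true, 1}, {true, 3}, {true, 1}, {true, 1},
    };
    unsigned fixed = 7;
    return tlb_pick_victim(tlb, DEMO_TLB_SIZE, 1, pick_fixed, &fixed);  /* -> 3 */
}

unsigned demo_random_last(void)
{
    struct demo_tlb tlb[DEMO_TLB_SIZE] = {
        {true, 1}, {true, 1}, {true, 1}, {true, 1},
        {true, 1}, {true, 1}, {true, 1}, {true, 1},
    };
    unsigned fixed = 5;
    return tlb_pick_victim(tlb, DEMO_TLB_SIZE, 1, pick_fixed, &fixed);  /* -> 5 */
}

int main(void)
{
    printf("invalid first: %u, other ASID second: %u, random last: %u\n",
           demo_invalid_first(), demo_other_asid_second(), demo_random_last());
    return 0;
}
```

The order matters for more than performance: evicting an entry of another ASID keeps the current address space's working set intact, which is why the random fallback is reached only when every slot is valid and owned by the current ASID.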
Bibo Mao [Thu, 24 Jul 2025 12:34:35 +0000 (20:34 +0800)]
target/loongarch: Reduce TLB flush with helper_tlbwr
With function helper_tlbwr(), specified LoongArch TLB entry will be
updated. There are two PTE pages in one TLB entry called even/odd
pages. Supposing even/odd page is normal/none state, when odd page
is added, TLB entry is changed as normal/normal state and even page
keeps unchanged.
In this situation, it is not necessary to flush the QEMU TLB since the
even page keeps unchanged and only the odd page is newly changed. Here
check whether each PTE page is the same or not; the TLB flush can be
skipped if both are the same or newly added.
Signed-off-by: Bibo Mao <maobibo@loongson.cn> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Bibo Mao [Thu, 24 Jul 2025 11:57:34 +0000 (19:57 +0800)]
target/loongarch: Add parameter tlb pointer with fill_tlb_entry
With function fill_tlb_entry(), it will update LoongArch emulated
TLB information. Here parameter tlb pointer is added so that TLB
entry will be updated based on relative TLB CSR registers.
Signed-off-by: Bibo Mao <maobibo@loongson.cn> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Bibo Mao [Wed, 3 Sep 2025 02:46:01 +0000 (10:46 +0800)]
target/loongarch: Use mmu idx bitmap method when flush TLB
With API tlb_flush_range_by_mmuidx(), a bitmap of mmu idx should be used
rather than the idx itself. Also the bitmap of MMU_KERNEL_IDX and MMU_USER_IDX
is used rather than that of the currently running mmu idx when flushing the TLB.
Signed-off-by: Bibo Mao <maobibo@loongson.cn> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Merge tag 'pull-target-arm-20250926' of https://gitlab.com/pm215/qemu into staging
target-arm queue:
* reimplement VHE alias register handling
* replace magic GIC values by proper definitions
* convert power control DPRINTF() uses to trace events
* better reset related tracepoints
* implement ID_AA64PFR2_EL1
* hw/usb/hcd-uhci: don't assert for SETUP to non-0 endpoint
* net/passt: Fix build failure due to missing GIO dependency
# -----BEGIN PGP SIGNATURE-----
#
# iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmjWnkUZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3upeD/4x0k6ciiJ2wRE1PFUA2KHZ
# bS12+j6Um5BNdcZtRV1aT3x3xOrW3X0JTcmhb9/UdpEPki/krQQgQX50tOiLCeU2
# U4lZke5160Gk3ThdkpELlQDnCVDuNR0wxYgy1GBgAInCa/T/qFnyWwaWBIooCCUh
# +UMJ9tP4XWKvKlkzw9ONFYChxerY2enpOewEbnfSU4NPg9pU8OEZ3yeFWaLZ3Tnl
# 0bei/iFFeuN8RtgJEkuqWI6oENEZZbxGtJ+J/+wvggAfOzfy0I6CmW6y9tQMmKe8
# fTnCQ837uHmlRPWQ615M2wWydbJ1ffdEIYDb5U6UsbfG8sMt5+qg38yo0AyDs6RK
# qJkTceuhqFTDIoi92o2+NFnohCTfASeYaCHjODgcdjGUtbZO7LZ31fOKQrdsHc5e
# chAOnzNxCu9Bt4UqpUmb+ED0fXWDahV1tmgazFS2LORYxnr2q+/WJEdwSgHXNzVy
# 2rdyUx7v7U1finhRE1nAdy8XwJTCQ3gDwDbPGBrH9mhR9DnK6eotFCljI2XnDtAE
# f1i0w/47cnyRW6KsBVK6dJObiOfBRrRYqe3Rt4nA4xjeCNmWcr5IcytpnL/2YT1p
# 1vj+RklbcK7Ns+kWH3H2a9b44zKQrtGGXf8fcNyAqT1YrzrrLUqaiKTfesGfjWit
# ekMWOulOe6UePnoC3SJHFw==
# =+Aj+
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 26 Sep 2025 07:08:05 AM PDT
# gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg: issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [unknown]
# gpg: aka "Peter Maydell <pmaydell@gmail.com>" [unknown]
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [unknown]
# gpg: aka "Peter Maydell <peter@archaic.org.uk>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE
* tag 'pull-target-arm-20250926' of https://gitlab.com/pm215/qemu: (44 commits)
target/arm: Implement ID_AA64PFR2_EL1
target/arm: Move ID register field defs to cpu-features.h
target/arm: Trace vCPU reset call
target/arm: Trace emulated firmware reset call
target/arm: Convert power control DPRINTF() uses to trace events
target/arm: Replace magic GIC values by proper definitions
target/arm: Remove define_arm_vh_e2h_redirects_aliases
target/arm: Rename some cpreg to their aarch64 names
target/arm: Redirect VHE FOO_EL12 to FOO_EL1 during translation
target/arm: Redirect VHE FOO_EL1 -> FOO_EL2 during translation
target/arm: Split out redirect_cpreg
target/arm: Rename TBFLAG_A64_NV2_MEM_E20 with *_E2H
target/arm: Move endianness fixup for 32-bit registers
target/arm: Move writeback of CP_ANY fields
target/arm: Move alias setting for wildcards
target/arm: Remove name argument to alloc_cpreg
target/arm: Hoist the allocation of ARMCPRegInfo
target/arm: Split out alloc_cpreg
target/arm: Add key parameter to add_cpreg_to_hashtable
target/arm: Move cpreg elimination to define_one_arm_cp_reg
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Merge tag 'pull-10.2-maintainer-260925-1' of https://gitlab.com/stsquad/qemu into staging
September maintainer updates (scripts, semihosting, plugins)
- new gitlab-failure-analysis script
- tweak checkpath to ignore license in removed lines
- refactor semihosting to build once
- add explicit assert to execlog for coverity
- new uftrace plugin
# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCgAdFiEEZoWumedRZ7yvyN81+9DbCVqeKkQFAmjWWJYACgkQ+9DbCVqe
# KkS1sgf+LsP0jsc1wKhzBhO4WarXXacWCDxK22riJ3aolm+gJ+b0WI4ds18A0e3R
# z/J8VJVxBZ+6Hid+tOCQwfZ+Hb1p9IofzBdZryGUvwguviNdlpEChhXXnoZkicym
# aGcC/jYRkhTx42dKRdZrSzPd3ccipqop9RvGx57bjCSBAEHYNz679p4z91kNR5a9
# UfcCzIQHbBUPZo0F9gQkNnBrjsJQhvF+gXPmmsmBI1pby6gNRQvFshrTQ1C32VpL
# VgXNc9cZ6vaREWlgb6izNjsMP7cYTMH2Ppxty/FyEMg7GTfWRjI6Ec8fJKjPFtKr
# ZbCNNAeJ9uLK6pJfTk2YxYabxx3JuQ==
# =cR9e
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 26 Sep 2025 02:10:46 AM PDT
# gpg: using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44
* tag 'pull-10.2-maintainer-260925-1' of https://gitlab.com/stsquad/qemu: (24 commits)
contrib/plugins/uftrace: add documentation
contrib/plugins/uftrace_symbols.py
contrib/plugins/uftrace: implement x64 support
contrib/plugins/uftrace: generate additional files for uftrace
contrib/plugins/uftrace: implement privilege level tracing
contrib/plugins/uftrace: implement tracing
contrib/plugins/uftrace: track callstack
contrib/plugins/uftrace: define cpu operations and implement aarch64
contrib/plugins/uftrace: skeleton file
contrib/plugins/execlog: Explicitly check for qemu_plugin_read_register() failure
semihosting/arm-compat-semi: compile once in system and per target for user mode
semihosting/arm-compat-semi: remove dependency on cpu.h
semihosting/arm-compat-semi: eradicate target_long
semihosting/arm-compat-semi: replace target_ulong
semihosting/arm-compat-semi: eradicate sizeof(target_ulong)
include/semihosting/common-semi: extract common_semi API
target/{arm, riscv}/common-semi-target: eradicate target_ulong
target/riscv/common-semi-target: remove sizeof(target_ulong)
semihosting/arm-compat-semi: change common_semi_sys_exit_extended
semihosting/guestfd: compile once for system/user
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
* tag 'pull-vfio-20250926' of https://github.com/legoater/qemu: (29 commits)
include/hw/vfio/vfio-device.h: fix include header guard name
vfio-user/pci.c: rename vfio_user_pci_dev_info to vfio_user_pci_info
vfio-user/pci.c: rename vfio_user_instance_finalize() to vfio_user_pci_finalize()
vfio-user/pci.c: rename vfio_user_instance_init() to vfio_user_pci_init()
vfio-user/pci.c: rename vfio_user_pci_dev_properties[] to vfio_user_pci_properties[]
vfio-user/pci.c: rename vfio_user_pci_dev_class_init() to vfio_user_pci_class_init()
vfio/pci.c: rename vfio_pci_nohotplug_dev_info to vfio_pci_nohotplug_info
vfio/pci.c: rename vfio_pci_nohotplug_dev_class_init() to vfio_pci_nohotplug_class_init()
vfio/pci.c: rename vfio_pci_dev_nohotplug_properties[] to vfio_pci_nohotplug_properties[]
vfio/pci.c: rename vfio_pci_dev_properties[] to vfio_pci_properties[]
vfio/pci.c: rename vfio_pci_base_dev_info to vfio_pci_device_info
vfio/pci.c: rename vfio_pci_base_dev_class_init() to vfio_pci_device_class_init()
hw/vfio/types.h: rename TYPE_VFIO_PCI_BASE to TYPE_VFIO_PCI_DEVICE
vfio/pci.c: rename vfio_pci_dev_info to vfio_pci_info
vfio/pci.c: rename vfio_pci_dev_class_init() to vfio_pci_class_init()
vfio/pci.c: rename vfio_instance_finalize() to vfio_pci_finalize()
vfio/pci.c: rename vfio_instance_init() to vfio_pci_init()
vfio/spapr.c: rename VFIOContainer bcontainer field to parent_obj
vfio/spapr.c: use QOM casts where appropriate
vfio/vfio-iommufd.h: rename VFIOContainer bcontainer field to parent_obj
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Peter Maydell [Tue, 23 Sep 2025 17:57:51 +0000 (18:57 +0100)]
target/arm: Implement ID_AA64PFR2_EL1
Currently we define the ID_AA64PFR2_EL1 encoding as reserved (with
the required RAZ behaviour for unassigned system registers in the ID
register encoding space). Newer architecture versions start to
define fields in this ID register, so define the appropriate
constants and implement it as an ID register backed by a field in
cpu->isar. Since none of our CPUs set that isar field to non-zero,
there is no behavioural change here (other than the name exposed to
the user via the gdbstub), but this paves the way for implementing
the new features that use fields in this register.
The fields here are the ones documented in rev L.b of the Arm ARM.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Peter Maydell [Tue, 23 Sep 2025 17:57:50 +0000 (18:57 +0100)]
target/arm: Move ID register field defs to cpu-features.h
Currently we define constants for the ID register fields in cpu.h.
This means they're defined for a lot more code in QEMU than actually
needs them. Move them to cpu-features.h, which is where we define
the feature functions that test fields in these registers.
There's only one place where we need to use some of these macro
definitions that we weren't already including cpu-features.h:
linux-user/arm/target_proc.h. Otherwise this patch is a pure
movement of code from one file to the other.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
target/arm: Convert power control DPRINTF() uses to trace events
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
target/arm: Replace magic GIC values by proper definitions
Prefer the FIELD_DP64() macro and self-describing GIC
definitions over magic values.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
contrib/plugins/uftrace: generate additional files for uftrace
Beyond traces per cpu, uftrace expects to find some specific files.
- info: contains information about the machine/program run.
Those values do not impact uftrace behaviour (they are only reported by
uftrace info), and we simply added empty strings.
- memory mapping: how every binary is mapped in memory. For system mode,
we generate an empty mapping (uftrace_symbols.py, coming in future
commit, will take care of that). For user mode, we copy current
/proc/self/maps. We don't need to do any special filtering, as
reported addresses will necessarily concern guest program, and not
QEMU and its libraries.
- task: list of tasks. We present every vcpu/privilege level as a
separate process, as it's the best view we can have when generating a
(visual) chrome trace. Using threads is less convenient in terms of
UI.
We add new option trace-privilege-level=bool, which will create a
separate trace for each privilege level.
This allows following changes of privilege during execution.
We implement aarch64 operations to track current privilege level
accordingly.
We implement tracing, following uftrace format.
The trace is flushed every 32 MB, so file operations don't impact
performance at runtime.
A different trace is generated per cpu, and we ensure they have a unique
name, based on vcpu_index, while keeping room for privilege level coming
in next commit.
Uftrace format is not officially documented, but it can be found here:
https://github.com/namhyung/uftrace/blob/v0.18/libmcount/record.c#L909
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250902075042.223990-5-pierrick.bouvier@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250922093711.2768983-21-alex.bennee@linaro.org>
We now track the callstack, based on frame pointer analysis. We can detect
function calls, returns, and discontinuities.
We implement a frame pointer based unwinding that is used for
discontinuities.
We define a scoreboard that will hold our data per cpu. As well, we
define a buffer per cpu that will be used to read registers and memories
in a thread-safe way.
For now, we just instrument all instructions with an empty callback.
Peter Maydell [Mon, 22 Sep 2025 09:37:01 +0000 (10:37 +0100)]
contrib/plugins/execlog: Explicitly check for qemu_plugin_read_register() failure
In insn_check_regs() we don't explicitly check whether
qemu_plugin_read_register() failed, which confuses Coverity into
thinking that sz can be -1 in the memcmp(). In fact the assertion
that sz == reg->last->len means this can't happen, but it's clearer
to both humans and Coverity if we explicitly assert that sz > 0, as
we already do in init_vcpu_register().
Coverity: CID 1611901, 1611902 Fixes: af6e4e0a22c1 ("contrib/plugins: extend execlog to track register changes") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250710144543.1187715-1-peter.maydell@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250922093711.2768983-17-alex.bennee@linaro.org>
include/semihosting/common-semi: extract common_semi API
We transform target/{arm,riscv}/common-semi-target.h headers to proper
compilation units, and use them in arm-compat-semi.c.
This way, we can include only the declaration header (which is target
agnostic), and selectively link the appropriate implementation based on
current target.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250822150058.18692-8-pierrick.bouvier@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250922093711.2768983-11-alex.bennee@linaro.org>
We now check only if sys_exit is extended.
This allows breaking the dependency on TARGET_SYS_EXIT_EXTENDED, which will
not be available anymore from this code.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250822150058.18692-5-pierrick.bouvier@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250922093711.2768983-8-alex.bennee@linaro.org>
semihosting/syscalls: compile once in system and per target for user mode
We replace target_ulong mechanically by uint64_t.
We can't (easily) compile this code once for user mode, as it relies on
various target/function types, so leave it in specific_ss for user mode.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250822150058.18692-2-pierrick.bouvier@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250922093711.2768983-5-alex.bennee@linaro.org>
When running the license check, if we are updating a license it is
possible for the checkpatch script to test against old license lines
instead of newer ones, since the removal lines appear before the
addition lines in a .patch file.
Fix this by skipping over lines that start with "-" in the checkpatch
script.
Signed-off-by: Nabih Estefan <nabihestefan@google.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250916165928.10048-1-nabihestefan@google.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250922093711.2768983-4-alex.bennee@linaro.org>
Alex Bennée [Mon, 22 Sep 2025 09:36:47 +0000 (10:36 +0100)]
scripts/ci: add gitlab-failure-analysis script
This is a script designed to collect data from multiple pipelines and
analyse the failure modes they have. By default it will probe the last
3 failed jobs on the staging branch. However, this can all be
controlled by the CLI:
./scripts/ci/gitlab-failure-analysis --count 2 --branch=testing/next --id 39915562 --status=
running pipeline 2028486060, total jobs 125, skipped 5, failed 0, 39742 tests, 0 failed tests
success pipeline 2015018135, total jobs 125, skipped 5, failed 0, 49219 tests, 0 failed tests
You can also skip failing jobs and just dump the tests:
./scripts/ci/gitlab-failure-analysis --branch= --id 39915562 --status= --skip-jobs --pipeline 19462024911919542960
failed pipeline 1946202491, total jobs 127, skipped 5, failed 26, 38742 tests, 278 skipped tests, 2 failed tests
Failed test qemu.qemu:qtest+qtest-s390x / qtest-s390x/boot-serial-test, check-system-opensuse, 1 /s390x/boot-serial/s390-ccw-virtio - FATAL-ERROR: Failed to find expected string. Please check '/tmp/qtest-boot-serial-sW77EA3'
Failed test qemu.qemu:qtest+qtest-aarch64 / qtest-aarch64/arm-cpu-features, check-system-opensuse, 1 /aarch64/arm/query-cpu-model-expansion - ERROR:../tests/qtest/arm-cpu-features.c:459:test_query_cpu_model_expansion: assertion failed (_error == "The CPU type 'host' requires KVM"): ("The CPU type 'host' requires hardware accelerator" == "The CPU type 'host' requires KVM")
failed pipeline 1919542960, total jobs 127, skipped 5, failed 2, 48753 tests, 441 skipped tests, 1 failed tests
Failed test qemu.qemu:unit / test-aio, msys2-64bit, 12 /aio/timer/schedule - ERROR:../tests/unit/test-aio.c:413:test_timer_schedule: assertion failed: (aio_poll(ctx, true))
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20250922093711.2768983-3-alex.bennee@linaro.org>