git.ipfire.org Git - thirdparty/qemu.git/log
thirdparty/qemu.git
3 weeks ago  target/riscv/monitor: Replace legacy cpu_physical_memory_read() call
Philippe Mathieu-Daudé [Thu, 2 Oct 2025 03:09:23 +0000 (05:09 +0200)] 
target/riscv/monitor: Replace legacy cpu_physical_memory_read() call

Commit b7ecba0f6f6 ("docs/devel/loads-stores.rst: Document our
various load and store APIs") mentioned cpu_physical_memory_*()
methods are legacy, the replacement being address_space_*().

Propagate the address space to walk_pte(), then replace the
cpu_physical_memory_read() by address_space_read(). Since the
monitor commands are run with a vCPU context, use its default
address space. As with the previous implementation, ignore
whether the memory read succeeded or failed.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Message-Id: <20251002145742.75624-5-philmd@linaro.org>

3 weeks ago  target/riscv/kvm: Replace legacy cpu_physical_memory_read/write() calls
Philippe Mathieu-Daudé [Wed, 1 Oct 2025 08:53:07 +0000 (10:53 +0200)] 
target/riscv/kvm: Replace legacy cpu_physical_memory_read/write() calls

Commit b7ecba0f6f6 ("docs/devel/loads-stores.rst: Document our
various load and store APIs") mentioned cpu_physical_memory_*()
methods are legacy, the replacement being address_space_*().

Since the SBI DBCN is handled within a vCPU context, use its
default address space. Replace using the address space API.
As with the previous implementation, ignore whether the memory
accesses succeeded or failed.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Message-Id: <20251002145742.75624-4-philmd@linaro.org>

3 weeks ago  target/openrisc: Replace target_ulong -> uint32_t
Philippe Mathieu-Daudé [Thu, 9 Oct 2025 07:59:05 +0000 (09:59 +0200)] 
target/openrisc: Replace target_ulong -> uint32_t

The OpenRISC targets are only built as 32-bit:

  $ git grep TARGET_LONG_BITS configs/targets/or1k-*
  configs/targets/or1k-linux-user.mak:5:TARGET_LONG_BITS=32
  configs/targets/or1k-softmmu.mak:5:TARGET_LONG_BITS=32

Therefore target_ulong always expands to uint32_t. Replace and
adapt the API uses mechanically:

  target_ulong -> uint32_t
  target_long -> int32_t
  tl -> i32
  TCGv -> TCGv_i32
  tcg_temp_new -> tcg_temp_new_i32
  tcg_global_mem_new -> tcg_global_mem_new_i32
  VMSTATE_UINTTL -> VMSTATE_UINT32

There is no functional change (the migration stream is not modified).

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251010070702.51484-14-philmd@linaro.org>

3 weeks ago  target/openrisc: Inline tcg_gen_trunc_i64_tl()
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 07:32:05 +0000 (09:32 +0200)] 
target/openrisc: Inline tcg_gen_trunc_i64_tl()

The OpenRISC targets are only built as 32-bit, so tcg_gen_trunc_i64_tl
expands to tcg_gen_extrl_i64_i32(). Use the latter to simplify the
next commit mechanical change.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251010070702.51484-13-philmd@linaro.org>

3 weeks ago  target/openrisc: Replace MO_TE -> MO_BE
Philippe Mathieu-Daudé [Wed, 12 Mar 2025 09:27:08 +0000 (10:27 +0100)] 
target/openrisc: Replace MO_TE -> MO_BE

We only build the OpenRISC targets using big endianness order:

  $ git grep TARGET_BIG_ENDIAN configs/targets/or1k-*
  configs/targets/or1k-linux-user.mak:2:TARGET_BIG_ENDIAN=y
  configs/targets/or1k-softmmu.mak:2:TARGET_BIG_ENDIAN=y

Therefore the MO_TE definition always expands to MO_BE. Use the
latter to simplify.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251010070702.51484-12-philmd@linaro.org>

3 weeks ago  target/openrisc: Introduce mo_endian() helper
Philippe Mathieu-Daudé [Wed, 12 Mar 2025 09:25:49 +0000 (10:25 +0100)] 
target/openrisc: Introduce mo_endian() helper

mo_endian() returns the target endianness.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251010070702.51484-11-philmd@linaro.org>

3 weeks ago  target/openrisc: Conceal MO_TE within do_store()
Philippe Mathieu-Daudé [Wed, 12 Mar 2025 09:23:46 +0000 (10:23 +0100)] 
target/openrisc: Conceal MO_TE within do_store()

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251010070702.51484-10-philmd@linaro.org>

3 weeks ago  target/openrisc: Conceal MO_TE within do_load()
Philippe Mathieu-Daudé [Wed, 12 Mar 2025 09:23:46 +0000 (10:23 +0100)] 
target/openrisc: Conceal MO_TE within do_load()

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251010070702.51484-9-philmd@linaro.org>

3 weeks ago  target/openrisc: Explode MO_TExx -> MO_TE | MO_xx
Philippe Mathieu-Daudé [Wed, 12 Mar 2025 09:19:50 +0000 (10:19 +0100)] 
target/openrisc: Explode MO_TExx -> MO_TE | MO_xx

Extract the implicit MO_TE definition in order to replace
it in the next commit.

Mechanical change using:

  $ for n in UW UL UQ UO SW SL SQ; do \
      sed -i -e "s/MO_TE$n/MO_TE | MO_$n/" \
           $(git grep -l MO_TE$n target/openrisc); \
    done

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251010070702.51484-8-philmd@linaro.org>

3 weeks ago  target/openrisc: Remove 'TARGET_LONG_BITS != 32' dead code
Philippe Mathieu-Daudé [Thu, 9 Oct 2025 08:11:59 +0000 (10:11 +0200)] 
target/openrisc: Remove 'TARGET_LONG_BITS != 32' dead code

The OpenRISC targets are only built as 32-bit:

  $ git grep TARGET_LONG_BITS configs/targets/or1k-*
  configs/targets/or1k-linux-user.mak:5:TARGET_LONG_BITS=32
  configs/targets/or1k-softmmu.mak:5:TARGET_LONG_BITS=32

Remove the dead code guarded within TARGET_LONG_BITS != 32.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251010070702.51484-7-philmd@linaro.org>

3 weeks ago  target/openrisc: Use vaddr type for $pc jumps
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 07:06:52 +0000 (09:06 +0200)] 
target/openrisc: Use vaddr type for $pc jumps

translator_use_goto_tb() expects a vaddr type since commit
b1c09220b4c ("accel/tcg: Replace target_ulong with vaddr in
translator_*()").

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251010070702.51484-6-philmd@linaro.org>

3 weeks ago  target/openrisc: Remove target_ulong use in raise_mmu_exception()
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 07:06:25 +0000 (09:06 +0200)] 
target/openrisc: Remove target_ulong use in raise_mmu_exception()

TCGCPUOps::tlb_fill() handler provides a vaddr type (since commit
7510454e3e7 "cpu: Turn cpu_handle_mmu_fault() into a CPUClass hook").

Do not inline get_phys_nommu(), rely on the linker to optimize at
linking time.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251010070702.51484-5-philmd@linaro.org>

3 weeks ago  target/openrisc: Remove unused cpu_openrisc_map_address_*() handlers
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 07:06:05 +0000 (09:06 +0200)] 
target/openrisc: Remove unused cpu_openrisc_map_address_*() handlers

Commit 23d45ebdb19 ("target/openrisc: Remove indirect
function calls for mmu") removed the last uses of both
cpu_openrisc_map_address_code() and
cpu_openrisc_map_address_data() helpers.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251010070702.51484-4-philmd@linaro.org>

3 weeks ago  target/openrisc: Do not use target_ulong for @mr in MTSPR helper
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 07:14:15 +0000 (09:14 +0200)] 
target/openrisc: Do not use target_ulong for @mr in MTSPR helper

OpenRISCTLBEntry::@mr field is a uint32_t type since its
introduction in commit 726fe045720 ("target-or32: Add MMU support").

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251010070702.51484-3-philmd@linaro.org>

3 weeks ago  target/openrisc: Replace VMSTATE_UINTTL() -> VMSTATE_UINT32()
Philippe Mathieu-Daudé [Thu, 25 Sep 2025 00:46:47 +0000 (02:46 +0200)] 
target/openrisc: Replace VMSTATE_UINTTL() -> VMSTATE_UINT32()

Both OpenRISCTLBEntry fields are of uint32_t type. Use the
appropriate VMSTATE_UINT32() macro.

There is no functional change (the migration stream is not
modified), because the OpenRISC targets are only built as 32-bit:

  $ git grep TARGET_LONG_BITS configs/targets/or1k-*
  configs/targets/or1k-linux-user.mak:5:TARGET_LONG_BITS=32
  configs/targets/or1k-softmmu.mak:5:TARGET_LONG_BITS=32

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251010070702.51484-2-philmd@linaro.org>

3 weeks ago  target/microblaze: Convert CPUMBState::res_addr field to uint32_t type
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 04:58:51 +0000 (06:58 +0200)] 
target/microblaze: Convert CPUMBState::res_addr field to uint32_t type

CPUMBState::@res_addr field is used as u32 since commit
cfeea807e5a ("target-microblaze: Tighten up TCGv_i32 vs
TCGv type usage"). Convert it as such, bumping the migration
version. Use the RES_ADDR_NONE definition when appropriate.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251015180115.97493-8-philmd@linaro.org>

3 weeks ago  target/microblaze: Have do_load/store() take a TCGv_i32 address argument
Philippe Mathieu-Daudé [Wed, 15 Oct 2025 17:34:49 +0000 (19:34 +0200)] 
target/microblaze: Have do_load/store() take a TCGv_i32 address argument

All callers of do_load() and do_store() pass a TCGv_i32 address
type; have both functions take a TCGv_i32.

Suggested-by: Anton Johansson <anjo@rev.ng>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251015180115.97493-7-philmd@linaro.org>

3 weeks ago  target/microblaze: Have compute_ldst_addr_type[ab] return TCGv_i32
Philippe Mathieu-Daudé [Wed, 15 Oct 2025 17:33:39 +0000 (19:33 +0200)] 
target/microblaze: Have compute_ldst_addr_type[ab] return TCGv_i32

Both compute_ldst_addr_typea() and compute_ldst_addr_typeb()
bodies use a TCGv_i32, so return the same type.

Suggested-by: Anton Johansson <anjo@rev.ng>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251015180115.97493-6-philmd@linaro.org>

3 weeks ago  target/microblaze: Remove target_ulong use in helper_stackprot()
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 04:56:49 +0000 (06:56 +0200)] 
target/microblaze: Remove target_ulong use in helper_stackprot()

Since commit 36a9529e60e ("target/microblaze: Simplify
compute_ldst_addr_type{a,b}"), helper_stackprot() takes
a TCGv_i32 argument.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251015180115.97493-5-philmd@linaro.org>

3 weeks ago  target/microblaze: Remove target_ulong use in gen_goto_tb()
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 04:42:24 +0000 (06:42 +0200)] 
target/microblaze: Remove target_ulong use in gen_goto_tb()

translator_use_goto_tb() expects a vaddr type since commit
b1c09220b4c ("accel/tcg: Replace target_ulong with vaddr in
translator_*()").

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251015180115.97493-4-philmd@linaro.org>

3 weeks ago  target/microblaze: Remove target_ulong uses in get_phys_page_attrs_debug
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 04:36:32 +0000 (06:36 +0200)] 
target/microblaze: Remove target_ulong uses in get_phys_page_attrs_debug

The CPUClass::get_phys_page_debug() handler takes a 'vaddr' address
and returns a 'hwaddr' type since commit 00b941e581b ("cpu: Turn
cpu_get_phys_page_debug() into a CPUClass hook").

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251015180115.97493-3-philmd@linaro.org>

3 weeks ago  target/microblaze: Remove target_ulong use in cpu_handle_mmu_fault()
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 04:35:19 +0000 (06:35 +0200)] 
target/microblaze: Remove target_ulong use in cpu_handle_mmu_fault()

cpu_handle_mmu_fault() -- renamed in commit f429d607c71 -- expects
a vaddr type for its address argument since commit 7510454e3e7
("cpu: Turn cpu_handle_mmu_fault() into a CPUClass hook").

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251015180115.97493-2-philmd@linaro.org>

3 weeks ago  target/m68k: Remove pointless @cpu_halted TCGv
Philippe Mathieu-Daudé [Tue, 26 Aug 2025 04:42:05 +0000 (06:42 +0200)] 
target/m68k: Remove pointless @cpu_halted TCGv

Avoid registering a TCGv to write the generic CPUState::halted
field. Access it directly via @env in both STOP / HALT opcodes.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20250925012454.60602-1-philmd@linaro.org>

3 weeks ago  target/m68k: Remove unused @cpu_exception_index TCGv
Philippe Mathieu-Daudé [Tue, 26 Aug 2025 04:43:19 +0000 (06:43 +0200)] 
target/m68k: Remove unused @cpu_exception_index TCGv

When moving the @exception_index from each target ArchCPU
to the global CPUState in commit 27103424c40 ("cpu: Move
exception_index field from CPU_COMMON to CPUState"), the
@cpu_exception_index TCGv has been created for m68k target.

For years, no code ever used this register. Simply remove it.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20250924171308.53036-1-philmd@linaro.org>

3 weeks ago  target/loongarch: Do not use target_ulong type for LDDIR level
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 06:15:13 +0000 (08:15 +0200)] 
target/loongarch: Do not use target_ulong type for LDDIR level

The LDDIR level page table is a 5-bit immediate. Using the
uint32_t type for it is sufficient. Avoid the target_ulong type.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Message-Id: <20251009201947.34643-5-philmd@linaro.org>

3 weeks ago  target/loongarch: Remove target_ulong use in gdb_write_register handler
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 06:15:23 +0000 (08:15 +0200)] 
target/loongarch: Remove target_ulong use in gdb_write_register handler

ldq_le_p() returns a uint64_t type, big enough to also hold
ldl_le_p() return value. If we were building for a 32-bit
LoongArch target, ldq_le_p() would not fit in target_ulong.
Better stick to plain uint64_t.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Message-Id: <20251009201947.34643-4-philmd@linaro.org>

3 weeks ago  target/loongarch: Remove target_ulong use in gen_goto_tb()
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 06:14:50 +0000 (08:14 +0200)] 
target/loongarch: Remove target_ulong use in gen_goto_tb()

translator_use_goto_tb() expects a vaddr type since commit
b1c09220b4c ("accel/tcg: Replace target_ulong with vaddr in
translator*()").

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Message-Id: <20251009201947.34643-3-philmd@linaro.org>

3 weeks ago  target/loongarch: Replace VMSTATE_UINTTL() -> VMSTATE_UINT64()
Philippe Mathieu-Daudé [Thu, 25 Sep 2025 00:39:45 +0000 (02:39 +0200)] 
target/loongarch: Replace VMSTATE_UINTTL() -> VMSTATE_UINT64()

All LoongArchCPU::pc and LoongArchCPU::gpr[] fields are of
uint64_t type. Use the appropriate VMSTATE_UINT64() macro.

There is no functional change (the migration stream is not
modified), because the LoongArch targets are only built as 64-bit:

  $ git grep TARGET_LONG_BITS configs/targets/loongarch64*
  configs/targets/loongarch64-linux-user.mak:7:TARGET_LONG_BITS=64
  configs/targets/loongarch64-softmmu.mak:7:TARGET_LONG_BITS=64

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Message-Id: <20250925004327.58764-1-philmd@linaro.org>

3 weeks ago  target/hppa: correct size bit parity for fmpyadd
Gabriel Brookman [Thu, 9 Oct 2025 20:51:11 +0000 (16:51 -0400)] 
target/hppa: correct size bit parity for fmpyadd

For the fmpyadd instruction on the hppa architecture, there is a bit
used to specify whether the instruction is operating on a 32 bit or
64 bit floating point register. For most instructions, such a bit is 0
when operating on the smaller register and 1 when operating on the
larger register. However, according to page 6-57 of the PA-RISC 1.1
Architecture and Instruction Set Reference Manual, this convention is
reversed for the fmpyadd instruction specifically, meaning the bit is
1 for operations on 32 bit registers and 0 for 64 bit registers. See
also page 6-18 (fig. 6-8) and 6-19 (table 6-16), where the f field
for FMPYADD and FMPYSUB is documented. Previously, QEMU decoded this
operation as operating on the other size of register, leading to bugs
when translating the fmpyadd instruction. This patch fixes that issue.

Reported-by: Andreas Hüttel <andreas.huettel@ur.de>
Signed-off-by: Gabriel Brookman <brookmangabriel@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3096
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Acked-by: Helge Deller <deller@gmx.de>
Message-ID: <20251009-hppa-correct-fmpyadd-size-bit-decoding-v1-1-f63bb6c3290c@gmail.com>
[PMD: Add documentation refs mentioned by Andreas K. Huettel]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

3 weeks ago  target/hppa: Replace MO_TE -> MO_BE
Philippe Mathieu-Daudé [Mon, 17 Mar 2025 13:31:49 +0000 (14:31 +0100)] 
target/hppa: Replace MO_TE -> MO_BE

We only build the PA-RISC targets using big endianness order:

  $ git grep TARGET_BIG_ENDIAN configs/targets/hppa-*
  configs/targets/hppa-linux-user.mak:5:TARGET_BIG_ENDIAN=y
  configs/targets/hppa-softmmu.mak:2:TARGET_BIG_ENDIAN=y

Therefore the MO_TE definition always expands to MO_BE. Use the
latter to simplify.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251009101040.18378-10-philmd@linaro.org>

3 weeks ago  target/hppa: Introduce mo_endian() helper
Philippe Mathieu-Daudé [Thu, 9 Oct 2025 09:45:27 +0000 (11:45 +0200)] 
target/hppa: Introduce mo_endian() helper

mo_endian() returns the target endianness.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251009101040.18378-9-philmd@linaro.org>

3 weeks ago  target/hppa: Conceal MO_TE within do_store_32/64()
Philippe Mathieu-Daudé [Thu, 9 Oct 2025 09:30:04 +0000 (11:30 +0200)] 
target/hppa: Conceal MO_TE within do_store_32/64()

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251009101040.18378-8-philmd@linaro.org>

3 weeks ago  target/hppa: Conceal MO_TE within do_store()
Philippe Mathieu-Daudé [Thu, 9 Oct 2025 09:28:14 +0000 (11:28 +0200)] 
target/hppa: Conceal MO_TE within do_store()

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251009101040.18378-7-philmd@linaro.org>

3 weeks ago  target/hppa: Conceal MO_TE within do_load_32/64()
Philippe Mathieu-Daudé [Thu, 9 Oct 2025 09:32:21 +0000 (11:32 +0200)] 
target/hppa: Conceal MO_TE within do_load_32/64()

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251009101040.18378-6-philmd@linaro.org>

3 weeks ago  target/hppa: Conceal MO_TE within do_load()
Philippe Mathieu-Daudé [Thu, 9 Oct 2025 09:31:19 +0000 (11:31 +0200)] 
target/hppa: Conceal MO_TE within do_load()

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251009101040.18378-5-philmd@linaro.org>

3 weeks ago  target/hppa: Explode MO_TExx -> MO_TE | MO_xx
Philippe Mathieu-Daudé [Thu, 9 Oct 2025 09:25:06 +0000 (11:25 +0200)] 
target/hppa: Explode MO_TExx -> MO_TE | MO_xx

Extract the implicit MO_TE definition in order to replace
it in a later commit.

Mechanical change using:

  $ for n in UW UL UQ UO SW SL SQ; do \
      sed -i -e "s/MO_TE$n/MO_TE | MO_$n/" \
           $(git grep -l MO_TE$n target/hppa); \
    done

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251009101040.18378-4-philmd@linaro.org>

3 weeks ago  target/hppa: Have hppa_form_gva*() return vaddr type
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 13:30:56 +0000 (15:30 +0200)] 
target/hppa: Have hppa_form_gva*() return vaddr type

Return a 'vaddr' type for "guest virtual address".

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251009101040.18378-3-philmd@linaro.org>

3 weeks ago  target/hppa: Use hwaddr type for HPPATLBEntry::pa
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 10:59:15 +0000 (12:59 +0200)] 
target/hppa: Use hwaddr type for HPPATLBEntry::pa

HPPATLBEntry::@pa is a physical address, use the appropriate type.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251009101040.18378-2-philmd@linaro.org>

3 weeks ago  target/i386/monitor: Replace legacy cpu_physical_memory_read() calls
Philippe Mathieu-Daudé [Thu, 2 Oct 2025 03:02:10 +0000 (05:02 +0200)] 
target/i386/monitor: Replace legacy cpu_physical_memory_read() calls

Commit b7ecba0f6f6 ("docs/devel/loads-stores.rst: Document our
various load and store APIs") mentioned cpu_physical_memory_*()
methods are legacy, the replacement being address_space_*().

Replace:

 - cpu_physical_memory_read(len=4) -> address_space_ldl()
 - cpu_physical_memory_read(len=8) -> address_space_ldq()

inlining the little endianness conversion via the '_le' suffix.
As with the previous implementation, ignore whether the memory
read succeeded or failed.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Message-Id: <20251002145742.75624-3-philmd@linaro.org>

3 weeks ago  target/i386/monitor: Propagate CPU address space to 'info mem' handlers
Philippe Mathieu-Daudé [Thu, 2 Oct 2025 14:40:37 +0000 (16:40 +0200)] 
target/i386/monitor: Propagate CPU address space to 'info mem' handlers

We want to replace the cpu_physical_memory_read() calls by
address_space_read() equivalents. Since the latter requires
an address space, and these commands are run in the context
of a vCPU, propagate its first address space. The next commit
will do the replacements.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Message-Id: <20251002145742.75624-2-philmd@linaro.org>

3 weeks ago  target/alpha: Replace VMSTATE_UINTTL() -> VMSTATE_UINT64()
Philippe Mathieu-Daudé [Thu, 25 Sep 2025 00:31:34 +0000 (02:31 +0200)] 
target/alpha: Replace VMSTATE_UINTTL() -> VMSTATE_UINT64()

All these CPUAlphaState fields are of uint64_t type (except
the @fir[] array which uses float64, expanded to the same
type definition). Use the appropriate VMSTATE_UINT64() macro.

There is no functional change (the migration stream is not
modified), because the Alpha targets are only built as 64-bit:

  $ git grep TARGET_LONG_BITS configs/targets/alpha*
  configs/targets/alpha-linux-user.mak:4:TARGET_LONG_BITS=64
  configs/targets/alpha-softmmu.mak:2:TARGET_LONG_BITS=64

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Message-Id: <20250925005137.59378-1-philmd@linaro.org>

3 weeks ago  target/alpha: Access CPUState::cpu_index via helper
Philippe Mathieu-Daudé [Wed, 27 Aug 2025 12:07:26 +0000 (14:07 +0200)] 
target/alpha: Access CPUState::cpu_index via helper

CPUState::cpu_index is a target agnostic field, meant
for common code (i.e. accel/ and system/ folders).

Target specific code should use the CPUClass::get_arch_id()
helper, even if there is a 1:1 mapping.

In preparation of generic changes around CPU indexing,
introduce the whoami helper to access the generic
CPUState::cpu_index field.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20250925010438.59755-1-philmd@linaro.org>

3 weeks ago  accel/tcg: Name gen_goto_tb()'s TB slot index as @tb_slot_idx
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 03:12:51 +0000 (05:12 +0200)] 
accel/tcg: Name gen_goto_tb()'s TB slot index as @tb_slot_idx

tcg_gen_goto_tb() takes an unsigned index to the TB slot (0 or 1).
Declare the argument as unsigned and rename it as @tb_slot_idx
(which is more descriptive than @n) on all targets.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-Id: <20251010031745.37528-1-philmd@linaro.org>

3 weeks ago  Merge tag 'pull-loongarch-20251015' of https://github.com/bibo-mao/qemu into staging
Richard Henderson [Wed, 15 Oct 2025 21:49:51 +0000 (14:49 -0700)] 
Merge tag 'pull-loongarch-20251015' of https://github.com/bibo-mao/qemu into staging

loongarch queue

# gpg: Signature made Tue 14 Oct 2025 08:08:53 PM PDT
# gpg:                using EDDSA key 0D8642A3A2659F80B0B3D1A41F7B0C1251ACE7D1
# gpg: Good signature from "bibo mao <maobibo@loongson.cn>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 7044 3A00 19C0 E97A 31C7  13C4 8E86 8FB7 A176 9D4C
#      Subkey fingerprint: 0D86 42A3 A265 9F80 B0B3  D1A4 1F7B 0C12 51AC E7D1

* tag 'pull-loongarch-20251015' of https://github.com/bibo-mao/qemu:
  hw/loongarch/virt: Sort order by hardware device base address
  hw/loongarch/virt: Remove header file ls7a.h
  target/loongarch: Skip global TLB when calculating replaced TLB
  target/loongarch: Add missing TLB flush with different asid

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

3 weeks ago  hw/loongarch/virt: Sort order by hardware device base address
Bibo Mao [Mon, 13 Oct 2025 06:35:16 +0000 (14:35 +0800)] 
hw/loongarch/virt: Sort order by hardware device base address

In header file include/hw/loongarch/virt.h, the hardware device definitions
are sorted by base address. Also remove the unused macros
VIRT_IOAPIC_REG_BASE and VIRT_MISC_REG_BASE.

Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Song Gao <gaosong@loongson.cn>

3 weeks ago  hw/loongarch/virt: Remove header file ls7a.h
Bibo Mao [Mon, 13 Oct 2025 06:35:15 +0000 (14:35 +0800)] 
hw/loongarch/virt: Remove header file ls7a.h

The LoongArch virt machine uses the GPEX PCIE host bridge rather than the 7A
host bridge. Remove header file ls7a.h and put the hardware information into
include/hw/loongarch/virt.h.

Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Song Gao <gaosong@loongson.cn>

3 weeks ago  target/loongarch: Skip global TLB when calculating replaced TLB
Bibo Mao [Thu, 9 Oct 2025 02:59:32 +0000 (10:59 +0800)] 
target/loongarch: Skip global TLB when calculating replaced TLB

When a new TLB entry is added, the TLB index is calculated from an invalid
entry first, then from an entry with a different ASID, and randomly at last.

With a different ASID, global TLB entries should be skipped, since the ASID
is not useful when a global TLB entry is added.

Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Song Gao <gaosong@loongson.cn>

3 weeks ago  target/loongarch: Add missing TLB flush with different asid
Bibo Mao [Thu, 9 Oct 2025 02:59:31 +0000 (10:59 +0800)] 
target/loongarch: Add missing TLB flush with different asid

If the asid is changed in function helper_csrwr_asid(), the qemu TLB is flushed,
however the loongArch TLB is still valid. So the loongArch TLB needs to be
invalidated in function invalidate_tlb() with a different asid, and the
effective bit needs to be cleared.

Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Song Gao <gaosong@loongson.cn>

3 weeks ago  Merge tag 'pull-tcg-20251014' of https://gitlab.com/rth7680/qemu into staging
Richard Henderson [Tue, 14 Oct 2025 17:25:05 +0000 (10:25 -0700)] 
Merge tag 'pull-tcg-20251014' of https://gitlab.com/rth7680/qemu into staging

linux-user: Support MADV_DONTDUMP, MADV_DODUMP
accel/tcg: Hoist first page lookup above pointer_wrap

# gpg: Signature made Tue 14 Oct 2025 10:22:30 AM PDT
# gpg:                using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg:                issuer "richard.henderson@linaro.org"
# gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [ultimate]

* tag 'pull-tcg-20251014' of https://gitlab.com/rth7680/qemu:
  accel/tcg: Hoist first page lookup above pointer_wrap
  linux-user: Support MADV_DONTDUMP, MADV_DODUMP
  accel/tcg: Add clear_flags argument to page_set_flags

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

3 weeks ago  accel/tcg: Hoist first page lookup above pointer_wrap
Richard Henderson [Sat, 4 Oct 2025 19:10:52 +0000 (12:10 -0700)] 
accel/tcg: Hoist first page lookup above pointer_wrap

For strict alignment targets we registered cpu_pointer_wrap_notreached,
but generic code used it before recognizing the alignment exception.
Hoist the first page lookup, so that the alignment exception happens first.

Cc: qemu-stable@nongnu.org
Buglink: https://bugs.debian.org/1112285
Fixes: a4027ed7d4be ("target: Use cpu_pointer_wrap_notreached for strict align targets")
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 weeks ago  linux-user: Support MADV_DONTDUMP, MADV_DODUMP
Jon Wilson [Wed, 24 Sep 2025 01:52:28 +0000 (18:52 -0700)] 
linux-user: Support MADV_DONTDUMP, MADV_DODUMP

Set and clear PAGE_DONTDUMP, and honor that in vma_dump_size.

Signed-off-by: Jon Wilson <jonwilson030981@gmail.com>
[rth: Use new page_set_flags semantics; also handle DODUMP]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
3 weeks ago  accel/tcg: Add clear_flags argument to page_set_flags
Richard Henderson [Wed, 24 Sep 2025 01:16:58 +0000 (18:16 -0700)] 
accel/tcg: Add clear_flags argument to page_set_flags

Expand the interface of page_set_flags to separate the
set of flags to be set and the set of flags to be cleared.

This allows us to replace PAGE_RESET with the PAGE_VALID
bit within clear_flags.

Replace PAGE_TARGET_STICKY with TARGET_PAGE_NOTSTICKY;
aarch64-linux-user is the only user.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
3 weeks ago  Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging
Richard Henderson [Tue, 14 Oct 2025 14:30:08 +0000 (07:30 -0700)] 
Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* rust: fix nightly warnings
* target/i386: a smattering of fixes
* monitor: add "info accelerators"
* kvm: cleanups to kvm_cpu_synchronize_put()
* target/i386: Add TSA attack variants and verw-clear feature flag
* async: tsan bottom half fixes
* rust: migration state wrappers with support for BQL-free devices

# gpg: Signature made Tue 14 Oct 2025 05:44:06 AM PDT
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [unknown]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu: (28 commits)
  rust: migration: implement ToMigrationState as part of impl_vmstate_bitsized
  timer: constify some functions
  rust: qemu-macros: add ToMigrationState derive macro
  rust: migration: add high-level migration wrappers
  rust: move VMState from bql to migration
  rust: migration: extract vmstate_fields_ref
  rust: migration: validate termination of subsection arrays
  rust: migration: do not store raw pointers into VMStateSubsectionsWrapper
  rust: migration: do not pass raw pointer to VMStateDescription::fields
  rust: bql: add BqlRefCell::get_mut()
  accel/kvm: Factor kvm_cpu_synchronize_put() out
  accel/kvm: Introduce KvmPutState enum
  monitor: generalize query-mshv/"info mshv" to query-accelerators/"info accelerators"
  monitor: clarify "info accel" help message
  target/i386: user: do not set up a valid LDT on reset
  async: access bottom half flags with qatomic_read
  target/i386: fix access to the T bit of the TSS
  target/i386: fix x86_64 pushw op
  i386/tcg/smm_helper: Properly apply DR values on SMM entry / exit
  i386/cpu: Prevent delivering SIPI during SMM in TCG mode
  ...

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
3 weeks ago  Merge tag 'hw-misc-20251013' of https://github.com/philmd/qemu into staging
Richard Henderson [Tue, 14 Oct 2025 14:29:42 +0000 (07:29 -0700)] 
Merge tag 'hw-misc-20251013' of https://github.com/philmd/qemu into staging

Misc HW patches

# gpg: Signature made Mon 13 Oct 2025 12:17:15 PM PDT
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* tag 'hw-misc-20251013' of https://github.com/philmd/qemu:
  hw/hppa: Reduce variables scope in common_init()
  hw/hppa: Factor QOM HPPA_COMMON_MACHINE out
  hw/hppa: Convert type_init() -> DEFINE_TYPES()
  hw/loongarch/boot: Remove unnecessary cast to target_ulong
  hw/vmapple: include missing headers
  hw/s390x/sclp: Do not ignore address_space_read/write() errors
  hw/arm/aspeed: Don't set 'auto_create_sdcard'
  hw/net/can/xlnx-versal-canfd: remove unused include directives
  hw/sparc/leon3: Remove unnecessary CPU() QOM cast
  hw/xtensa/xtfpga: Have xtfpga_init() only initialize MMU
  hw/ppc: Do not open-code cpu_resume() in spin_kick()
  hw/display/xenfb: Replace unreachable code by g_assert_not_reached()

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
3 weeks ago  Merge tag 'pull-aspeed-20251013' of https://github.com/legoater/qemu into staging
Richard Henderson [Tue, 14 Oct 2025 14:29:18 +0000 (07:29 -0700)] 
Merge tag 'pull-aspeed-20251013' of https://github.com/legoater/qemu into staging

aspeed queue:

* Introduce AspeedCoprocessor class and base implementation
* Remove redundant functional tests to optimize for CI resources
* Deprecate fp5280g2-bmc, qcom-dc-scm-v1-bmc, qcom-firework-bmc and
  sonorapass-bmc machines
* Bump ASPEED SDK to v09.08
* Add PCIe and network tests

# gpg: Signature made Mon 13 Oct 2025 05:43:34 AM PDT
# gpg:                using RSA key A0F66548F04895EBFE6B0B6051A343C7CFFBECA1
# gpg: Good signature from "Cédric Le Goater <clg@redhat.com>" [full]
# gpg:                 aka "Cédric Le Goater <clg@kaod.org>" [full]

* tag 'pull-aspeed-20251013' of https://github.com/legoater/qemu: (29 commits)
  hw/arm/aspeed_ast27x0-{ssp,tsp}: Fix coding style
  hw/arm/aspeed_ast27x0-tsp: Rename type to TYPE_ASPEED27X0TSP_COPROCESSOR
  hw/arm/aspeed_ast27x0-ssp: Rename type to TYPE_ASPEED27X0SSP_COPROCESSOR
  hw/arm/aspeed_ast27x0-tsp: Change to use Aspeed27x0CoprocessorState
  hw/arm/aspeed_ast27x0-ssp: Change to use Aspeed27x0CoprocessorState
  hw/arm/aspeed_ast27x0-tsp: Make AST27x0 TSP inherit from AspeedCoprocessor instead of AspeedSoC
  hw/arm/aspeed_ast27x0-ssp: Make AST27x0 SSP inherit from AspeedCoprocessor instead of AspeedSoC
  hw/arm/aspeed: Introduce AspeedCoprocessor class and base implementation
  hw/arm/aspeed: Remove the aspeed_soc_get_irq and class get_irq hook
  hw/arm/aspeed: Remove AspeedSoCState dependency from aspeed_soc_uart_realize() API
  hw/arm/aspeed: Remove AspeedSoCState dependency from aspeed_mmio_map_unimplemented() API
  hw/arm/aspeed: Remove AspeedSoCState dependency from aspeed_mmio_map() API
  hw/arm/aspeed: Remove AspeedSoCClass dependency from aspeed_soc_cpu_type() API
  hw/arm/aspeed: Remove AspeedSoCState dependency from aspeed_soc_uart_set_chr() API
  hw/arm/aspeed: Remove AspeedSoCClass dependency from aspeed_uart_last() API
  hw/arm/aspeed: Remove AspeedSoCState dependency from aspeed_uart_first() API
  test/functional/aarch64: Split the ast2700a1-evb OpenBMC boot test
  test/functional/aarch64: Remove test for the ast2700a0-evb machine
  aspeed: Deprecate the fp5280g2-bmc machine
  aspeed: Deprecate the qcom-dc-scm-v1-bmc and qcom-firework-bmc machines
  ...

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
3 weeks ago  rust: migration: implement ToMigrationState as part of impl_vmstate_bitsized
Paolo Bonzini [Fri, 19 Sep 2025 09:18:44 +0000 (11:18 +0200)] 
rust: migration: implement ToMigrationState as part of impl_vmstate_bitsized

This is most likely desirable, and is the easiest way to migrate
a bit-sized value without peeking at the innards of the bilge crate.

Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  timer: constify some functions
Paolo Bonzini [Tue, 30 Sep 2025 08:56:26 +0000 (10:56 +0200)] 
timer: constify some functions

Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  rust: qemu-macros: add ToMigrationState derive macro
Paolo Bonzini [Thu, 9 Oct 2025 08:25:07 +0000 (10:25 +0200)] 
rust: qemu-macros: add ToMigrationState derive macro

Add a macro that recursively builds the "migrated" version
of a struct.

Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  rust: migration: add high-level migration wrappers
Paolo Bonzini [Mon, 15 Sep 2025 09:34:36 +0000 (11:34 +0200)] 
rust: migration: add high-level migration wrappers

Instead of dealing with pre/post callbacks, allow devices to
implement a snapshot/restore mechanism; this has two main
advantages:

- it can be easily implemented via procedural macros

- there can be generic implementations to deal with various
  kinds of interior-mutable containers, from BqlRefCell to Mutex,
  so that C code does not see Rust concepts such as Mutex<>.

Using it is easy; you can implement the snapshot/restore trait
ToMigrationState and declare your state like:

     regs: Migratable<Mutex<MyDeviceRegisters>>

Migratable<> allows dereferencing to the underlying object with
no run-time cost.

Note that Migratable<> actually does not accept ToMigrationState,
only the similar ToMigrationStateShared trait that the user will mostly
not care about.  This is required by the fact that pre/post callbacks
take a &self, and ensures that the argument is a Mutex or BqlRefCell
(including an array or Arc<> thereof).

Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  rust: move VMState from bql to migration
Paolo Bonzini [Thu, 9 Oct 2025 08:24:54 +0000 (10:24 +0200)] 
rust: move VMState from bql to migration

The high-level wrapper Migratable<T> will contain a BqlCell,
which would introduce a circular dependency between the bql and
migration crates.  Move the implementation of VMState for cells
to "migration", together with the implementation for std types.

Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  rust: migration: extract vmstate_fields_ref
Paolo Bonzini [Wed, 17 Sep 2025 10:37:59 +0000 (12:37 +0200)] 
rust: migration: extract vmstate_fields_ref

This is useful when building a VMState for generic structs, because you have
to avoid nested statics.  Using vmstate_fields! will fail in the likely case
where the _FIELDS static uses Self from an outer item, because that is
forbidden.

The separate macros are needed because you cannot just do

                 .fields(vmstate_fields_ref! {
                      vmstate_of!(PL011State, clock),
                 })

The value returned by vmstate_fields_ref! is not promoted to static, which is
unfortunate but intentional (https://github.com/rust-lang/rust/issues/60502):

error[E0716]: temporary value dropped while borrowed
   --> rust/hw/char/pl011/libpl011.rlib.p/structured/device.rs:743:17
    |
738 | /      VMStateDescriptionBuilder::<PL011State>::new()
739 | |          .name(c"pl011/clock")
740 | |          .version_id(1)
741 | |          .minimum_version_id(1)
742 | |          .needed(&PL011State::clock_needed)
743 | |          .fields(vmstate_fields_ref! {
    | | _________________^
744 | ||              vmstate_of!(PL011State, clock),
745 | ||         })
    | ||_________^- argument requires that borrow lasts for `'static`
    |  |_________|
    |            creates a temporary value which is freed while still in use
746 |            .build();
    |                   - temporary value is freed at the end of this statement

Thus it is necessary to use the "static", whether explicitly or hidden by
vmstate_fields.

Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  rust: migration: validate termination of subsection arrays
Paolo Bonzini [Thu, 25 Sep 2025 08:41:12 +0000 (10:41 +0200)] 
rust: migration: validate termination of subsection arrays

For consistency with fields(), validate the value (at least to some extent)
before passing it to C.

Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  rust: migration: do not store raw pointers into VMStateSubsectionsWrapper
Paolo Bonzini [Thu, 25 Sep 2025 08:32:23 +0000 (10:32 +0200)] 
rust: migration: do not store raw pointers into VMStateSubsectionsWrapper

Raw pointers were used to insert a NULL one at the end of the array.
However, Option<&...> has the same layout and does not remove Sync
from the type of the array.

As an extra benefit, this enables validation of the terminator of the
subsection array, because is_null() in const context would not be stable
until Rust 1.84.

Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  rust: migration: do not pass raw pointer to VMStateDescription::fields
Paolo Bonzini [Thu, 25 Sep 2025 08:13:29 +0000 (10:13 +0200)] 
rust: migration: do not pass raw pointer to VMStateDescription::fields

Pass a slice instead; a function that accepts a raw pointer should
arguably be declared as unsafe.

But since it is now much easier to forget vmstate_fields!, validate the
value (at least to some extent) before passing it to C.  (Unfortunately,
doing the same for subsections would require const ptr::is_null(), which
is only stable in Rust 1.84).

Suggested-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  rust: bql: add BqlRefCell::get_mut()
Paolo Bonzini [Wed, 17 Sep 2025 10:10:45 +0000 (12:10 +0200)] 
rust: bql: add BqlRefCell::get_mut()

This method is rarely useful in QEMU due to the pervasiveness of
shared references, but add it for when a &mut BqlRefCell<> is used.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  accel/kvm: Factor kvm_cpu_synchronize_put() out
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 04:07:14 +0000 (06:07 +0200)] 
accel/kvm: Factor kvm_cpu_synchronize_put() out

The same code is duplicated 3 times: factor a common method.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Link: https://lore.kernel.org/r/20251008040715.81513-4-philmd@linaro.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  accel/kvm: Introduce KvmPutState enum
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 04:07:13 +0000 (06:07 +0200)] 
accel/kvm: Introduce KvmPutState enum

Join the 3 KVM_PUT_*_STATE definitions in a single enum.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Link: https://lore.kernel.org/r/20251008040715.81513-3-philmd@linaro.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  monitor: generalize query-mshv/"info mshv" to query-accelerators/"info accelerators"
Paolo Bonzini [Mon, 13 Oct 2025 10:49:04 +0000 (12:49 +0200)] 
monitor: generalize query-mshv/"info mshv" to query-accelerators/"info accelerators"

The recently-introduced query-mshv command is a duplicate of query-kvm,
and neither provides a full view of which accelerators are supported
by a particular binary of QEMU and which is in use.

KVM was the first accelerator added to QEMU, predating QOM and TYPE_ACCEL,
so it got a pass.  But now, instead of adding a badly designed copy, solve
the problem completely for all accelerators with a command that provides
the whole picture:

    >> {"execute": "query-accelerators"}
    << {"return": {"enabled": "tcg", "present": ["kvm", "mshv", "qtest", "tcg", "xen"]}}

Cc: Praveen K Paladugu <prapal@microsoft.com>
Cc: Magnus Kulke <magnuskulke@linux.microsoft.com>
Suggested-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  monitor: clarify "info accel" help message
Paolo Bonzini [Mon, 13 Oct 2025 10:59:28 +0000 (12:59 +0200)] 
monitor: clarify "info accel" help message

In preparation for adding "info accelerators", explain that this command
is about runtime statistics.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  target/i386: user: do not set up a valid LDT on reset
Paolo Bonzini [Mon, 13 Oct 2025 16:34:28 +0000 (18:34 +0200)] 
target/i386: user: do not set up a valid LDT on reset

In user-mode emulation, QEMU uses the default setting of the LDT base
and limit, which places it at the bottom 64K of virtual address space.
However, by default there is no LDT at all in Linux processes, and
therefore the limit should be 0.

This is visible as a NULL pointer dereference in LSL and LAR instructions
when they try to read the LDT at an unmapped address.

Resolves: #1376
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  async: access bottom half flags with qatomic_read
Paolo Bonzini [Mon, 13 Oct 2025 16:24:54 +0000 (18:24 +0200)] 
async: access bottom half flags with qatomic_read

Running test-aio-multithread under TSAN reveals data races on bh->flags.
Because bottom halves may be scheduled or canceled asynchronously,
without taking a lock, adjust aio_compute_bh_timeout() and aio_ctx_check()
to use a relaxed read to access the flags.

Use an acquire load to ensure that anything that was written prior to
qemu_bh_schedule() is visible.

Closes: https://gitlab.com/qemu-project/qemu/-/issues/2749
Closes: https://gitlab.com/qemu-project/qemu/-/issues/851
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  target/i386: fix access to the T bit of the TSS
Paolo Bonzini [Mon, 13 Oct 2025 16:08:12 +0000 (18:08 +0200)] 
target/i386: fix access to the T bit of the TSS

The T bit is bit 0 of the 16-bit word at offset 100 of the TSS.  However,
accessing it with a 32-bit word is not really correct, because bytes
102-103 contain the I/O map base address (relative to the base of the
TSS) and bits 1-15 are reserved.  In particular, any task switch to a TSS that
has a nonzero I/O map base address is broken.

This fixes the eventinj and taskswitch tests in kvm-unit-tests.

Cc: qemu-stable@nongnu.org
Fixes: ad441b8b791 ("target/i386: implement TSS trap bit", 2025-05-12)
Reported-by: Thomas Huth <thuth@redhat.com>
Closes: https://gitlab.com/qemu-project/qemu/-/issues/3101
Tested-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
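An added illustration of the layout point made in the commit message above; this is a constructed example, not QEMU's code, and the two "faulty" accessors are hypothetical patterns showing what goes wrong when the 16-bit T word at offset 100 is handled as a 32-bit dword that also covers the I/O map base at offset 102.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not QEMU code): a minimal 32-bit TSS image.
 * Per the commit message, the 16-bit word at offset 100 holds the T bit in
 * bit 0 (bits 1-15 reserved) and the 16-bit word at offset 102 holds the
 * I/O map base address, relative to the start of the TSS. */
#define TSS_SIZE         104
#define TSS_T_OFFSET     100
#define TSS_IOMAP_OFFSET 102

/* Byte-wise little-endian accessors over the raw TSS image, so the host
 * byte order does not affect the demonstration. */
static uint16_t tss_ldw(const uint8_t *tss, unsigned off)
{
    return (uint16_t)(tss[off] | (tss[off + 1] << 8));
}

static uint32_t tss_ldl(const uint8_t *tss, unsigned off)
{
    return tss_ldw(tss, off) | ((uint32_t)tss_ldw(tss, off + 2) << 16);
}

static void tss_stw(uint8_t *tss, unsigned off, uint16_t v)
{
    tss[off] = (uint8_t)v;
    tss[off + 1] = (uint8_t)(v >> 8);
}

static void tss_stl(uint8_t *tss, unsigned off, uint32_t v)
{
    tss_stw(tss, off, (uint16_t)v);
    tss_stw(tss, off + 2, (uint16_t)(v >> 16));
}

/* Build a TSS image with the given T bit and I/O map base, all else zero. */
void tss_init(uint8_t *tss, bool t_bit, uint16_t iomap_base)
{
    memset(tss, 0, TSS_SIZE);
    tss_stw(tss, TSS_T_OFFSET, t_bit ? 1 : 0);
    tss_stw(tss, TSS_IOMAP_OFFSET, iomap_base);
}

uint16_t tss_iomap_base(const uint8_t *tss)
{
    return tss_ldw(tss, TSS_IOMAP_OFFSET);
}

/* Correct: load the 16-bit word and test only bit 0. */
bool tss_t_bit(const uint8_t *tss)
{
    return (tss_ldw(tss, TSS_T_OFFSET) & 1) != 0;
}

/* Hypothetical faulty read: treat a nonzero 32-bit dword at offset 100 as
 * "T is set".  A nonzero I/O map base lands in the upper half, so every
 * task switch to such a TSS would look like a debug trap request. */
bool tss_t_bit_dword_nonzero(const uint8_t *tss)
{
    return tss_ldl(tss, TSS_T_OFFSET) != 0;
}

/* Correct write: update bit 0 of the 16-bit word, leaving bytes 102-103. */
void tss_set_t_bit(uint8_t *tss, bool t_bit)
{
    uint16_t w = tss_ldw(tss, TSS_T_OFFSET);
    tss_stw(tss, TSS_T_OFFSET, (uint16_t)((w & ~1u) | (t_bit ? 1u : 0u)));
}

/* Hypothetical faulty write: a 32-bit store of the T value overwrites the
 * I/O map base with zero. */
void tss_set_t_bit_dword(uint8_t *tss, bool t_bit)
{
    tss_stl(tss, TSS_T_OFFSET, t_bit ? 1u : 0u);
}

int main(void)
{
    uint8_t tss[TSS_SIZE];

    /* Constructed TSS: T clear, I/O map base 0x68 (just past the 104-byte
     * TSS, the common value).  The dword at offset 100 is then 0x00680000. */
    tss_init(tss, false, 0x68);
    printf("dword@100=0x%08x T(word)=%d T(dword!=0)=%d\n",
           tss_ldl(tss, TSS_T_OFFSET), tss_t_bit(tss),
           tss_t_bit_dword_nonzero(tss));

    tss_set_t_bit_dword(tss, true);
    printf("after dword store: iomap base=0x%x (was 0x68)\n",
           tss_iomap_base(tss));
    return 0;
}
```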
3 weeks ago  target/i386: fix x86_64 pushw op
Thomas Ogrisegg [Tue, 15 Jul 2025 21:03:07 +0000 (23:03 +0200)] 
target/i386: fix x86_64 pushw op

For x86_64 a 16 bit push op (pushw) of a memory address would generate
a 64 bit store on the stack instead of a 16 bit store.

For example:
        pushw (%rax)

behaves like
        pushq (%rax)

which is incorrect.

This patch fixes that.

Signed-off-by: Thomas Ogrisegg <tom-bugs-qemu@fnord.at>
Link: https://lore.kernel.org/r/20250715210307.GA1115@x1.fnord.at
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  i386/tcg/smm_helper: Properly apply DR values on SMM entry / exit
YiFei Zhu [Thu, 25 Sep 2025 10:30:57 +0000 (10:30 +0000)] 
i386/tcg/smm_helper: Properly apply DR values on SMM entry / exit

do_smm_enter and helper_rsm sets the env->dr, but does not sync the
values with cpu_x86_update_dr7. A malicious kernel may control the
instruction pointer in SMM by setting a breakpoint on the SMI
entry point, and after do_smm_enter cpu->breakpoints contains the
stale breakpoint; and because IDT is not reloaded upon SMI entry,
the debug exception handler controlled by the malicious kernel
is invoked.

Fixes: 01df040b5247 ("x86: Debug register emulation (Jan Kiszka)")
Reported-by: unvariant.winter@gmail.com
Signed-off-by: YiFei Zhu <zhuyifei@google.com>
Link: https://lore.kernel.org/r/2bacb9b24e9d337dbe48791aa25d349eb9c52c3a.1758794468.git.zhuyifei@google.com
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  i386/cpu: Prevent delivering SIPI during SMM in TCG mode
Paolo Bonzini [Sat, 11 Oct 2025 07:13:29 +0000 (09:13 +0200)] 
i386/cpu: Prevent delivering SIPI during SMM in TCG mode

[commit message by YiFei Zhu]

A malicious kernel may control the instruction pointer in SMM in a
multi-processor VM by sending a sequence of IPIs via APIC:

CPU0                               CPU1
IPI(CPU1, MODE_INIT)
                                   x86_cpu_exec_reset()
                                     apic_init_reset()
                                       s->wait_for_sipi = true
IPI(CPU1, MODE_SMI)
                                   do_smm_enter()
                                     env->hflags |= HF_SMM_MASK;
IPI(CPU1, MODE_STARTUP, vector)
                                   do_cpu_sipi()
                                     apic_sipi()
                                       /* s->wait_for_sipi check passes */
                                       cpu_x86_load_seg_cache_sipi(vector)

A different sequence, SMI INIT SIPI, is also buggy in TCG because
INIT is not blocked or latched during SMM. However, it is not
vulnerable to an instruction pointer control in the same way because
x86_cpu_exec_reset clears env->hflags, exiting SMM.

Fixes: a9bad65d2c1f ("target-i386: wake up processors that receive an SMI")
Analyzed-by: YiFei Zhu <zhuyifei@google.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  i386/kvm: Expose ARCH_CAP_FB_CLEAR when invulnerable to MDS
Jon Kohler [Wed, 8 Oct 2025 20:25:57 +0000 (13:25 -0700)] 
i386/kvm: Expose ARCH_CAP_FB_CLEAR when invulnerable to MDS

Newer Intel hardware (Sapphire Rapids and higher) sets multiple MDS
immunity bits in MSR_IA32_ARCH_CAPABILITIES but lacks the hardware-level
MSR_ARCH_CAP_FB_CLEAR (bit 17):
    ARCH_CAP_MDS_NO
    ARCH_CAP_TAA_NO
    ARCH_CAP_PSDP_NO
    ARCH_CAP_FBSDP_NO
    ARCH_CAP_SBDR_SSDP_NO

This prevents VMs with fb-clear=on from migrating from older hardware
(Cascade Lake, Ice Lake) to newer hardware, limiting live migration
capabilities. Note fb-clear was first introduced in v8.1.0 [1].

Expose MSR_ARCH_CAP_FB_CLEAR for MDS-invulnerable systems to enable
seamless migration between hardware generations.

Note: There is no impact when a guest migrates to newer hardware as
the existing bit combinations already mark the host as MMIO-immune and
disable FB_CLEAR operations in the kernel (see Linux's
arch_cap_mmio_immune() and vmx_update_fb_clear_dis()). See kernel side
discussion for [2] for additional context.

[1] 22e1094ca82 ("target/i386: add support for FB_CLEAR feature")
[2] https://patchwork.kernel.org/project/kvm/patch/20250401044931.793203-1-jon@nutanix.com/

Cc: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Suggested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Jon Kohler <jon@nutanix.com>
Link: https://lore.kernel.org/r/20251008202557.4141285-1-jon@nutanix.com
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  target/i386: Fix CR2 handling for non-canonical addresses
Mathias Krause [Thu, 12 Jun 2025 14:21:55 +0000 (16:21 +0200)] 
target/i386: Fix CR2 handling for non-canonical addresses

Commit 3563362ddfae ("target/i386: Introduce structures for mmu_translate")
accidentally modified CR2 for non-canonical address exceptions while these
should lead to a #GP / #SS instead -- without changing CR2.

Fix that.

A KUT test for this was submitted as [1].

[1] https://lore.kernel.org/kvm/20250612141637.131314-1-minipli@grsecurity.net/

Fixes: 3563362ddfae ("target/i386: Introduce structures for mmu_translate")
Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Link: https://lore.kernel.org/r/20250612142155.132175-1-minipli@grsecurity.net
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  target/i386: Add TSA feature flag verw-clear
Babu Moger [Thu, 10 Jul 2025 19:46:11 +0000 (14:46 -0500)] 
target/i386: Add TSA feature flag verw-clear

Transient Scheduler Attacks (TSA) are new speculative side channel attacks
related to the execution timing of instructions under specific
microarchitectural conditions. In some cases, an attacker may be able to
use this timing information to infer data from other contexts, resulting in
information leakage.

CPUID Fn8000_0021 EAX[5] (VERW_CLEAR). If this bit is 1, the memory form of
the VERW instruction may be used to help mitigate TSA.

Link: https://www.amd.com/content/dam/amd/en/documents/resources/bulletin/technical-guidance-for-mitigating-transient-scheduler-attacks.pdf
Co-developed-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Babu Moger <babu.moger@amd.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Link: https://lore.kernel.org/r/e6362672e3a67a9df661a8f46598335a1a2d2754.1752176771.git.babu.moger@amd.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  target/i386: Add TSA attack variants TSA-SQ and TSA-L1
Babu Moger [Thu, 10 Jul 2025 19:46:10 +0000 (14:46 -0500)] 
target/i386: Add TSA attack variants TSA-SQ and TSA-L1

Transient Scheduler Attacks (TSA) are new speculative side channel attacks
related to the execution timing of instructions under specific
microarchitectural conditions. In some cases, an attacker may be able to
use this timing information to infer data from other contexts, resulting in
information leakage.

AMD has identified two sub-variants of TSA.
CPUID Fn8000_0021 ECX[1] (TSA_SQ_NO).
If this bit is 1, the CPU is not vulnerable to TSA-SQ.

CPUID Fn8000_0021 ECX[2] (TSA_L1_NO).
If this bit is 1, the CPU is not vulnerable to TSA-L1.

Add the new feature word FEAT_8000_0021_ECX and corresponding bits to
detect TSA variants.

Link: https://www.amd.com/content/dam/amd/en/documents/resources/bulletin/technical-guidance-for-mitigating-transient-scheduler-attacks.pdf
Co-developed-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Babu Moger <babu.moger@amd.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Link: https://lore.kernel.org/r/12881b2c03fa351316057ddc5f39c011074b4549.1752176771.git.babu.moger@amd.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  rust: hpet: fix fw_cfg handling
Paolo Bonzini [Mon, 13 Oct 2025 14:49:12 +0000 (16:49 +0200)] 
rust: hpet: fix fw_cfg handling

HPET ids for fw_cfg are not assigned correctly, because there
is a read but no write.  This is caught by nightly Rust as
an unused-assignments warning, so fix it.

Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  rust: migration: hide more warnings from call_func_with_field!
Paolo Bonzini [Mon, 13 Oct 2025 14:01:55 +0000 (16:01 +0200)] 
rust: migration: hide more warnings from call_func_with_field!

The call_func_with_field! macro uses dead code willingly to infer
the appropriate type.  This has started adding a new warning:

error: unused variable: `value__`
 79 |             break phantom__(&{ let value__: $typ; value__.$($field).+ })

So shut it up together with the existing unreachable_code warning.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  rust: bits: disable double_parens check
Paolo Bonzini [Fri, 10 Oct 2025 14:57:56 +0000 (16:57 +0200)] 
rust: bits: disable double_parens check

It is showing in the output of the bits! macro when using the nightly
toolchain, though it's not clear if it is intentional or a bug.
Shut it up for now.

Link: https://github.com/rust-lang/rust-clippy/issues/15852
Reported-by: Richard Henderson <richard.henderson@linaro.org>
Suggested-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Link: https://lore.kernel.org/r/20251010145756.787800-1-pbonzini@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
3 weeks ago  hw/hppa: Reduce variables scope in common_init()
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 05:58:16 +0000 (07:58 +0200)] 
hw/hppa: Reduce variables scope in common_init()

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251010061836.45739-4-philmd@linaro.org>

3 weeks ago  hw/hppa: Factor QOM HPPA_COMMON_MACHINE out
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 14:42:02 +0000 (16:42 +0200)] 
hw/hppa: Factor QOM HPPA_COMMON_MACHINE out

B160L and C3700 share a lot of common code. Factor it out
as an abstract HPPA_COMMON_MACHINE QOM parent.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251009143106.22724-4-philmd@linaro.org>

3 weeks ago  hw/hppa: Convert type_init() -> DEFINE_TYPES()
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 14:38:34 +0000 (16:38 +0200)] 
hw/hppa: Convert type_init() -> DEFINE_TYPES()

Prefer DEFINE_TYPES() macro over type_init() to register
multiple QOM types.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251009143106.22724-3-philmd@linaro.org>

3 weeks ago  hw/loongarch/boot: Remove unnecessary cast to target_ulong
Philippe Mathieu-Daudé [Wed, 8 Oct 2025 06:14:37 +0000 (08:14 +0200)] 
hw/loongarch/boot: Remove unnecessary cast to target_ulong

Reduce initrd_size scope. It is already of signed type (ssize_t),
no need to cast to unsigned for the comparison.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251009201947.34643-2-philmd@linaro.org>

3 weeks ago hw/vmapple: include missing headers
Mohamed Mediouni [Tue, 7 Oct 2025 20:31:50 +0000 (22:31 +0200)] 
hw/vmapple: include missing headers

Disablement by default led to:

../hw/vmapple/vmapple.c:276:39: error: use of undeclared identifier 'GTIMER_VIRT'
  276 |         qdev_connect_gpio_out(cpudev, GTIMER_VIRT,
      |                                       ^
../hw/vmapple/vmapple.c:479:54: error: use of undeclared identifier 'QEMU_PSCI_CONDUIT_HVC'
  479 |         object_property_set_int(cpu, "psci-conduit", QEMU_PSCI_CONDUIT_HVC,
      |                                                      ^
../hw/vmapple/vmapple.c:556:13: error: call to undeclared function 'arm_build_mp_affinity'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
  556 |             arm_build_mp_affinity(n, GICV3_TARGETLIST_BITS);
      |             ^
3 errors generated.

pretty quickly.

Signed-off-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20251007203153.30136-2-mohamed@unpredictable.fr>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

3 weeks ago hw/s390x/sclp: Do not ignore address_space_read/write() errors
Philippe Mathieu-Daudé [Tue, 7 Oct 2025 01:55:08 +0000 (03:55 +0200)] 
hw/s390x/sclp: Do not ignore address_space_read/write() errors

If address_space_read() fails, return PGM_ADDRESSING. In the
unlikely case address_space_write() fails (we already checked
the address is readable), return PGM_PROTECTION.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Jason J. Herne <jjherne@linux.ibm.com>
Message-Id: <20251007015802.24748-1-philmd@linaro.org>


3 weeks ago hw/arm/aspeed: Don't set 'auto_create_sdcard'
Cédric Le Goater [Fri, 3 Oct 2025 10:30:24 +0000 (12:30 +0200)] 
hw/arm/aspeed: Don't set 'auto_create_sdcard'

The Aspeed machines inherited from a 'no_sdcard' attribute when first
introduced in QEMU. This attribute was later renamed to
'auto_create_sdcard' by commit cdc8d7cadaac ("hw/boards: Rename
no_sdcard -> auto_create_sdcard") and set to 'true'. This has the
undesirable effect to automatically create SD cards at init time.

Remove 'auto_create_sdcard' to avoid creating an SD card device.

Cc: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20251003103024.1863551-1-clg@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

3 weeks ago hw/net/can/xlnx-versal-canfd: remove unused include directives
Luc Michel [Thu, 2 Oct 2025 07:34:14 +0000 (09:34 +0200)] 
hw/net/can/xlnx-versal-canfd: remove unused include directives

Drop unnecessary include directives in xlnx-versal-canfd.c.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Francisco Iglesias <francisco.iglesias@amd.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Signed-off-by: Luc Michel <luc.michel@amd.com>
Message-ID: <20251002073418.109375-6-luc.michel@amd.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

3 weeks ago hw/sparc/leon3: Remove unnecessary CPU() QOM cast
Philippe Mathieu-Daudé [Thu, 2 Oct 2025 02:26:32 +0000 (04:26 +0200)] 
hw/sparc/leon3: Remove unnecessary CPU() QOM cast

env_cpu() already returns a CPUState type, no need to cast.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Clément Chigot <chigot@adacore.com>
Message-Id: <20251002033623.26800-1-philmd@linaro.org>

3 weeks ago hw/xtensa/xtfpga: Have xtfpga_init() only initialize MMU
Philippe Mathieu-Daudé [Tue, 26 Aug 2025 14:16:30 +0000 (16:16 +0200)] 
hw/xtensa/xtfpga: Have xtfpga_init() only initialize MMU

cpu_reset() should not be used with an unrealized CPU.
Here we simply want to initialize the MMU, not the CPU,
so just call reset_mmu().

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Max Filippov <jcmvbkbc@gmail.com>
Message-Id: <20250925013513.67780-1-philmd@linaro.org>

3 weeks ago hw/ppc: Do not open-code cpu_resume() in spin_kick()
Philippe Mathieu-Daudé [Mon, 25 Aug 2025 15:21:13 +0000 (17:21 +0200)] 
hw/ppc: Do not open-code cpu_resume() in spin_kick()

In order to make the code easier to follow / review,
use the cpu_resume() helper instead of open-coding it.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20250924173028.53658-2-philmd@linaro.org>

3 weeks ago hw/display/xenfb: Replace unreachable code by g_assert_not_reached()
Markus Armbruster [Tue, 29 Jul 2025 11:12:26 +0000 (13:12 +0200)] 
hw/display/xenfb: Replace unreachable code by g_assert_not_reached()

xenfb_mouse_event() has a switch statement whose controlling
expression move->axis is an enum InputAxis.  The enum values are
INPUT_AXIS_X and INPUT_AXIS_Y, encoded as 0 and 1.  The switch has a
case for both axes.  In addition, it has an unreachable default label.
This convinces Coverity that move->axis can be greater than 1.  It
duly reports a buffer overrun when it is used to subscript an array
with two elements.

Replace the unreachable code by g_assert_not_reached().

Resolves: Coverity CID 1613906
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250729111226.3627499-1-armbru@redhat.com>
[PMD: s/abort/g_assert_not_reached/]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

3 weeks ago hw/arm/aspeed_ast27x0-{ssp,tsp}: Fix coding style
Jamin Lin [Mon, 13 Oct 2025 05:43:28 +0000 (13:43 +0800)] 
hw/arm/aspeed_ast27x0-{ssp,tsp}: Fix coding style

Fix coding style warnings in aspeed_ast27x0-ssp.c and aspeed_ast27x0-tsp.c
reported by checkpatch.pl regarding line length exceeding 80 characters.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20251013054334.955331-17-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>

3 weeks ago hw/arm/aspeed_ast27x0-tsp: Rename type to TYPE_ASPEED27X0TSP_COPROCESSOR
Jamin Lin [Mon, 13 Oct 2025 05:43:27 +0000 (13:43 +0800)] 
hw/arm/aspeed_ast27x0-tsp: Rename type to TYPE_ASPEED27X0TSP_COPROCESSOR

Rename the AST27x0 TSP type from TYPE_ASPEED27X0TSP_SOC to
TYPE_ASPEED27X0TSP_COPROCESSOR to align with the naming convention used
for the SSP coprocessor (TYPE_ASPEED27X0SSP_COPROCESSOR).
This change clarifies that TSP is implemented as a coprocessor rather than
a full SoC.

This ensures consistent terminology between SSP and TSP components and
improves clarity within the coprocessor subsystem code.

No functional change.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20251013054334.955331-16-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>

3 weeks ago hw/arm/aspeed_ast27x0-ssp: Rename type to TYPE_ASPEED27X0SSP_COPROCESSOR
Jamin Lin [Mon, 13 Oct 2025 05:43:26 +0000 (13:43 +0800)] 
hw/arm/aspeed_ast27x0-ssp: Rename type to TYPE_ASPEED27X0SSP_COPROCESSOR

Rename the AST27x0 SSP type from TYPE_ASPEED27X0SSP_SOC to
TYPE_ASPEED27X0SSP_COPROCESSOR to better reflect its role as a coprocessor
rather than a standalone SoC. This aligns naming conventions with the
coprocessor-based design introduced in earlier refactors.

This change improves naming consistency across SSP and TSP coprocessor
implementations and clarifies their relationship to the unified
Aspeed27x0CoprocessorState.

No functional change.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20251013054334.955331-15-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>

3 weeks ago hw/arm/aspeed_ast27x0-tsp: Change to use Aspeed27x0CoprocessorState
Jamin Lin [Mon, 13 Oct 2025 05:43:25 +0000 (13:43 +0800)] 
hw/arm/aspeed_ast27x0-tsp: Change to use Aspeed27x0CoprocessorState

Refactor the AST27x0 TSP implementation to use the unified
Aspeed27x0CoprocessorState, matching the prior SSP change and removing the
duplicated Aspeed27x0TSPSoCState.

Key updates:
- Delete Aspeed27x0TSPSoCState and reuse Aspeed27x0CoprocessorState.

Update Ast2700FCState to declare tsp as Aspeed27x0CoprocessorState.
This aligns TSP with SSP on a single coprocessor state type, reducing code
duplication and simplifying maintenance.

No functional change.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20251013054334.955331-14-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>

3 weeks ago hw/arm/aspeed_ast27x0-ssp: Change to use Aspeed27x0CoprocessorState
Jamin Lin [Mon, 13 Oct 2025 05:43:24 +0000 (13:43 +0800)] 
hw/arm/aspeed_ast27x0-ssp: Change to use Aspeed27x0CoprocessorState

Refactor the AST27x0 SSP implementation to use the unified
Aspeed27x0CoprocessorState structure shared between SSP and TSP.
Previously, SSP and TSP each defined separate state structures
(Aspeed27x0SSPSoCState and Aspeed27x0TSPSoCState), which contained
identical members and caused unnecessary code duplication.

This change removes Aspeed27x0SSPSoCState and replaces it with
Aspeed27x0CoprocessorState, consolidating shared coprocessor state fields
into a single definition in aspeed_coprocessor.h.

This refactor unifies SSP and TSP under the same coprocessor state type,
improving code maintainability and consistency across Aspeed coprocessor
implementations.

No functional change.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20251013054334.955331-13-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>

3 weeks ago hw/arm/aspeed_ast27x0-tsp: Make AST27x0 TSP inherit from AspeedCoprocessor instead...
Jamin Lin [Mon, 13 Oct 2025 05:43:23 +0000 (13:43 +0800)] 
hw/arm/aspeed_ast27x0-tsp: Make AST27x0 TSP inherit from AspeedCoprocessor instead of AspeedSoC

Refactor the AST27x0 TSP implementation to derive from the newly introduced
AspeedCoprocessor base class rather than AspeedSoC. The AspeedSoC class
includes SoC-level infrastructure and peripheral definitions that are not
applicable to lightweight coprocessor subsystems such as TSP, resulting in
unnecessary coupling and complexity.

This change moves the Aspeed27x0TSPSoCState structure definition into
aspeed_coprocessor.h and updates all related references in
aspeed_ast27x0-tsp.c and aspeed_ast27x0-fc.c to use
AspeedCoprocessorState and AspeedCoprocessorClass.

Key updates include:

- Replace inheritance from AspeedSoC -> AspeedCoprocessor.
- Update type casts and macros from ASPEED_SOC_* to ASPEED_COPROCESSOR_*

This refactor improves modularity, reduces memory footprint, and prepares
for future coprocessor variants to share a lighter-weight common base.

No functional change.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20251013054334.955331-12-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>