git.ipfire.org Git - thirdparty/qemu.git/log
4 weeks ago hw/pci-host/astro: Encode Astro version numbers
Helge Deller [Sat, 28 Mar 2026 23:36:18 +0000 (00:36 +0100)] 
hw/pci-host/astro: Encode Astro version numbers

Add enum which encodes the Astro version numbers.

Signed-off-by: Helge Deller <deller@gmx.de>
Suggested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
4 weeks ago linux-user: Fix a memory leak when pthread_create fails
Warner Losh [Thu, 7 May 2026 19:24:40 +0000 (13:24 -0600)] 
linux-user: Fix a memory leak when pthread_create fails

Fix one of the TODO items when creating a new thread: release the copied
cpu and free the task state.

Signed-off-by: Warner Losh <imp@bsdimp.com>
Reviewed-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>
4 weeks ago linux-user/sh4: Fix setup_sigtramp to match Linux kernel trampoline pattern
Matt Turner [Thu, 14 May 2026 16:55:26 +0000 (12:55 -0400)] 
linux-user/sh4: Fix setup_sigtramp to match Linux kernel trampoline pattern

QEMU used MOVW(2) (0x9300), which loads the syscall number from PC+4,
instead of the kernel's MOVW(7) (0x9305), which loads from PC+14.  The
kernel uses five "or r0,r0" nop pads between TRAP_NOARG and the syscall
number word to reach that offset.  libunwind's unw_is_signal_frame checks
for the exact kernel byte pattern 0xc3109305 at the frame PC, so QEMU's
compact layout was not detected, breaking unwinding through signal frames.

Expand each trampoline from 6 to 16 bytes matching the kernel layout
defined in arch/sh/kernel/signal_32.c:

  #define MOVW(n)    (0x9300|((n)-2))  /* Move mem word at PC+n to R3 */
  #define TRAP_NOARG 0xc310            /* Syscall w/no args (NR in R3) */
  #define OR_R0_R0   0x200b            /* or r0,r0 (insert to avoid hardware bug) */

  __put_user(MOVW(7),          &frame->retcode[0]);  /* 0x9305 */
  __put_user(TRAP_NOARG,       &frame->retcode[1]);  /* 0xc310 */
  __put_user(OR_R0_R0,         &frame->retcode[2]);  /* 0x200b */
  __put_user(OR_R0_R0,         &frame->retcode[3]);  /* 0x200b */
  __put_user(OR_R0_R0,         &frame->retcode[4]);  /* 0x200b */
  __put_user(OR_R0_R0,         &frame->retcode[5]);  /* 0x200b */
  __put_user(OR_R0_R0,         &frame->retcode[6]);  /* 0x200b */
  __put_user((__NR_sigreturn), &frame->retcode[7]);

The first two halfwords (MOVW(7) || TRAP_NOARG = 0xc3109305) form the
32-bit value libunwind checks at the frame PC, followed by two
OR_R0_R0 halfwords (0x200b200b) at PC+4.  The same layout applies to
the rt_sigreturn trampoline (lines 366-373 of signal_32.c).

Neither this fix nor the companion tuc_link fix is independently
sufficient: this fix makes signal frames detectable but register reads
remain garbage without the correct ucontext layout; that fix corrects the
ucontext layout but libunwind still cannot detect the frame without the
correct trampoline pattern.  Together they fix the following libunwind
tests on a 64-bit host:
  Gtest-sig-context, Gtest-trace, Ltest-init-local-signal,
  Ltest-sig-context, Ltest-trace

Signed-off-by: Matt Turner <mattst88@gmail.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Helge Deller <deller@gmx.de>
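
The two trampoline layouts from the commit message above, as an added example that is not QEMU, kernel or libunwind code. It assumes a little-endian SH4 target; SAMPLE_NR, the function names and the pattern check are constructed for illustration, and the load-offset formula simply reproduces the PC+4 and PC+14 figures the message gives.

```c
#include <stdint.h>
#include <stdio.h>

/* Macros as quoted in the commit message from arch/sh/kernel/signal_32.c. */
#define MOVW(n)    (0x9300 | ((n) - 2))
#define TRAP_NOARG 0xc310
#define OR_R0_R0   0x200b

#define SAMPLE_NR  119          /* constructed sample syscall number */
#define KERNEL_SIG 0xc3109305u  /* 32-bit value named in the message */

/* 16-byte kernel layout: MOVW(7), trap, five nop pads, syscall number. */
void build_kernel_tramp(uint16_t code[8], uint16_t nr)
{
    code[0] = MOVW(7);
    code[1] = TRAP_NOARG;
    for (int i = 2; i < 7; i++) {
        code[i] = OR_R0_R0;
    }
    code[7] = nr;
}

/* 6-byte layout the message says QEMU emitted before the fix. */
void build_compact_tramp(uint16_t code[3], uint16_t nr)
{
    code[0] = MOVW(2);
    code[1] = TRAP_NOARG;
    code[2] = nr;
}

/* 32-bit little-endian value formed by two consecutive halfwords. */
uint32_t tramp_word(const uint16_t *code)
{
    return (uint32_t)code[0] | ((uint32_t)code[1] << 16);
}

/* Model of the detection rule described in the message: the word at the
 * frame PC must equal the kernel's exact byte pattern. */
int matches_kernel_pattern(const uint16_t *code)
{
    return tramp_word(code) == KERNEL_SIG;
}

/* Byte offset, relative to the MOVW instruction, of the halfword it loads:
 * 4 for 0x9300 and 14 for 0x9305, as stated in the message. */
unsigned movw_load_offset(uint16_t insn)
{
    return 4 + 2 * (insn & 0xff);
}

/* Syscall number the trampoline would actually load into R3. */
uint16_t loaded_syscall_nr(const uint16_t *code)
{
    return code[movw_load_offset(code[0]) / 2];
}

int main(void)
{
    uint16_t kernel[8], compact[3];

    build_kernel_tramp(kernel, SAMPLE_NR);
    build_compact_tramp(compact, SAMPLE_NR);

    printf("kernel : word=0x%08x detected=%d nr=%u\n",
           (unsigned)tramp_word(kernel), matches_kernel_pattern(kernel),
           (unsigned)loaded_syscall_nr(kernel));
    printf("compact: word=0x%08x detected=%d nr=%u\n",
           (unsigned)tramp_word(compact), matches_kernel_pattern(compact),
           (unsigned)loaded_syscall_nr(compact));
    return 0;
}
```

Both layouts load the same syscall number, so the compact one executes correctly; only the byte pattern an unwinder matches on differs.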
4 weeks ago linux-user/sh4: Fix target_ucontext tuc_link field type
Matt Turner [Thu, 14 May 2026 16:55:25 +0000 (12:55 -0400)] 
linux-user/sh4: Fix target_ucontext tuc_link field type

tuc_link is declared as 'struct target_ucontext *', which is a HOST
pointer.  On a 64-bit host running a 32-bit SH4 target, this is 8 bytes
instead of the 4 bytes the target expects; padding pushes tuc_mcontext
8 bytes past its correct offset.

When a signal handler receives ucontext_t *, every field accessed through
uc_mcontext (gregs[], pc, pr, ...) is read from the wrong address.  In
particular the saved PC comes back as a garbage stack value, which breaks
any code that initialises a libunwind cursor from the signal context.

Fix it by using abi_ulong, which is always sized to the target ABI (4
bytes for SH4), matching the layout the kernel and glibc agree on.  This
is the same pattern used by arm/signal.c.

Also remove the (unsigned long *) cast from the __put_user that zeros
tuc_link.  The cast was harmless when tuc_link was pointer-sized (8
bytes matching unsigned long on a 64-bit host), but after the type
change __put_user's sizeof dispatch would select stq_le_p (8-byte write)
for a now-4-byte field, silently overwriting the start of tuc_stack.

Neither this fix nor the companion setup_sigtramp fix is independently
sufficient: this fix corrects register values read from the signal context
but libunwind still cannot detect the frame without the correct trampoline
pattern; that fix makes the frame detectable but register reads remain
garbage without the correct ucontext layout.  Together they fix the
following libunwind tests on a 64-bit host:
  Gtest-sig-context, Gtest-trace, Ltest-init-local-signal,
  Ltest-sig-context, Ltest-trace

Signed-off-by: Matt Turner <mattst88@gmail.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Helge Deller <deller@gmx.de>
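
The layout shift and the oversized store described in the commit message above, as an added example that is not QEMU code. The structs are simplified stand-ins (target_stack_t is reduced to three 4-byte fields and tuc_mcontext to a placeholder array), and stack_sp_survives() is a constructed model of a store whose width is picked from the pointee size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t abi_ulong;          /* 4 bytes: the SH4 target word */

typedef struct {                     /* simplified stand-in, 12 bytes */
    abi_ulong ss_sp;
    int32_t   ss_flags;
    abi_ulong ss_size;
} target_stack_t;

struct uc_before {                   /* tuc_link as a host pointer */
    abi_ulong         tuc_flags;
    struct uc_before *tuc_link;      /* 8 bytes, 8-aligned on a 64-bit host */
    target_stack_t    tuc_stack;
    abi_ulong         tuc_mcontext[4];   /* placeholder register block */
};

struct uc_after {                    /* tuc_link sized to the target ABI */
    abi_ulong      tuc_flags;
    abi_ulong      tuc_link;
    target_stack_t tuc_stack;
    abi_ulong      tuc_mcontext[4];  /* placeholder register block */
};

/* How far tuc_mcontext moves when tuc_link is a host pointer. */
size_t mcontext_shift(void)
{
    return offsetof(struct uc_before, tuc_mcontext) -
           offsetof(struct uc_after, tuc_mcontext);
}

/* Zero tuc_link in the fixed layout with a store of `width` bytes and
 * report whether the neighbouring tuc_stack.ss_sp kept its value.
 * Returns 1 if intact, 0 if clobbered, -1 for an unsupported width. */
int stack_sp_survives(size_t width)
{
    struct uc_after uc;
    const uint64_t zero = 0;
    size_t off = offsetof(struct uc_after, tuc_link);

    if (width > sizeof(zero) || width > sizeof(uc) - off) {
        return -1;
    }
    memset(&uc, 0, sizeof(uc));
    uc.tuc_stack.ss_sp = 0xdeadbeef;             /* sentinel */
    memcpy((unsigned char *)&uc + off, &zero, width);
    return uc.tuc_stack.ss_sp == 0xdeadbeef;
}

int main(void)
{
    printf("tuc_mcontext offset: before=%zu after=%zu shift=%zu\n",
           offsetof(struct uc_before, tuc_mcontext),
           offsetof(struct uc_after, tuc_mcontext), mcontext_shift());
    printf("4-byte store keeps ss_sp: %d\n",
           stack_sp_survives(sizeof(abi_ulong)));
    printf("8-byte store keeps ss_sp: %d\n", stack_sp_survives(8));
    return 0;
}
```

On a 32-bit host the shift is 0, which is why the message ties the failure to 64-bit hosts.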
4 weeks ago linux-user: Fix AT_EXECFN in AUXV for symlinked programs
Helge Deller [Fri, 1 May 2026 10:56:12 +0000 (12:56 +0200)] 
linux-user: Fix AT_EXECFN in AUXV for symlinked programs

The AT_EXECFN entry in AUXV needs to keep the value which was used when
the program was started. Especially for symlinked programs qemu should
not try to resolve the realpath.

Here is a reproducer:
(arm64-chroot)root@p100:/# cd /usr/bin
(arm64-chroot)root@p100:/usr/bin# ln -s echo testprog
(arm64-chroot)root@p100:/usr/bin# LD_SHOW_AUXV=1 ./testprog | grep AT_EXECFN
AT_EXECFN:            ./testprog

In this example, "./testprog" is the correct output, and not "/usr/bin/echo".

This patch fixes parts of commit 258bec39 ("linux-user: Fix access to
/proc/self/exe").

Fixes: 258bec39 ("linux-user: Fix access to /proc/self/exe")
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3379
Signed-off-by: Helge Deller <deller@gmx.de>
4 weeks ago Merge tag 'firmware-20260519-pull-request' of https://gitlab.com/kraxel/qemu into...
Stefan Hajnoczi [Tue, 19 May 2026 13:28:07 +0000 (09:28 -0400)] 
Merge tag 'firmware-20260519-pull-request' of https://gitlab.com/kraxel/qemu into staging

- one more uefi-vars bugfix
- add igvm support for microvm

# gpg: Signature made Tue 19 May 2026 04:55:28 EDT
# gpg:                using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* tag 'firmware-20260519-pull-request' of https://gitlab.com/kraxel/qemu:
  hw/i386/microvm: Add IGVM support
  hw/uefi: check auth.hdr_length minimum size

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
4 weeks ago Merge tag 'qtest-20260518-pull-request' of https://gitlab.com/farosas/qemu into staging
Stefan Hajnoczi [Tue, 19 May 2026 13:27:48 +0000 (09:27 -0400)] 
Merge tag 'qtest-20260518-pull-request' of https://gitlab.com/farosas/qemu into staging

QTest pull request

- fix strstr issue

# gpg: Signature made Mon 18 May 2026 11:52:20 EDT
# gpg:                using RSA key AA1B48B0A22326A5A4C364CFC798DC741BEC319D
# gpg:                issuer "farosas@suse.de"
# gpg: Good signature from "Fabiano Rosas <farosas@suse.de>" [unknown]
# gpg:                 aka "Fabiano Almeida Rosas <fabiano.rosas@suse.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: AA1B 48B0 A223 26A5 A4C3  64CF C798 DC74 1BEC 319D

* tag 'qtest-20260518-pull-request' of https://gitlab.com/farosas/qemu:
  tests/qtest: fix discarded const qualifier warning

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 weeks ago tests/qtest: fix discarded const qualifier warning
Matthew Penney [Thu, 14 May 2026 19:19:18 +0000 (19:19 +0000)] 
tests/qtest: fix discarded const qualifier warning

Modern compilers warn that the result of strstr() may discard
const qualifiers when assigned to a non-const pointer.

Make 'found' a const char * to fix the warning.

Signed-off-by: Matthew Penney <matt@matthewpenney.net>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Tested-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
5 weeks ago hw/i386/microvm: Add IGVM support
Luigi Leonardi [Tue, 12 May 2026 15:14:12 +0000 (17:14 +0200)] 
hw/i386/microvm: Add IGVM support

The IGVM infrastructure operates on X86MachineState and is already
machine-type-agnostic, but the "igvm-cfg" QOM property is only
registered on the PC machine type. Register it on microvm as well.

When an IGVM file is configured, the firmware image is provided as
a payload of the IGVM file so skip loading the default BIOS.

Signed-off-by: Luigi Leonardi <leonardi@redhat.com>
Message-ID: <20260512-microvm_igvm-v1-1-8b1fd8861235@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
5 weeks ago hw/uefi: check auth.hdr_length minimum size
Gerd Hoffmann [Tue, 12 May 2026 06:05:23 +0000 (08:05 +0200)] 
hw/uefi: check auth.hdr_length minimum size

auth.hdr_length maximum is already checked (against buffer size).  The
header has some fixed fields which are included in the header length, so
there also is a minimum size which must be verified.  Add a check for
that.  Fixes possible integer underflow.

While at it, replace the magic number '24' with sizeof calculations
for better code documentation.

Fixes: CVE-2026-8341
Fixes: f1488fac0584 ("hw/uefi: add var-service-auth.c")
Reported-by: Feifan Qian <bea1e@proton.me>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20260512060523.17493-1-kraxel@redhat.com>
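
A length check with and without the minimum bound described in the commit message above, as an added example that is not QEMU's code. The header struct, its field names other than hdr_length, and the function names are constructed; the fixed fields are sized to total 24 bytes to match the magic number the message mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed header: hdr_length counts these fixed fields plus the
 * variable-length data that follows them. */
struct auth_hdr {
    uint32_t hdr_length;
    uint16_t revision;
    uint16_t cert_type;
    uint8_t  type_guid[16];
};

#define HDR_FIXED ((uint32_t)sizeof(struct auth_hdr))
_Static_assert(sizeof(struct auth_hdr) == 24, "fixed fields total 24 bytes");

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build a constructed sample buffer carrying the given hdr_length. */
void make_sample(uint8_t *buf, size_t len, uint32_t hdr_length)
{
    memset(buf, 0, len);
    buf[0] = (uint8_t)hdr_length;
    buf[1] = (uint8_t)(hdr_length >> 8);
    buf[2] = (uint8_t)(hdr_length >> 16);
    buf[3] = (uint8_t)(hdr_length >> 24);
}

/* Maximum check only: a hdr_length below the fixed size passes, and the
 * subtraction wraps to a huge data length. */
int data_len_max_only(const uint8_t *buf, size_t len, uint32_t *out)
{
    uint32_t hdr_length;

    if (len < HDR_FIXED) {
        return -1;
    }
    hdr_length = read_le32(buf);
    if (hdr_length > len) {
        return -1;
    }
    *out = hdr_length - HDR_FIXED;   /* unsigned wrap if hdr_length < 24 */
    return 0;
}

/* Same parse with the minimum bound added before the subtraction. */
int data_len_checked(const uint8_t *buf, size_t len, uint32_t *out)
{
    uint32_t hdr_length;

    if (len < HDR_FIXED) {
        return -1;
    }
    hdr_length = read_le32(buf);
    if (hdr_length > len || hdr_length < HDR_FIXED) {
        return -1;
    }
    *out = hdr_length - HDR_FIXED;
    return 0;
}

int main(void)
{
    uint8_t buf[64];
    uint32_t n = 0;

    make_sample(buf, sizeof(buf), 8);     /* shorter than the fixed fields */
    if (data_len_max_only(buf, sizeof(buf), &n) == 0) {
        printf("max-only check accepts hdr_length=8, data length 0x%08x\n",
               (unsigned)n);
    }
    printf("with minimum check: %d\n",
           data_len_checked(buf, sizeof(buf), &n));
    return 0;
}
```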

5 weeks ago Merge tag 'pull-nvme-20260518' of https://gitlab.com/birkelund/qemu into staging
Stefan Hajnoczi [Mon, 18 May 2026 12:33:19 +0000 (08:33 -0400)] 
Merge tag 'pull-nvme-20260518' of https://gitlab.com/birkelund/qemu into staging

nvme queue

# gpg: Signature made Mon 18 May 2026 07:52:32 EDT
# gpg:                using RSA key 522833AA75E2DCE6A24766C04DE1AF316D4F0DE9
# gpg: Good signature from "Klaus Jensen <its@irrelevant.dk>" [unknown]
# gpg:                 aka "Klaus Jensen <k.jensen@samsung.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: DDCA 4D9C 9EF9 31CC 3468  4272 63D5 6FC5 E55D A838
#      Subkey fingerprint: 5228 33AA 75E2 DCE6 A247  66C0 4DE1 AF31 6D4F 0DE9

* tag 'pull-nvme-20260518' of https://gitlab.com/birkelund/qemu:
  hw/nvme: fix admin cq msix setup
  hw/nvme: add user controlled 'firmware-version' property
  hw/nvme: add user controlled 'model' property
  hw/nvme: report error for oversized 'serial' parameter
  include/block: define constants for NVME string fields

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 weeks ago hw/nvme: fix admin cq msix setup
Klaus Jensen [Wed, 18 Mar 2026 09:26:58 +0000 (10:26 +0100)] 
hw/nvme: fix admin cq msix setup

If MSI-X is not enabled when the admin completion queue is created,
msix_vector_use() is not called. But, if MSI-X is subsequently enabled,
msix_notify() will fail to fire the interrupt because the use count for
the vector remains at 0.

msix_vector_use/unuse should be called if MSI-X is *present*, not
*enabled*. Fix this.

Cc: qemu-stable@nongnu.org
Reported-by: Andreas Hindborg <a.hindborg@samsung.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
5 weeks ago hw/nvme: add user controlled 'firmware-version' property
Daniel P. Berrangé [Fri, 6 Mar 2026 16:57:17 +0000 (16:57 +0000)] 
hw/nvme: add user controlled 'firmware-version' property

This enables overriding the built in default QEMU project version string
with a user specified string. The value can be at most 8 characters
in length.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
5 weeks ago hw/nvme: add user controlled 'model' property
Daniel P. Berrangé [Fri, 6 Mar 2026 16:57:16 +0000 (16:57 +0000)] 
hw/nvme: add user controlled 'model' property

This enables overriding the built in default "QEMU NVMe Ctrl" string
with a user specified string. The value can be at most 40 characters
in length.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
5 weeks ago hw/nvme: report error for oversized 'serial' parameter
Daniel P. Berrangé [Fri, 6 Mar 2026 16:57:15 +0000 (16:57 +0000)] 
hw/nvme: report error for oversized 'serial' parameter

The 'serial' accepted by the NVME device is at most 20 characters
long. An over-sized user supplied value should be reported rather
than silently truncated.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
5 weeks ago include/block: define constants for NVME string fields
Daniel P. Berrangé [Fri, 6 Mar 2026 16:57:14 +0000 (16:57 +0000)] 
include/block: define constants for NVME string fields

The version, model and serial fields accept fixed length strings.
Add constants to enable user supplied strings to be validated.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
5 weeks ago Merge tag 'vhost-user-rtc-pr-1' of https://gitlab.com/epilys/qemu into staging
Stefan Hajnoczi [Sat, 16 May 2026 21:37:33 +0000 (17:37 -0400)] 
Merge tag 'vhost-user-rtc-pr-1' of https://gitlab.com/epilys/qemu into staging

vhost-user-rtc-pr-1

# gpg: Signature made Fri 15 May 2026 09:14:51 EDT
# gpg:                using RSA key CC5C1B4E44A056F387701D107729C7707F7E09D0
# gpg: Good signature from "Manos Pitsidianakis <manos@pitsidianak.is>" [full]
# gpg:                 aka "Manos Pitsidianakis <el13635@mail.ntua.gr>" [full]
# gpg:                 aka "Manos Pitsidianakis <manos.pitsidianakis@linaro.com>" [full]
# gpg:                 aka "Manos Pitsidianakis <manos.pitsidianakis@linaro.org>" [full]
# Primary key fingerprint: 7C72 1DF9 DB3C C718 2311  C0BF 68BC 211D 47B4 21E1
#      Subkey fingerprint: CC5C 1B4E 44A0 56F3 8770  1D10 7729 C770 7F7E 09D0

* tag 'vhost-user-rtc-pr-1' of https://gitlab.com/epilys/qemu:
  virtio: Add vhost-user-rtc and vhost-user-rtc-pci

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 weeks ago Merge tag 'pull-target-arm-20260515' of https://gitlab.com/pm215/qemu into staging
Stefan Hajnoczi [Sat, 16 May 2026 21:35:56 +0000 (17:35 -0400)] 
Merge tag 'pull-target-arm-20260515' of https://gitlab.com/pm215/qemu into staging

target-arm queue:
 * docs: Document TIMEOUT_MULTIPLIER for raising test timeouts
 * meson.build: Add -fzero-init-padding-bits=all
 * hw/remote/machine.c: Mark x-remote machine as OK for AArch64 and AArch32
 * tests/functional: Fix tests to not fail on a KVM-only aarch64 build
 * target/arm: Rename Aarch64-specific methods
 * target/arm: Extract IDAU interface to its own unit
 * target/arm/hvf: Stop pre-allocating cpreg_vmstate arrays
 * target/arm/hvf: Fix WFI halting to stop idle vCPU spinning
 * GICv5: Fix minor bugs spotted by Coverity
 * hw/arm: Build ARM/HVF GICv3 stub once
 * hw/arm: fsl-imx8mm: Don't call qdev_get_machine in init
 * hw/misc/bcm2835_control.c: Don't assert on local timer zero reload value
 * hw/display/exynos4210_fimd: Assume display surface is 32bpp
 * hw/display/exynos4210_fimd: Use LOG_GUEST_ERROR instead of hw_error()
 * hw/arm/integratorcp: Use LOG_UNIMP rather than hw_error()

# gpg: Signature made Fri 15 May 2026 06:47:18 EDT
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [full]
# gpg:                 aka "Peter Maydell <peter@archaic.org.uk>" [unknown]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20260515' of https://gitlab.com/pm215/qemu: (23 commits)
  target/arm/hvf: Fix WFI halting to stop idle vCPU spinning
  tests/functional/qemu_test/asset.py: Don't use setxattr when it doesn't exist
  tests/functional/test_tuxrun: Restrict to TCG
  tests/functional/test_hotplug_pci.py: Require TCG
  tests/functional/test_kvm.py: Skip if virtualization not supported
  tests/functional/test_kvm.py: Use -cpu max, not cortex-a72
  tests/functional/test_virt_vbsa: Skip UEFI test if virtualization not supported
  hw/remote/machine.c: Mark x-remote machine as OK for AArch64 and AArch32
  hw/display/exynos4210_fimd: Assume display surface is 32bpp
  hw/display/exynos4210_fimd: Use LOG_GUEST_ERROR instead of hw_error()
  hw/arm/integratorcp: Use LOG_UNIMP rather than hw_error()
  hw/misc/bcm2835_control.c: Don't assert on local timer zero reload value
  meson.build: Add -fzero-init-padding-bits=all
  hw/intc/arm_gicv5: Add missing early return in gicv5_set_handling()
  hw/intc/arm_gicv5: Avoid NULL dereference in trace line
  target/arm: GICv5 cpuif: Don't set HPPIV bit in GICv5PendingIrq::intid
  target/arm: GICv5 cpuif: Fix overflow in left shift
  target/arm/hvf: Stop pre-allocating cpreg_vmstate arrays
  target/arm: Extract IDAU interface to its own unit
  target/arm: Rename Aarch64-specific methods
  ...

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 weeks ago Merge tag 'pbouvier/pr/target_info-20260514' of https://gitlab.com/p-b-o/qemu into...
Stefan Hajnoczi [Sat, 16 May 2026 21:32:41 +0000 (17:32 -0400)] 
Merge tag 'pbouvier/pr/target_info-20260514' of https://gitlab.com/p-b-o/qemu into staging

Changes:
- [PATCH v7 0/5] single-binary: deduplicate target_info() (Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>)
Link: https://lore.kernel.org/qemu-devel/20260514172303.1484273-1-pierrick.bouvier@oss.qualcomm.com
# gpg: Signature made Thu 14 May 2026 15:54:22 EDT
# gpg:                using RSA key 37C15694D8BA9764B1973FDBB44437D19C2862DF
# gpg: Good signature from "Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 37C1 5694 D8BA 9764 B197  3FDB B444 37D1 9C28 62DF

* tag 'pbouvier/pr/target_info-20260514' of https://gitlab.com/p-b-o/qemu:
  target-info: replace target_info() in system-mode
  target-info-qom: detect target from QOM
  target-info: introduce TargetInfo in QOM
  qom/object: initialize type_table in static ctor with fundamental QOM types
  qom/object: register OBJECT and INTERFACE QOM types before main

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 weeks ago virtio: Add vhost-user-rtc and vhost-user-rtc-pci
Manos Pitsidianakis [Fri, 24 Oct 2025 18:35:30 +0000 (21:35 +0300)] 
virtio: Add vhost-user-rtc and vhost-user-rtc-pci

Authored solely by me for Panasonic Automotive Systems Co., Ltd., but
based on existing vhost-user devices I wrote in 2025, so the copyright
is mixed.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260416-vhost-user-rtc-v2-1-100a53bfc6ce@linaro.org
Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
5 weeks ago target/arm/hvf: Fix WFI halting to stop idle vCPU spinning
Scott J. Goldman [Wed, 13 May 2026 02:21:09 +0000 (22:21 -0400)] 
target/arm/hvf: Fix WFI halting to stop idle vCPU spinning

Commit b5f8f77271 ("accel/hvf: Implement WFI without using pselect()")
changed hvf_wfi() from blocking the vCPU thread with pselect() to
returning EXCP_HLT, intending QEMU's main event loop to handle the
idle wait. However, cpu->halted was never set, so cpu_thread_is_idle()
always returns false and the vCPU thread spins at 100% CPU per core
while the guest is idle.

Fix this by:

1. Setting cpu->halted = 1 in hvf_wfi() so the vCPU thread sleeps on
   halt_cond in qemu_process_cpu_events().

2. Arming a per-vCPU QEMU_CLOCK_VIRTUAL timer to fire when the guest's
   virtual timer (CNTV_CVAL_EL0) would expire. This is necessary
   because HVF only delivers HV_EXIT_REASON_VTIMER_ACTIVATED during
   hv_vcpu_run(), which is not called while the CPU is halted. The
   timer callback mirrors the VTIMER_ACTIVATED handler: it raises the
   vtimer IRQ through the GIC and marks vtimer_masked, causing the
   interrupt delivery chain to wake the vCPU via qemu_cpu_kick().

3. Clearing cpu->halted in hvf_arch_vcpu_exec() when cpu_has_work()
   indicates a pending interrupt, and cancelling the WFI timer.

4. Re-arming the WFI timer from hvf_vm_state_change() on the resume
   transition for any halted vCPU, since the QEMUTimer is per-instance
   state and is not migrated. After cpu_synchronize_all_states() the
   migrated vtimer state is mirrored in env, so we can read CNTV_CTL
   and CNTV_CVAL from there. If the vtimer has already expired by the
   time the destination resumes, hvf_wfi_timer_cb() is invoked
   directly so the halted vCPU is woken up.

All wfi_timer handling (allocation, arming, deletion, and the resume
re-arm) is gated on !hvf_irqchip_in_kernel(): with the Apple in-kernel
vGIC, HVF owns the vtimer and delivers wake-ups itself.

Note for stable backports: this commit won't apply to 11.0 as
it has changes to handle the hvf in-kernel irqchip support that
landed after the 11.0 release. The v3 version of this commit:
  https://patchew.org/QEMU/20260427195516.46256-1-scottjgo@gmail.com/
should be suitable for 11.0 backporting (it is essentially
identical except that it doesn't make the changes conditional
on !hvf_irqchip_in_kernel()).

Cc: qemu-stable@nongnu.org
Fixes: b5f8f77271 ("accel/hvf: Implement WFI without using pselect()")
Signed-off-by: Scott J. Goldman <scottjgo@gmail.com>
Reviewed-by: Mohamed Mediouni <mohamed@unpredictable.fr>
[PMM: added note about stable backports to commit message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 weeks ago tests/functional/qemu_test/asset.py: Don't use setxattr when it doesn't exist
Peter Maydell [Fri, 1 May 2026 11:55:06 +0000 (12:55 +0100)] 
tests/functional/qemu_test/asset.py: Don't use setxattr when it doesn't exist

The Python os.setxattr() API is Linux-specific, so trying to use
it on other OSes triggers a failure:

  File "/Users/pm215/src/qemu/tests/functional/qemu_test/asset.py",
line 227, in fetch
    os.setxattr(str(tmp_cache_file), "user.qemu-asset-url",
    ^^^^^^^^^^^
AttributeError: module 'os' has no attribute 'setxattr'

Since we only set the attributes here for informational
purposes, skip them when os.setxattr() isn't available.

Cc: qemu-stable@nongnu.org
Fixes: 9903217a4ed013 ("tests/functional: add a module for handling asset download & caching")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Thomas Huth <th.huth+qemu@posteo.eu>
Message-id: 20260501115506.3792110-1-peter.maydell@linaro.org

5 weeks ago tests/functional/test_tuxrun: Restrict to TCG
Peter Maydell [Thu, 7 May 2026 19:47:28 +0000 (20:47 +0100)] 
tests/functional/test_tuxrun: Restrict to TCG

The tuxrun tests specify the cortex-a57 CPU; this doesn't work on a
KVM-only QEMU build, where the default accelerator is KVM but KVM
doesn't support that CPU type.  Restrict the test to TCG, to avoid
failures on KVM-only AArch64 builds:
        Output: qemu-system-aarch64: kvm_init_vcpu: kvm_arch_init_vcpu failed (0): Invalid argument

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260507194728.2034696-7-peter.maydell@linaro.org

5 weeks ago tests/functional/test_hotplug_pci.py: Require TCG
Peter Maydell [Thu, 7 May 2026 19:47:27 +0000 (20:47 +0100)] 
tests/functional/test_hotplug_pci.py: Require TCG

The hotplug test asks for the cortex-a57 CPU type, so it will
fail on an AArch64 system using KVM where TCG is not compiled
into QEMU and the default accelerator is KVM:

   Output: qemu-system-aarch64: kvm_init_vcpu: kvm_arch_init_vcpu failed (0): Invalid argument

Restrict it to the TCG accelerator.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260507194728.2034696-6-peter.maydell@linaro.org

5 weeks ago tests/functional/test_kvm.py: Skip if virtualization not supported
Peter Maydell [Thu, 7 May 2026 19:47:26 +0000 (20:47 +0100)] 
tests/functional/test_kvm.py: Skip if virtualization not supported

The test_kvm test runs the virt board with virtualization=on,
which will fail if run with an accelerator that doesn't
support nested virtualization. Catch the VMLaunchFailure
exception and skip the test if startup failed because
the accelerator can't support virtualization.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260507194728.2034696-5-peter.maydell@linaro.org

5 weeks ago tests/functional/test_kvm.py: Use -cpu max, not cortex-a72
Peter Maydell [Thu, 7 May 2026 19:47:25 +0000 (20:47 +0100)] 
tests/functional/test_kvm.py: Use -cpu max, not cortex-a72

The test_kvm test claims to run on any accelerator supporting
nested virtualization, but it specifies the cortex-a72 CPU.
This doesn't exist for KVM-only builds. Use max instead.

This fixes a failure like
  Output: qemu-system-aarch64: unable to find CPU model 'cortex-a72'

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260507194728.2034696-4-peter.maydell@linaro.org

5 weeks ago tests/functional/test_virt_vbsa: Skip UEFI test if virtualization not supported
Peter Maydell [Thu, 7 May 2026 19:47:24 +0000 (20:47 +0100)] 
tests/functional/test_virt_vbsa: Skip UEFI test if virtualization not supported

If you try to run the functional tests on an AArch64 host which doesn't
support nested virtualization in KVM, the UEFI test fails with:

   Output: qemu-system-aarch64: mach-virt: host kernel KVM does
   not support providing Virtualization extensions to the guest CPU

Catch the VMLaunchFailure exception and if it matches the error
messages the virt board puts out for virtualization not being
supported, skip the test.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260507194728.2034696-3-peter.maydell@linaro.org

5 weeks ago hw/remote/machine.c: Mark x-remote machine as OK for AArch64 and AArch32
Peter Maydell [Thu, 7 May 2026 19:47:23 +0000 (20:47 +0100)] 
hw/remote/machine.c: Mark x-remote machine as OK for AArch64 and AArch32

When we updated Arm and AArch64 board types to mark them for the
target_machine_typename() filter, we forgot about the "x-remote"
machine type, which meant that it disappeared from the set of board
types exposed on the qemu-system-arm and qemu-system-aarch64
binaries.  We didn't notice this, because although we have a
functional test for it, it requires the KVM accelerator and we don't
run the functional tests on an AArch64 host in CI.

Mark the machine as being OK to expose in qemu-system-arm and
qemu-system-aarch64, in the same way we do for the "none" machine
type. This fixes a check-functional failure on aarch64 host, where
it would otherwise fail with:
   qemu-system-aarch64: unsupported machine type: "x-remote"

Cc: qemu-stable@nongnu.org
Fixes: eb796c55513d9d39 ("hw/core: Allow ARM/Aarch64 binaries to use the 'none' machine")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260507194728.2034696-2-peter.maydell@linaro.org

5 weeks ago hw/display/exynos4210_fimd: Assume display surface is 32bpp
Peter Maydell [Fri, 8 May 2026 16:20:13 +0000 (17:20 +0100)] 
hw/display/exynos4210_fimd: Assume display surface is 32bpp

For a long time QEMU has guaranteed that the console surface is 32bpp
and not anything else.  This old display device still has code
assuming it might be something else.  Remove the code that made
put_pixel_toqemu a function pointer indirection, and use
put_to_qemufb_pixel32() directly.

This removes the last hw_error() in this file.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260508162013.2751001-5-peter.maydell@linaro.org

5 weeks ago hw/display/exynos4210_fimd: Use LOG_GUEST_ERROR instead of hw_error()
Peter Maydell [Fri, 8 May 2026 16:20:12 +0000 (17:20 +0100)] 
hw/display/exynos4210_fimd: Use LOG_GUEST_ERROR instead of hw_error()

The exynos4210_fimd device model uses hw_error() in several places
for "the guest set this register field to something out of range";
update to the more modern LOG_GUEST_ERROR.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3405
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260508162013.2751001-4-peter.maydell@linaro.org

5 weeks ago hw/arm/integratorcp: Use LOG_UNIMP rather than hw_error()
Peter Maydell [Fri, 8 May 2026 16:20:11 +0000 (17:20 +0100)] 
hw/arm/integratorcp: Use LOG_UNIMP rather than hw_error()

The integratorcp board has some onboard registers which can be used
to raise IRQ and FIQ to the CPU; these outputs are supposed to be
ORed together with the main ones from the PIC.  We've never
implemented this obscure bit of functionality, and instead call
hw_error() if the guest does try to raise an interrupt this way.

Replace the hw_error() call with the more modern way to note
unimplemented QEMU behaviour, a LOG_UNIMP log.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3406
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260508162013.2751001-3-peter.maydell@linaro.org

5 weeks ago hw/misc/bcm2835_control.c: Don't assert on local timer zero reload value
Peter Maydell [Fri, 8 May 2026 16:20:10 +0000 (17:20 +0100)] 
hw/misc/bcm2835_control.c: Don't assert on local timer zero reload value

The bcm2836 local timer has a basic "counts down, fires at zero,
and reloads to programmed value to count down again" functionality,
as documented in
https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2836/QA7_rev3.4.pdf

The documentation is very sparse and doesn't say what actually
happens if the guest programs the reload value to zero.  Currently we
trip an assert in this case.

Instead, log this as a guest error and disable the timer (which seems
a reasonable guess -- effectively the timer will stop counting).

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3395
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260508162013.2751001-2-peter.maydell@linaro.org

5 weeks ago meson.build: Add -fzero-init-padding-bits=all
Peter Maydell [Fri, 8 May 2026 10:47:23 +0000 (11:47 +0100)] 
meson.build: Add -fzero-init-padding-bits=all

The C standard doesn't always guarantee that struct and union padding
bits are zero initialized, even if the code initializes a struct.
For QEMU, this is potentially problematic, because we often have
structs that match data structures in guest memory, where we
initialize them and then bulk copy them into the guest.  If the
compiler didn't zero init the whole of the memory containing the
struct, we could potentially leak random data from the host into the
guest via the padding bytes.

We already use -ftrivial-auto-var-init=zero, which will zero out
padding in many of these cases, but -fzero-init-padding-bits=all
closes some gaps, for example cases where we initialize a
variable with a struct initializer, and cases involving unions.

Follow the Linux kernel in using both options. Compare kernel
commit dce4aab8441 ("kbuild: Use -fzero-init-padding-bits=all").

This option exists in gcc-15 and above; it's not supported
by clang, but clang documents that it guarantees zero init
of these cases always:
https://clang.llvm.org/docs/LanguageExtensions.html#union-and-aggregate-initialization-in-c
Older gcc which don't have the option behave as if it were set.

(These options are passed through the cc.get_supported_arguments()
filter, so we don't need to do anything extra to avoid passing it to
a compiler that doesn't recognize it.)

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-id: 20260508104723.2144051-1-peter.maydell@linaro.org
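
An added illustration (not QEMU code) of the leak path this commit message describes: a struct built in reused host memory and bulk-copied to the guest carries whatever was in its padding bytes, and an explicit memset() before filling the members closes that gap regardless of compiler flags. The struct, the helper names and the 0xAA fill standing in for stale host data are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical descriptor laid out the way a guest would read it from RAM.
 * On common ABIs: type@0, 3 padding bytes, len@4, flags@8, 2 padding bytes. */
struct guest_desc {
    uint8_t  type;
    uint32_t len;
    uint16_t flags;
};

/* Host scratch storage reused between requests. The union lets the same
 * bytes be viewed as the struct and as raw memory. */
union scratch {
    struct guest_desc d;
    unsigned char raw[sizeof(struct guest_desc)];
};

/* Set covered[i] = 1 for every byte that belongs to a named member. */
static void mark_member_bytes(unsigned char *covered)
{
    memset(covered, 0, sizeof(struct guest_desc));
    memset(covered + offsetof(struct guest_desc, type), 1, sizeof(uint8_t));
    memset(covered + offsetof(struct guest_desc, len), 1, sizeof(uint32_t));
    memset(covered + offsetof(struct guest_desc, flags), 1, sizeof(uint16_t));
}

/* Number of padding bytes in struct guest_desc on this ABI. */
size_t padding_size(void)
{
    unsigned char covered[sizeof(struct guest_desc)];
    size_t i, n = 0;

    mark_member_bytes(covered);
    for (i = 0; i < sizeof(covered); i++) {
        n += !covered[i];
    }
    return n;
}

/* Count padding bytes in a raw struct image that are not zero. */
size_t nonzero_padding(const unsigned char *image)
{
    unsigned char covered[sizeof(struct guest_desc)];
    size_t i, n = 0;

    mark_member_bytes(covered);
    for (i = 0; i < sizeof(covered); i++) {
        if (!covered[i] && image[i] != 0) {
            n++;
        }
    }
    return n;
}

/* At-risk pattern: only the named members are written. */
void fill_members_only(struct guest_desc *d, uint32_t len)
{
    d->type = 1;
    d->len = len;
    d->flags = 0;
}

/* Hardened pattern: clear the whole object, padding included, first. */
void fill_zeroed(struct guest_desc *d, uint32_t len)
{
    memset(d, 0, sizeof(*d));
    fill_members_only(d, len);
}

/* Simulate one request: build the descriptor in reused host memory, bulk
 * copy it into "guest RAM", and report how many stale bytes went along. */
size_t leaked_to_guest(int zero_first)
{
    static union scratch host;
    unsigned char guest_ram[sizeof(struct guest_desc)];

    /* Constructed stand-in for data left behind by an earlier use. */
    memset(host.raw, 0xAA, sizeof(host.raw));

    if (zero_first) {
        fill_zeroed(&host.d, 64);
    } else {
        fill_members_only(&host.d, 64);
    }
    memcpy(guest_ram, host.raw, sizeof(guest_ram));
    return nonzero_padding(guest_ram);
}

int main(void)
{
    printf("padding bytes in struct: %zu\n", padding_size());
    printf("stale bytes copied, members only: %zu\n", leaked_to_guest(0));
    printf("stale bytes copied, memset first: %zu\n", leaked_to_guest(1));
    return 0;
}
```

The same byte-level check can be pointed at a struct filled with an initializer to see what a given compiler and flag set actually does with the padding.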

5 weeks ago hw/intc/arm_gicv5: Add missing early return in gicv5_set_handling()
Peter Maydell [Tue, 12 May 2026 09:38:56 +0000 (10:38 +0100)] 
hw/intc/arm_gicv5: Add missing early return in gicv5_set_handling()

In gicv5_set_handling(), if the guest tried to set the handling mode
on a nonexistent SPI then we print a GUEST_ERROR log message.
However, we forgot to then return, so execution continues into a NULL
pointer dereference.

Add the missing "return", bringing the code structure into line with
the equivalent parts in other functions like gicv5_set_pending() and
gicv5_set_target().

CID: 1659596
Fixes: 5beb48ab53d ("hw/intc/arm_gicv5: Make gicv5_set_* update SPI state")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260512093856.3197700-5-peter.maydell@linaro.org

5 weeks ago hw/intc/arm_gicv5: Avoid NULL dereference in trace line
Peter Maydell [Tue, 12 May 2026 09:38:55 +0000 (10:38 +0100)] 
hw/intc/arm_gicv5: Avoid NULL dereference in trace line

In the handling of writes to the IRS_SPI_RESAMPLER register,
we call a trace function, passing it information about the SPI
being resampled. However, spi could be NULL if the guest tried
to resample a nonexistent SPI or one configured for a different
domain. Move the trace statement inside the "if (spi)" block,
as it's only interesting trace if we actually did a resample
and potentially changed the state of the SPI.

CID: 1959593
Fixes: 33185e1d64e ("hw/intc/arm_gicv5: Update SPI state for CLEAR/SET events")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260512093856.3197700-4-peter.maydell@linaro.org

5 weeks ago target/arm: GICv5 cpuif: Don't set HPPIV bit in GICv5PendingIrq::intid
Peter Maydell [Tue, 12 May 2026 09:38:54 +0000 (10:38 +0100)] 
target/arm: GICv5 cpuif: Don't set HPPIV bit in GICv5PendingIrq::intid

In gic_hppi() we return the current highest priority pending
interrupt in a GICv5PendingIrq struct.  We try to set up the intid
field of that struct to be the form that is used by the ICC_HPPIR
register, which has a "valid" bit in bit 33.  Unfortunately the
GICv5PendingIrq defines the intid field as a uint32_t, so Coverity
points out that the bit doesn't actually fit.  Move the handling of
the valid bit to the callsite, and make this function report "no
pending interrupt" with GICv5PendingIrq::prio == PRIO_IDLE,
consistently with how we use this struct in other places.

CID: 1659594
Fixes: 9edad4ff3 ("target/arm: GICv5 cpuif: Implement ICC_HPPIR_EL1")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260512093856.3197700-3-peter.maydell@linaro.org

5 weeks ago target/arm: GICv5 cpuif: Fix overflow in left shift
Peter Maydell [Tue, 12 May 2026 09:38:53 +0000 (10:38 +0100)] 
target/arm: GICv5 cpuif: Fix overflow in left shift

Coverity points out that we forgot the "ULL" suffix when shifting 1
right by a bitcount in various places, so for bit counts above 31 we
end up shifting off the end of the word.  Fix the three problems
Coverity noticed and one more of the same kind that it didn't.

CID: 1659588, 1659591, 1659559
Fixes: ce245ac6957 ("target/arm: GICv5 cpuif: Calculate the highest priority PPI")
Fixes: 3f79212abae ("target/arm: GICv5 cpuif: Implement GICR CDIA command")
Fixes: 49f4c98648c ("target/arm: GICv5 cpuif: Implement GIC CDDI")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260512093856.3197700-2-peter.maydell@linaro.org

5 weeks ago target/arm/hvf: Stop pre-allocating cpreg_vmstate arrays
Scott J. Goldman [Mon, 27 Apr 2026 23:21:16 +0000 (16:21 -0700)] 
target/arm/hvf: Stop pre-allocating cpreg_vmstate arrays

Commit ab2ddc7b66 ("target/arm/machine: Use VMSTATE_VARRAY_INT32_ALLOC
for cpreg arrays") moved cpreg_vmstate_indexes / cpreg_vmstate_values
to be allocated by VMSTATE_VARRAY_INT32_ALLOC and added an assertion
in cpu_pre_load() that they are NULL on entry. The same commit dropped
the redundant g_renew()/array_len assignments from the kvm, whpx and
helper.c cpu init paths, but the hvf cpu init path still pre-allocates
them.

The result is that loading a snapshot or migration stream into an HVF
guest immediately aborts:

    ERROR:target/arm/machine.c:1043:cpu_pre_load:
        assertion failed: (!cpu->cpreg_vmstate_indexes)

Drop the leftover cpreg_vmstate_indexes / cpreg_vmstate_values
allocations and the cpreg_vmstate_array_len assignment from
hvf_arch_init_vcpu(), matching what was already done for the other
arm accelerators.

Signed-off-by: Scott J. Goldman <scottjgo@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

5 weeks ago target/arm: Extract IDAU interface to its own unit
Philippe Mathieu-Daudé [Thu, 7 May 2026 13:47:09 +0000 (15:47 +0200)] 
target/arm: Extract IDAU interface to its own unit

Move IDAU TypeInfo structure to its own source file and
build it once as common ARM object.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-id: 20260507134709.70507-3-philmd@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

5 weeks ago target/arm: Rename Aarch64-specific methods
Philippe Mathieu-Daudé [Thu, 7 May 2026 13:47:08 +0000 (15:47 +0200)] 
target/arm: Rename Aarch64-specific methods

Various Aarch64 specific methods start with the 'aarch64_'
prefix. Rename a few more emphasizing Aarch64 specific features.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-id: 20260507134709.70507-2-philmd@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

5 weeks ago hw/arm: fsl-imx8mm: Don't call qdev_get_machine in init
Vineet Agarwal [Fri, 15 May 2026 07:41:41 +0000 (08:41 +0100)] 
hw/arm: fsl-imx8mm: Don't call qdev_get_machine in init

Calling qdev_get_machine() from fsl_imx8mm_init() can trigger
an assertion failure because the machine may not be created yet.

Reproducer:

  ./qemu-system-aarch64 -S -display none \
      -M virt -device fsl-imx8mm,help

This hits:

../hw/core/qdev.c:844: Object *qdev_get_machine(void):
Assertion `dev' failed.

Move the CPU initialization into realize(), where accessing the
machine state is safe.

(This is the same issue we fixed in the fsl-imx8mp machine
in commit b67d0bcdd41c; we apply the same fix here.)

Signed-off-by: Vineet Agarwal <agarwal.vineet2006@gmail.com>
Message-id: 20260511115918.32765-1-agarwal.vineet2006@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

5 weeks ago hw/arm: Build ARM/HVF GICv3 stub once
Philippe Mathieu-Daudé [Fri, 15 May 2026 07:41:41 +0000 (08:41 +0100)] 
hw/arm: Build ARM/HVF GICv3 stub once

Move arm_gicv3_hvf_stub.c, introduced in commit 48396ad6ce9
("hw/intc: arm_gicv3_hvf: save/restore Apple GIC state"), to
the global stub_ss[] source set which holds stub files being
built once for all binaries, instead of one time per system
binary. This prevents symbol clash when trying to build a
single QEMU system binary:

  clang: error: linker command failed with exit code 1 (use -v to see invocation)
  duplicate symbol '_vmstate_gicv3_hvf' in:
      libqemu-aarch64-softmmu.a.p/hw_intc_arm_gicv3_hvf_stub.c.o
      libqemu-arm-softmmu.a.p/hw_intc_arm_gicv3_hvf_stub.c.o
  ld: 1 duplicate symbols

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Message-id: 20260507135816.71171-1-philmd@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

5 weeks ago docs: Document TIMEOUT_MULTIPLIER for raising test timeouts
Peter Maydell [Fri, 15 May 2026 07:41:41 +0000 (08:41 +0100)] 
docs: Document TIMEOUT_MULTIPLIER for raising test timeouts

Our test infrastructure allows you to set the TIMEOUT_MULTIPLIER
environment variable to raise the test timeouts if you're building
for a slow environment.  (scripts/mtest2make.py reads it and sets the
meson test -t argument accordingly.)

Document this so it's not a secret feature only known to a select
few.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-id: 20260427161132.1463385-1-peter.maydell@linaro.org

5 weeks ago target-info: replace target_info() in system-mode
Pierrick Bouvier [Thu, 14 May 2026 17:23:03 +0000 (10:23 -0700)] 
target-info: replace target_info() in system-mode

We now can use TargetInfo information available from QOM, and remove
duplicated target_info() symbol.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260514172303.1484273-6-pierrick.bouvier@oss.qualcomm.com
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>

5 weeks ago target-info-qom: detect target from QOM
Pierrick Bouvier [Thu, 14 May 2026 17:23:02 +0000 (10:23 -0700)] 
target-info-qom: detect target from QOM

For now, we expect only one target to be available at runtime. This will
change with the single-binary and we'll detect which one to use
dynamically.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260514172303.1484273-5-pierrick.bouvier@oss.qualcomm.com
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>

5 weeks ago target-info: introduce TargetInfo in QOM
Pierrick Bouvier [Thu, 14 May 2026 17:23:01 +0000 (10:23 -0700)] 
target-info: introduce TargetInfo in QOM

For the single-binary, we want to be able to retrieve at runtime the
current target among the different ones available.
A consequence is that we can't rely on existing target_info() definition
since it will create a conflict once more than one target is available.

To solve this, we add TargetInfo in QOM, with this hierarchy.
We define one class "target-info-X" per target, that inherits from
abstract class "target-info". Using concrete vs abstract class ensures we
can easily filter "target-info-X" from all QOM types.
Associated TargetInfo is directly set through class initialization,
without relying on any instance.

For user mode, we simply define target_info() like it was done
previously. In this patch, we keep the same definition for system-mode
also, and it will be replaced in next commits.

We will introduce detection of target from QOM, so we need to make sure
those types are registered early.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260514172303.1484273-4-pierrick.bouvier@oss.qualcomm.com
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>

5 weeks ago qom/object: initialize type_table in static ctor with fundamental QOM types
Pierrick Bouvier [Thu, 14 May 2026 17:23:00 +0000 (10:23 -0700)] 
qom/object: initialize type_table in static ctor with fundamental QOM types

This saves us having to check if it's initialized every time we have to
access it. No other QOM type should be initialized or accessed during
static ctor calls, so we don't depend on their ordering.

Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260514172303.1484273-3-pierrick.bouvier@oss.qualcomm.com
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>

5 weeks ago qom/object: register OBJECT and INTERFACE QOM types before main
Pierrick Bouvier [Thu, 14 May 2026 17:22:59 +0000 (10:22 -0700)] 
qom/object: register OBJECT and INTERFACE QOM types before main

Those types are special, as they are the base of all other QOM types. In
next commit, we'll introduce an extra step in module initialization for
target-info-* types.

However, those types depend on TYPE_OBJECT, which is only registered
at MODULE_INIT_QOM step.

To avoid having to introduce another step, and modify all code calling
module_call_init(MODULE_INIT_QOM), we simply register those base types
directly in the static constructor, before anything else.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260514172303.1484273-2-pierrick.bouvier@oss.qualcomm.com
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>

5 weeks ago Merge tag 'pbouvier/pr/docs-20260513' of https://gitlab.com/p-b-o/qemu into staging
Stefan Hajnoczi [Thu, 14 May 2026 14:18:06 +0000 (10:18 -0400)] 
Merge tag 'pbouvier/pr/docs-20260513' of https://gitlab.com/p-b-o/qemu into staging

Changes:
- [PATCH] docs/devel: Fix formatting of `Error **` (J. Neuschäfer <j.neuschaefer@9elements.com>)
Link: https://lore.kernel.org/qemu-devel/20260513-error-v1-1-49fa04bc5c22@9elements.com
# gpg: Signature made Wed 13 May 2026 13:58:01 EDT
# gpg:                using RSA key 37C15694D8BA9764B1973FDBB44437D19C2862DF
# gpg: Good signature from "Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 37C1 5694 D8BA 9764 B197  3FDB B444 37D1 9C28 62DF

* tag 'pbouvier/pr/docs-20260513' of https://gitlab.com/p-b-o/qemu:
  docs/devel: Fix formatting of `Error **`

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

5 weeks ago Merge tag 'pull-maintainers-2026-05-13' of https://repo.or.cz/qemu/armbru into staging
Stefan Hajnoczi [Thu, 14 May 2026 14:17:53 +0000 (10:17 -0400)] 
Merge tag 'pull-maintainers-2026-05-13' of https://repo.or.cz/qemu/armbru into staging

MAINTAINERS patches for 2026-05-13

# gpg: Signature made Wed 13 May 2026 13:49:46 EDT
# gpg:                using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653
# gpg:                issuer "armbru@redhat.com"
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" [full]
# gpg:                 aka "Markus Armbruster <armbru@pond.sub.org>" [full]
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867  4E5F 3870 B400 EB91 8653

* tag 'pull-maintainers-2026-05-13' of https://repo.or.cz/qemu/armbru:
  MAINTAINERS: Add myself as a reviewer for Checkpatch
  MAINTAINERS: Update RDMA migration entry with M:
  MAINTAINERS: Add self as maintainer for XIVE
  MAINTAINERS: update HEST maintainership entries
  MAINTAINERS: Add Doru Blânzeanu as MSHV reviewer
  MAINTAINERS: add self as reviewer for PowerNV and PPC TCG

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

5 weeks ago Merge tag 'qtest-20260512-pull-request' of https://gitlab.com/farosas/qemu into staging
Stefan Hajnoczi [Thu, 14 May 2026 14:17:37 +0000 (10:17 -0400)] 
Merge tag 'qtest-20260512-pull-request' of https://gitlab.com/farosas/qemu into staging

QTest pull request

- Fix iommu-smmuv3 test when TCG is disabled.
- Replacement of QTEST_TRACE env var with QTEST_QEMU_ARGS
- New verbosity switches for QTEST_LOG

# gpg: Signature made Tue 12 May 2026 17:11:57 EDT
# gpg:                using RSA key AA1B48B0A22326A5A4C364CFC798DC741BEC319D
# gpg:                issuer "farosas@suse.de"
# gpg: Good signature from "Fabiano Rosas <farosas@suse.de>" [unknown]
# gpg:                 aka "Fabiano Almeida Rosas <fabiano.rosas@suse.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: AA1B 48B0 A223 26A5 A4C3  64CF C798 DC74 1BEC 319D

* tag 'qtest-20260512-pull-request' of https://gitlab.com/farosas/qemu:
  tests/qtest/iommu-smmuv3-test: Skip if no TCG GICv3 device present
  docs/devel/qtest: Mention environment variables usage
  tests/qtest: Individual verbose switches
  tests/qtest/libqtest: Replace QTEST_TRACE with QTEST_QEMU_ARGS

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

5 weeks ago Merge tag 'hw-misc-20260512' of https://github.com/philmd/qemu into staging
Stefan Hajnoczi [Thu, 14 May 2026 14:17:26 +0000 (10:17 -0400)] 
Merge tag 'hw-misc-20260512' of https://github.com/philmd/qemu into staging

Misc HW patches

- More ATI VGA fixes
- Add support for pre-setting RPMB authentication key on eMMC cards
- Fix VDPA on big-endian hosts
- Handle sub-page granularity in cpu_memory_rw_debug()
- Fix leak in pca955x_set_led()
- Mark IPv6 header structure as packed
- MAINTAINERS updates

# gpg: Signature made Tue 12 May 2026 16:37:47 EDT
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* tag 'hw-misc-20260512' of https://github.com/philmd/qemu: (41 commits)
  scripts: strip leading './' when searching MAINTAINERS file
  ati-vga: fix ati_set_dirty address calculation
  MAINTAINERS: update HEST maintainership entries
  MAINTAINERS: Add Doru Blânzeanu as MSHV reviewer
  net: mark struct ip6_header as QEMU_PACKED
  hw/gpio/pca9552: fix state_str leak in pca955x_set_led
  hw/i2c/microbit_i2c: Don't index off end of twi_read_sequence[]
  Remove cpu_get_phys_addr_debug() and cpu_get_phys_addr_attrs_debug()
  plugins/api.c: Use cpu_translate_for_debug()
  monitor/hmp-cmds: Use cpu_translate_for_debug()
  target/xtensa/xtensa-semi: Use cpu_translate_for_debug()
  hw/xtensa: Use cpu_translate_for_debug()
  target/sparc: Use cpu_translate_for_debug()
  hw/i386/vapic.c: Use cpu_translate_for_debug()
  system/physmem: Use translate_for_debug() in cpu_memory_rw_debug()
  target/arm: Implement translate_for_debug
  hw/core: Implement cpu_get_phys_addr_attrs_debug() with cpu_translate_for_debug()
  hw/core: Implement new cpu_translate_for_debug()
  plugins/api.c: Trust cpu_get_phys_addr_debug() return address
  monitor: hmp_gva2gpa: Don't page-align cpu_get_phys_addr_debug() arg and return
  ...

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

5 weeks ago Merge tag 'pull-aspeed-20260512' of https://github.com/legoater/qemu into staging
Stefan Hajnoczi [Thu, 14 May 2026 13:39:54 +0000 (09:39 -0400)] 
Merge tag 'pull-aspeed-20260512' of https://github.com/legoater/qemu into staging

aspeed queue:

* Security fixes for HACE hash engine and SBC OTP controller
* Bug fix of the I3C controller
* Removal of BMC machines (fby35, fp5280g2-bmc, qcom-*, sonorapass-bmc)
  deprecated in QEMU 10.2

# gpg: Signature made Tue 12 May 2026 13:13:05 EDT
# gpg:                using RSA key A0F66548F04895EBFE6B0B6051A343C7CFFBECA1
# gpg: Good signature from "Cédric Le Goater <clg@redhat.com>" [full]
# gpg:                 aka "Cédric Le Goater <clg@kaod.org>" [full]
# Primary key fingerprint: A0F6 6548 F048 95EB FE6B  0B60 51A3 43C7 CFFB ECA1

* tag 'pull-aspeed-20260512' of https://github.com/legoater/qemu:
  hw/i3c/dw-i3c: Fix BCR/DCR extraction and PID assembly during ENTDAA
  hw/arm: Remove fby35 machine
  hw/arm: Remove fp5280g2-bmc machine
  hw/arm: Remove qcom-dc-scm-v1-bmc and qcom-firework-bmc machines
  hw/arm: Remove sonorapass-bmc machine
  aspeed/hace: Fix mapped address may not be unmapped issue
  aspeed/hace: Prevent total_req_len overflow
  aspeed/hace: Fix out-of-bounds read in has_padding()
  hw/misc/aspeed_sbc: Add bounds checking for OTP write operations

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

5 weeks ago Merge tag 'qom-pull-request' of https://gitlab.com/marcandre.lureau/qemu into staging
Stefan Hajnoczi [Thu, 14 May 2026 13:39:19 +0000 (09:39 -0400)] 
Merge tag 'qom-pull-request' of https://gitlab.com/marcandre.lureau/qemu into staging

QOM object lifecycle fixes

# gpg: Signature made Mon 11 May 2026 16:19:18 EDT
# gpg:                using RSA key 87A9BD933F87C606D276F62DDAE8E10975969CE5
# gpg: Good signature from "Marc-André Lureau <marcandre.lureau@redhat.com>" [full]
# gpg:                 aka "Marc-André Lureau <marcandre.lureau@gmail.com>" [full]
# Primary key fingerprint: 87A9 BD93 3F87 C606 D276  F62D DAE8 E109 7596 9CE5

* tag 'qom-pull-request' of https://gitlab.com/marcandre.lureau/qemu: (24 commits)
  target/s390x: add gen-features.h dependency to s390x_system_ss
  meson: drop sphinx-build < 1.7 compatiblity check
  hw/riscv/virt: free flash devices and OEM strings on finalization
  hw/ppc/pnv: drop extra ref on PHB after adding as child
  hw/arm/virt: free flash devices and OEM strings on finalization
  hw/arm/sbsa-ref: free unrealized flash devices on finalization
  hw/arm/aspeed: free fmc_model and spi_model on finalization
  hw/gpio/pca9552: fix state_str leak in pca955x_set_led
  hw/fsi: move OPBus qbus_init() to instance_init
  hw/fsi: move OPBus address space init to realize
  system/qtest: add missing qtest_finalize()
  accel/kvm: free device path on finalization
  scsi/pr-manager-helper: free path on finalization
  backends/igvm-cfg: free filename on finalization
  net/can: free ifname on socketcan finalization
  hw/core/resetcontainer: free children array on finalization
  hw/i386/x86: free oem_id and oem_table_id on finalization
  ui/console: remove console from global list on finalization
  system/ioport: Fix qom-list-properties crash on portio list obj
  net/colo-compare: guard finalize against uninitialized state
  ...

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 weeks ago test/dbus-vnc-test: skip it for now
Marc-André Lureau [Wed, 13 May 2026 08:25:16 +0000 (12:25 +0400)] 
test/dbus-vnc-test: skip it for now

For some reason, the VNC auth setup sometimes fails in CI.
Disable until it is figured out.

Reported-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20260513082517.1720433-1-marcandre.lureau@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 weeks ago docs/devel: Fix formatting of `Error **`
J. Neuschäfer [Wed, 13 May 2026 15:06:40 +0000 (17:06 +0200)] 
docs/devel: Fix formatting of `Error **`

Since the ReST conversion, Error ** is expressed as Error ``*````*``, which is
rendered in HTML as Error *````*. Fix it so the HTML output resembles the
intended C syntax.

Fixes: 336a7451e8 ("docs: convert README, CODING_STYLE and HACKING to RST syntax")
Signed-off-by: J. Neuschäfer <j.neuschaefer@9elements.com>
Tested-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Link: https://lore.kernel.org/qemu-devel/20260513-error-v1-1-49fa04bc5c22@9elements.com
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
5 weeks ago Merge tag 'pull-ufs-20260512-2' of https://gitlab.com/jeuk20.kim/qemu into staging
Stefan Hajnoczi [Wed, 13 May 2026 17:51:01 +0000 (13:51 -0400)] 
Merge tag 'pull-ufs-20260512-2' of https://gitlab.com/jeuk20.kim/qemu into staging

ufs mcq bug fix

# gpg: Signature made Tue 12 May 2026 00:35:29 EDT
# gpg:                using RSA key 5017D831597C78A3D907EEF712E2204C0E5DB602
# gpg: Good signature from "Jeuk Kim <jeuk20.kim@samsung.com>" [unknown]
# gpg:                 aka "Jeuk Kim <jeuk20.kim@gmail.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 5017 D831 597C 78A3 D907  EEF7 12E2 204C 0E5D B602

* tag 'pull-ufs-20260512-2' of https://gitlab.com/jeuk20.kim/qemu:
  hw/ufs: Zero reserved bytes in REPORT LUNS response header
  hw/ufs: Keep MCQ SQs alive while requests are outstanding
  hw/ufs: Reject zero-depth MCQ queues
  hw/ufs: Guard MCQ CQ accesses against missing queues
  hw/ufs: Validate MCQ SQ references before use

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 weeks ago MAINTAINERS: Add myself as a reviewer for Checkpatch
Chao Liu [Wed, 13 May 2026 07:08:30 +0000 (15:08 +0800)] 
MAINTAINERS: Add myself as a reviewer for Checkpatch

Add myself as a reviewer for the Checkpatch module, so I can help
review related patches and continue maintaining it.

Signed-off-by: Chao Liu <chao.liu.zevorn@gmail.com>
Message-ID: <20260513070830.851842-1-chao.liu.zevorn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
5 weeks ago MAINTAINERS: Update RDMA migration entry with M:
Peter Xu [Mon, 11 May 2026 14:30:26 +0000 (10:30 -0400)] 
MAINTAINERS: Update RDMA migration entry with M:

We wanted to remove RDMA migration once but that didn't go further.  In
reality, with the help of Zhijian it's in Odd Fixes stage, even if we just
merged one new parameter for it, for performance improvements.

Markus pointed out we'd better have at least one M: for it to match
anything that is not orphaned.

Remove the X: for Migration entry for RDMA files, then it'll start to cover
RDMA migration again. Keep the separate entry so Zhijian can keep getting
copied, and copy the M:s over to say someone is collecting patches.
Logically these M:s aren't needed after removing X:, but make it clearer.

Link: https://lore.kernel.org/r/5326b854-fcea-4af6-a479-792888a94a4d@fujitsu.com
Cc: Zhijian Li (Fujitsu) <lizhijian@fujitsu.com>
Cc: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Message-ID: <20260511143026.1296485-1-peterx@redhat.com>
Acked-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Acked-by: Li Zhijian <lizhijian@fujitsu.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
5 weeks ago MAINTAINERS: Add self as maintainer for XIVE
Glenn Miles [Thu, 7 May 2026 15:45:20 +0000 (10:45 -0500)] 
MAINTAINERS: Add self as maintainer for XIVE

Adding self as maintainer for XIVE

Signed-off-by: Glenn Miles <milesg@linux.ibm.com>
Message-ID: <20260507154530.364296-1-milesg@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Caleb Schlossin <calebs@linux.ibm.com>
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
5 weeks ago MAINTAINERS: update HEST maintainership entries
Mauro Carvalho Chehab [Wed, 6 May 2026 13:47:37 +0000 (15:47 +0200)] 
MAINTAINERS: update HEST maintainership entries

Mark HEST code as maintained and assign them to me.

While here, add a "L" entry to EDAC ML as RAS discussions
usually happen there.

Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Message-ID: <6316f5b788cdc6b63e808606649dc5862271b22e.1778075257.git.mchehab+huawei@kernel.org>
Acked-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
5 weeks ago MAINTAINERS: Add Doru Blânzeanu as MSHV reviewer
Magnus Kulke [Wed, 6 May 2026 10:21:56 +0000 (12:21 +0200)] 
MAINTAINERS: Add Doru Blânzeanu as MSHV reviewer

Signed-off-by: Magnus Kulke <magnuskulke@linux.microsoft.com>
Message-ID: <20260506102156.501805-1-magnuskulke@linux.microsoft.com>
Reviewed-by: Doru Blânzeanu <dblanzeanu@linux.microsoft.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
5 weeks ago MAINTAINERS: add self as reviewer for PowerNV and PPC TCG
Harsh Prateek Bora [Fri, 1 May 2026 14:45:58 +0000 (20:15 +0530)] 
MAINTAINERS: add self as reviewer for PowerNV and PPC TCG

Also remove the redundant entry for pseries.

Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Message-ID: <20260501144558.24491-1-harshpb@linux.ibm.com>
Reviewed-by: Chinmay Rath <rathc@linux.ibm.com>
Acked-by: Aditya Gupta <adityag@linux.ibm.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
5 weeks ago tests/qtest/iommu-smmuv3-test: Skip if no TCG GICv3 device present
Peter Maydell [Thu, 7 May 2026 14:48:31 +0000 (15:48 +0100)] 
tests/qtest/iommu-smmuv3-test: Skip if no TCG GICv3 device present

On a KVM-only (--disable-tcg) build, the iommu-smmuv3 qtest fails:

qemu-system-aarch64: QTest does not support GICv3 emulation
Broken pipe
../../tests/qtest/libqtest.c:201: kill_qemu() tried to terminate QEMU process but encountered exit status 1 (expected 0)

This is because the test runs the virt board with the qtest
accelerator and gic-version=3.  In the virt board this selects the
TCG (emulated) GICv3, but in a --disable-tcg build we don't compile
that device, only the KVM GICv3 (which isn't usable with qtest).

Add a check to the test so we skip it if the arm-gicv3 device isn't
in the QEMU binary.

Cc: qemu-stable@nongnu.org
Fixes: d8d19c31b220142641 ("tests/qtest: Add SMMUv3 bare-metal test using iommu-testdev")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Fabiano Rosas <farosas@suse.de>
5 weeks ago scripts: strip leading './' when searching MAINTAINERS file
Daniel P. Berrangé [Mon, 11 May 2026 09:38:58 +0000 (10:38 +0100)] 
scripts: strip leading './' when searching MAINTAINERS file

The following two uses of get_maintainer.pl should return the
same results, but do not:

  $ ./scripts/get_maintainer.pl -f ./hw/net/vmxnet3.c
  get_maintainer.pl: No maintainers found, printing recent contributors.
  get_maintainer.pl: Do not blindly cc: them on patches!  Use common sense.

  "Philippe Mathieu-Daudé" <philmd@linaro.org> (commit_signer:4/7=57%)
  "Michael S. Tsirkin" <mst@redhat.com> (commit_signer:4/7=57%)
  Xiaoyao Li <xiaoyao.li@intel.com> (commit_signer:3/7=43%)
  Thomas Huth <thuth@redhat.com> (commit_signer:3/7=43%)
  Zhao Liu <zhao1.liu@intel.com> (commit_signer:3/7=43%)
  qemu-devel@nongnu.org (open list:All patches CC here)

  $ ./scripts/get_maintainer.pl -f hw/net/vmxnet3.c
  Dmitry Fleytman <dmitry.fleytman@gmail.com> (maintainer:VMware)
  Jason Wang <jasowang@redhat.com> (odd fixer:Network devices)
  qemu-devel@nongnu.org (open list:All patches CC here)

In the former case, the leading "./" needs to be removed before
trying to find a filename match.

Blindly stripping the "./" is valid because the script already
enforces that it is run from the QEMU git root directory, so
canonicalizing the filename vs $CWD is not required.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260511093858.82753-1-berrange@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago ati-vga: fix ati_set_dirty address calculation
Chad Jablonski [Wed, 6 May 2026 15:39:20 +0000 (17:39 +0200)] 
ati-vga: fix ati_set_dirty address calculation

This fixes three bugs with the ati_set_dirty address calculation.

First, vbe_start_addr is a word offset. All other values in the
calculation are byte offsets. It must be converted to bytes.

Second, when setting the dirty region with memory_region_set_dirty
the vbe_start_addr is used to calculate the start of the dirty region.
This is a problem because the vbe_start_addr is the offset at which scan out
begins. This puts it in the visible screen coordinate system. The dirty
region however is in the virtual screen coordinate system. This can cause both
overmarking and missed updates. This is removed from the calculation.

Third, when the start address of a blit is outside of the bounds check
the entire blit is missed and not set to dirty. This happens even if the
blit does partially overlap with the visible screen. The fix here is to
find the intersection of the visible screen and the blit and mark only
that region as dirty.

This does not attempt to apply clipping to the blit. So there will be
overmarking in some cases.

Signed-off-by: Chad Jablonski <chad@jablonski.xyz>
[balaton: drop excess parenthesis, use offsets instead of pointers]
Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu>
Tested-by: BALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <20260506153920.C6B27596978@zero.eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago MAINTAINERS: update HEST maintainership entries
Mauro Carvalho Chehab [Wed, 6 May 2026 13:47:37 +0000 (15:47 +0200)] 
MAINTAINERS: update HEST maintainership entries

Mark HEST code as maintained and assign them to me.

While here, add a "L" entry to EDAC ML as RAS discussions
usually happen there.

Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Acked-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <6316f5b788cdc6b63e808606649dc5862271b22e.1778075257.git.mchehab+huawei@kernel.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago MAINTAINERS: Add Doru Blânzeanu as MSHV reviewer
Magnus Kulke [Wed, 6 May 2026 10:21:56 +0000 (12:21 +0200)] 
MAINTAINERS: Add Doru Blânzeanu as MSHV reviewer

Signed-off-by: Magnus Kulke <magnuskulke@linux.microsoft.com>
Reviewed-by: Doru Blânzeanu <dblanzeanu@linux.microsoft.com>
Message-ID: <20260506102156.501805-1-magnuskulke@linux.microsoft.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago net: mark struct ip6_header as QEMU_PACKED
Peter Maydell [Tue, 5 May 2026 20:13:24 +0000 (21:13 +0100)] 
net: mark struct ip6_header as QEMU_PACKED

The ip6_header is often used by network devices to examine structures in
packet data, and it's not guaranteed to be aligned. This manifests as
errors from the clang sanitizer like this one:

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../hw/net/rocker/rocker_of_dpa.c:321:37
../../hw/net/rocker/rocker_of_dpa.c:730:33: runtime error: member access within misaligned address 0x742970fe7ecd for type 'struct ip6_header', which requires 4 byte alignment
0x742970fe7ecd: note: pointer points here
 00 00 02 81 00 60 00  00 00 00 38 3a ff fe 80  00 00 00 00 00 00 00 00  00 00 00 00 00 02 ff 02  00
             ^

Fix this by marking the ip6_header struct as QEMU_PACKED, the way we
have done to handle similar problems involving tcp_header, ip_header,
etc.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-ID: <20260505201324.932323-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/gpio/pca9552: fix state_str leak in pca955x_set_led
Marc-André Lureau [Mon, 4 May 2026 11:35:23 +0000 (15:35 +0400)] 
hw/gpio/pca9552: fix state_str leak in pca955x_set_led

visit_type_str() allocates state_str, but the function never frees it
on any code path. Use g_autofree to ensure it is freed on return.

Fixes: a90d8f84674d ("misc/pca9552: Add qom set and get")
Reviewed-by: Glenn Miles <milesg@linux.ibm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20260504-qom-tests-v2-35-ef7e3dc94f7a@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/i2c/microbit_i2c: Don't index off end of twi_read_sequence[]
Peter Maydell [Fri, 1 May 2026 16:26:34 +0000 (17:26 +0100)] 
hw/i2c/microbit_i2c: Don't index off end of twi_read_sequence[]

If the guest tries to read more bytes from our fake stub I2C device
than we have provided, we incorrectly read one byte beyond the end of
this array. Avoid this, and instead keep reporting the RXD register
as containing the last byte of the "data transfer".

Cc: qemu-stable@nongnu.org
Fixes: 9d68bf564ec ("arm: Stub out NRF51 TWI magnetometer/accelerometer detection")
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3408
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260501162634.4092394-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago Remove cpu_get_phys_addr_debug() and cpu_get_phys_addr_attrs_debug()
Peter Maydell [Thu, 30 Apr 2026 09:38:10 +0000 (10:38 +0100)] 
Remove cpu_get_phys_addr_debug() and cpu_get_phys_addr_attrs_debug()

All the callers of cpu_get_phys_addr_debug() and
cpu_get_phys_addr_attrs_debug() have now been updated to use
cpu_translate_for_debug(), so we can remove them.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260430093810.2762539-26-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago plugins/api.c: Use cpu_translate_for_debug()
Peter Maydell [Thu, 30 Apr 2026 09:38:09 +0000 (10:38 +0100)] 
plugins/api.c: Use cpu_translate_for_debug()

We want to remove the cpu_get_phys_addr_debug() function; update the
plugin code to use cpu_translate_for_debug() instead.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260430093810.2762539-25-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago monitor/hmp-cmds: Use cpu_translate_for_debug()
Peter Maydell [Thu, 30 Apr 2026 09:38:08 +0000 (10:38 +0100)] 
monitor/hmp-cmds: Use cpu_translate_for_debug()

We want to remove the cpu_get_phys_addr_debug() function; update the
HMP gva2gpa command implementation to use cpu_translate_for_debug()
instead.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260430093810.2762539-24-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago target/xtensa/xtensa-semi: Use cpu_translate_for_debug()
Peter Maydell [Thu, 30 Apr 2026 09:38:07 +0000 (10:38 +0100)] 
target/xtensa/xtensa-semi: Use cpu_translate_for_debug()

We want to remove the cpu_get_phys_addr_debug() function; update the
xtensa semihosting code to use cpu_translate_for_debug() instead.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260430093810.2762539-23-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/xtensa: Use cpu_translate_for_debug()
Peter Maydell [Thu, 30 Apr 2026 09:38:06 +0000 (10:38 +0100)] 
hw/xtensa: Use cpu_translate_for_debug()

We want to remove the cpu_get_phys_addr_debug() function; update the
xtensa boards to use cpu_translate_for_debug() instead.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260430093810.2762539-22-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago target/sparc: Use cpu_translate_for_debug()
Peter Maydell [Thu, 30 Apr 2026 09:38:05 +0000 (10:38 +0100)] 
target/sparc: Use cpu_translate_for_debug()

We want to remove the cpu_get_phys_addr_debug() function; update the
sparc dump_mmu() function to use cpu_translate_for_debug() instead.

The "mmu_probe succeeds but debug translate fails" cases are probably
not possible in practice; since cpu_get_phys_addr_debug() would
return -1 in that situation we make this conversion retain that
behaviour.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260430093810.2762539-21-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/i386/vapic.c: Use cpu_translate_for_debug()
Peter Maydell [Thu, 30 Apr 2026 09:38:04 +0000 (10:38 +0100)] 
hw/i386/vapic.c: Use cpu_translate_for_debug()

We would like to remove the cpu_get_phys_addr_debug() function, by
moving all callers to cpu_translate_for_debug(). Update the callsites
in vapic.c.

In the process we can drop the old "OR the page offset back in"
workaround that we had for when cpu_get_phys_page_addr() returned
the physaddr of the page base rather than the exact physaddr of
the input virtual address.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260430093810.2762539-20-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago system/physmem: Use translate_for_debug() in cpu_memory_rw_debug()
Peter Maydell [Thu, 30 Apr 2026 09:38:03 +0000 (10:38 +0100)] 
system/physmem: Use translate_for_debug() in cpu_memory_rw_debug()

Currently cpu_memory_rw_debug() assumes page-granularity for translations,
and it works in a loop where each iteration translates for the vaddr
rounded down to a page boundary and then copies up to the end of the
page boundary.

Rewrite it to use the new cpu_translate_for_debug(): we no longer want
to round down the input address, and the boundary we copy up to is now
determined by the lg_page_size it returns rather than being assumed
to be page-sized.

This, together with the implementation of translate_for_debug for
Arm targets, fixes the bug where semihosting would incorrectly
fail to access parameter blocks that were in memory where the
start of the 4K region they were in was inaccessible due to MPU
region settings, even if the parameter block itself was readable.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3292
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260417173105.1648172-18-peter.maydell@linaro.org
Acked-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260430093810.2762539-19-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago target/arm: Implement translate_for_debug
Peter Maydell [Thu, 30 Apr 2026 09:38:02 +0000 (10:38 +0100)] 
target/arm: Implement translate_for_debug

Implement the translate_for_debug method instead of the
get_phys_addr_attrs_debug one.  This allows us to pass the caller the
lg_page_size from our internal GetPhysAddrResult struct.

Awkwardly, translate_for_debug's "true on success" convention
is the opposite of the one we use internally in ptw.c, so
we have to be careful about the sense of the return values.
This corresponds to the way that arm_cpu_tlb_fill_align()
also has to return true when get_phys_addr() returns false.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260417173105.1648172-17-peter.maydell@linaro.org
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260430093810.2762539-18-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/core: Implement cpu_get_phys_addr_attrs_debug() with cpu_translate_for_debug()
Peter Maydell [Thu, 30 Apr 2026 09:38:01 +0000 (10:38 +0100)] 
hw/core: Implement cpu_get_phys_addr_attrs_debug() with cpu_translate_for_debug()

Implement cpu_get_phys_addr_attrs_debug() with
cpu_translate_for_debug(), so that CPUs can implement only the
translate_for_debug method and have all of the wrapper functions
cpu_translate_for_debug(), cpu_get_phys_addr_attrs_debug() and
cpu_get_phys_addr_debug() work.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260430093810.2762539-17-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/core: Implement new cpu_translate_for_debug()
Peter Maydell [Thu, 30 Apr 2026 09:38:00 +0000 (10:38 +0100)] 
hw/core: Implement new cpu_translate_for_debug()

In cpu_memory_rw_debug() we need to do a virtual-to-physical address
translation for debug access.  Currently we assume that the
translation is valid for an entire guest page, but this may not be
true if the target implements some protection regions that have
sub-page granularity. (Currently the only such target is the Arm
CPUs when using an MPU, as in R-profile and M-profile.)

For TCG's emulated accesses, we handle sub-page granularity by the
CPU filling in the lg_page_size field of the CPUTLBEntryFull struct
to tell us how large the region covered by the result is.  But we
didn't extend this to the debug-access code path, with the result
that debug accesses might incorrectly fail because they are looking
at the mapping for the address rounded down to a page boundary.

Provide a cpu_translate_for_debug() function which reports to the
caller not just the physical address and attributes of the
translation but also the lg_page_size for which it is valid.  The
fallback implementation calls cpu_get_phys_addr_attrs_debug() and
assumes target-page-sized validity.

NB: the "return true on valid access, false on failure" follows
the same convention as TCGCPUOps::tlb_fill_align() (though it
is the opposite of what we use in some other places, e.g.
in target/arm's get_phys_addr_* functions).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260417173105.1648172-15-peter.maydell@linaro.org
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260430093810.2762539-16-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
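The sub-page problem described in the cpu_translate_for_debug() and cpu_memory_rw_debug() commit messages above, as a stand-alone C model added here; it is not QEMU's code. The translate hook `model_translate()`, the 256-byte region layout and both `debug_read_*` functions are hypothetical names and values constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_BITS   12u            /* 4K target page, as in the commit message */
#define MEM_BASE    0x20000000u    /* constructed: base of the one modelled page */
#define REGION_BASE 0x20000400u    /* constructed: readable MPU region start */
#define REGION_LG   8u             /* log2 of the region size (256 bytes) */

static uint8_t backing[1u << PAGE_BITS];   /* "physical" memory of that page */

static void fill_backing(void)
{
    for (size_t i = 0; i < sizeof backing; i++) {
        backing[i] = (uint8_t)i;
    }
}

/*
 * Hypothetical stand-in for a translate-for-debug hook: returns true on
 * success and reports the exact physical address plus the log2 size of
 * the region the translation is valid for. Only the 256-byte MPU region
 * is accessible; the rest of the 4K page, including its base, is not.
 */
static bool model_translate(uint32_t vaddr, uint32_t *paddr, unsigned *lg_size)
{
    if ((vaddr >> REGION_LG) != (REGION_BASE >> REGION_LG)) {
        return false;
    }
    *paddr = vaddr;                /* identity mapping, as with an MPU */
    *lg_size = REGION_LG;
    return true;
}

/* Old shape: translate the page base, then add the page offset back. */
static int debug_read_page_granular(uint32_t vaddr, uint8_t *buf, size_t len)
{
    const uint32_t page_size = 1u << PAGE_BITS;

    while (len > 0) {
        uint32_t page = vaddr & ~(page_size - 1);
        uint32_t pa;
        unsigned lg;

        if (!model_translate(page, &pa, &lg)) {
            return -1;             /* fails although vaddr itself is readable */
        }
        pa += vaddr & (page_size - 1);
        size_t l = (size_t)(page + page_size - vaddr);
        if (l > len) {
            l = len;
        }
        memcpy(buf, &backing[pa - MEM_BASE], l);
        vaddr += (uint32_t)l; buf += l; len -= l;
    }
    return 0;
}

/* New shape: translate the exact address, copy up to the reported boundary. */
static int debug_read_region_granular(uint32_t vaddr, uint8_t *buf, size_t len)
{
    while (len > 0) {
        uint32_t pa;
        unsigned lg;

        if (!model_translate(vaddr, &pa, &lg)) {
            return -1;             /* still refuses bytes outside the region */
        }
        uint32_t region = 1u << lg;
        size_t l = (size_t)(region - (vaddr & (region - 1)));
        if (l > len) {
            l = len;
        }
        memcpy(buf, &backing[pa - MEM_BASE], l);
        vaddr += (uint32_t)l; buf += l; len -= l;
    }
    return 0;
}

int main(void)
{
    uint8_t buf[16];

    fill_backing();
    printf("page-granular read inside region:   %d\n",
           debug_read_page_granular(0x20000410u, buf, sizeof buf));
    printf("region-granular read inside region: %d\n",
           debug_read_region_granular(0x20000410u, buf, sizeof buf));
    printf("region-granular read across end:    %d\n",
           debug_read_region_granular(0x200004F8u, buf, sizeof buf));
    return 0;
}
```

The last call shows that sizing each chunk from the reported region size does not widen access: a read that runs past the region end is re-translated at the boundary and rejected.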
5 weeks ago plugins/api.c: Trust cpu_get_phys_addr_debug() return address
Peter Maydell [Thu, 30 Apr 2026 09:37:59 +0000 (10:37 +0100)] 
plugins/api.c: Trust cpu_get_phys_addr_debug() return address

In qemu_plugin_translate_vaddr() we have a workaround for not all
implementations of get_phys_addr_debug returning an exact physaddr
for the input virtual address: we OR back in the page offset to the
return value.

Now that we guarantee that get_phys_addr_debug returns the exact
physaddr for the input virtual address, we can drop this workaround.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-14-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-15-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago monitor: hmp_gva2gpa: Don't page-align cpu_get_phys_addr_debug() arg and return
Peter Maydell [Thu, 30 Apr 2026 09:37:58 +0000 (10:37 +0100)] 
monitor: hmp_gva2gpa: Don't page-align cpu_get_phys_addr_debug() arg and return

In hmp_gva2gpa() we currently have a workaround for not all implementations
of get_phys_addr_debug handling non-page-aligned addresses: we round the
input address from the user down to the target page boundary before the
call and then add the page offset back to the returned value.

Now that we guarantee that all implementations will return the correct
exact physaddr for a virtual address, we can drop this handling.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Dr. David Alan Gilbert <dave@treblig.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260417173105.1648172-13-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-14-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago target/arm: Rename arm_cpu_get_phys_page()
Peter Maydell [Thu, 30 Apr 2026 09:37:57 +0000 (10:37 +0100)] 
target/arm: Rename arm_cpu_get_phys_page()

The internal helper function arm_cpu_get_phys_page() is named that
way because of its use in the get_phys_page_attrs_debug method.  Now
we've renamed the method, rename the helper to match, since it can
handle non-page-aligned addresses.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260417173105.1648172-12-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-13-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/core: Update docs for get_phys_addr_{attrs_, }debug
Peter Maydell [Thu, 30 Apr 2026 09:37:56 +0000 (10:37 +0100)] 
hw/core: Update docs for get_phys_addr_{attrs_, }debug

Update the documentation for the get_phys_addr_{attrs_,}debug methods
and wrapper functions to state that they can handle non-page aligned
addresses and will return the corresponding exact physaddr for them.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260417173105.1648172-11-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-12-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago target: Rename cpu_get_phys_page_{,attrs_}debug
Peter Maydell [Thu, 30 Apr 2026 09:37:55 +0000 (10:37 +0100)] 
target: Rename cpu_get_phys_page_{,attrs_}debug

Rename cpu_phys_page_debug() and cpu_phys_page_attrs_debug() to
cpu_phys_addr_debug() and cpu_phys_addr_attrs_debug().

Commit created with:
 sed -i -e 's/cpu_get_phys_page_debug/cpu_get_phys_addr_debug/g;s/cpu_get_phys_page_attrs_debug/cpu_get_phys_addr_attrs_debug/g' $(git grep -l cpu_get_phys_page)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-10-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-11-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago target: Rename get_phys_page_debug to get_phys_addr_debug
Peter Maydell [Thu, 30 Apr 2026 09:37:54 +0000 (10:37 +0100)] 
target: Rename get_phys_page_debug to get_phys_addr_debug

Now that we have ensured that all implementations of the get_phys_page_debug
method handle a non-page-aligned input and return the corresponding
non-page-aligned output, the name of the method is somewhat misleading.
Rename it to get_phys_addr_debug.

This commit was produced with the commands

 sed -i -e 's/_cpu_get_phys_page_debug/_cpu_get_phys_addr_debug/g;s/\<get_phys_page_debug\>/get_phys_addr_debug/g' $(git grep -l get_phys_page_debug)
 sed -i -e 's/_cpu_get_phys_page_attrs_debug/_cpu_get_phys_addr_attrs_debug/g;s/\<get_phys_page_attrs_debug\>/get_phys_addr_attrs_debug/g' $(git grep -l get_phys_page_attrs_debug)

which catches all references to the method name itself plus
the functions which each target uses as the method implementation,
but (deliberately) not the cpu_phys_get_page_debug() and
cpu_phys_get_page_attrs_debug() wrapper functions or their callers.
(We'll deal with those in the next commit.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-9-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-10-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago target/ppc: Make get_phys_page_debug handle non-page-aligned addrs
Peter Maydell [Thu, 30 Apr 2026 09:37:53 +0000 (10:37 +0100)] 
target/ppc: Make get_phys_page_debug handle non-page-aligned addrs

Currently our implementations of SysemuCPUOps::get_phys_page_debug
and SysemuCPUOps::get_phys_page_attrs_debug are a mix of "accepts a
non-page-aligned virtual address and returns the corresponding
non-page-aligned physical address" and "only returns a page-aligned
physical address".  This is awkward for callsites, which in practice
all want the physical address for an arbitrary virtual address and
have to work around the possibility of getting a page-aligned
address, and it doesn't account for protection being possibly on a
sub-page-sized granularity.  We want to standardize on the
implementation having to handle non-page-aligned addresses.

The ppc_xlate() function can accept a non-page-aligned input but may
return a page-aligned output; we take the simple approach of ORing
the page offset back into the result address after calling it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-8-peter.maydell@linaro.org
Reviewed-by: Glenn Miles <milesg@linux.ibm.com>
Message-ID: <20260430093810.2762539-9-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago target/s390x: Make get_phys_page_debug handle non-page-aligned addrs
Peter Maydell [Thu, 30 Apr 2026 09:37:52 +0000 (10:37 +0100)] 
target/s390x: Make get_phys_page_debug handle non-page-aligned addrs

Currently our implementations of SysemuCPUOps::get_phys_page_debug
and SysemuCPUOps::get_phys_page_attrs_debug are a mix of "accepts a
non-page-aligned virtual address and returns the corresponding
non-page-aligned physical address" and "only returns a page-aligned
physical address".  This is awkward for callsites, which in practice
all want the physical address for an arbitrary virtual address and
have to work around the possibility of getting a page-aligned
address, and it doesn't account for protection being possibly on a
sub-page-sized granularity.  We want to standardize on the
implementation having to handle non-page-aligned addresses.

s390x already has an implementation of "give me the actual physical
address, not rounded down", in s390_get_phys_addr_debug(), so we can
use this for the SysemuCPUOps::get_phys_page_debug method, and merge
the s390_cpu_get_phys_page_debug() function into
s390_get_phys_addr_debug() which is now its only caller.

This leaves the function implementing the method with a name
that doesn't match the method name, but we will fix that shortly
by renaming the method to *_addr_* for all targets.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-7-peter.maydell@linaro.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260430093810.2762539-8-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago target/x86: Make get_phys_page_attrs_debug handle non-page-aligned addrs
Peter Maydell [Thu, 30 Apr 2026 09:37:51 +0000 (10:37 +0100)] 
target/x86: Make get_phys_page_attrs_debug handle non-page-aligned addrs

Currently our implementations of SysemuCPUOps::get_phys_page_debug
and SysemuCPUOps::get_phys_page_attrs_debug are a mix of "accepts a
non-page-aligned virtual address and returns the corresponding
non-page-aligned physical address" and "only returns a page-aligned
physical address".  This is awkward for callsites, which in practice
all want the physical address for an arbitrary virtual address and
have to work around the possibility of getting a page-aligned
address, and it doesn't account for protection being possibly on a
sub-page-sized granularity.  We want to standardize on the
implementation having to handle non-page-aligned addresses.

For x86 this is simple: we just need to stop rounding down the
input address to a TARGET_PAGE boundary when calculating the
result to return.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-6-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-7-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago target/sparc: Make get_phys_page_debug handle non-page-aligned addrs
Peter Maydell [Thu, 30 Apr 2026 09:37:50 +0000 (10:37 +0100)] 
target/sparc: Make get_phys_page_debug handle non-page-aligned addrs

Currently our implementations of SysemuCPUOps::get_phys_page_debug
and SysemuCPUOps::get_phys_page_attrs_debug are a mix of "accepts a
non-page-aligned virtual address and returns the corresponding
non-page-aligned physical address" and "only returns a page-aligned
physical address".  This is awkward for callsites, which in practice
all want the physical address for an arbitrary virtual address and
have to work around the possibility of getting a page-aligned
address, and it doesn't account for protection being possibly on a
sub-page-sized granularity.  We want to standardize on the
implementation having to handle non-page-aligned addresses.

The sparc TLB lookup code can handle non-aligned input addresses but
will return page-aligned results.  Rather than attempting to change
the internals of the lookup code, we take the simple approach of
ORing the page offset back into the phys_addr result.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-5-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-6-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago target/microblaze: Make get_phys_page_attrs_debug handle non-page-aligned addrs
Peter Maydell [Thu, 30 Apr 2026 09:37:49 +0000 (10:37 +0100)] 
target/microblaze: Make get_phys_page_attrs_debug handle non-page-aligned addrs

Currently our implementations of SysemuCPUOps::get_phys_page_debug
and SysemuCPUOps::get_phys_page_attrs_debug are a mix of "accepts a
non-page-aligned virtual address and returns the corresponding
non-page-aligned physical address" and "only returns a page-aligned
physical address".  This is awkward for callsites, which in practice
all want the physical address for an arbitrary virtual address and
have to work around the possibility of getting a page-aligned
address, and it doesn't account for protection being possibly on a
sub-page-sized granularity.  We want to standardize on the
implementation having to handle non-page-aligned addresses.

For microblaze, we just need to remove the explicit rounding down to
the page boundary that we were doing in
mb_cpu_get_phys_page_attrs_debug() when calculating the output
physaddr from the results of the MMU lookup.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-4-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-5-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago target/alpha: Make get_phys_page_debug handle non-page-aligned addrs
Peter Maydell [Thu, 30 Apr 2026 09:37:48 +0000 (10:37 +0100)] 
target/alpha: Make get_phys_page_debug handle non-page-aligned addrs

Currently our implementations of SysemuCPUOps::get_phys_page_debug
and SysemuCPUOps::get_phys_page_attrs_debug are a mix of "accepts a
non-page-aligned virtual address and returns the corresponding
non-page-aligned physical address" and "only returns a page-aligned
physical address".  This is awkward for callsites, which in practice
all want the physical address for an arbitrary virtual address and
have to work around the possibility of getting a page-aligned
address, and it doesn't account for protection being possibly on a
sub-page-sized granularity.  We want to standardize on the
implementation having to handle non-page-aligned addresses.

For alpha, the get_physical_address() function accepts arbitrary
input addresses but may return an output rounded down to a page
boundary, so in alpha_cpu_get_phys_page_debug() we OR the within-page
offset into it before returning it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-3-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-4-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago target/riscv: Make get_phys_page_debug handle non-page-aligned addrs
Peter Maydell [Thu, 30 Apr 2026 09:37:47 +0000 (10:37 +0100)] 
target/riscv: Make get_phys_page_debug handle non-page-aligned addrs

Currently our implementations of SysemuCPUOps::get_phys_page_debug
and SysemuCPUOps::get_phys_page_attrs_debug are a mix of "accepts a
non-page-aligned virtual address and returns the corresponding
non-page-aligned physical address" and "only returns a page-aligned
physical address".  This is awkward for callsites, which in practice
all want the physical address for an arbitrary virtual address and
have to work around the possibility of getting a page-aligned
address, and it doesn't account for protection being possibly on a
sub-page-sized granularity.  We want to standardize on the
implementation having to handle non-page-aligned addresses.

The only thing in the riscv implementation that we need to fix
is the place where we explicitly round the return value down to
a page boundary before returning it. Drop that.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260417173105.1648172-2-peter.maydell@linaro.org
Message-ID: <20260430093810.2762539-3-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/i386/vapic: Cope with non-page-aligned return from cpu_get_phys_page_debug()
Peter Maydell [Thu, 30 Apr 2026 09:37:46 +0000 (10:37 +0100)] 
hw/i386/vapic: Cope with non-page-aligned return from cpu_get_phys_page_debug()

Currently the i386 implementation of get_phys_page_debug() always
returns an address aligned to a page boundary, and the vapic.c code
assumes this: it adds back in the page offset after the call.  Change
this to OR in the page offset, so that it works whether
cpu_get_phys_page_debug() returns the page address or the exact
physical address. This will mean the code continues to work when
we change the semantics to standardize on "return exact
physical address".

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260430093810.2762539-2-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
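The offset handling described in the vapic commit above, and the "OR the page offset back in" approach of the ppc, sparc and alpha commits, shown as an added example that is not QEMU code. The 4 KiB page size, the toy page table and every function name here are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_BITS 12 /* assumption: 4 KiB pages */
#define OFFSET_MASK ((((uint64_t)1) << PAGE_BITS) - 1)

/* Toy one-level page table (constructed): VPN -> physical page base. */
static const uint64_t toy_pt[4] = { 0x7000, 0x3000, 0x9000, 0x1000 };

/* Old behaviour: result rounded down to a page boundary. */
uint64_t lookup_page_aligned(uint64_t vaddr)
{
    return toy_pt[(vaddr >> PAGE_BITS) & 3];
}

/* Standardized behaviour: exact physical address for any vaddr. */
uint64_t lookup_exact(uint64_t vaddr)
{
    return lookup_page_aligned(vaddr) | (vaddr & OFFSET_MASK);
}

typedef uint64_t (*lookup_fn)(uint64_t);

/* Call site that adds the offset: correct only for the aligned lookup. */
uint64_t caller_add(lookup_fn fn, uint64_t vaddr)
{
    return fn(vaddr) + (vaddr & OFFSET_MASK);
}

/* Call site that ORs the offset: correct for both lookups. */
uint64_t caller_or(lookup_fn fn, uint64_t vaddr)
{
    return fn(vaddr) | (vaddr & OFFSET_MASK);
}

int main(void)
{
    uint64_t va = 0x2abc; /* constructed: page 2, offset 0xabc */
    printf("add, aligned: %#llx\n", (unsigned long long)caller_add(lookup_page_aligned, va));
    printf("add, exact:   %#llx\n", (unsigned long long)caller_add(lookup_exact, va));
    printf("or,  aligned: %#llx\n", (unsigned long long)caller_or(lookup_page_aligned, va));
    printf("or,  exact:   %#llx\n", (unsigned long long)caller_or(lookup_exact, va));
    return 0;
}
```

With the exact lookup, the adding call site counts the offset twice and lands in a different physical page, which is the silent failure the OR form avoids.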
5 weeks ago vdpa: Allow VDPA to work on big-endian machine
Konstantin Shkolnyy [Mon, 27 Apr 2026 14:47:46 +0000 (09:47 -0500)] 
vdpa: Allow VDPA to work on big-endian machine

After commit 0caed25cd171 vhost_vdpa_net_load_vlan() started seeing
VIRTIO_NET_F_CTRL_VLAN flag and making 4096 calls to the kernel with
VIRTIO_NET_CTRL_VLAN_ADD command. However, it forgot to convert the
16-bit VLAN IDs to LE format. On a BE machine, the kernel calls failed
when they saw "VLAN IDs" greater than 4095, and QEMU then said:
"unable to start vhost net: 5: falling back on userspace virtio", and
VDPA became disabled.

Convert the VLAN ID to LE before putting it into virtio queue.

Fixes: 8f7e9967484d ("vdpa: Restore vlan filtering state")
Signed-off-by: Konstantin Shkolnyy <kshk@linux.ibm.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-ID: <20260427144746.1498-1-kshk@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
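The failure mode in the vdpa commit above, replayed as an added example that is not QEMU or kernel code. The receiver model (reads the 16-bit field as little-endian, rejects IDs above 4095) follows the commit message; all function and type names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_VLAN_ID 4095u

/* Byte layout of a native uint16_t store on a big-endian host (the bug). */
void put_be16(uint8_t out[2], uint16_t v) { out[0] = v >> 8; out[1] = v & 0xff; }

/* Explicit little-endian store (the fix), independent of host byte order. */
void put_le16(uint8_t out[2], uint16_t v) { out[0] = v & 0xff; out[1] = v >> 8; }

/* Receiver side (assumed model): field is little-endian, range-checked. */
int receiver_vlan_add(const uint8_t wire[2], uint16_t *seen)
{
    *seen = (uint16_t)(wire[0] | (wire[1] << 8));
    return *seen <= MAX_VLAN_ID ? 0 : -1;
}

typedef void (*put16_fn)(uint8_t out[2], uint16_t v);

struct replay_result { unsigned rejected, wrong_id, ok; };

/* Send every VLAN ID 0..4095 once and classify what the receiver saw. */
struct replay_result replay_all_vlans(put16_fn put)
{
    struct replay_result r = { 0, 0, 0 };
    for (uint16_t id = 0; id <= MAX_VLAN_ID; id++) {
        uint8_t wire[2];
        uint16_t seen;
        put(wire, id);
        if (receiver_vlan_add(wire, &seen) < 0) {
            r.rejected++;          /* e.g. ID 16 arrives as 4096 */
        } else if (seen != id) {
            r.wrong_id++;          /* accepted, but a different VLAN */
        } else {
            r.ok++;
        }
    }
    return r;
}

int main(void)
{
    struct replay_result be = replay_all_vlans(put_be16);
    struct replay_result le = replay_all_vlans(put_le16);
    printf("BE store: rejected=%u wrong=%u ok=%u\n", be.rejected, be.wrong_id, be.ok);
    printf("LE store: rejected=%u wrong=%u ok=%u\n", le.rejected, le.wrong_id, le.ok);
    return 0;
}
```

Besides the rejections that disabled VDPA, the byte-swapped store also yields in-range values that name a different VLAN, so a range check alone would not have caught every bad ID.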
5 weeks ago MAINTAINERS: Step up to maintain core machine code
Philippe Mathieu-Daudé [Fri, 17 Apr 2026 10:24:02 +0000 (12:24 +0200)] 
MAINTAINERS: Step up to maintain core machine code

The 'Machine core' section is orphan. Being acquainted
with the code, step up to maintain it.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Igor Mammedov <imammedo@redhat.com>
Cc: Yanan Wang <wangyanan55@huawei.com>
Cc: Eduardo Habkost <eduardo@habkost.net>
Cc: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20260417110550.70068-3-philmd@linaro.org>

5 weeks ago hw/sd: Update trace events for buf+len data
Christian Speich [Fri, 17 Apr 2026 09:51:40 +0000 (11:51 +0200)] 
hw/sd: Update trace events for buf+len data

After switching sdbuf and sdcard over to use buf+len instead of single
byte operation, the trace events need to be updated.

This patch updates sdbus_{read,write} and sdcard_write_data to output the
buffer that is worked on.

sdcard_read_data is left unchanged, as it did not print the read byte
before anyways.

Signed-off-by: Christian Speich <c.speich@avm.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260417-sdcard-performance-b4-v4-7-119e66be10c2@avm.de>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/sd/sd: Allow multi-byte read/write for generic paths
Christian Speich [Fri, 17 Apr 2026 09:51:35 +0000 (11:51 +0200)] 
hw/sd/sd: Allow multi-byte read/write for generic paths

Paths that use sd_generic_write/read_data can now write/read multiple
bytes with one call.

Signed-off-by: Christian Speich <c.speich@avm.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260417-sdcard-performance-b4-v4-2-119e66be10c2@avm.de>
[PMD: Access &sd->data[sd->data_offset] in sd_generic_read/write_data]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>