git.ipfire.org Git - thirdparty/qemu.git/log
8 weeks ago MAINTAINERS: Add entry for MPIPL (PowerNV)
Aditya Gupta [Fri, 24 Apr 2026 08:38:37 +0000 (14:08 +0530)] 
MAINTAINERS: Add entry for MPIPL (PowerNV)

Add maintainer and reviewer for MPIPL subsystem.

Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20260424083837.214947-11-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
8 weeks ago tests/functional: Add test for MPIPL in PowerNV
Aditya Gupta [Fri, 24 Apr 2026 08:38:36 +0000 (14:08 +0530)] 
tests/functional: Add test for MPIPL in PowerNV

With MPIPL support implemented, enable fadump's functional test for PowerNV

Also, current functional test for powernv uses op-build's Linux 5.10 image,
which doesn't support adding "fadump=on" in argument due to this:

    Kernel is locked down from Kernel configuration; see man kernel_lockdown.7

Hence, instead of op-build's image, use the newer fedora vmlinuz as used
in FADump PSeries functional test

Also due to "bash#" string not showing up, rely on sh: no job control to
check if testcase has reached till shell

Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20260424083837.214947-10-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
8 weeks ago pnv/mpipl: Enable MPIPL support
Aditya Gupta [Fri, 24 Apr 2026 08:38:35 +0000 (14:08 +0530)] 
pnv/mpipl: Enable MPIPL support

With all MPIPL support in place, export a "dump" node in device tree,
signifying that PowerNV QEMU platform supports MPIPL

Also, export fw-load-area dt node, which has details about where the
kernel & initrd were loaded, so that kernel can verify whether the
kernel/initrd images were loaded within the boot memory region. QEMU
just exports these details in fw-load-area, the check for boot memory
region is done in kernel.

Since now device tree can change at pnv_reset, hence regenerate device
tree during pnv_reset

Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20260424083837.214947-9-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
8 weeks ago pnv/mpipl: Write the preserved CPU and MDRT state
Aditya Gupta [Fri, 24 Apr 2026 08:38:34 +0000 (14:08 +0530)] 
pnv/mpipl: Write the preserved CPU and MDRT state

Logic for preserving the CPU registers and memory regions has been done
in previous patches.

Write those data at the relevant memory address, such as PROC_DUMP_AREA
for CPU registers, and MDRT for preserved memory regions.

Also export "mpipl-boot" device tree node, for kernel to know that it's
a 'dump active' boot

Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20260424083837.214947-8-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
8 weeks ago pnv/mpipl: Set thread entry size to be allocated by firmware
Aditya Gupta [Fri, 24 Apr 2026 08:38:33 +0000 (14:08 +0530)] 
pnv/mpipl: Set thread entry size to be allocated by firmware

Set the "Thread Register State Entry Size" that is required by firmware
(OPAL), to know size of memory to allocate to capture CPU state, in the
event of a crash

Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20260424083837.214947-7-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
8 weeks ago pnv/mpipl: Preserve CPU registers after crash
Aditya Gupta [Fri, 24 Apr 2026 08:38:32 +0000 (14:08 +0530)] 
pnv/mpipl: Preserve CPU registers after crash

Kernel expects the platform to provide CPU registers after pausing
execution of the CPUs.

Currently only exporting the registers, used by Linux, for generating
the /proc/vmcore

Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20260424083837.214947-6-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
8 weeks ago pnv/mpipl: Preserve memory regions as per MDST/MDDT tables
Aditya Gupta [Fri, 24 Apr 2026 08:38:31 +0000 (14:08 +0530)] 
pnv/mpipl: Preserve memory regions as per MDST/MDDT tables

Implement copying of memory region, as mentioned by MDST and MDDT
tables.

Copy the memory regions from source to destination in chunks of 32MB

Note, qemu can fail preserving a particular entry due to any reason,
such as:
  * region length mis-matching in MDST & MDDT
  * failed copy due to access/decode/etc memory issues

HDAT doesn't specify any field in MDRT to notify host about such errors.

Though HDAT section "15.3.1.3 Memory Dump Results Table (MDRT)" says:
    The Memory Dump Results Table is a list of the memory ranges that
    have been included in the dump

Based on above statement, it looks like MDRT should include only those
regions which are successfully captured in the dump, hence, regions
which qemu fails to dump, just get skipped, and will not have a
corresponding entry in MDRT

Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20260424083837.214947-5-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
8 weeks ago ppc/pnv: Handle stash command in PowerNV SBE
Aditya Gupta [Fri, 24 Apr 2026 08:38:30 +0000 (14:08 +0530)] 
ppc/pnv: Handle stash command in PowerNV SBE

Earlier since the SBE_CMD_STASH_MPIPL_CONFIG command was not handled, so
skiboot used to not get any response from SBE:

    [  106.350742821,3] SBE: Message timeout [chip id = 0], cmd = d7, subcmd = 7
    [  106.352067746,3] SBE: Failed to send stash MPIPL config [chip id = 0x0, rc = 254]

Fix this by handling the command in PowerNV SBE, and sending a response so
skiboot knows SBE has handled the STASH command

The stashed skiboot base is later used to access the relocated MDST/MDDT
tables when MPIPL is implemented.

The purpose of stashing relocated base address is explained in following
skiboot commit:

    author Vasant Hegde <hegdevasant@linux.vnet.ibm.com> Fri Jul 12 16:47:51 2019 +0530
    committer Oliver O'Halloran <oohall@gmail.com> Thu Aug 15 17:53:39 2019 +1000

    SBE: Send OPAL relocated base address to SBE

      OPAL relocates itself during boot. During memory preserving IPL hostboot needs
      to access relocated OPAL base address to get MDST, MDDT tables. Hence send
      relocated base address to SBE via 'stash MPIPL config' chip-op. During next
      IPL SBE will send stashed data to hostboot... so that hostboot can access
      these data.

Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20260424083837.214947-4-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
8 weeks ago ppc/mpipl: Implement S0 SBE interrupt
Aditya Gupta [Fri, 24 Apr 2026 08:38:29 +0000 (14:08 +0530)] 
ppc/mpipl: Implement S0 SBE interrupt

During MPIPL (aka fadump), after a kernel crash, the kernel does
opal_cec_reboot2 opal call, signifying an abnormal termination.
When OPAL receives this opal call, it further triggers SBE S0 interrupt,
to trigger a MPIPL boot.

Currently S0 interrupt is unimplemented in QEMU.

Implement S0 interrupt as 'pause_vcpus' + 'guest_reset' in QEMU, as the
SBE's implementation of S0 seems to be basically "stop all clocks" and
then "host reset".

pause_vcpus is done in a later patch when register preserving support is
added

See 'stopClocksS0' in SBE source code for more information.

Also log both S0 and S1 interrupts.

Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20260424083837.214947-3-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
8 weeks ago ppc/pnv: Move SBE host doorbell function to top of file
Aditya Gupta [Fri, 24 Apr 2026 08:38:28 +0000 (14:08 +0530)] 
ppc/pnv: Move SBE host doorbell function to top of file

Moved 'pnv_sbe_set_host_doorbell' as-it-is to above
'pnv_sbe_power9_xscom_ctrl_write'.

This is done since in a future patch, S0 interrupt implementation uses
'pnv_sbe_set_host_doorbell', hence the host doorbell function needs to
be declared/defined before 'pnv_sbe_power9_xscom_ctrl_write' where we
implement the S0 interrupt.

No functional change.

Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20260424083837.214947-2-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
8 weeks ago qapi/iothread: introduce poll-weight parameter for aio-poll
Jaehoon Kim [Thu, 23 Apr 2026 19:59:18 +0000 (14:59 -0500)] 
qapi/iothread: introduce poll-weight parameter for aio-poll

Introduce a configurable poll-weight parameter for adaptive polling
in IOThread. This parameter replaces the hardcoded POLL_WEIGHT_SHIFT
constant, allowing runtime control over how much the most recent
event interval affects the next polling duration calculation.

The poll-weight parameter uses a shift value where larger values
decrease the weight of the current interval, enabling more gradual
adjustments. When set to 0, a default value of 3 is used (meaning
the current interval contributes approximately 1/8 to the weighted
average).

This patch also removes the hardcoded default value checks from
adjust_polling_time(). Instead, poll-grow, poll-shrink, and
poll-weight now use default values initialized in iothread.c
during IOThread creation.

Signed-off-by: Jaehoon Kim <jhkim@linux.ibm.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Acked-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260423195918.661299-4-jhkim@linux.ibm.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
8 weeks ago aio-poll: refine iothread polling using weighted handler intervals
Jaehoon Kim [Thu, 23 Apr 2026 19:59:17 +0000 (14:59 -0500)] 
aio-poll: refine iothread polling using weighted handler intervals

Improve adaptive polling by updating each AioHandler's poll.ns
every loop iteration using weighted averages. This reduces CPU
consumption while minimizing performance impact.

Background:
Starting from QEMU 10.0, poll.ns was introduced per event handler
to mitigate excessive fluctuations in IOThread polling times
observed in earlier versions (QEMU 9.x). However, the current
design has limitations:

1. poll.ns is updated only when an event occurs, making it
   difficult to treat block_ns as a reliable event interval.
2. The IOThread's next polling time is determined by the maximum
   poll.ns among all AioHandlers, meaning idle AioHandlers with
   high poll.ns can have an outsized impact on polling duration.
3. For io_uring, idle AioHandlers are cleared after
   POLL_IDLE_INTERVAL_NS (7s), but for ppoll/epoll there is no
   such mechanism, leading to increased CPU consumption from idle
   nodes.

Implementation:
This patch treats block_ns as an event interval and updates each
AioHandler's poll.ns in every loop iteration:

- Active handlers (with events): poll.ns is updated using a
  weighted average of the current block_ns and previous poll.ns,
  smoothing out adjustments and preventing excessive fluctuations.
- Inactive handlers (no events): poll.ns accumulates block_ns
  without weighting, allowing rapid isolation of idle nodes. When
  poll.ns exceeds poll_max_ns, it resets to 0, preventing
  sporadically active handlers from unnecessarily prolonging
  iothread polling.
- The iothread polling duration is set based on the largest poll.ns
  among active handlers. The shrink divider defaults to 2, matching
  the grow rate, to reduce frequent poll_ns resets for slow devices.

The implementation renames poll_idle_timeout to last_dispatch_timestamp
for use as an active handler identifier.

Testing:
POLL_WEIGHT_SHIFT=3 (12.5% weight) was selected based on testing
comparing baseline vs weight=2/3 across various workloads:
Performance results (RHEL 10.1 + QEMU 10.0.0, FCP/FICON, 1-8 iothreads,
numjobs 1/4/8 averaged):
                    | poll-weight=2      | poll-weight=3
--------------------|--------------------|-----------------
Throughput avg      | -2.4% (all tests)  | -2.2% (all tests)
CPU consumption avg | -10.9% (all tests) | -9.4% (all tests)

Both configurations achieve ~10% CPU reduction with minimal throughput
impact (~2%). Weight=3 is chosen as default for slightly better
throughput while maintaining substantial CPU savings.

Additional validation testing on s390x SSD with fio (bs=8k, iodepth=8,
numjobs=1) shows how poll_weight affects polling time (poll.ns)
behavior:

RandRead workload:
+-------------+-----------+-----------+-------------+-------------+
| poll_weight | #samples  | Mean (ns) | 50th % (ns) | 90th % (ns) |
+-------------+-----------+-----------+-------------+-------------+
| 1           | 4.79M     |  8,034    |  5,116      | 20,509      |
| 2           | 5.01M     | 12,584    | 11,078      | 24,693      |
| 3           | 5.01M     | 15,647    | 14,863      | 28,695      |
| 4           | 5.12M     | 16,430    | 15,556      | 30,848      |
| 5           | 5.14M     | 16,461    | 15,306      | 32,123      |
+-------------+-----------+-----------+-------------+-------------+
RandWrite workload:
+-------------+-----------+-----------+-------------+-------------+
| poll_weight | #samples  | Mean (ns) | 50th % (ns) | 90th % (ns) |
+-------------+-----------+-----------+-------------+-------------+
| 1           | 6.37M     |  2,049    |  1,262      |  4,301      |
| 2           | 7.46M     |  4,118    |  3,226      |  7,476      |
| 3           | 7.97M     |  7,034    |  5,984      | 11,645      |
| 4           | 7.96M     | 12,789    | 11,362      | 20,040      |
| 5           | 7.82M     | 22,992    | 20,644      | 32,768      |
+-------------+-----------+-----------+-------------+-------------+

Signed-off-by: Jaehoon Kim <jhkim@linux.ibm.com>
Message-ID: <20260423195918.661299-3-jhkim@linux.ibm.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
8 weeks ago aio-poll: avoid unnecessary polling time computation
Jaehoon Kim [Thu, 23 Apr 2026 19:59:16 +0000 (14:59 -0500)] 
aio-poll: avoid unnecessary polling time computation

Nodes are no longer added to poll_aio_handlers when adaptive polling is
disabled, preventing unnecessary try_poll_mode() calls. This avoids
iterating over all nodes to compute max_ns unnecessarily when polling
is disabled.

Signed-off-by: Jaehoon Kim <jhkim@linux.ibm.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20260423195918.661299-2-jhkim@linux.ibm.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
8 weeks ago tests/qtest: Make qtest_get_arch() cleverer
Peter Maydell [Mon, 27 Apr 2026 15:00:07 +0000 (16:00 +0100)] 
tests/qtest: Make qtest_get_arch() cleverer

The qtest_get_arch() function tries to determine the architecture
under test by extracting it from the binary name as provided in
QTEST_QEMU_BINARY.  The current logic finds the last '-' in the
string and assumes everything beyond it is the architecture name.
Although we also look for the substring "-system-", the only effect
this check has is that we will exit with an error if it is not
present.

Because the logic at the moment is very simplistic, although
it is possible to provide more complex commands than a bare
QEMU binary path, such as:
  QTEST_QEMU_BINARY='rr record ./qemu-system-x86_64'
it is not possible to provide extra arguments to QEMU, such as:
  QTEST_QEMU_BINARY='./qemu-system-x86_64 -d trace:foo'

Because the "-system-" check and the "find the architecture" check
are not the same, the latter example will pass the "we found
-system-" check and not notice that the "architecture name" it has
found starts further on in the string; so rather than printing an
error it will return "d trace:foo" to the test.

Improve the "find the architecture name" logic to look for the
rightmost occurrence of the substring "-system-" in
QTEST_QEMU_BINARY, and take the architecture name as starting there
and continuing until the first whitespace character or the end of the
string.

Because we now need to potentially modify the environment variable
string to terminate the architecture name if it is not the last part
of the string, we make a copy of it which we cache in a static
variable.  This lets us avoid having to modify all the callers to get
them to take ownership of the returned string.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20260427150007.1185559-1-peter.maydell@linaro.org
Signed-off-by: Fabiano Rosas <farosas@suse.de>
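
The parsing rule described in the commit message above, as an added example that is not QEMU's code: `arch_old()` reproduces the "everything after the last '-'" behaviour and `arch_new()` the "rightmost `-system-`, up to the first whitespace" behaviour. Both function names and the sample strings are constructed for illustration; the commit caches its copy in a static variable, whereas this sketch writes into a caller-supplied buffer so it can be run on several inputs.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MARKER "-system-"

/*
 * Old rule as the commit message describes it: only check that "-system-"
 * appears somewhere, then return everything after the last '-'.
 * Returns NULL when the marker is absent.
 */
const char *arch_old(const char *binary)
{
    if (binary == NULL || strstr(binary, MARKER) == NULL) {
        return NULL;
    }
    return strrchr(binary, '-') + 1;
}

/*
 * New rule as the commit message describes it: locate the rightmost
 * "-system-" and take the architecture name from there up to the first
 * whitespace character or the end of the string.
 * Returns 0 and fills 'out' on success; -1 if the marker is missing,
 * the name is empty, or it does not fit in 'out' (no silent truncation).
 */
int arch_new(const char *binary, char *out, size_t outlen)
{
    const char *p, *last = NULL, *start;
    size_t len = 0;

    if (binary == NULL || out == NULL || outlen == 0) {
        return -1;
    }
    /* Walk forward over every occurrence so 'last' ends on the rightmost. */
    for (p = binary; (p = strstr(p, MARKER)) != NULL; p++) {
        last = p;
    }
    if (last == NULL) {
        return -1;
    }
    start = last + strlen(MARKER);
    while (start[len] != '\0' && !isspace((unsigned char)start[len])) {
        len++;
    }
    if (len == 0 || len >= outlen) {
        return -1;
    }
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample values for QTEST_QEMU_BINARY. */
    static const char *samples[] = {
        "./qemu-system-x86_64",
        "rr record ./qemu-system-x86_64",
        "./qemu-system-x86_64 -d trace:foo",
        "/opt/qemu-system-builds/qemu-system-aarch64 -M virt",
        "./qemu-x86_64",
    };
    char buf[32];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *old = arch_old(samples[i]);
        int rc = arch_new(samples[i], buf, sizeof(buf));

        printf("%-52s old=[%s] new=[%s]\n", samples[i],
               old ? old : "(error)", rc == 0 ? buf : "(error)");
    }
    return 0;
}
```
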
8 weeks ago tests/qtest: Add Intel IOMMU bare-metal test
Fengyuan Yu [Wed, 25 Mar 2026 07:09:06 +0000 (15:09 +0800)] 
tests/qtest: Add Intel IOMMU bare-metal test

Add a qtest suite for the Intel IOMMU (VT-d) device on the Q35 machine.
The test exercises both Legacy and Scalable translation modes using
iommu-testdev and the qos-intel-iommu helpers, without requiring any
guest kernel or firmware.

The test validates:
- Legacy-mode Root Entry Table and Context Entry Table configuration
- Scalable-mode Context Entry, PASID Directory, and PASID Table setup
- Legacy-mode 4-level page table walks for 48-bit address translation
- Scalable-mode second-level and first-level 4-level page table walks
- Pass-through mode in both Legacy and Scalable modes
- DMA transaction execution with memory content verification

Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Signed-off-by: Fengyuan Yu <15fengyuan@gmail.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Tao Tang <tangtao1634@phytium.com.cn>
Link: https://lore.kernel.org/qemu-devel/ce3c44f3b07734a4f0ee43f55b21c856034af1b1.1774421649.git.15fengyuan@gmail.com
Signed-off-by: Fabiano Rosas <farosas@suse.de>
8 weeks ago tests/qtest/libqos: Add Intel IOMMU helper library
Fengyuan Yu [Wed, 25 Mar 2026 07:09:05 +0000 (15:09 +0800)] 
tests/qtest/libqos: Add Intel IOMMU helper library

Introduce a libqos helper module for Intel IOMMU (VT-d) bare-metal
testing via iommu-testdev. The helper provides routines to:

- Build Legacy-mode structures: Root Entry Tables, Context Entry Tables,
  and 4-level page tables for 48-bit address translation
- Build Scalable-mode structures: Scalable Context Entries, PASID
  Directory Entries, PASID Table Entries, and 4-level page tables for
  both second-level and first-level translation
- Program VT-d registers (Root Table Address, Invalidation Queue,
  Fault Event MSI, Global Command) following the VT-d specification,
  with GSTS read-back verification for each step
- Execute DMA translations through iommu-testdev and verify results
  by reading back guest memory

The module supports all major VT-d translation modes through the
QVTDTransMode enum:
- Legacy pass-through
- Legacy translated with 4-level paging
- Scalable pass-through
- Scalable Second-Level Translation
- Scalable First-Level Translation

Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Signed-off-by: Fengyuan Yu <15fengyuan@gmail.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Tao Tang <tangtao1634@phytium.com.cn>
Link: https://lore.kernel.org/qemu-devel/c4f7bf5d7985891a2db291193669ebe15dd2ba15.1774421649.git.15fengyuan@gmail.com
Signed-off-by: Fabiano Rosas <farosas@suse.de>
8 weeks ago Merge tag 'pull-riscv-to-apply-20260429-1' of https://github.com/alistair23/qemu...
Stefan Hajnoczi [Wed, 29 Apr 2026 13:22:50 +0000 (09:22 -0400)] 
Merge tag 'pull-riscv-to-apply-20260429-1' of https://github.com/alistair23/qemu into staging

RISC-V PR for 11.1.

* Use standard EN_PRI bit for PRI IOMMU
* Add draft RISC-V Zbr ext as xbr0p93
* Forbid to use legacy native endianness API
* Fix irq_overflow_left residual value bug in IOMMU
* Add IPSR.PMIP RW1C support to IOMMU
* Use kvm timer frequency when kvm enabled
* Fix stale ptshift and base on page walk restart
* Fix heap OOB in ACLINT MTIMER multi-socket
* Reject RISC-V HTIF invalid signature ranges
* Fix RV32 henvcfg/stateen CSR handling
* Add Zvfbfa extension support
* Allow fractional LMUL on vector SHA instructions
* Add Tenstorrent mvendorid
* Warn if a ELF format file is loaded as a binary
* Initialize riscv_excp_names[] and riscv_intr_names[] using designated initializer
* Mask xepc[0] only when Zc* extension is enabled
* Generate access fault if sc comparison fails
* Don't OR mip.SEIP when mvien is one
* Use ELEN for Fractional LMUL check
* Fix Zjpm implementation
* Handle mask/source overlap of vector reduction instructions

# gpg: Signature made Wed 29 Apr 2026 00:45:29 EDT
# gpg:                using RSA key 6AE902B6A7CA877D6D659296AF7C95130C538013
# gpg: Good signature from "Alistair Francis <alistair@alistair23.me>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6AE9 02B6 A7CA 877D 6D65  9296 AF7C 9513 0C53 8013

* tag 'pull-riscv-to-apply-20260429-1' of https://github.com/alistair23/qemu: (51 commits)
  target/riscv: rvv: Handle mask/source overlap of vector reduction instructions
  target/riscv: Fix pointer masking translation mode check bug
  target/riscv: Rename riscv_pm_get_virt_pmm() to riscv_pm_get_vm_ldst_pmm()
  target/riscv: Fix pointer masking for virtual-machine load/store insns
  target/riscv: Fix pointer masking PMM field selection logic
  target/riscv: Add a helper to return the current effective priv mode
  target/riscv: fix address masking
  target/riscv: Use ELEN for Fractional LMUL check
  target/riscv: Don't OR mip.SEIP when mvien is one
  target/riscv: Generate access fault if sc comparison fails
  target/riscv: Mask xepc[0] only when Zc* extension is enabled
  target/riscv: Initialize riscv_excp_names[] and riscv_intr_names[] using designated initializer
  target/riscv: fix RV32 stateen CSR handling
  hw/riscv/boot: Warn if a ELF format file is loaded as a binary
  target/riscv: tt-ascalon: Add Tenstorrent mvendorid
  target/riscv: rvv: Allow fractional LMUL on vector SHA instructions
  target/riscv: Expose Zvfbfa extension as a cpu property
  target/riscv: rvv: Support Zvfbfa vector bf16 operations
  target/riscv: Introduce BF16 canonical NaN for Zvfbfa extension
  target/riscv: Introduce altfmt into DisasContext
  ...

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
8 weeks ago Merge tag 'ui-pull-request' of https://gitlab.com/marcandre.lureau/qemu into staging
Stefan Hajnoczi [Wed, 29 Apr 2026 13:20:02 +0000 (09:20 -0400)] 
Merge tag 'ui-pull-request' of https://gitlab.com/marcandre.lureau/qemu into staging

UI-related fixes and cleanups

# gpg: Signature made Tue 28 Apr 2026 10:55:10 EDT
# gpg:                using RSA key 87A9BD933F87C606D276F62DDAE8E10975969CE5
# gpg: Good signature from "Marc-André Lureau <marcandre.lureau@redhat.com>" [full]
# gpg:                 aka "Marc-André Lureau <marcandre.lureau@gmail.com>" [full]
# Primary key fingerprint: 87A9 BD93 3F87 C606 D276  F62D DAE8 E109 7596 9CE5

* tag 'ui-pull-request' of https://gitlab.com/marcandre.lureau/qemu:
  ui/gtk: Turn clipboard flag into runtime option
  ui/gtk: Use non-blocking clipboard retrieval
  audio: Use unsigned PCM bias
  audio: Clamp unsigned sample conversion
  audio: Avoid unsigned sample wraparound
  ui/dbus: fix warning for clients without "Interfaces" property
  ui/console: move console_handle_touch_event() to input
  ui/console: return completion status from gfx_update callback
  ui/console: remove qemu_console_is_visible()
  ui: rename init_keyboard_layout->kbd_layout_new()
  ui: minor code simplification
  ui: make unregister_displaychangelistener() skip unregistered
  ui: make qemu_default_pixelformat() static inline
  ui: move DisplaySurface functions to display-surface.c
  ui: move FONT_WIDTH/HEIGHT to vgafont.h

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
8 weeks ago target/riscv: rvv: Handle mask/source overlap of vector reduction instructions
Anton Blanchard [Fri, 17 Apr 2026 12:06:26 +0000 (12:06 +0000)] 
target/riscv: rvv: Handle mask/source overlap of vector reduction instructions

Masked vector reduction instructions must not use v0 as a source register.
Check rs1 and rs2 against the mask register when vm=0.

Signed-off-by: Anton Blanchard <antonb@tenstorrent.com>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Message-ID: <20260417120626.77415-1-antonb@tenstorrent.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Fix pointer masking translation mode check bug
Frank Chang [Tue, 21 Apr 2026 09:37:15 +0000 (17:37 +0800)] 
target/riscv: Fix pointer masking translation mode check bug

When running with virtualization in VS/VU mode, or when executing the
virtual-machine load/store instructions (HLV.* and HSV.*), the type of
address that determines which pointer masking rules apply should be
checked against vsatp rather than satp.

As a result, sign extension also applies to the virtual-machine
load/store instructions.

Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Radim Krčmář <rkrcmar@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260421093715.2995067-7-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Rename riscv_pm_get_virt_pmm() to riscv_pm_get_vm_ldst_pmm()
Frank Chang [Tue, 21 Apr 2026 09:37:14 +0000 (17:37 +0800)] 
target/riscv: Rename riscv_pm_get_virt_pmm() to riscv_pm_get_vm_ldst_pmm()

Rename riscv_pm_get_virt_pmm() to riscv_pm_get_vm_ldst_pmm() to better
reflect its actual usage. This function is used when checking the PMM
field for virtual-machine load/store instructions (HLV.* and HSV.*),
rather than for VS/VU modes.

Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260421093715.2995067-6-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Fix pointer masking for virtual-machine load/store insns
Frank Chang [Tue, 21 Apr 2026 09:37:13 +0000 (17:37 +0800)] 
target/riscv: Fix pointer masking for virtual-machine load/store insns

The effective privilege of explicit memory accesses made by
virtual-machine load/store instructions (HLV.* and HSV.*) is controlled
by hstatus.SPVP. mstatus.MPRV does not affect these virtual-machine
load/store instructions.

Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260421093715.2995067-5-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Fix pointer masking PMM field selection logic
Frank Chang [Tue, 21 Apr 2026 09:37:12 +0000 (17:37 +0800)] 
target/riscv: Fix pointer masking PMM field selection logic

mstatus.MPV only records the previous virtualization state, and does not
affect pointer masking according to the Zjpm specification.

This patch rewrites riscv_pm_get_pmm() to follow the architectural
definition of Smmpm, Smnpm, and Ssnpm.

The resulting PMM selection logic for each mode is summarized below:

  * mstatus.MXR = 1: pointer masking disabled

  * Smmpm + Smnpm + Ssnpm:
      M-mode:  mseccfg.PMM
      S-mode:  menvcfg.PMM
      U-mode:  senvcfg.PMM
      VS-mode: henvcfg.PMM
      VU-mode: senvcfg.PMM

  * Smmpm + Smnpm (RVS implemented):
      M-mode:  mseccfg.PMM
      S-mode:  menvcfg.PMM
      U/VS/VU: disabled (Ssnpm not present)

  * Smmpm + Smnpm (RVS not implemented):
      M-mode:  mseccfg.PMM
      U-mode:  menvcfg.PMM
      S/VS/VU: disabled (no S-mode)

  * Smmpm only:
      M-mode:  mseccfg.PMM
      Other existing modes: pointer masking disabled

Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260421093715.2995067-4-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Add a helper to return the current effective priv mode
Frank Chang [Tue, 21 Apr 2026 09:37:11 +0000 (17:37 +0800)] 
target/riscv: Add a helper to return the current effective priv mode

This helper returns the current effective privilege mode.

Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260421093715.2995067-3-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: fix address masking
Yong-Xuan Wang [Tue, 21 Apr 2026 09:37:10 +0000 (17:37 +0800)] 
target/riscv: fix address masking

The pmlen should get the corresponding value before shifting address.

Signed-off-by: Yong-Xuan Wang <yongxuan.wang@sifive.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260421093715.2995067-2-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Use ELEN for Fractional LMUL check
Alistair Francis [Wed, 15 Apr 2026 23:37:40 +0000 (09:37 +1000)] 
target/riscv: Use ELEN for Fractional LMUL check

The RISC-V spec states that

"""
For a given supported fractional LMUL setting, implementations
must support SEW settings between SEWMIN and LMUL * ELEN, inclusive.
"""

We were previously checking VLEN, instead of ELEN, so let's update to
check ELEN instead of VLEN for fractional scaling.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3196
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260415233740.3027321-5-alistair.francis@wdc.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Don't OR mip.SEIP when mvien is one
Alistair Francis [Wed, 15 Apr 2026 23:37:39 +0000 (09:37 +1000)] 
target/riscv: Don't OR mip.SEIP when mvien is one

The RISC-V spec states that

"""
But when bit 9 of mvien is one, bit SEIP in mip is read-only and does
not include the value of bit 9 of mvip. Rather, the value of mip.SEIP
is simply the supervisor external interrupt signal from the hart’s
external interrupt controller (APLIC or IMSIC).
"""

As such let's mark the mip.SEIP in rmw_mip64().

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2828
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Message-ID: <20260415233740.3027321-4-alistair.francis@wdc.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Generate access fault if sc comparison fails
Alistair Francis [Wed, 15 Apr 2026 23:37:37 +0000 (09:37 +1000)] 
target/riscv: Generate access fault if sc comparison fails

The RISC-V spec states:

"For the purposes of memory protection, a failed SC.W may be treated
like a store."

So if the comparison in sc.w fails we should still check for alignment
and do a probe access to check permissions.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3323
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3136
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Message-ID: <20260415233740.3027321-2-alistair.francis@wdc.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Mask xepc[0] only when Zc* extension is enabled
Frank Chang [Tue, 21 Apr 2026 07:49:40 +0000 (15:49 +0800)] 
target/riscv: Mask xepc[0] only when Zc* extension is enabled

IALIGN is 16 when the CPU supports the Zc* extension. Only xepc[0]
should be masked when the Zc* extension is enabled.

Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260421074940.2916287-1-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Initialize riscv_excp_names[] and riscv_intr_names[] using designated...
Frank Chang [Tue, 21 Apr 2026 07:11:07 +0000 (15:11 +0800)] 
target/riscv: Initialize riscv_excp_names[] and riscv_intr_names[] using designated initializer

Use designated initializers to initialize riscv_excp_names[] and
riscv_intr_names[] so that we don't have to explicitly add "reserved"
items. Also, add the missing trap names: sw_check, hw_error,
virt_illegal_instruction, semihost, s_guest_external, and
counter_overflow.

Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Max Chou <max.chou@sifive.com>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260421071107.2848439-1-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: fix RV32 stateen CSR handling
Bruno Sa [Fri, 10 Apr 2026 11:08:42 +0000 (12:08 +0100)] 
target/riscv: fix RV32 stateen CSR handling

The RV32 stateen CSRs are split between the low-half CSR and the
corresponding xH CSR, but the current implementation still handles some
upper-half bits through the low-half write paths and also accepts the
xH CSRs on RV64.

Fix this by:
- rejecting mstateen*h and hstateen*h accesses on RV64
- keeping the RV64-only writable bits in the low-half write paths
- handling the RV32 upper-half writable bits in write_mstateen0h() and
  write_hstateen0h()
- dropping unsupported writable bits from write_sstateen0()

Signed-off-by: Bruno Sa <bruno.vilaca.sa@gmail.com>
Message-ID: <20260410110928.1014170-1-bruno.vilaca.sa@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago hw/riscv/boot: Warn if a ELF format file is loaded as a binary
Nicholas Piggin [Wed, 15 Apr 2026 06:48:35 +0000 (16:48 +1000)] 
hw/riscv/boot: Warn if a ELF format file is loaded as a binary

It is possible that an ELF file cannot be loaded; in that
case the loader falls back to loading the file as a binary
blob. Print a warning in this case because it is likely that
it is not intended.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260415064838.652297-4-joel@jms.id.au>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: tt-ascalon: Add Tenstorrent mvendorid
Joel Stanley [Wed, 14 Jan 2026 02:05:15 +0000 (12:35 +1030)] 
target/riscv: tt-ascalon: Add Tenstorrent mvendorid

JEP106 has two vendor IDs for Tenstorrent. We will use Bank 16, company 33:

  ((16 - 1) << 7) | 33 = 0x7a1

As JEP106 requires registration to download, the number can be confirmed by
looking at the OpenOCD sources[1].

Alternatively, referring to the JEDEC document the hex IDs are listed with the
parity (MSB) bit added. Company 33 has hex 0xa1:

 ((16 - 1) << 7) | (0xa1 & ~0x80) = 0x7a1

Add it to the Ascalon CPU definition as the mvendorid CSR.

[1] https://github.com/openocd-org/openocd/blob/1ebff3ab33c77e3f8fb4e1ddda262b606b572af1/src/helper/jep106.inc#L1935

Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Michael Ellerman <mpe@oss.tenstorrent.com>
Message-ID: <20260114020516.982305-1-joel@jms.id.au>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: rvv: Allow fractional LMUL on vector SHA instructions
Anton Blanchard [Sun, 4 Jan 2026 23:37:24 +0000 (23:37 +0000)] 
target/riscv: rvv: Allow fractional LMUL on vector SHA instructions

Vector SHA instructions incorrectly raise an illegal instruction exception
when LMUL < 1. The ISA only states that LMUL*VLEN >= EGW:

  For element-group instructions, LMUL*VLEN must always be at least as
  large as EGW, otherwise an illegal-instruction exception is raised, even
  if vl=0.

There is already a check for this:

  MAXSZ(s) >= egw_bytes

so just remove the check for a fractional LMUL.

Signed-off-by: Anton Blanchard <antonb@tenstorrent.com>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Message-ID: <20260104233724.192886-1-antonb@tenstorrent.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Expose Zvfbfa extension as a cpu property
Max Chou [Thu, 2 Apr 2026 12:52:34 +0000 (20:52 +0800)] 
target/riscv: Expose Zvfbfa extension as a cpu property

Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-10-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: rvv: Support Zvfbfa vector bf16 operations
Max Chou [Thu, 2 Apr 2026 12:52:33 +0000 (20:52 +0800)] 
target/riscv: rvv: Support Zvfbfa vector bf16 operations

According to the Zvfbfa ISA spec v0.1, the following vector floating
point instructions have different behaviors depending on the ALTFMT and
VSEW fields of VTYPE CSR.

When altfmt=1 and SEW=8, all vector floating-point instructions become
reserved, except for the following, which are redefined to use the
BF16 format for any operand that would otherwise have used the FP16
format:
- vfwcvt.f.x[u].v, vfncvt.x[u].f.w, vfncvt.rtz.x[u].f.w

When altfmt=1 and SEW=16, all vector floating-point instructions become
reserved, except for the following, which are redefined to use the
BF16 format for any operand that would otherwise have used the FP16
format:
- vfadd.v[vf], vfsub.v[vf], vfmin.v[vf], vfmax.v[vf], vmfeq.v[vf],
  vmfle.v[vf], vmflt.v[vf], vmfne.v[vf], vmfgt.vf, vmfge.vf,
  vfmul.v[vf], vfrsub.vf, vfmadd.v[vf], vfnmadd.v[vf], vfmsub.v[vf],
  vfnmsub.v[vf], vfmacc.v[vf], vfnmacc.v[vf], vfmsac.v[vf],
  vfnmsac.v[vf], vfwadd.v[vf], vfwsub.v[vf], vfwadd.w[vf],
  vfwsub.w[vf], vfwmul.v[vf], vfwmacc.v[vf], vfwnmacc.v[vf],
  vfwmsac.v[vf], vfwnmsac.v[vf], vfwcvt.f.f.v, vfncvt.f.f.w,
  vfncvt.rod.f.f.w, vfrsqrt7.v, vfrec7.v, vfclass.v

The following instructions marked with * have the same semantics
regardless of altfmt.
*- vfmv.f.s,
   vfwmaccbf16.v[vf] (only if Zvfbfwma is implemented)
   vfwcvtbf16.f.f.v (only if Zvfbfmin is implemented)
   vfncvtbf16.f.f.w (only if Zvfbfmin is implemented)

The following instructions marked with ** differ only in that
improperly NaN-boxed f-register operands must substitute the BF16
canonical NaN instead of the FP16 canonical NaN.
**- vfsgnj.v[vf], vfsgnjn.v[vf], vfsgnjx.v[vf], vfslide1up.vf,
    vfslide1down.vf, vfmv.v.f, vfmerge.vfm, vfmv.s.f

Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-9-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Introduce BF16 canonical NaN for Zvfbfa extension
Max Chou [Thu, 2 Apr 2026 12:52:32 +0000 (20:52 +0800)] 
target/riscv: Introduce BF16 canonical NaN for Zvfbfa extension

According to the Zvfbfa ISA spec (v0.1), improperly NaN-boxed
f-register operands must substitute the BF16 canonical NaN instead of
the FP16 canonical NaN for some vector floating-point instructions.

Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-8-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Introduce altfmt into DisasContext
Max Chou [Thu, 2 Apr 2026 12:52:31 +0000 (20:52 +0800)] 
target/riscv: Introduce altfmt into DisasContext

Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-7-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Use the tb->cs_base as the extend tb flags
Max Chou [Thu, 2 Apr 2026 12:52:30 +0000 (20:52 +0800)] 
target/riscv: Use the tb->cs_base as the extend tb flags

We have more than 32-bits worth of state per TB, so use the
tb->cs_base, which is otherwise unused for RISC-V, as the extend flag.

Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-6-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: rvv: Introduce reset_ill_vtype to reset illegal vtype CSR
Max Chou [Thu, 2 Apr 2026 12:52:29 +0000 (20:52 +0800)] 
target/riscv: rvv: Introduce reset_ill_vtype to reset illegal vtype CSR

Replace the same vill reset flow by reset_ill_vtype function.

Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-5-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: rvv: Add new VTYPE CSR field - altfmt
Max Chou [Thu, 2 Apr 2026 12:52:28 +0000 (20:52 +0800)] 
target/riscv: rvv: Add new VTYPE CSR field - altfmt

According to the Zvfbfa ISA spec v0.1, the vtype CSR adds a new field:
altfmt for BF16 support.
This update changes the layout of the vtype CSR fields.

- Removed VEDIV field (bits 8-9) since EDIV extension is not planned to
  be part of the base V extension
- Added ALTFMT field at bit 8
- Changed RESERVED field to start from bit 9 instead of bit 10

When Zvfbfa is disabled, bits 8+ are treated as reserved (preserving
existing behavior for altfmt bit). When Zvfbfa is enabled, only bits 9+
are reserved.

Reference:
- https://github.com/riscvarchive/riscv-v-spec/blob/master/ediv.adoc

Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-4-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Add the Zvfbfa extension implied rule
Max Chou [Thu, 2 Apr 2026 12:52:27 +0000 (20:52 +0800)] 
target/riscv: Add the Zvfbfa extension implied rule

According to the Zvfbfa isa spec:
The Zvfbfa extension requires the Zve32f and Zfbfmin extensions.

Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-3-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Add cfg properties for Zvfbfa extensions
Max Chou [Thu, 2 Apr 2026 12:52:26 +0000 (20:52 +0800)] 
target/riscv: Add cfg properties for Zvfbfa extensions

The Zvfbfa extension adds more complete BF16 vector compute support
and requires the Zve32f and Zfbfmin extensions.

Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-2-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: preserve RV32 henvcfgh on henvcfg writes
Bruno Sa [Thu, 9 Apr 2026 15:53:42 +0000 (16:53 +0100)] 
target/riscv: preserve RV32 henvcfgh on henvcfg writes

On RV32, STCE/ADUE/PBMTE/DTE are implemented in henvcfgh. A write to
henvcfg should therefore only update the low 32 bits of env->henvcfg.

The current write_henvcfg() path overwrites env->henvcfg with the
low-half value and clears any bits previously written via henvcfgh.

Preserve the upper 32 bits on RV32 henvcfg writes and keep the existing
RV64 behaviour unchanged.

Signed-off-by: Bruno Sa <bruno.vilaca.sa@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260409155344.2849233-2-bruno.vilaca.sa@gmail.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago riscv_htif: reject invalid signature ranges (end <= begin)
Munkhbaatar Enkhbaatar [Tue, 9 Dec 2025 08:53:49 +0000 (16:53 +0800)] 
riscv_htif: reject invalid signature ranges (end <= begin)

Prevents huge allocations and crashes caused by malformed HTIF signature
addresses.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3205
Signed-off-by: Munkhbaatar Enkhbaatar <munkhuu0825@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251209085349.61510-1-munkhuu0825@gmail.com>
[ Squashed with following commit to fix build failures
    hw/char/riscv_htif: Fix format specifier for uint64_t

    Message-ID: <20260415134826.1742308-1-chao.liu.zevorn@gmail.com>
Signed-off-by: Chao Liu <chao.liu.zevorn@gmail.com>
]
Tested-by: Tao Tang <tangtao1634@phytium.com.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Chao Liu <chao.liu.zevorn@gmail.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago hw/intc: fix heap OOB in ACLINT MTIMER multi-socket
Sebastián Alba Vives [Wed, 1 Apr 2026 05:38:53 +0000 (23:38 -0600)] 
hw/intc: fix heap OOB in ACLINT MTIMER multi-socket

The MMIO read/write handlers index timecmp[] with the absolute hartid
(hartid_base + offset) but the array is allocated with num_harts
elements. In multi-socket configurations with hartid_base > 0 this
causes heap OOB access in the QEMU process.

Fix by using the relative offset for array indexing.

Cc: qemu-security@nongnu.org
Signed-off-by: Sebastián Alba Vives <sebasjosue84@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260401053853.10473-2-sebasjosue84@gmail.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
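
The indexing mismatch described in the commit above, as an added example that is not QEMU's code: a simplified model of one socket's timer block in which every name (`MTimerModel`, `index_absolute`, `index_relative`, `count_oob`, the MMIO layout) is an assumption. It compares the absolute-hartid index with the socket-relative index against an array of `num_harts` slots and never performs the out-of-bounds access itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_HARTS 8   /* capacity of the constructed backing store */

/* Simplified per-socket timer model; every name here is hypothetical. */
typedef struct {
    uint32_t hartid_base;         /* first hart ID served by this socket */
    uint32_t num_harts;           /* harts in this socket = valid slots */
    uint64_t timecmp_base;        /* MMIO offset of the first 8-byte timecmp */
    uint64_t timecmp[MAX_HARTS];
} MTimerModel;

static MTimerModel make_socket(uint32_t hartid_base, uint32_t num_harts)
{
    MTimerModel t = { hartid_base,
                      num_harts > MAX_HARTS ? MAX_HARTS : num_harts, 0, {0} };
    return t;
}

/* Hart offset inside this socket for an MMIO address, or -1 if outside. */
static int64_t hart_offset(const MTimerModel *t, uint64_t addr)
{
    uint64_t off;
    if (addr < t->timecmp_base) {
        return -1;
    }
    off = (addr - t->timecmp_base) >> 3;
    return off < t->num_harts ? (int64_t)off : -1;
}

/* Index the described bug would use: the absolute hart ID. */
static int64_t index_absolute(const MTimerModel *t, uint64_t addr)
{
    int64_t off = hart_offset(t, addr);
    return off < 0 ? -1 : (int64_t)t->hartid_base + off;
}

/* Index after the fix: the offset relative to this socket's array. */
static int64_t index_relative(const MTimerModel *t, uint64_t addr)
{
    return hart_offset(t, addr);
}

static int slot_is_valid(const MTimerModel *t, int64_t idx)
{
    return idx >= 0 && (uint64_t)idx < t->num_harts;
}

/* Handlers use the relative index and reject anything outside the array. */
static int mtimer_write(MTimerModel *t, uint64_t addr, uint64_t val)
{
    int64_t idx = index_relative(t, addr);
    if (!slot_is_valid(t, idx)) {
        return -1;
    }
    t->timecmp[idx] = val;
    return 0;
}

static int mtimer_read(const MTimerModel *t, uint64_t addr, uint64_t *out)
{
    int64_t idx = index_relative(t, addr);
    if (!slot_is_valid(t, idx)) {
        return -1;
    }
    *out = t->timecmp[idx];
    return 0;
}

/* Count timecmp registers whose computed index falls outside the array. */
static unsigned count_oob(uint32_t hartid_base, uint32_t num_harts, int absolute)
{
    MTimerModel t = make_socket(hartid_base, num_harts);
    unsigned bad = 0;
    for (uint32_t h = 0; h < t.num_harts; h++) {
        uint64_t addr = t.timecmp_base + 8ull * h;
        int64_t idx = absolute ? index_absolute(&t, addr)
                               : index_relative(&t, addr);
        if (!slot_is_valid(&t, idx)) {
            bad++;
        }
    }
    return bad;
}

/* Write then read the last hart's register through the checked handlers. */
static uint64_t last_hart_roundtrip(uint32_t hartid_base, uint32_t num_harts,
                                    uint64_t val)
{
    MTimerModel t = make_socket(hartid_base, num_harts);
    uint64_t addr, out = 0;
    if (t.num_harts == 0) {
        return 0;
    }
    addr = t.timecmp_base + 8ull * (t.num_harts - 1);
    if (mtimer_write(&t, addr, val) != 0 || mtimer_read(&t, addr, &out) != 0) {
        return 0;
    }
    return out;
}

int main(void)
{
    /* Constructed two-socket layout: socket 0 = harts 0..3, socket 1 = 4..7. */
    printf("socket0 absolute OOB: %u\n", count_oob(0, 4, 1));
    printf("socket1 absolute OOB: %u\n", count_oob(4, 4, 1));
    printf("socket1 relative OOB: %u\n", count_oob(4, 4, 0));
    printf("socket1 roundtrip: 0x%llx\n",
           (unsigned long long)last_hart_roundtrip(4, 4, 0x1234));
    return 0;
}
```

With `hartid_base` equal to 0 the two indexes coincide, which is why the mismatch only shows up on the second and later sockets.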
8 weeks ago target/riscv: fix stale ptshift and base on page walk restart
Sebastián Alba Vives [Wed, 1 Apr 2026 05:38:52 +0000 (23:38 -0600)] 
target/riscv: fix stale ptshift and base on page walk restart

When the atomic compare-and-swap for updating A/D bits in the page
table entry fails due to a concurrent PTE modification by another
vCPU, get_physical_address() jumps to the 'restart' label to re-walk
the page table from the root.

However, neither 'ptshift' nor 'base' are re-initialized before the
restart. After the walk completes, ptshift has been decremented to
its final value and base has been overwritten with an inner PTE PPN.
On goto restart, the for loop resets i=0 but ptshift and base remain
stale, causing the restarted walk to compute incorrect PTE addresses.

In an SMP guest with MTTCG and Svadu active, this can result in
incorrect physical address mappings or guest crashes.

Fix by saving the root base address and re-initializing both ptshift
and base on each restart.

Fixes: 0c3e702aca ("RISC-V CPU Helpers")
Signed-off-by: Sebastián Alba Vives <sebasjosue84@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260401053853.10473-1-sebasjosue84@gmail.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
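
The restart behaviour described in the commit above, as an added example that is not QEMU's code: a simplified Sv39-style walker over a constructed three-level table, where the physical layout, `read_pte()`, `walk()` and the `remapped` flag are all assumptions. The simulated A/D update fails once while another vCPU repoints the root entry; the walk then restarts either with `ptshift` and `base` re-initialized or with their stale values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Sv39-style parameters. */
#define PGSHIFT       12
#define LEVELS        3
#define PTIDXBITS     9
#define PTESIZE       8
#define PTE_V         0x1ull
#define PTE_R         0x2ull   /* in this model a readable PTE is a leaf */
#define PTE_PPN_SHIFT 10

/* Constructed physical layout: one page per table. */
#define ROOT_PA    0x1000ull
#define MID_A_PA   0x2000ull   /* tables reachable before the remap */
#define LEAF_A_PA  0x3000ull
#define MID_B_PA   0x4000ull   /* tables reachable after the remap */
#define LEAF_B_PA  0x5000ull
#define DATA_A_PPN 0x80ull
#define DATA_B_PPN 0x90ull

static bool remapped;   /* set when the "other vCPU" repoints the root entry */

static uint64_t ptr_pte(uint64_t table_pa)
{
    return ((table_pa >> PGSHIFT) << PTE_PPN_SHIFT) | PTE_V;
}

static uint64_t leaf_pte(uint64_t ppn)
{
    return (ppn << PTE_PPN_SHIFT) | PTE_V | PTE_R;
}

/* Every slot of a table holds the same entry, which keeps the model small. */
static uint64_t read_pte(uint64_t pte_addr)
{
    switch (pte_addr & ~0xfffull) {
    case ROOT_PA:   return ptr_pte(remapped ? MID_B_PA : MID_A_PA);
    case MID_A_PA:  return ptr_pte(LEAF_A_PA);
    case LEAF_A_PA: return leaf_pte(DATA_A_PPN);
    case MID_B_PA:  return ptr_pte(LEAF_B_PA);
    case LEAF_B_PA: return leaf_pte(DATA_B_PPN);
    default:        return 0;
    }
}

typedef struct {
    uint64_t first_pte_addr;     /* first PTE address read after the restart */
    int      reads_after_restart;
    uint64_t paddr;              /* translated address, 0 on fault */
} WalkResult;

static WalkResult walk(uint64_t vaddr, bool reinit_on_restart)
{
    WalkResult r = {0, 0, 0};
    const uint64_t root = ROOT_PA;
    uint64_t base = root, pte = 0;
    int ptshift = (LEVELS - 1) * PTIDXBITS;
    bool restarted = false;
    int i;

    remapped = false;
restart:
    if (reinit_on_restart) {     /* the fix: start again from the root */
        base = root;
        ptshift = (LEVELS - 1) * PTIDXBITS;
    }
    for (i = 0; i < LEVELS; i++, ptshift -= PTIDXBITS) {
        uint64_t idx, pte_addr;
        if (ptshift < 0) {
            return r;            /* stale state ran out of levels: fault */
        }
        idx = (vaddr >> (PGSHIFT + ptshift)) & ((1ull << PTIDXBITS) - 1);
        pte_addr = base + idx * PTESIZE;
        if (restarted && r.reads_after_restart++ == 0) {
            r.first_pte_addr = pte_addr;
        }
        pte = read_pte(pte_addr);
        if (!(pte & PTE_V)) {
            return r;
        }
        if (pte & PTE_R) {
            break;               /* leaf found; ptshift and base keep their values */
        }
        base = (pte >> PTE_PPN_SHIFT) << PGSHIFT;
    }
    if (i == LEVELS) {
        return r;
    }
    if (!restarted) {            /* simulated failed A/D compare-and-swap */
        restarted = true;
        remapped = true;         /* concurrent change made by another vCPU */
        goto restart;
    }
    r.paddr = ((pte >> PTE_PPN_SHIFT) << PGSHIFT) | (vaddr & 0xfffull);
    return r;
}

int main(void)
{
    const uint64_t va = 0x40403abcull;   /* constructed: VPN[2]=1, VPN[1]=2, VPN[0]=3 */
    WalkResult fixed = walk(va, true), stale = walk(va, false);
    printf("fixed: first=0x%llx reads=%d pa=0x%llx\n",
           (unsigned long long)fixed.first_pte_addr, fixed.reads_after_restart,
           (unsigned long long)fixed.paddr);
    printf("stale: first=0x%llx reads=%d pa=0x%llx\n",
           (unsigned long long)stale.first_pte_addr, stale.reads_after_restart,
           (unsigned long long)stale.paddr);
    return 0;
}
```

In this model the stale restart reads a single PTE from the old leaf table and returns the pre-remap mapping, while the re-initialized restart reads all three levels from the root and sees the new one.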
8 weeks ago hw/riscv/virt-acpi-build.c: Use kvm timer frequency when kvm enabled
Yicong Yang [Wed, 25 Mar 2026 08:13:14 +0000 (16:13 +0800)] 
hw/riscv/virt-acpi-build.c: Use kvm timer frequency when kvm enabled

The timer frequency is decided by the host (kvm) rather than a fixed
RISCV_ACLINT_DEFAULT_TIMEBASE_FREQ on kvm accelerated VM. So build
RHCT with KVM provided timer frequency if KVM is enabled, just like
how we build the timer node on DT based VM.

Fixes: ebfd39289370 ("hw/riscv/virt: virt-acpi-build.c: Add RHCT Table")
Signed-off-by: Yicong Yang <yang.yicong@picoheart.com>
Reviewed-by: Andrew Jones <andrew.jones@oss.qualcomm.com>
Message-ID: <20260325081314.57089-1-yang.yicong@picoheart.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago hw/riscv/riscv-iommu: Add IPSR.PMIP RW1C support
Jay Chang [Wed, 25 Mar 2026 05:00:11 +0000 (13:00 +0800)] 
hw/riscv/riscv-iommu: Add IPSR.PMIP RW1C support

Add proper RW1C (Read/Write 1 to Clear) support for the IPSR.PMIP
(Performance Monitor Interrupt Pending) bit, which was missing from
the IPSR register implementation.

Signed-off-by: Jay Chang <jay.chang@sifive.com>
Reviewed-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Message-ID: <20260325050011.66722-3-jay.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago hw/riscv/riscv-iommu-hpm: Fix irq_overflow_left residual value bug
Jay Chang [Wed, 25 Mar 2026 05:00:10 +0000 (13:00 +0800)] 
hw/riscv/riscv-iommu-hpm: Fix irq_overflow_left residual value bug

Reset irq_overflow_left to 0 before setting up a new timer. Without
this fix, a stale irq_overflow_left value from a previous timer setup
could cause incorrect timer behavior.

Signed-off-by: Jay Chang <jay.chang@sifive.com>
Reviewed-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Message-ID: <20260325050011.66722-2-jay.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago configs/targets: Forbid RISC-V to use legacy native endianness APIs
Philippe Mathieu-Daudé [Wed, 18 Mar 2026 10:31:21 +0000 (11:31 +0100)] 
configs/targets: Forbid RISC-V to use legacy native endianness APIs

All RISC-V related binaries are buildable without a single
use of the legacy "native endian" API. Set the transitional
TARGET_USE_LEGACY_NATIVE_ENDIAN_API definition to forbid
further uses of the legacy API.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318103122.97244-17-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Use MO_LE for instruction fetch
Djordje Todorovic [Wed, 18 Mar 2026 10:31:20 +0000 (11:31 +0100)] 
target/riscv: Use MO_LE for instruction fetch

RISC-V instructions are always little-endian regardless of the data
endianness mode configured via mstatus SBE/MBE/UBE bits.

Currently, instruction fetches in decode_opc() and the page boundary
check use mo_endian(ctx), which returns MO_TE. This happens to work
today because RISC-V targets are little-endian only, but is
semantically incorrect and will break once mo_endian() is updated to
respect runtime data endianness for big-endian support.

Use MO_LE explicitly for all instruction fetch paths. Data memory
operations (AMOs, loads/stores via mxl_memop) continue to use
mo_endian(ctx) as they should respect the configured data endianness.

Not-Signed-off-by: Djordje Todorovic <Djordje.Todorovic@htecgroup.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260311115910.564481-3-djordje.todorovic@htecgroup.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260318103122.97244-16-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Replace MO_TE -> MO_LE
Philippe Mathieu-Daudé [Wed, 18 Mar 2026 10:31:19 +0000 (11:31 +0100)] 
target/riscv: Replace MO_TE -> MO_LE

We only build the RISC-V target using little endianness order,
therefore the MO_TE definitions expand to the little endian
one. Use the latter which is more explicit.

Mechanical change running:

  $ sed -i -e s/MO_TE/MO_LE/ \
        $(git grep -wl MO_TE target/riscv/)

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318103122.97244-15-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Replace MO_TE by mo_endian (Zalasr extension)
Philippe Mathieu-Daudé [Wed, 18 Mar 2026 10:31:18 +0000 (11:31 +0100)] 
target/riscv: Replace MO_TE by mo_endian (Zalasr extension)

Replace compile-time MO_TE evaluation by runtime mo_endian()
one, which expands target endianness from DisasContext.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318103122.97244-14-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Replace MO_TE by mo_endian (Zilsd extension)
Philippe Mathieu-Daudé [Wed, 18 Mar 2026 10:31:17 +0000 (11:31 +0100)] 
target/riscv: Replace MO_TE by mo_endian (Zilsd extension)

Replace compile-time MO_TE evaluation by runtime mo_endian()
one, which expands target endianness from DisasContext.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318103122.97244-13-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Replace MO_TE by mo_endian (MIPS extension)
Philippe Mathieu-Daudé [Wed, 18 Mar 2026 10:31:16 +0000 (11:31 +0100)] 
target/riscv: Replace MO_TE by mo_endian (MIPS extension)

Replace compile-time MO_TE evaluation by runtime mo_endian()
one, which expands target endianness from DisasContext.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318103122.97244-12-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Have gdbstub consider CPU endianness
Philippe Mathieu-Daudé [Wed, 18 Mar 2026 10:31:15 +0000 (11:31 +0100)] 
target/riscv: Have gdbstub consider CPU endianness

Consider CPU endianness when accessing registers.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318103122.97244-11-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Expose mo_endian_env()
Philippe Mathieu-Daudé [Wed, 18 Mar 2026 10:31:14 +0000 (11:31 +0100)] 
target/riscv: Expose mo_endian_env()

Move mo_endian_env() definition to "internals.h" for re-use.
Do not restrict to system emulation only because this will
also be used by user emulation code.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318103122.97244-10-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Simplify riscv_cpu_gdb_write_register()
Philippe Mathieu-Daudé [Wed, 18 Mar 2026 10:31:13 +0000 (11:31 +0100)] 
target/riscv: Simplify riscv_cpu_gdb_write_register()

Use a single ldn() call, sign-extend once.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318103122.97244-9-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Factor tiny ldn() helper in gdbstub
Philippe Mathieu-Daudé [Wed, 18 Mar 2026 10:31:12 +0000 (11:31 +0100)] 
target/riscv: Factor tiny ldn() helper in gdbstub

In preparation of having this helper handle CPU runtime
endianness changes, factor the ldn() helper out.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318103122.97244-8-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Conceal MO_ALIGN|MO_TE within load_acquire / store_release
Philippe Mathieu-Daudé [Wed, 18 Mar 2026 10:31:11 +0000 (11:31 +0100)] 
target/riscv: Conceal MO_ALIGN|MO_TE within load_acquire / store_release

All callers of gen_load_acquire() and gen_store_release() set both
the MO_ALIGN|MO_TE flags. Set them once in each callee.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318103122.97244-7-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Explode MO_TExx -> MO_TE | MO_xx (again)
Philippe Mathieu-Daudé [Wed, 18 Mar 2026 10:31:10 +0000 (11:31 +0100)] 
target/riscv: Explode MO_TExx -> MO_TE | MO_xx (again)

Following commit 73ae67fd4e6, extract the implicit MO_TE
definition in order to replace it.

Mechanical change using:

  $ for n in UW UL UQ UO SW SL SQ; do \
      sed -i -e "s/MO_TE$n/MO_TE | MO_$n/" \
           $(git grep -l MO_TE$n target/riscv); \
    done

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318103122.97244-6-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Remove MTTCG check for x-rv128 CPU model
Frédéric Pétrot [Wed, 18 Mar 2026 10:31:09 +0000 (11:31 +0100)] 
target/riscv: Remove MTTCG check for x-rv128 CPU model

We had to check that mttcg was not used when executing QEMU with
-cpu x-rv128 as a single 128-bit access was done as two distinct
64-bit accesses.
Now that we use the 128-bit ld/st that access the data atomically,
this check is no longer necessary.

Signed-off-by: Frédéric Pétrot <frederic.petrot@univ-grenoble-alpes.fr>
Message-ID: <20260101181442.2489496-3-frederic.petrot@univ-grenoble-alpes.fr>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318103122.97244-5-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Make LQ and SQ use 128-bit ld/st
Frédéric Pétrot [Wed, 18 Mar 2026 10:31:08 +0000 (11:31 +0100)] 
target/riscv: Make LQ and SQ use 128-bit ld/st

The lq and sq helpers for the experimental rv128 architecture
currently use direct memory accesses.
Replace these direct accesses with the standard
tcg_gen_qemu_{ld,st}_i128 TCG helpers that handle endianness
issues.

Reported-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Frédéric Pétrot <frederic.petrot@univ-grenoble-alpes.fr>
Message-ID: <20260101181442.2489496-2-frederic.petrot@univ-grenoble-alpes.fr>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318103122.97244-4-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: Use explicit little-endian LD/ST API
Philippe Mathieu-Daudé [Wed, 18 Mar 2026 10:31:07 +0000 (11:31 +0100)] 
target/riscv: Use explicit little-endian LD/ST API

We only build our RISC-V targets as little-endian, therefore
the LD/ST API expands to its little-endian variant. Directly
use the latter.

Mechanical change running:

  $ for a in uw w l q; do \
      sed -i -e "s/ld${a}_p(/ld${a}_le_p(/" \
        $(git grep -wlE '(ld|st)u?[wlq]_p' target/riscv);
    done

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318103122.97244-3-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago disas: diassemble RISC-V xlrbr (crc32) instructions
Emmanuel Blot [Fri, 20 Mar 2026 13:42:54 +0000 (13:42 +0000)] 
disas: diassemble RISC-V xlrbr (crc32) instructions

Placed in a separate file as a vendor extension.

Signed-off-by: James Wainwright <james.wainwright@lowrisc.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260320134254.217123-4-james.wainwright@lowrisc.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks ago target/riscv: add draft RISC-V Zbr ext as xbr0p93
Emmanuel Blot [Fri, 20 Mar 2026 13:42:53 +0000 (13:42 +0000)] 
target/riscv: add draft RISC-V Zbr ext as xbr0p93

This extension was not ratified with the Zb[abcs] bitmanip extensions.
This is the latest draft version (0.93) as implemented by the Ibex core.

These instructions are in the reserved encoding space but have not been
ratified and could conflict with future ratified instructions. For this
reason they are added as a vendor extension to support Ibex's impl.

Signed-off-by: James Wainwright <james.wainwright@lowrisc.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260320134254.217123-3-james.wainwright@lowrisc.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks agoutil: export CRC32[C] lookup tables
Emmanuel Blot [Fri, 20 Mar 2026 13:42:52 +0000 (13:42 +0000)] 
util: export CRC32[C] lookup tables

These are needed for the xlrbr CRC32 instructions which pre-XOR the data
into the CRC state before the instruction is executed, making the zlib
crc32 and QEMU crc32c implementations inappropriate.

https://github.com/riscv/riscv-bitmanip/releases/download/v0.93/bitmanip-0.93.pdf

Signed-off-by: James Wainwright <james.wainwright@lowrisc.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260320134254.217123-2-james.wainwright@lowrisc.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks agohw/riscv/riscv-iommu: Use standard EN_PRI bit for PRI
Jay Chang [Wed, 25 Mar 2026 01:48:56 +0000 (09:48 +0800)] 
hw/riscv/riscv-iommu: Use standard EN_PRI bit for PRI

Replace the temporary custom extension bit (TC[32]) with the
standard EN_PRI bit defined in RISC-V IOMMU specification.

Signed-off-by: Jay Chang <jay.chang@sifive.com>
Reviewed-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Signed-off-by: Jay Chang <jay.chang@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260325014856.58948-1-jay.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
8 weeks agolinux-user: Flush errors by using exit() instead of _exit() in error path
Helge Deller [Sun, 26 Apr 2026 14:38:40 +0000 (16:38 +0200)] 
linux-user: Flush errors by using exit() instead of _exit() in error path

Similar to previous patch - ensure that we always flush I/O by using
exit() instead of _exit().

Reported by: Tobias Bergkvist <tobias@bergkv.ist>
Reviewed-by: Warner Losh <imp@bsdimp.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2544
Signed-off-by: Helge Deller <deller@gmx.de>
8 weeks agolinux-user: Add missing CDROM ioctls
Helge Deller [Sat, 25 Apr 2026 20:58:12 +0000 (22:58 +0200)] 
linux-user: Add missing CDROM ioctls

Add the missing CDROM ioctls and bring them in same order as
documentation.

Signed-off-by: Helge Deller <deller@gmx.de>
8 weeks agoui/gtk: Turn clipboard flag into runtime option
Jindřich Makovička [Mon, 27 Apr 2026 20:06:44 +0000 (22:06 +0200)] 
ui/gtk: Turn clipboard flag into runtime option

- Compile the GTK clipboard support unconditionally

- Introduce GTK clipboard option, defaulting to off

Signed-off-by: Jindrich Makovicka <makovick@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20260427-gtk-clipboard-v5-2-6968feb31a5d@gmail.com>

8 weeks agoui/gtk: Use non-blocking clipboard retrieval
Jindřich Makovička [Mon, 27 Apr 2026 20:06:43 +0000 (22:06 +0200)] 
ui/gtk: Use non-blocking clipboard retrieval

Signed-off-by: Jindrich Makovicka <makovick@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20260427-gtk-clipboard-v5-1-6968feb31a5d@gmail.com>

8 weeks agoaudio: Use unsigned PCM bias
Akihiko Odaki [Thu, 23 Apr 2026 13:55:23 +0000 (22:55 +0900)] 
audio: Use unsigned PCM bias

Clang warns for the uint32_t clip_ instantiations because HALF cannot be
represented with mixeng_real:

[1115/2559] Compiling C object libqemuaudio.a.p/audio_mixeng.c.o
In file included from ../../qemu/audio/mixeng.c:147:
../../qemu/audio/mixeng_template.h:68:70: warning: implicit conversion from 'unsigned int' to 'float' changes value from 2147483647 to 2147483648 [-Wimplicit-const-int-float-conversion]
   68 |     return ENDIAN_CONVERT((IN_T)((v * ((mixeng_real)IN_MAX / 2.f)) + HALF));
      |            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~
../../qemu/audio/mixeng_template.h:31:22: note: expanded from macro 'HALF'
   31 | #define HALF (IN_MAX >> 1)
      |                      ^
../../qemu/audio/mixeng.c:146:28: note: expanded from macro 'ENDIAN_CONVERT'
  146 | #define ENDIAN_CONVERT(v) (v)
      |                            ^
In file included from ../../qemu/audio/mixeng.c:152:
../../qemu/audio/mixeng_template.h:68:70: warning: implicit conversion from 'unsigned int' to 'float' changes value from 2147483647 to 2147483648 [-Wimplicit-const-int-float-conversion]
   68 |     return ENDIAN_CONVERT((IN_T)((v * ((mixeng_real)IN_MAX / 2.f)) + HALF));
      |            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~
../../qemu/audio/mixeng_template.h:31:22: note: expanded from macro 'HALF'
   31 | #define HALF (IN_MAX >> 1)
      |                      ^
../../qemu/audio/mixeng.c:151:36: note: expanded from macro 'ENDIAN_CONVERT'
  151 | #define ENDIAN_CONVERT(v) bswap32 (v)
      |                           ~~~~~~~~~^~
/Users/person/v/qemu/include/qemu/bswap.h:10:39: note: expanded from macro 'bswap32'
   10 | #define bswap32(_x) __builtin_bswap32(_x)
      |                                       ^~
2 warnings generated.

HALF is not the right value here anyway. IN_MAX is odd, so the integer
sample range has two middle codes. Unsigned PCM normally uses the upper
middle code as the "bias": 0x80, 0x8000, or 0x80000000. HALF is instead
defined as the lower middle code: 0x7f, 0x7fff, or 0x7fffffff.

Replace HALF with BIAS, defined as the upper middle code. This fixes the
warnings, since the value can be exactly represented with mixeng_real.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20260423-audio-v1-3-e1d6b65c76f9@rsg.ci.i.u-tokyo.ac.jp>

8 weeks agoaudio: Clamp unsigned sample conversion
Akihiko Odaki [Thu, 23 Apr 2026 13:55:22 +0000 (22:55 +0900)] 
audio: Clamp unsigned sample conversion

clip_*_uint32_t() returns 0 when v == 1.f because it computes the result
as (IN_T)((v * ((mixeng_real)IN_MAX / 2.f)) + HALF):

- (v * ((mixeng_real)IN_MAX / 2.f)) + HALF == 0x100000000.f, which does
  not fit in uint32_t.
- (v * ((mixeng_real)IN_MAX / 2.f)) == 0x80000000.f
- ((mixeng_real)IN_MAX / 2.f) == 0x80000000.f
- (mixeng_real)IN_MAX == 0x100000000.f because 0xffffffff cannot be
  represented exactly in float.
- HALF == 0x7fffffff, which is implicitly converted to 0x80000000.f.

Clamp the result to avoid the overflow.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20260423-audio-v1-2-e1d6b65c76f9@rsg.ci.i.u-tokyo.ac.jp>

8 weeks agoaudio: Avoid unsigned sample wraparound
Akihiko Odaki [Thu, 23 Apr 2026 13:55:21 +0000 (22:55 +0900)] 
audio: Avoid unsigned sample wraparound

When !defined(SIGNED), nv - HALF will wrap around if nv < HALF because
nv and HALF are unsigned. Fix it by casting nv to mixeng_real, which is
signed.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20260423-audio-v1-1-e1d6b65c76f9@rsg.ci.i.u-tokyo.ac.jp>
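
The three audio commits above (unsigned PCM bias, clamped conversion, unsigned wraparound) describe one float/integer conversion problem in the uint32_t sample path. The C sketch below is an added example, not code from QEMU: IN_MAX, HALF, BIAS, mixeng_real and the clip expression come from the commit messages, while the function names, the scale factor used in the conversion and the shape of the clamp are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

typedef float mixeng_real;           /* as in the commit messages */
#define IN_MAX UINT32_MAX            /* uint32_t instantiation */
#define HALF   (IN_MAX >> 1)         /* 0x7fffffff, lower middle code */
#define BIAS   0x80000000u           /* upper middle code, exact in float */

/* Assumed scale: map the full unsigned range onto [-1, 1]. */
#define TO_REAL (2.f / (mixeng_real)IN_MAX)

/* Before: the subtraction is done in uint32_t, so nv < HALF wraps. */
static mixeng_real conv_wrapping(uint32_t nv)
{
    return (mixeng_real)(nv - HALF) * TO_REAL;
}

/* After: convert to the signed real type first, then remove the bias. */
static mixeng_real conv_fixed(uint32_t nv)
{
    return ((mixeng_real)nv - (mixeng_real)BIAS) * TO_REAL;
}

/* Value of the expression from the commit message just before the
 * (IN_T) cast; 'offset' is HALF or BIAS converted to mixeng_real. */
static mixeng_real clip_real(mixeng_real v, mixeng_real offset)
{
    mixeng_real scaled = v * ((mixeng_real)IN_MAX / 2.f);
    return scaled + offset;
}

/* Clamped conversion (assumed shape): never cast a real value outside
 * [0, 2^32), because that float-to-integer conversion is undefined in C. */
static uint32_t clip_clamped(mixeng_real v)
{
    mixeng_real r = clip_real(v, (mixeng_real)BIAS);

    if (r >= 4294967296.f) {
        return IN_MAX;
    }
    if (!(r > 0.f)) {                /* negative, zero or NaN */
        return 0;
    }
    return (uint32_t)r;
}

int main(void)
{
    /* Silence (code 0) should be close to -1, but wraps to +1. */
    printf("conv_wrapping(0)  = %f\n", conv_wrapping(0));
    printf("conv_fixed(0)     = %f\n", conv_fixed(0));

    /* HALF is not representable: it becomes 2^31, the same as BIAS. */
    printf("(float)HALF       = %.1f\n", (mixeng_real)HALF);

    /* Full-scale input yields 2^32, which does not fit in uint32_t. */
    printf("clip_real(1, HALF) = %.1f\n",
           clip_real(1.f, (mixeng_real)HALF));
    printf("clip_clamped(1)   = 0x%08x\n", (unsigned)clip_clamped(1.f));
    printf("clip_clamped(0)   = 0x%08x\n", (unsigned)clip_clamped(0.f));
    printf("clip_clamped(-1)  = 0x%08x\n", (unsigned)clip_clamped(-1.f));
    return 0;
}
```

Switching from HALF to BIAS alone does not remove the out-of-range value at v == 1.f, because both convert to 2^31 in float; the clamp is what keeps the cast in range.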

8 weeks agoui/dbus: fix warning for clients without "Interfaces" property
Marc-André Lureau [Wed, 22 Apr 2026 13:19:46 +0000 (17:19 +0400)] 
ui/dbus: fix warning for clients without "Interfaces" property

The "Interfaces" property is not strictly required. We can just assume
the peer doesn't implement the given interface. Fix warning:
GLib: g_strv_contains: assertion 'strv != NULL' failed

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
8 weeks agoui/console: move console_handle_touch_event() to input
Marc-André Lureau [Wed, 11 Mar 2026 09:29:56 +0000 (13:29 +0400)] 
ui/console: move console_handle_touch_event() to input

The function uses input.c functions to provide a simpler abstraction for
touch events. Let's move it from the already overloaded console.c, and
to avoid some unnecessary dependency from console.c on input.c.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
8 weeks agoui/console: return completion status from gfx_update callback
Marc-André Lureau [Thu, 5 Mar 2026 12:58:24 +0000 (13:58 +0100)] 
ui/console: return completion status from gfx_update callback

Replace the two-field design (gfx_update void callback + gfx_update_async
flag) with a single bool return value from gfx_update. Returning true
means the update completed synchronously and graphic_hw_update_done()
should be called by the console layer. Returning false means the update
is deferred and the device will call graphic_hw_update_done() itself
later (as done by QXL/SPICE and Apple GFX).

This simplifies the interface and makes the async contract explicit at
each call site rather than relying on a separate struct field.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
8 weeks agoui/console: remove qemu_console_is_visible()
Marc-André Lureau [Fri, 27 Feb 2026 07:19:53 +0000 (08:19 +0100)] 
ui/console: remove qemu_console_is_visible()

Drop the bookkeeping, we can simply afford an empty "foreach".

Notice that dpy_gfx_update_texture() is now called even when there are
no listeners. This is more correct, as the texture is not fully
refreshed when a listener connects, so it may be outdated/garbaged.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
8 weeks agoui: rename init_keyboard_layout->kbd_layout_new()
Marc-André Lureau [Sun, 12 Apr 2026 14:09:09 +0000 (18:09 +0400)] 
ui: rename init_keyboard_layout->kbd_layout_new()

Use a more conventional name.

Suggested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
8 weeks agoui: minor code simplification
Marc-André Lureau [Tue, 3 Mar 2026 21:00:45 +0000 (22:00 +0100)] 
ui: minor code simplification

Drop memset() usage.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
8 weeks agoui: make unregister_displaychangelistener() skip unregistered
Marc-André Lureau [Wed, 25 Feb 2026 13:29:12 +0000 (14:29 +0100)] 
ui: make unregister_displaychangelistener() skip unregistered

If the listener doesn't have an associated ds / display state, it is already
unregistered.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
8 weeks agoui: make qemu_default_pixelformat() static inline
Marc-André Lureau [Mon, 23 Feb 2026 11:29:22 +0000 (12:29 +0100)] 
ui: make qemu_default_pixelformat() static inline

The function is a trivial wrapper around qemu_default_pixman_format()
and qemu_pixelformat_from_pixman(), so make it static inline in
qemu-pixman.h instead of a standalone function in console.c, allowing it to
be easily reused.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
8 weeks agoui: move DisplaySurface functions to display-surface.c
Marc-André Lureau [Mon, 16 Feb 2026 17:41:35 +0000 (18:41 +0100)] 
ui: move DisplaySurface functions to display-surface.c

Extract DisplaySurface creation and destruction functions from console.c
into their own file to reduce the size of console.c and improve code
organization.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
8 weeks agoui: move FONT_WIDTH/HEIGHT to vgafont.h
Marc-André Lureau [Mon, 23 Feb 2026 14:52:23 +0000 (15:52 +0100)] 
ui: move FONT_WIDTH/HEIGHT to vgafont.h

Since those values are related to the VGA font, it makes sense to move
them here.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
8 weeks agoMerge tag 'linux-user-next-pull-request' of https://github.com/hdeller/qemu-hppa...
Stefan Hajnoczi [Mon, 27 Apr 2026 16:57:33 +0000 (12:57 -0400)] 
Merge tag 'linux-user-next-pull-request' of https://github.com/hdeller/qemu-hppa into staging

linux-user: Pull request

This patch series adds myself as linux-user maintainer, and includes some
patches which have piled up for linux-user during the last few weeks.

Please apply.
Thanks!
Helge

* tag 'linux-user-next-pull-request' of https://github.com/hdeller/qemu-hppa:
  linux-user: Flush errors by using exit() instead of _exit() in error path
  linux-user: Use abi_int for imr_ifindex in ip_mreqn struct
  linux-user: Fix CLONE_PARENT_SETTID when using fork-like clone
  linux-user: Add getsockopt() for SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW
  linux-user: Add setsockopt() for SO_RCVTIMEO_NEW and SO_SNDTIMEO_NEW
  linux-user: Define SO_TIMESTAMP*_NEW and SO_RCVTIMEIO_NEW
  linux-user/mips: sync k0 TLS for EF_MIPS_MACH_OCTEON userlands
  linux-user/strace: Use pointer type for read and write values
  linux-user/arm/nwfpe: Use thread-local storage for qemufpa
  linux-user/arm/nwfpe: Replace user_registers with current_cpu
  linux-user: Don't define target_stat64 struct for loongarch64
  linux-user: fix off-by-one in host_to_target_for_each_rtattr()
  linux-user/ppc: Fix ppc64 rt_sigframe stack offset
  MAINTAINERS: Add myself as maintainer for linux-user

[I have confirmed with Laurent, the current maintainer, that he would
like Helge to help.
-- Stefan]
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Conflicts:
  MAINTAINERS
  Pierrick's email address changed.

8 weeks agoMerge tag 'pull-target-arm-20260427' of https://gitlab.com/pm215/qemu into staging
Stefan Hajnoczi [Mon, 27 Apr 2026 15:45:45 +0000 (11:45 -0400)] 
Merge tag 'pull-target-arm-20260427' of https://gitlab.com/pm215/qemu into staging

target-arm queue:
docs/system: add FEAT_AA32 and FEAT_AA64 to emulation list
hw/arm: Add the i.MX 8MM EVK(Evaluation Kit) board
target/arm: Build M-profile helper code once only
hw/arm: Remove hw_error() for the unimplemented CM_LMBUSCNT register
hw: Move ARM_SYSCTL_GPIO definitions to arm sysctl specific header
target/arm: Allow 'aarch64=off' to be set for TCG CPUs
target/arm: Allow some sysregs to not have to be an exact match for migration
hw/arm/raspi4b: NOP all DTB nodes when removing unimplemented devices
hw/arm/fsl-imx6ul: Implement LCDIF display device
target/arm: Refactor syndrome value code to use registerfields
target/arm: Report the register in WFxT syndromes

# gpg: Signature made Mon 27 Apr 2026 08:46:29 EDT
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [full]
# gpg:                 aka "Peter Maydell <peter@archaic.org.uk>" [unknown]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20260427' of https://gitlab.com/pm215/qemu: (63 commits)
  target/arm: report register in WFIT syndromes
  target/arm: remove old syndrome defines
  target/arm: use syndrome helpers to query VNCR bit
  target/arm: use syndrome helpers in merge_syn_data_abort
  target/arm: make hvf use syndrome helpers for decode
  target/arm: make whpx use syndrome helpers for decode
  target/arm: use syndrome helpers to set SAME_EL EC bit
  target/arm: use syndrome helpers in arm_cpu_do_interrupt_aarch32_hyp
  target/arm: migrate check_hcr_el2_trap to use syndrome helper
  target/arm: migrate memory op syndromes to registerfields
  target/arm: migrate gcs syndromes to registerfields
  target/arm: migrate wfx syndromes to registerfields
  target/arm: migrate debug syndromes to registerfields
  target/arm: migrate fault syndromes to registerfields
  target/arm: migrate Granule Protection traps to registerfields
  target/arm: migrate BXJ trap syndromes to registerfields
  target/arm: migrate BTI trap syndromes to registerfields
  target/arm: migrate PAC trap syndromes to registerfields
  target/arm: migrate SME trap syndromes to registerfields
  target/arm: migrate eret trap syndromes to registerfields
  ...

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
8 weeks agoMerge tag 'pull-request-2026-04-27' of https://gitlab.com/thuth/qemu into staging
Stefan Hajnoczi [Mon, 27 Apr 2026 15:45:10 +0000 (11:45 -0400)] 
Merge tag 'pull-request-2026-04-27' of https://gitlab.com/thuth/qemu into staging

* Bump the minimum GCC version to v10.4
* Make SMM code ready for the QEMU universal binary
* Convert TABs to spaces according to QEMU's coding style
* Fix use of pthread_get_name_np on OpenBSD
* Silence some warnings from pylint in the functional tests
* Fix a regression in the "register-array" device
* malloc cleanups

# gpg: Signature made Mon 27 Apr 2026 05:52:41 EDT
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* tag 'pull-request-2026-04-27' of https://gitlab.com/thuth/qemu:
  tests/functional/ppc/test_ppe42: Fix warning from the latest version of pylint
  target/xtensa: Replace malloc() with g_strdup_printf()
  hw/i386/fw_cfg: Use g_new() and g_new0() instead of g_malloc()
  hw/core/register: add register_array_get_owner
  tests/functional/qemu_test: Silence warnings from pylint in tesseract.py
  util: fix use of pthread_get_name_np on OpenBSD
  target: convert TABS indentation to spaces for consistency
  target/i386/tcg/sysemu: Allow 32-bit SMM code to be used in the 64-bit binary
  target/i386/tcg/sysemu: Move target specific SMM code to separate functions
  meson.build: Bump the minimum GCC version to v10.4

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
8 weeks agotarget/arm: report register in WFIT syndromes
Alex Bennée [Wed, 22 Apr 2026 12:52:40 +0000 (13:52 +0100)] 
target/arm: report register in WFIT syndromes

Pass the register number (rd) to the wfit helper and report it in the
syndrome ISS.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20260422125250.1303100-24-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 weeks agotarget/arm: remove old syndrome defines
Alex Bennée [Wed, 22 Apr 2026 12:52:39 +0000 (13:52 +0100)] 
target/arm: remove old syndrome defines

Now everything is defined with registerfields we can drop the old
defines.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20260422125250.1303100-23-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 weeks agotarget/arm: use syndrome helpers to query VNCR bit
Alex Bennée [Wed, 22 Apr 2026 12:52:38 +0000 (13:52 +0100)] 
target/arm: use syndrome helpers to query VNCR bit

These are only valid for data abort syndromes.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20260422125250.1303100-22-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 weeks agotarget/arm: use syndrome helpers in merge_syn_data_abort
Alex Bennée [Wed, 22 Apr 2026 12:52:37 +0000 (13:52 +0100)] 
target/arm: use syndrome helpers in merge_syn_data_abort

One more step to removing the old defines.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20260422125250.1303100-21-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 weeks agotarget/arm: make hvf use syndrome helpers for decode
Alex Bennée [Wed, 22 Apr 2026 12:52:36 +0000 (13:52 +0100)] 
target/arm: make hvf use syndrome helpers for decode

Rather than open coding a bunch of shifts and masks we can use the
syndrome definitions.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260422125250.1303100-20-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 weeks agotarget/arm: make whpx use syndrome helpers for decode
Alex Bennée [Wed, 22 Apr 2026 12:52:35 +0000 (13:52 +0100)] 
target/arm: make whpx use syndrome helpers for decode

Rather than open coding a bunch of shifts and masks we can use the
syndrome definitions. While we are at it assert it really is an
EC_DATAABORT.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20260422125250.1303100-19-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 weeks agotarget/arm: use syndrome helpers to set SAME_EL EC bit
Alex Bennée [Wed, 22 Apr 2026 12:52:34 +0000 (13:52 +0100)] 
target/arm: use syndrome helpers to set SAME_EL EC bit

This removes the last use of ARM_EL_EC_SHIFT.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20260422125250.1303100-18-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 weeks agotarget/arm: use syndrome helpers in arm_cpu_do_interrupt_aarch32_hyp
Alex Bennée [Wed, 22 Apr 2026 12:52:33 +0000 (13:52 +0100)] 
target/arm: use syndrome helpers in arm_cpu_do_interrupt_aarch32_hyp

One more step towards dropping the old #defines.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20260422125250.1303100-17-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 weeks agotarget/arm: migrate check_hcr_el2_trap to use syndrome helper
Alex Bennée [Wed, 22 Apr 2026 12:52:32 +0000 (13:52 +0100)] 
target/arm: migrate check_hcr_el2_trap to use syndrome helper

It shares the same COPROC_ISS encoding as the other CP traps although
not all the fields are used.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20260422125250.1303100-16-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 weeks agotarget/arm: migrate memory op syndromes to registerfields
Alex Bennée [Wed, 22 Apr 2026 12:52:31 +0000 (13:52 +0100)] 
target/arm: migrate memory op syndromes to registerfields

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20260422125250.1303100-15-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8 weeks agotarget/arm: migrate gcs syndromes to registerfields
Alex Bennée [Wed, 22 Apr 2026 12:52:30 +0000 (13:52 +0100)] 
target/arm: migrate gcs syndromes to registerfields

Tweak arg names to make it clear raddr is the data address register
number.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20260422125250.1303100-14-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>