3 months agoio-uring: Resubmit tails of short writes
Hanna Czenczek [Tue, 24 Mar 2026 08:43:36 +0000 (09:43 +0100)] 
io-uring: Resubmit tails of short writes

Short writes can happen, too, not just short reads.  The difference to
aio=native is that the kernel will actually retry the tail of short
requests internally already -- so it is harder to reproduce.  But if the
tail of a short request returns an error to the kernel, we will see it
in userspace still.  To reproduce this, apply the following patch on top
of the one shown in HEAD^ (again %s/escaped // to apply):

escaped diff --git a/block/export/fuse.c b/block/export/fuse.c
escaped index 67dc50a412..2b98489a32 100644
escaped --- a/block/export/fuse.c
escaped +++ b/block/export/fuse.c
@@ -1059,8 +1059,15 @@ fuse_co_read(FuseExport *exp, void **bufptr, uint64_t offset, uint32_t size)
     int64_t blk_len;
     void *buf;
     int ret;
+    static uint32_t error_size;

-    size = MIN(size, 4096);
+    if (error_size == size) {
+        error_size = 0;
+        return -EIO;
+    } else if (size > 4096) {
+        error_size = size - 4096;
+        size = 4096;
+    }

     /* Limited by max_read, should not happen */
     if (size > FUSE_MAX_READ_BYTES) {
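Review bot: The fault injection in fuse_co_read keys on a function-local `static uint32_t error_size` that starts at 0, so a zero-length request would match `error_size == size` and get -EIO before any request has been truncated; the guard is safer as `if (error_size != 0 && error_size == size) {`. The static is also shared by every export and every in-flight request, so with concurrent I/O the error can land on an unrelated request of the same size rather than on the resubmitted tail. A comment such as `/* test-only: fail the tail of the request truncated just before; assumes one request in flight */` would record that assumption. The fuse_co_write hunk that follows has the same pattern, and both function bodies continue outside the hunks.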
@@ -1111,8 +1118,15 @@ fuse_co_write(FuseExport *exp, struct fuse_write_out *out,
 {
     int64_t blk_len;
     int ret;
+    static uint32_t error_size;

-    size = MIN(size, 4096);
+    if (error_size == size) {
+        error_size = 0;
+        return -EIO;
+    } else if (size > 4096) {
+        error_size = size - 4096;
+        size = 4096;
+    }

     QEMU_BUILD_BUG_ON(FUSE_MAX_WRITE_BYTES > BDRV_REQUEST_MAX_BYTES);
     /* Limited by max_write, should not happen */

I know this is a bit artificial because to produce this, there must be
an I/O error somewhere anyway, but if it does happen, qemu will
understand it to mean ENOSPC for short writes, which is incorrect.  So I
believe we need to resubmit the tail to maybe have it succeed now, or at
least get the correct error code.

Reproducer as before:
$ ./qemu-img create -f raw test.raw 8k
Formatting 'test.raw', fmt=raw size=8192
$ ./qemu-io -f raw -c 'write -P 42 0 8k' test.raw
wrote 8192/8192 bytes at offset 0
8 KiB, 1 ops; 00.00 sec (64.804 MiB/sec and 8294.9003 ops/sec)
$ hexdump -C test.raw
00000000  2a 2a 2a 2a 2a 2a 2a 2a  2a 2a 2a 2a 2a 2a 2a 2a  |****************|
*
00002000
$ storage-daemon/qemu-storage-daemon \
    --blockdev file,node-name=test,filename=test.raw \
    --export fuse,id=exp,node-name=test,mountpoint=test.raw,writable=true

$ ./qemu-io --image-opts -c 'read -P 23 0 8k' \
    driver=file,filename=test.raw,cache.direct=on,aio=io_uring
read 8192/8192 bytes at offset 0
8 KiB, 1 ops; 00.00 sec (58.481 MiB/sec and 7485.5342 ops/sec)
$ ./qemu-io --image-opts -c 'write -P 23 0 8k' \
    driver=file,filename=test.raw,cache.direct=on,aio=io_uring
write failed: No space left on device
$ hexdump -C test.raw
00000000  17 17 17 17 17 17 17 17  17 17 17 17 17 17 17 17  |................|
*
00001000  2a 2a 2a 2a 2a 2a 2a 2a  2a 2a 2a 2a 2a 2a 2a 2a  |****************|
*
00002000

So short reads already work (because there is code for that), but short
writes incorrectly produce ENOSPC.  This patch fixes that by
resubmitting not only the tail of short reads but short writes also.

(And this patch uses the opportunity to make it so qemu_iovec_destroy()
is called only if req->resubmit_qiov.iov is non-NULL.  Functionally a
no-op, but this is how the code generally checks whether the
resubmit_qiov has been set up or not.)

Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260324084338.37453-4-hreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
3 months agoUpdate version for v11.0.0-rc1 release v11.0.0-rc1
Peter Maydell [Tue, 24 Mar 2026 18:37:34 +0000 (18:37 +0000)] 
Update version for v11.0.0-rc1 release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agolinux-aio: Resubmit tails of short reads/writes
Hanna Czenczek [Tue, 24 Mar 2026 08:43:35 +0000 (09:43 +0100)] 
linux-aio: Resubmit tails of short reads/writes

Short reads/writes can happen.  One way to reproduce them is via our
FUSE export, with the following diff applied (%s/escaped // to apply --
if you put plain diffs in commit messages, git-am will apply them, and I
would rather avoid breaking FUSE accidentally via this patch):

escaped diff --git a/block/export/fuse.c b/block/export/fuse.c
escaped index a2a478d293..67dc50a412 100644
escaped --- a/block/export/fuse.c
escaped +++ b/block/export/fuse.c
@@ -828,7 +828,7 @@ static ssize_t coroutine_fn GRAPH_RDLOCK
 fuse_co_init(FuseExport *exp, struct fuse_init_out *out,
              const struct fuse_init_in_compat *in)
 {
-    const uint32_t supported_flags = FUSE_ASYNC_READ | FUSE_ASYNC_DIO;
+    const uint32_t supported_flags = FUSE_ASYNC_READ;

     if (in->major != 7) {
         error_report("FUSE major version mismatch: We have 7, but kernel has %"
@@ -1060,6 +1060,8 @@ fuse_co_read(FuseExport *exp, void **bufptr, uint64_t offset, uint32_t size)
     void *buf;
     int ret;

+    size = MIN(size, 4096);
+
     /* Limited by max_read, should not happen */
     if (size > FUSE_MAX_READ_BYTES) {
         return -EINVAL;
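Review bot: Clamping with `size = MIN(size, 4096);` ahead of the `size > FUSE_MAX_READ_BYTES` check makes the -EINVAL path unreachable whenever that limit is at least 4096 (its value is not visible here), so an oversized request is silently shortened instead of rejected. Placing the clamp after the limit check keeps the validation exercised while still producing short I/O, and a comment like `/* test-only: force short reads to exercise resubmission */` would mark it as a reproducer. The fuse_co_write hunk has the same ordering with FUSE_MAX_WRITE_BYTES. fuse_co_read's body continues outside the hunk.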
@@ -1110,6 +1112,8 @@ fuse_co_write(FuseExport *exp, struct fuse_write_out *out,
     int64_t blk_len;
     int ret;

+    size = MIN(size, 4096);
+
     QEMU_BUILD_BUG_ON(FUSE_MAX_WRITE_BYTES > BDRV_REQUEST_MAX_BYTES);
     /* Limited by max_write, should not happen */
     if (size > FUSE_MAX_WRITE_BYTES) {

Then:
$ ./qemu-img create -f raw test.raw 8k
Formatting 'test.raw', fmt=raw size=8192
$ ./qemu-io -f raw -c 'write -P 42 0 8k' test.raw
wrote 8192/8192 bytes at offset 0
8 KiB, 1 ops; 00.00 sec (64.804 MiB/sec and 8294.9003 ops/sec)
$ hexdump -C test.raw
00000000  2a 2a 2a 2a 2a 2a 2a 2a  2a 2a 2a 2a 2a 2a 2a 2a  |****************|
*
00002000

With aio=threads, short I/O works:
$ storage-daemon/qemu-storage-daemon \
    --blockdev file,node-name=test,filename=test.raw \
    --export fuse,id=exp,node-name=test,mountpoint=test.raw,writable=true

Other shell:
$ ./qemu-io --image-opts -c 'read -P 42 0 8k' \
    driver=file,filename=test.raw,cache.direct=on,aio=threads
read 8192/8192 bytes at offset 0
8 KiB, 1 ops; 00.00 sec (36.563 MiB/sec and 4680.0923 ops/sec)
$ ./qemu-io --image-opts -c 'write -P 23 0 8k' \
    driver=file,filename=test.raw,cache.direct=on,aio=threads
wrote 8192/8192 bytes at offset 0
8 KiB, 1 ops; 00.00 sec (35.995 MiB/sec and 4607.2970 ops/sec)
$ hexdump -C test.raw
00000000  17 17 17 17 17 17 17 17  17 17 17 17 17 17 17 17  |................|
*
00002000

But with aio=native, it does not:
$ ./qemu-io --image-opts -c 'read -P 23 0 8k' \
    driver=file,filename=test.raw,cache.direct=on,aio=native
Pattern verification failed at offset 0, 8192 bytes
read 8192/8192 bytes at offset 0
8 KiB, 1 ops; 00.00 sec (86.155 MiB/sec and 11027.7900 ops/sec)
$ ./qemu-io --image-opts -c 'write -P 42 0 8k' \
    driver=file,filename=test.raw,cache.direct=on,aio=native
write failed: No space left on device
$ hexdump -C test.raw
00000000  2a 2a 2a 2a 2a 2a 2a 2a  2a 2a 2a 2a 2a 2a 2a 2a  |****************|
*
00001000  17 17 17 17 17 17 17 17  17 17 17 17 17 17 17 17  |................|
*
00002000

This patch fixes that.

Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260324084338.37453-3-hreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
3 months agolinux-aio: Put all parameters into qemu_laiocb
Hanna Czenczek [Tue, 24 Mar 2026 08:43:34 +0000 (09:43 +0100)] 
linux-aio: Put all parameters into qemu_laiocb

Put all request parameters into the qemu_laiocb struct, which will allow
re-submitting the tail of short reads/writes.

Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-ID: <20260324084338.37453-2-hreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
3 months agoblock/curl: free s->password in cleanup paths
GuoHan Zhao [Fri, 20 Mar 2026 06:30:16 +0000 (14:30 +0800)] 
block/curl: free s->password in cleanup paths

When password-secret is used, curl_open() resolves it with
qcrypto_secret_lookup_as_utf8() and stores the returned buffer in
s->password.

Unlike s->proxypassword, s->password is not freed either in the open
failure path or in curl_close(), so the resolved secret leaks once it
has been allocated.

Free s->password in both cleanup paths.

Fixes: 1bff96064290 ('curl: add support for HTTP authentication parameters')
Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
Message-ID: <20260320063016.262954-1-zhaoguohan_salmon@163.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
3 months agoMerge tag 'pull-target-arm-20260324' of https://gitlab.com/pm215/qemu into staging
Peter Maydell [Tue, 24 Mar 2026 15:14:12 +0000 (15:14 +0000)] 
Merge tag 'pull-target-arm-20260324' of https://gitlab.com/pm215/qemu into staging

target-arm queue:
 * linux-user/i386/signal.c: Correct definition of target_fpstate_32
 * hw/dma/pl080: Fix transfer logic in PL080
 * hw/arm/smmuv3-accel: Switch to OnOffAuto properties
 * qemu-options.hx: Document arm-smmuv3 device's accel properties

# -----BEGIN PGP SIGNATURE-----
#
# iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmnCqXcZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3iVhD/9SpxvYu22WidW7vO0g0Zct
# tEtSbEPO8BhXrJywEVlSMKUUQab8+eJLohftN+uLMIIEB81gWMqL6jZDA54Jk2dZ
# Pb1QiZ7CKLo52VYmZQLqgDCk/i8E71BxFGXadBQLVWIc0K8uNc0CY/1UgkyYyMSn
# eJcF4CuDjxs5cwYQwgLEQTweAH1Ki6LH+FQQWndp6LilpYXI9prFtvELtrMS7ow1
# xaUBf1FRKuJx3Dmi1QLvLGGK5c6gNu2Fbjb/l2xWeSSLG8dOx8NrmOaV3gLKlT7n
# uwZMGfWJ5HNQNfBdVmGaqu8ymYuxaEW6u9Iz8s8uLew4TJNTfuiQ5MOhS6bQULrG
# a21M13CYOjT3pSCZ647f9YI1roRonu2Q309B0ZJS8i5bG0pLpoUWLjcaF6yKYiXl
# Vifjfb2ffVnCu0XsVPDi4b/O9wJCsRNQ2L8GrCryXWmKOUbtBGw3A9Ybe6phiYkk
# 5pZYp97JPF8bwri8tnSoqjh6NseGhGSmG+qPP1I9RJ7vVPIEu+AaTT5o8byUOQPH
# xwyJYZSc1EdlgsMMwJIZ5lKW5y3RfKGVpeBnedItOC6vmrOP5kwlUZ5ZPe/PEYfR
# cG4xMKdBXq00ehGmnLsdOTnovwiDrvByoMJBXY9e6nA8tVuJlVHA5wHOsh+BvJzI
# NezPKYi5fY7KhkESB+3adQ==
# =lN4U
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue Mar 24 15:10:47 2026 GMT
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# gpg:                 aka "Peter Maydell <peter@archaic.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20260324' of https://gitlab.com/pm215/qemu:
  qemu-options.hx: Document arm-smmuv3 device's accel properties
  hw/arm/smmuv3-accel: Change "oas" property type to OasMode
  qdev: Add an OasMode property type
  hw/arm/smmuv3-accel: Change "ssidsize" property type to SsidSizeMode
  qdev: Add a SsidSizeMode property type
  hw/arm/smmuv3-accel: Change "ril" property type to OnOffAuto
  hw/arm/smmuv3-accel: Change "ats" property type to OnOffAuto
  hw/arm/smmuv3-accel: Check ATS compatibility between host and guest
  hw/dma/pl080: Fix transfer logic in PL080
  linux-user/i386/signal.c: Correct definition of target_fpstate_32
  target/arm: fix s2prot not set for two-stage PMSA translations

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agoMerge tag 'pull-aspeed-20260324' of https://github.com/legoater/qemu into staging
Peter Maydell [Tue, 24 Mar 2026 15:14:04 +0000 (15:14 +0000)] 
Merge tag 'pull-aspeed-20260324' of https://github.com/legoater/qemu into staging

aspeed queue:

* Rework Aspeed SMC mem ops to improve error handling
* Fix race in Aspeed I2C model
* Disable kernel crypto self-tests in AST2700 boot tests

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEoPZlSPBIlev+awtgUaNDx8/77KEFAmnChl4ACgkQUaNDx8/7
# 7KGAMg//Q/omDX+VVqLX9loRiM5uA3q7PIt58cED/h9zJK2OP7xLgGzGTfU2RQxW
# bqLA69PNueIdxJP4+0Y1VOvTs9cW1YJ73RX7kEH7PgQyQrWNCw7ZG7wlZiemljcN
# PqPwBm0UKfwlZnAKFiY/43/UnOxB06pFHreQSNtNK0D3EXpRQ7D7BjMI/yYN56hG
# 1RKvVV3WFk9NZP1W4ewf/5XevY2KRiY1NLokQmV8NCZntT6EVYpdwSW9P/l8kQrX
# TJf7VRwoToNjJ2yASJ5MvWFr0lucqtV8XHC2bXqFQJiIKe8dhNuo8gVr7bHvSNrd
# EWHdsW3cNnyUVhwtQAOEweag+S5K5r1+CNsxl4nJZK13dN+/ztfct7tnKqnV7Nsz
# LKTJ4dS7h3WzLtbSKk58uQJdRo66jX/1VmtlCGD8iUjRhGIjIlXqGrV2iEWR5oZI
# fsk83fIhBp5BF1IH7mrPicWFIy3oKVedbLK6eThaD3VsXcezitUaG5Se3ryzpBZE
# mJpm0NQD7YKwyon9koLwUbjAcY/FIx1i5VnYkvc0+8E10VONP5sI0UEaFr5zKhAJ
# UwF2T+odh3orRkEqcKQ0gc/TmKYkfqp9ecJrvFlu3o2w5hd+6DUpndfgvFIb/DEl
# i99acUCLcHhJfjVlAKls+5R1alV/4wqf9ERlcjgQKrD8lTXY0mA=
# =LI3x
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue Mar 24 12:41:02 2026 GMT
# gpg:                using RSA key A0F66548F04895EBFE6B0B6051A343C7CFFBECA1
# gpg: Good signature from "Cédric Le Goater <clg@redhat.com>" [full]
# gpg:                 aka "Cédric Le Goater <clg@kaod.org>" [full]
# Primary key fingerprint: A0F6 6548 F048 95EB FE6B  0B60 51A3 43C7 CFFB ECA1

* tag 'pull-aspeed-20260324' of https://github.com/legoater/qemu:
  hw/i2c/aspeed_i2c: Remove assert
  hw/ssi/aspeed_smc: Convert mem ops to read/write_with_attrs for error handling
  tests/functional/aarch64/test_aspeed: Disable kernel crypto self-tests in AST2700 boot tests
  MAINTAINERS: Add Kane Chen as reviewer for Aspeed machines
  hw/i2c/aspeed: fix lost interrupts on back-to-back commands

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agoMerge tag 's390x-20260324' of https://gitlab.com/cohuck/qemu into staging
Peter Maydell [Tue, 24 Mar 2026 15:13:52 +0000 (15:13 +0000)] 
Merge tag 's390x-20260324' of https://gitlab.com/cohuck/qemu into staging

s390x maintainer and mailmap updates

# -----BEGIN PGP SIGNATURE-----
#
# iIgEABYKADAWIQRpo7U29cv8ZSCAJsHeiLtWQd5mwQUCacKAvBIcY29odWNrQHJl
# ZGhhdC5jb20ACgkQ3oi7VkHeZsE0xAEAmTo6hXLZS9uOsZ/fvKBPkmKFP4JptdLA
# JrIZp1BqOEMBAP6XoTzHg60UcimvnAtAquyMlw/GNAbJh/5pk1kC/2oJ
# =IX9E
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue Mar 24 12:17:00 2026 GMT
# gpg:                using EDDSA key 69A3B536F5CBFC65208026C1DE88BB5641DE66C1
# gpg:                issuer "cohuck@redhat.com"
# gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>" [marginal]
# gpg:                 aka "Cornelia Huck <huckc@linux.vnet.ibm.com>" [full]
# gpg:                 aka "Cornelia Huck <cornelia.huck@de.ibm.com>" [full]
# gpg:                 aka "Cornelia Huck <cohuck@kernel.org>" [marginal]
# gpg:                 aka "Cornelia Huck <cohuck@redhat.com>" [marginal]
# gpg: WARNING: The key's User ID is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0  18CE DECF 6B93 C6F0 2FAF
#      Subkey fingerprint: 69A3 B536 F5CB FC65 2080  26C1 DE88 BB56 41DE 66C1

* tag 's390x-20260324' of https://gitlab.com/cohuck/qemu:
  mailmap: Update email for Nina Schoetterl-Glausch
  MAINTAINERS: S390 CPU topology: Change maintainer

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agoqemu-options.hx: Document arm-smmuv3 device's accel properties
Nathan Chen [Tue, 24 Mar 2026 14:02:30 +0000 (14:02 +0000)] 
qemu-options.hx: Document arm-smmuv3 device's accel properties

Document arm-smmuv3 properties for setting HW-acceleration,
Range Invalidation, and Address Translation Services support, as
well as setting Output Address size and Substream ID size.

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Shameer Kolothum <skolothumtho@nvidia.com>
Tested-by: Shameer Kolothum <skolothumtho@nvidia.com>
Signed-off-by: Nathan Chen <nathanc@nvidia.com>
Message-id: 20260323182454.1416110-9-nathanc@nvidia.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agohw/arm/smmuv3-accel: Change "oas" property type to OasMode
Nathan Chen [Tue, 24 Mar 2026 14:02:30 +0000 (14:02 +0000)] 
hw/arm/smmuv3-accel: Change "oas" property type to OasMode

Change accel SMMUv3 OAS property from uint8_t to OasMode. The
'auto' value is not implemented, as this commit is meant to
set the property to the correct type and avoid breaking JSON/QMP
when the auto mode is introduced. A future patch will implement
resolution of 'auto' value to match the host SMMUv3 OAS value.

The conversion of the "oas" property type to OnOffAuto is an
incompatible change for JSON/QMP when a uint8_t value is expected for
"oas", but this property is new in 11.0 and this patch is
submitted as a fix to the property type.

Fixes: a015ac990fd3 ("hw/arm/smmuv3-accel: Add property to specify OAS bits")
Tested-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Shameer Kolothum <skolothumtho@nvidia.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Shameer Kolothum <skolothumtho@nvidia.com>
Acked-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Nathan Chen <nathanc@nvidia.com>
Message-id: 20260323182454.1416110-8-nathanc@nvidia.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agoqdev: Add an OasMode property type
Nathan Chen [Tue, 24 Mar 2026 14:02:29 +0000 (14:02 +0000)] 
qdev: Add an OasMode property type

Introduce a new enum property type that allows setting an Output Address
Size. Values are auto, 32, 36, 40, 42, 44, 48, 52, and 56, where a
value of N specifies an N-bit OAS.

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Shameer Kolothum <skolothumtho@nvidia.com>
Acked-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Nathan Chen <nathanc@nvidia.com>
Message-id: 20260323182454.1416110-7-nathanc@nvidia.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agohw/arm/smmuv3-accel: Change "ssidsize" property type to SsidSizeMode
Nathan Chen [Tue, 24 Mar 2026 14:02:29 +0000 (14:02 +0000)] 
hw/arm/smmuv3-accel: Change "ssidsize" property type to SsidSizeMode

Change accel SMMUv3 SSIDSIZE property from uint8_t to SsidSizeMode.
The 'auto' value is not implemented, as this commit is meant to set the
property to the correct type and avoid breaking JSON/QMP when the auto
mode is introduced. A future patch will implement resolution of 'auto'
value to match the host SMMUv3 SSIDSIZE value.

The conversion of the "ssidsize" property type to OnOffAuto is an
incompatible change for JSON/QMP when a uint8_t value is expected for
"ssidsize", but this property is new in 11.0 and this patch is
submitted as a fix to the property type.

Fixes: b8c6f8a69d27 ("hw/arm/smmuv3-accel: Make SubstreamID support configurable")
Tested-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Shameer Kolothum <skolothumtho@nvidia.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Shameer Kolothum <skolothumtho@nvidia.com>
Acked-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Nathan Chen <nathanc@nvidia.com>
Message-id: 20260323182454.1416110-6-nathanc@nvidia.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agoqdev: Add a SsidSizeMode property type
Nathan Chen [Tue, 24 Mar 2026 14:02:29 +0000 (14:02 +0000)] 
qdev: Add a SsidSizeMode property type

Introduce a new enum property type that allows setting a Substream ID size
for HW-accelerated smmuv3. Values are auto and 0..20. The auto value
allows the SSID size property to be derived from host IOMMU capabilities.
A value of 0 disables SubstreamID, while non-zero values specify the
SSID size in bits.

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Shameer Kolothum <skolothumtho@nvidia.com>
Acked-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Nathan Chen <nathanc@nvidia.com>
Message-id: 20260323182454.1416110-5-nathanc@nvidia.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agohw/arm/smmuv3-accel: Change "ril" property type to OnOffAuto
Nathan Chen [Tue, 24 Mar 2026 14:02:29 +0000 (14:02 +0000)] 
hw/arm/smmuv3-accel: Change "ril" property type to OnOffAuto

Change accel SMMUv3 RIL property from bool to OnOffAuto. The 'auto'
value is not implemented, as this commit is meant to set the property
to the correct type and avoid breaking JSON/QMP when the auto mode is
introduced. A future patch will implement resolution of the 'auto'
value to match the host SMMUv3 RIL support.

The conversion of the RIL property type to OnOffAuto is an
incompatible change for JSON/QMP when a bool value is expected for
"ril", but the "ril" property is new in 11.0 and this patch is
submitted as a fix to the property type.

Fixes: bd715ff5bda9 ("hw/arm/smmuv3-accel: Add a property to specify RIL support")
Tested-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Shameer Kolothum <skolothumtho@nvidia.com>
Tested-by: Shameer Kolothum <skolothumtho@nvidia.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Acked-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Nathan Chen <nathanc@nvidia.com>
Message-id: 20260323182454.1416110-4-nathanc@nvidia.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agohw/arm/smmuv3-accel: Change "ats" property type to OnOffAuto
Nathan Chen [Tue, 24 Mar 2026 14:02:29 +0000 (14:02 +0000)] 
hw/arm/smmuv3-accel: Change "ats" property type to OnOffAuto

Change accel SMMUv3 ATS property from bool to OnOffAuto. The 'auto'
value is not implemented, as this commit is meant to set the property
to the correct type and avoid breaking JSON/QMP when the auto mode is
introduced. A future patch will implement resolution of the 'auto'
value to match the host SMMUv3 ATS support.

The conversion of the ATS property type to OnOffAuto is an
incompatible change for JSON/QMP when a bool value is expected for
"ats", but the "ats" property is new in 11.0 and this patch is
submitted as a fix to the property type.

Fixes: f7f5013a55a3 ("hw/arm/smmuv3-accel: Add support for ATS")
Tested-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Shameer Kolothum <skolothumtho@nvidia.com>
Tested-by: Shameer Kolothum <skolothumtho@nvidia.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Acked-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Nathan Chen <nathanc@nvidia.com>
Message-id: 20260323182454.1416110-3-nathanc@nvidia.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agohw/arm/smmuv3-accel: Check ATS compatibility between host and guest
Nathan Chen [Tue, 24 Mar 2026 14:02:29 +0000 (14:02 +0000)] 
hw/arm/smmuv3-accel: Check ATS compatibility between host and guest

Compare the host SMMUv3 ATS support bit with the guest SMMUv3 ATS support
bit in IDR0 and fail the compatibility check if ATS support is enabled
on the guest SMMUv3 when it is not supported on the host SMMUv3.

Fixes: f7f5013a55a3 ("hw/arm/smmuv3-accel: Add support for ATS")
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Shameer Kolothum <skolothumtho@nvidia.com>
Tested-by: Shameer Kolothum <skolothumtho@nvidia.com>
Signed-off-by: Nathan Chen <nathanc@nvidia.com>
Message-id: 20260323182454.1416110-2-nathanc@nvidia.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agohw/dma/pl080: Fix transfer logic in PL080
Tao Ding [Tue, 24 Mar 2026 14:02:29 +0000 (14:02 +0000)] 
hw/dma/pl080: Fix transfer logic in PL080

The logic in the PL080 for transferring data has multiple bugs:

 * The TransferSize field in the channel control register counts
   in units of the source width; because our loop may do multiple
   source loads if the destination width is greater than the
   source width, we need to decrement it by (xsize / swidth),
   not by 1, each loop

 * It is documented in the TRM that it is a software error to program
   the source and destination width such that SWidth < DWidth and
   TransferSize * SWidth is not a multiple of DWidth. (This would
   mean that there isn't enough data to do a full final destination
   write.) We weren't doing anything sensible with this case.
   The TRM doesn't document what the hardware actually does (though
   it drops some hints that suggest that it probably over-reads
   from the source).

 * In the loop to write to the destination, each iteration adds swidth
   to ch->dest and also uses (ch->dest + n) as the
   destination address. This moves the destination address on
   further than we should each time round the loop, and also
   is incrementing ch->dest by swidth when it should be dwidth.

This patch fixes these problems:
 * decrement TransferSize by the correct amount
 * log and ignore the transfer size mismatch case
 * correct the loop logic for the destination writes

A repro case which exercises some of this is as follows.  It
configures swidth to 1 byte, dwidth to 4 bytes, and transfer size 4,
for a transfer from 0x00000000 to 0x000010000.  Examining the
destination memory in the QEMU monitor should show that the
source data 0x44332211 has all been copied, but before this
fix it is not:

    ./qemu-system-arm -M versatilepb -m 128M -nographic -S \
    -device loader,addr=0x00000000,data=0x44332211,data-len=4 \
    -device loader,addr=0x00001000,data=0x00000000,data-len=4 \
    -device loader,addr=0x10130030,data=0x00000001,data-len=4 \
    -device loader,addr=0x10130100,data=0x00000000,data-len=4 \
    -device loader,addr=0x10130104,data=0x00001000,data-len=4 \
    -device loader,addr=0x10130108,data=0x00000000,data-len=4 \
    -device loader,addr=0x1013010C,data=0x9e47f004,data-len=4 \
    -device loader,addr=0x10130110,data=0x0000c001,data-len=4

Without this patch the QEMU monitor shows:
    (qemu) xp /1wx 0x00001000
    00001000: 0x00002211

Correct result:
    (qemu) xp /1wx 0x00001000
    00001000: 0x44332211

Cc: qemu-stable@nongnu.org
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Tao Ding <dingtao0430@163.com>
[PMM: Wrote up what we are fixing in the commit message]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agolinux-user/i386/signal.c: Correct definition of target_fpstate_32
Peter Maydell [Tue, 24 Mar 2026 14:02:29 +0000 (14:02 +0000)] 
linux-user/i386/signal.c: Correct definition of target_fpstate_32

Our definition of the target_fpstate_32 struct doesn't match the
kernel's version.  We only use this struct definition in the
definition of 'struct sigframe', where it is used in a field that is
present only for legacy reasons to retain the offset of the following
'extramask' field.  So really all that matters is its length, and we
do get that right; but our previous definition using
X86LegacySaveArea implicitly added an extra alignment constraint
(because X86LegacySaveArea is tagged as 16-aligned) which the real
target_fpstate_32 does not have.  Because we allocate and use a
'struct sigframe' on the guest's stack with the guest's alignment
requirements, this resulted in the undefined-behaviour sanitizer
complaining during 'make check-tcg' for i386-linux-user:

../../linux-user/i386/signal.c:471:35: runtime error: member access within misaligned address 0x1000c07f75ec for type 'struct sigframe', which requires 16 byte alignment
0x1000c07f75ec: note: pointer points here
  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
              ^

../../linux-user/i386/signal.c:808:5: runtime error: member access within misaligned address 0x1000c07f75f4 for type 'struct target_sigcontext_32', which requires 8 byte alignment
0x1000c07f75f4: note: pointer points here
  0a 00 00 00 33 00 00 00  00 00 00 00 2b 00 00 00  2b 00 00 00 40 05 80 40  f4 7f 10 08 58 05 80 40
              ^

and various similar errors.

Replace the use of X86LegacyXSaveArea with a set of fields that match
the kernel _fpstate_32 struct, and assert that the length is correct.
We could equally have used
   uint8_t legacy_area[512];
but following the kernel is probably less confusing overall.

Since in target/i386/cpu.h we assert that X86LegacySaveArea is 512
bytes, and in linux-user/i386/signal.c we assert that
target_fregs_state is (32 + 80) bytes, the new assertion confirms
that we didn't change the size of target_fpstate_32 here, only its
alignment requirements.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260305161739.1775232-1-peter.maydell@linaro.org

3 months agotarget/arm: fix s2prot not set for two-stage PMSA translations
Jose Martins [Tue, 24 Mar 2026 14:02:29 +0000 (14:02 +0000)] 
target/arm: fix s2prot not set for two-stage PMSA translations

Commit a811c5dafb7 ("target/arm: Implement get_S2prot_indirect")
changed get_phys_addr_twostage() to combine stage 1 and stage 2
permissions using the new s2prot field:

  result->f.prot = s1_prot & result->s2prot;

The LPAE stage 2 path sets result->s2prot explicitly, but the PMSA
stage 2 path (get_phys_addr_pmsav8) only sets result->f.prot, leaving
s2prot at zero. This causes the combined permission to be zero,
resulting in addr_read being set to -1 in the TLB entry and triggering
an assertion in atomic_mmu_lookup() when the guest executes an atomic
instruction on a two-stage PMSA platform (e.g. Cortex-R52 with EL2).

Set s2prot from f.prot after the PMSA stage 2 lookup, consistent with
what the LPAE path does.

Cc: qemu-stable@nongnu.org
Fixes: a811c5dafb7 ("target/arm: Implement get_S2prot_indirect")
Signed-off-by: Jose Martins <josemartins90@gmail.com>
[PMM: refer to the right commit in the commit message]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260321231916.2852653-1-josemartins90@gmail.com
Reviewed-by: Gustavo Romero <gustavo.romero@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agomailmap: Update email for Nina Schoetterl-Glausch
Nina Schoetterl-Glausch [Thu, 19 Mar 2026 14:20:42 +0000 (15:20 +0100)] 
mailmap: Update email for Nina Schoetterl-Glausch

Update to my private email.

Signed-off-by: Nina Schoetterl-Glausch <nsg@linux.ibm.com>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-ID: <20260319142048.917219-1-nsg@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
3 months agoMAINTAINERS: S390 CPU topology: Change maintainer
Gautam Gala [Thu, 19 Mar 2026 09:48:35 +0000 (10:48 +0100)] 
MAINTAINERS: S390 CPU topology: Change maintainer

Replace Nina with me as the maintainer for s390 CPU topology.

Signed-off-by: Gautam Gala <ggala@linux.ibm.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Acked-by: Nina Schoetterl-Glausch <nsg@linux.ibm.com>
Message-ID: <20260319094835.80329-1-ggala@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
3 months agoMerge tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu into staging
Peter Maydell [Tue, 24 Mar 2026 10:41:21 +0000 (10:41 +0000)] 
Merge tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu into staging

trivial patches for 2026-03-23

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCgAdFiEEZKoqtTHVaQM2a/75gqpKJDselHgFAmnBcJwACgkQgqpKJDse
# lHhYoA//TDcPKICl5nSF7NJFOSABahHNDSXOYmPa6jX5+iViuLPHF5RFV3qUYxUQ
# cfE/jbz9eMWxJHXoCLx1/Y7rT77xQh6pFaKih/KIc1bT4vPXa9/qBAODl3SrW1JK
# 66DIzf9emkSIiJ88Xc0mA0zinSMqp0LmQmDrmPEcoW/bsDRf4QISO2DkGPLBXq7i
# MVodcISznSL5UCJSCPuIz675Hjzeb1WCOldU+OcRlZv1h9ixFWotBeuOzy02OgXZ
# F/i4VDSrwzaFpxDvo/RjCHaUWw47UTphElKdG3dikeMdHxwuomyyBSjRgTPPF7UU
# 77vMgvVwRm2/apP+qjGuU2PZ3ow6UAQ5NSaKOeyHr258i1UOtr2E/Ut0XP7vLTXf
# LkK3oqTw1+jTLq85mois8zWKgCZZ2bxV2GT5/QTxdHCC4lgpew+GAJC3G7+Tgu1j
# 4vCF3d9q9NGLwerwOQYY6dpoZFYwA/wxr5fl6eZXr1yvs9mk9wP0Xc4FSJTkU47G
# CULFn071njzjWUubT+Z3x132AuhJtfxN8Avxsw7Jqey82bMFHVoHqG9EQV8mSjSI
# 2CPKbv9z6EaHYcX8HE4ufQDrfP2WEY+I/4e11wWmpflPEg5efbPIDlJuvPlJ9XF0
# WKUjaTdoH6VE9niwHEHtf4uKId1VNfjVZjorqSJJMkse3VvGnVU=
# =TGAU
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon Mar 23 16:55:56 2026 GMT
# gpg:                using RSA key 64AA2AB531D56903366BFEF982AA4A243B1E9478
# gpg: Good signature from "Michael Tokarev <mjt@debian.org>" [full]
# gpg:                 aka "Michael Tokarev <mjt@corpit.ru>" [full]
# gpg:                 aka "Michael Tokarev <mjt@tls.msk.ru>" [full]
# Primary key fingerprint: 9D8B E14E 3F2A 9DD7 9199  28F1 61AD 3D98 ECDF 2C8E
#      Subkey fingerprint: 64AA 2AB5 31D5 6903 366B  FEF9 82AA 4A24 3B1E 9478

* tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu:
  Fix several typos in documentation (found by codespell)
  docs: Update GitHub URL of libu2f-emu
  Fix include statement for u2f-emu.h
  tests: fix typo in char unit test comment

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agohw/i2c/aspeed_i2c: Remove assert
Cédric Le Goater [Mon, 23 Mar 2026 12:55:45 +0000 (13:55 +0100)] 
hw/i2c/aspeed_i2c: Remove assert

According to the Aspeed datasheet, the RX_BUF_LEN_W1T and
TX_BUF_LEN_W1T bits of the A_I2CS_DMA_LEN (0x2c) register allow
firmware to program the TX and RX DMA length (TX_BUF_LEN and
RX_BUF_LEN fields of the same register) separately without the need to
read/modify/write the value.  If RX_BUF_LEN_W1T and TX_BUF_LEN_W1T
bits are 0, then both TX and RX DMA length will be written.

When setting the RX_BUF_LEN field, the TX_BUF_LEN field being set is
not an invalid condition. Remove the assert.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3315
Reviewed-by: Jamin Lin <jamin_lin@aspeedtech.com>
Link: https://lore.kernel.org/qemu-devel/20260323125545.577653-4-clg@redhat.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
3 months agohw/ssi/aspeed_smc: Convert mem ops to read/write_with_attrs for error handling
Cédric Le Goater [Mon, 23 Mar 2026 12:55:43 +0000 (13:55 +0100)] 
hw/ssi/aspeed_smc: Convert mem ops to read/write_with_attrs for error handling

Error conditions (invalid flash mode, unwritable flash) now return
MEMTX_ERROR instead of silently succeeding or returning undefined
values.

This allows the memory subsystem to properly propagate transaction
errors to the guest, improving QEMU reliability.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3335
Reviewed-by: Jamin Lin <jamin_lin@aspeedtech.com>
Link: https://lore.kernel.org/qemu-devel/20260323125545.577653-2-clg@redhat.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
3 months agotests/functional/aarch64/test_aspeed: Disable kernel crypto self-tests in AST2700...
Jamin Lin [Mon, 16 Mar 2026 08:15:50 +0000 (08:15 +0000)] 
tests/functional/aarch64/test_aspeed: Disable kernel crypto self-tests in AST2700 boot tests

Disable the kernel crypto self-tests in the AST2700 functional tests by
appending "cryptomgr.notests=1" to the U-Boot bootargs before booting
the kernel.

The ASPEED SDK enables crypto self-tests during kernel startup to
validate the hardware crypto engine. However, the current QEMU
implementation of the AST2700 HACE/crypto engine is still incomplete.
As a result, the kernel crypto self-tests trigger multiple warnings
during boot when running under QEMU.

Typical examples observed in the kernel log include failures for
several cipher modes such as DES/TDES/AES in ECB/CBC/CTR modes:

alg: self-tests for ctr(des) using aspeed-ctr-des failed (rc=-22)
alg: self-tests for ecb(des3_ede) using aspeed-ecb-tdes failed (rc=-22)
alg: self-tests for cbc(aes) using aspeed-cbc-aes failed (rc=-22)
...

To reduce noise in the functional test logs, the tests now append
the following parameter to the kernel bootargs:

  cryptomgr.notests=1

This disables the kernel crypto self-tests when running the functional
tests under QEMU.

For validating the HACE implementation, we should instead rely on the
dedicated QEMU unit tests located in:

  tests/qtest/ast2700-hace-test.c

Once the QEMU implementation of the ASPEED HACE/crypto model has
progressed further and supports the missing crypto modes, we can
reassess whether enabling the kernel crypto self-tests again in the
functional tests is appropriate.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260316081549.1279841-1-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
3 months agoMAINTAINERS: Add Kane Chen as reviewer for Aspeed machines
Jamin Lin [Mon, 16 Mar 2026 07:03:48 +0000 (07:03 +0000)] 
MAINTAINERS: Add Kane Chen as reviewer for Aspeed machines

Signed-off-by: Kane Chen <kane_chen@aspeedtech.com>
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260316070347.3079299-1-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
3 months agohw/i2c/aspeed: fix lost interrupts on back-to-back commands
Jithu Joseph [Wed, 11 Mar 2026 02:37:12 +0000 (19:37 -0700)] 
hw/i2c/aspeed: fix lost interrupts on back-to-back commands

QEMU executes I2C commands synchronously inside the CMD register write
handler. On real hardware each command takes time on the bus, so the
ISR can clear the previous interrupt status before the next completion
arrives. In QEMU, when the guest ISR handles a TX_ACK and immediately
issues the next command by writing to CMD, that command completes
instantly — before the ISR returns to W1C-clear the first TX_ACK.
Since the bit is already set, setting it again is a no-op. The ISR
then clears it, wiping both completions at once. No interrupt fires
for the second command and the driver stalls.

This affects any multi-step I2C transaction: register reads, SMBus
word reads, and PMBus device probes all fail ("Error: Read failed"
from i2cget, -ETIMEDOUT from kernel drivers).

The issue is exposed when the guest kernel includes commit "i2c:
aspeed: Acknowledge Tx done with and without ACK irq late" [1] which
defers W1C acknowledgment of TX_ACK until after the ISR has issued
the next command. This means the old TX_ACK is still set when the
next command completes synchronously, and the subsequent W1C wipes
both completions at once.

The trace below shows `i2cget -y 15 0x50 0x00` (read EEPROM register
0x00) failing without the fix. The first START+TX sets TX_ACK. The
ISR handles it and issues a second TX to send the register address.
That TX completes synchronously while TX_ACK is still set:

  aspeed_i2c_bus_cmd cmd=0x3 start|tx| intr=0x0    # START+TX, clean
  aspeed_i2c_bus_raise_interrupt intr=0x1 ack|      # TX_ACK set
  aspeed_i2c_bus_read  0x10: 0x1                    # ISR reads TX_ACK
  aspeed_i2c_bus_write 0x14: 0x2                    # ISR issues TX cmd
  aspeed_i2c_bus_cmd cmd=0x400002 tx| intr=0x1      # TX runs, TX_ACK already set!
  aspeed_i2c_bus_raise_interrupt intr=0x1 ack|      # re-set is no-op
  aspeed_i2c_bus_write 0x10: 0x1                    # ISR W1C clears TX_ACK
  aspeed_i2c_bus_read  0x10: 0x0                    # LOST — both ACKs wiped

The driver sees INTR_STS=0 and never proceeds to the read phase.

Fix this by tracking interrupt bits that collide with already-pending
bits. Before calling aspeed_i2c_bus_handle_cmd(), save and clear
INTR_STS so that only freshly set bits are visible after the call.
Any overlap between the old and new bits is saved in pending_intr_sts.
When the ISR later W1C-clears the old bits, re-apply the saved
pending bits so the ISR sees them on its next loop iteration.

With the fix, the same operation completes successfully:

  aspeed_i2c_bus_cmd cmd=0x3 start|tx| intr=0x0    # START+TX, clean
  aspeed_i2c_bus_raise_interrupt intr=0x1 ack|      # TX_ACK set
  aspeed_i2c_bus_read  0x10: 0x1                    # ISR reads TX_ACK
  aspeed_i2c_bus_write 0x14: 0x2                    # ISR issues TX cmd
  aspeed_i2c_bus_cmd cmd=0x400002 tx| intr=0x0      # INTR_STS cleared first
  aspeed_i2c_bus_raise_interrupt intr=0x1 ack|      # TX_ACK freshly set
  aspeed_i2c_bus_write 0x10: 0x1                    # ISR W1C clears TX_ACK
  aspeed_i2c_bus_read  0x10: 0x1                    # RE-DELIVERED from pending
  aspeed_i2c_bus_write 0x14: 0x1b                   # ISR proceeds: START+RX
  aspeed_i2c_bus_cmd cmd=0x40001b start|tx|rx|last| # read phase completes
  i2c_recv recv(addr:0x50) data:0x00                # data received

[1] https://lore.kernel.org/all/20231211102217.2436294-3-quan@os.amperecomputing.com/

Signed-off-by: Jithu Joseph <jithu.joseph@oss.qualcomm.com>
Fixes: 1602001195dc ("i2c: add aspeed i2c controller")
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260311023712.2730185-1-jithu.joseph@oss.qualcomm.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
3 months agoMerge tag 'hw-misc-20260323' of https://github.com/philmd/qemu into staging
Peter Maydell [Mon, 23 Mar 2026 16:58:15 +0000 (16:58 +0000)] 
Merge tag 'hw-misc-20260323' of https://github.com/philmd/qemu into staging

Misc HW patches

- Fix guest-triggerable abort in FTGMAC100 Gigabit Ethernet
- Fix uninitialized value in DesignWare I3C controller
- Clear dangling GLib event source tag in virtio-console
- Mark RISC-V specific peripherals as little-endian
- Correct virtual address formatting in monitor
- Improve error handling path in core loader
- Improve error hints in IOMMU FD
- Prevent hang in USB OHCI
- ATI VGA, HyperV & CXL fixes

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmnBb5cACgkQ4+MsLN6t
# wN408A/8DQPa8l7uB/hJ397oWjPeRTvC18V5g7xa9DkC5m82GqqbNYj5RDCajD9T
# /o/SQUdOhxXfl6wkCirpZj9qsVdhPuXh4G+CziIju6XJIJFGYf8zxvz1Z3kNn3sU
# fsFuE+P6zQXUUNspowNOnQWa/eHbCqsTa+uhVvFccVcOYOeU0ptLjm6P1CptTyrS
# 7en27DO2/RqejvcI7fPThZCdplC0HPdy7UGM4AnvKOXUGNz4aNurMJrWw92ZHxLu
# EQ8cB3o4CUoFJbJGokhP/Xcc+YHXlzJKPw9SlSXGMCdp1e1s/Z1YaWM+6BnmcqDZ
# M+8/RZ57owr5yF77KpYpuN+weWwMBlvISXr0MNa14HHJi3sEoOPxPZ/8X5vhcPUi
# sXrwrLrDtIEPeloCKDbbafdLwrFI7nqvQyldbnVdnqncrX1v8WOFPQO4m2WuD5TL
# pY0zzfSqlCyUj0sycn19yVyTH0rjybmrhsJpjDut4Qvoy2Ng1geBsSq+WVIamDnN
# e2iLVMspgQX8Klr+fcae0INRHKXdpIEt0ITroxwx0rq88ITQQbijGXgn0N0T5rWF
# f1RDg6toyz5s6//dgjK8j/vCEhQ4YRxfNreqo8gH6V/8II9jzkGyfj2g/PaWKlDr
# CZXmHtSWG+adRQLdb0/xJjG3eej3qmivMP7+0v+utNcb2DoEUZw=
# =+5Iw
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon Mar 23 16:51:35 2026 GMT
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* tag 'hw-misc-20260323' of https://github.com/philmd/qemu: (27 commits)
  hw/hyperv: add QEMU_PACKED to uapi structs
  monitor: Correctly display virtual addresses while dumping memory
  hw/net/ftgmac100: Improve DMA error handling
  ati-vga: Make sure hardware cursor data is within vram
  ati-vga: Simplify pointer image handling
  ati-vga: Add work around for fuloong2e
  ati-vga: Fix display updates in non-32 bit modes
  ati-vga: Avoid warnings about sign extension
  ati-vga: Do not add crtc offset to src and dst data address
  ati-vga: Also switch mode on HW cursor enable bit change
  ati-vga: Fix colors when frame buffer endianness does not match host
  hw/usb/hcd-ohci: check for MPS=0 to avoid infinite loop
  hw/hyperv: Fix SynIC not initialized except on first vCPU
  hw/vfio/iommufd: report hint to user when vfio-dev/vfio*/dev is missing
  backends/iommufd: report error when /dev/iommu is not available
  hw/cxl: Exclude Discovery from Media Operation Discovery output
  hw/cxl: Respect Media Operation max ops discovery semantics
  hw/i386/hyperv: add stubs for synic enablement
  hw/i386/pc_sysfw: stub out x86_firmware_configure
  hw/pci/msix: fix error handling for msix_init callers
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agoMerge tag 'pull-11.0-testing-updates-230326-1' of https://gitlab.com/stsquad/qemu...
Peter Maydell [Mon, 23 Mar 2026 16:58:07 +0000 (16:58 +0000)] 
Merge tag 'pull-11.0-testing-updates-230326-1' of https://gitlab.com/stsquad/qemu into staging

testing updates: tcg, functional, lcitool

  - add TCG_TEST_FILTER to filter check-tcg runs
  - use portable version of dirent64 in linux-test
  - add VBSA linux tests
  - drop python3-sqlite from deps
  - update openSUSE to version 16
  - replace ncat with socat for migration tests

# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCgAdFiEEZoWumedRZ7yvyN81+9DbCVqeKkQFAmnBPPwACgkQ+9DbCVqe
# KkRwEQf+MGnOOKRVoRU4eRjp/OqcYEBzR5L3SU/lLVZ261tqGpes2ZlMdsam1cBS
# yk/Cv+M9vHPpD0qKo1opo6CB8pBn6cjcPHE09bUxvgcylok9ZfPTMp/z9RLllW0l
# 8WhVkQ+dzWJj4tWoAcOjWgadgGhf4sp6whUX/TC3wSSpGFRR/2MERlCQab9743dR
# dSh3+NUp43h9wgb2AixKwrefos8Wv3NH5/p6BZ3IHEvD7Apwuo4RkTEebloCfJFk
# 67GbxslbOYBYNTjkVRR0o3CATDXOmI7804T1TPKI/nc/KSumY0BcR2omDqc8JVqt
# 7OmlRxpWRJ1DN7omlaHVPbGJRcww1A==
# =1leB
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon Mar 23 13:15:40 2026 GMT
# gpg:                using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [full]
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8  DF35 FBD0 DB09 5A9E 2A44

* tag 'pull-11.0-testing-updates-230326-1' of https://gitlab.com/stsquad/qemu:
  tests: Replace ncat with socat in migration test and drop ncat from containers
  tests/docker: Update the opensuse-leap container file to version 16
  tests/lcitool: Update openSUSE to version 16
  tests/lcitool: Remove python3-sqlite3 from the list of needed packages
  tests/functional: add VBSA linux tests
  tests/functional: allow tests to define decompression target
  tests/tcg/multiarch/linux-test: use portable alternative for dirent64
  tests/tcg: allow filtering of TCG tests

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agoFix several typos in documentation (found by codespell)
Stefan Weil [Thu, 19 Mar 2026 18:34:53 +0000 (19:34 +0100)] 
Fix several typos in documentation (found by codespell)

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
[Mjt: add 2 fixes suggested by Peter: "as a" and "deactivate"]
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
3 months agodocs: Update GitHub URL of libu2f-emu
Stefan Weil [Thu, 19 Mar 2026 16:07:39 +0000 (17:07 +0100)] 
docs: Update GitHub URL of libu2f-emu

This avoids a redirect from the old to the new URL.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
3 months agoFix include statement for u2f-emu.h
Stefan Weil [Wed, 18 Mar 2026 17:45:22 +0000 (18:45 +0100)] 
Fix include statement for u2f-emu.h

All examples on https://github.com/Agnoctopus/libu2f-emu/ don't
simply include u2f-emu.h without any added directory.

The additional include directory does not exist when libu2f
was built with meson.

It's up to pkgconfig to make sure that u2f-emu.h is found in any case.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
3 months agohw/hyperv: add QEMU_PACKED to uapi structs
Magnus Kulke [Mon, 23 Mar 2026 12:06:13 +0000 (13:06 +0100)] 
hw/hyperv: add QEMU_PACKED to uapi structs

The uapi definitions are marked with __packed hints in the kernel
headers. Since we want to keep the contract of the Microsoft Hypervisor
ABI explicit, we should also add them in our vendored files, with a
few notable exceptions where the attribute is a noop.

Signed-off-by: Magnus Kulke <magnuskulke@linux.microsoft.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260323120613.355019-1-magnuskulke@linux.microsoft.com>
[PMD: Do not include "qemu/compiler.h"]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agomonitor: Correctly display virtual addresses while dumping memory
Philippe Mathieu-Daudé [Mon, 23 Mar 2026 09:44:07 +0000 (10:44 +0100)] 
monitor: Correctly display virtual addresses while dumping memory

While reworking the address format width in commit 6ad593a75a8 we
introduced a bug, leading to addresses being displayed with too many
zeroes:

  $ qemu-system-ppc -monitor stdio -S
  QEMU 10.2.90 monitor - type 'help' for more information
  (qemu) x/x 0
  0000000000000000000000000000000000000000000000000000000000000000: 0x00000000
  (qemu) x/x 0xfff00000
  00000000000000000000000000000000000000000000000000000000fff00000: 0x60000000

  $ qemu-system-ppc64 -monitor stdio -S
  QEMU 10.2.90 monitor - type 'help' for more information
  (qemu) x/x 0
  00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000: 0x00000000

Correct the format width to restore the previous behavior:

  $ qemu-system-ppc -monitor stdio -S
  QEMU 10.2.90 monitor - type 'help' for more information
  (qemu) x/x 0
  00000000: 0x00000000

  $ qemu-system-ppc64 -monitor stdio -S
  QEMU 10.2.90 monitor - type 'help' for more information
  (qemu) x/x 0
  0000000000000000: 0x00000000

Fixes: 6ad593a75a8 ("monitor/hmp: Use plain uint64_t @addr argument in memory_dump()")
Reported-by: BALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20260323095020.66658-1-philmd@linaro.org>

3 months agohw/net/ftgmac100: Improve DMA error handling
Cédric Le Goater [Sun, 22 Mar 2026 21:57:31 +0000 (22:57 +0100)] 
hw/net/ftgmac100: Improve DMA error handling

Currently, DMA memory operation errors in the ftgmac100 model are not
all tested and this can lead to a guest-triggerable denial of service
as described in https://gitlab.com/qemu-project/qemu/-/work_items/3335.

To fix this, check the return value of ftgmac100_write_bd() in the TX
path and exit the TX loop on error to prevent further processing. In
the event of a DMA error, also set FTGMAC100_INT_AHB_ERR interrupt
flag as appropriate.

The FTGMAC100_INT_AHB_ERR interrupt status bit only applies to the
AST2400 SoC; on newer Aspeed SoCs, it is a reserved bit.
Nevertheless, since it is supported by the Linux driver, it should
be safe to use in the QEMU implementation across all SoCs.

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3335
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260322215732.387383-3-clg@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agoati-vga: Make sure hardware cursor data is within vram
BALATON Zoltan [Sat, 21 Mar 2026 16:30:19 +0000 (17:30 +0100)] 
ati-vga: Make sure hardware cursor data is within vram

Add check to make sure we don't read past the end of vram when getting
mouse pointer image.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <2ecf42bdeb96a4206b27dc39b3ff13cc8a6190d0.1774110169.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agoati-vga: Simplify pointer image handling
BALATON Zoltan [Sat, 21 Mar 2026 16:30:18 +0000 (17:30 +0100)] 
ati-vga: Simplify pointer image handling

Rewrite reading of mouse pointer image. I am not sure this is entirely
correct, but it appears to work at least on little endian hosts with PPC
guests using a little or big endian frame buffer (MorphOS and MacOS). It
still produces a broken pointer image with Linux, where I am not sure if
it is a guest driver bug or something is still missing.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-ID: <b9de530074b954d661a0eb9b8b4ad82a66085456.1774110169.git.balaton@eik.bme.hu>
[PMD: Replaced BIT() -> BIT_ULL() in ati_cursor_draw_line()]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agoati-vga: Add work around for fuloong2e
BALATON Zoltan [Sat, 21 Mar 2026 16:30:17 +0000 (17:30 +0100)] 
ati-vga: Add work around for fuloong2e

With the linear aperture size fixed to match real card fuloong2e no
longer works due to running out of PCI memory because only one PCI bus
is emulated on that machine. Add a property to allow fuloong2e to set
a smaller linear aperture size to work around that problem until the
machine model is improved.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Chad Jablonski <chad@jablonski.xyz>
Message-ID: <47cbdc7ad2291f22467f9fc86e7287eb8983c927.1774110169.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agoati-vga: Fix display updates in non-32 bit modes
BALATON Zoltan [Sat, 21 Mar 2026 16:30:16 +0000 (17:30 +0100)] 
ati-vga: Fix display updates in non-32 bit modes

The memory_region_set_dirty used to mark changes should use stride
value in vram which is normally only the same as surface_stride in 32
bit modes. This caused missed updates in 8 and 16 bit modes.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Chad Jablonski <chad@jablonski.xyz>
Message-ID: <6e1b83ef3fe7a1ebc246b474eb2b0c7cd05d5deb.1774110169.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agoati-vga: Avoid warnings about sign extension
BALATON Zoltan [Sat, 21 Mar 2026 16:30:15 +0000 (17:30 +0100)] 
ati-vga: Avoid warnings about sign extension

Coverity reports several possible sign extension errors (latest is CID
1645615). These cannot happen because the values are limited when
writing the registers and only 32 bits of the return value matter but
change type of the variable storing the return value to uint32_t to
avoid these warnings. Also change DEFAULT_SC_BOTTOM_RIGHT register
read to match what other similar registers do for consistency.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-ID: <9a3263a06bc72aa5a56bafe0a11ad189d5f60528.1774110169.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agoati-vga: Do not add crtc offset to src and dst data address
BALATON Zoltan [Sat, 21 Mar 2026 16:30:13 +0000 (17:30 +0100)] 
ati-vga: Do not add crtc offset to src and dst data address

Drivers seem to program these registers with values that already
include the crtc offset so this is not needed. This fixes blit outside
of vram errors with non-0 crtc offset.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Chad Jablonski <chad@jablonski.xyz>
Message-ID: <7d96c67f864845893d4903b988a4da7c7b010f66.1774110169.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agoati-vga: Also switch mode on HW cursor enable bit change
BALATON Zoltan [Sat, 21 Mar 2026 16:30:12 +0000 (17:30 +0100)] 
ati-vga: Also switch mode on HW cursor enable bit change

This does nothing for most drivers but works around an issue and fixes
output with the Solaris R128 driver, which only sets display parameters
after enabling the CRT controller, a change we would otherwise miss.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Tested-by: Chad Jablonski <chad@jablonski.xyz>
Reviewed-by: Chad Jablonski <chad@jablonski.xyz>
Message-ID: <ad3f415749178984c764f4ba810c663d1299ddfd.1774110169.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agoati-vga: Fix colors when frame buffer endianness does not match host
BALATON Zoltan [Sat, 21 Mar 2026 16:30:11 +0000 (17:30 +0100)] 
ati-vga: Fix colors when frame buffer endianness does not match host

When writing pixels we have to take into account if the frame buffer
endianness matches the host endianness or we need to swap to correct
endianness. This caused wrong colors e.g. with PPC Linux guest that
uses big endian frame buffer when running on little endian host.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Tested-by: Chad Jablonski <chad@jablonski.xyz>
Reviewed-by: Chad Jablonski <chad@jablonski.xyz>
Message-ID: <759ed5e3b019cce94e9a4ef003f1fc2e0cea2ec1.1774110169.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agohw/usb/hcd-ohci: check for MPS=0 to avoid infinite loop
Jenny Guanni Qu [Sat, 21 Mar 2026 00:04:44 +0000 (00:04 +0000)] 
hw/usb/hcd-ohci: check for MPS=0 to avoid infinite loop

When a guest sets MaxPacketSize to 0 in an OHCI Endpoint Descriptor,
ohci_service_td() transfers 0 bytes per iteration. The Transfer
Descriptor never completes because CBP never advances toward BE,
causing ohci_service_ed_list() to loop indefinitely and hang QEMU.

Add a check for MPS==0 after extracting the field from ED flags.
If MPS is zero, call ohci_die() to reset the controller and return
an error, preventing the infinite loop.

Fixes: CVE-2026-3890
Reported-by: Jenny Guanni Qu <qguanni@gmail.com>
Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-ID: <20260321000444.909451-1-qguanni@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agohw/hyperv: Fix SynIC not initialized except on first vCPU
Sourav Poddar [Fri, 20 Mar 2026 15:47:52 +0000 (21:17 +0530)] 
hw/hyperv: Fix SynIC not initialized except on first vCPU

hyperv_is_synic_enabled() is a global flag that returns true after the
first CPU initializes SynIC. With -smp N, all subsequent CPUs skip
hyperv_x86_synic_add(), leaving them without a synic object. This causes
get_synic() to return NULL, making hyperv_sint_route_new() fail and
triggering an assertion crash in hyperv_testdev.

Fix by introducing hyperv_is_synic_present() which checks per-CPU
whether a synic object is already attached instead of using the global
flag.

Fixes: c4cf32fc63f1 ("kvm/hyperv: add synic feature to CPU only if its not enabled")
Reported-by: Xudong Hao <xudong.hao@intel.com>
Co-authored-by: Ani Sinha <anisinha@redhat.com>
Signed-off-by: Sourav Poddar <souravpoddar93042@gmail.com>
Tested-by: Xudong Hao <xudong.hao@intel.com>
Message-ID: <20260320154752.204725-1-anisinha@redhat.com>
[PMD: Reworded subject]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agohw/vfio/iommufd: report hint to user when vfio-dev/vfio*/dev is missing
Pierrick Bouvier [Thu, 19 Mar 2026 20:59:42 +0000 (13:59 -0700)] 
hw/vfio/iommufd: report hint to user when vfio-dev/vfio*/dev is missing

Give a hint about missing kernel config CONFIG_VFIO_DEVICE_CDEV.

Reviewed-by: Yi Liu <yi.l.liu@intel.com>
Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20260319205942.367705-3-pierrick.bouvier@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agobackends/iommufd: report error when /dev/iommu is not available
Pierrick Bouvier [Thu, 19 Mar 2026 20:59:41 +0000 (13:59 -0700)] 
backends/iommufd: report error when /dev/iommu is not available

In case current kernel does not support /dev/iommu, qemu will probably
fail first because /sys/bus/pci/devices/*/vfio-dev/ is not present,
since QEMU opens it before /dev/iommu.

Instead, report an error directly when completing an iommufd object, to
inform user that kernel does not support it, with a hint about missing
CONFIG_IOMMUFD. We can't do this from initialize as there is no way to
return an error, and we don't want to abort at this step.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Message-ID: <20260319205942.367705-2-pierrick.bouvier@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agohw/cxl: Exclude Discovery from Media Operation Discovery output
Davidlohr Bueso [Thu, 19 Mar 2026 18:42:56 +0000 (11:42 -0700)] 
hw/cxl: Exclude Discovery from Media Operation Discovery output

Per CXL 4.0 Table 8-331, the Discovery operation "returns a list of
all Media Operations that the device supports, with the exception of
the Discovery operation (Class=0, Subclass=0)."

Filter out Discovery entries when building the output list and adjust
total_supported_operations accordingly.

Fixes: 77a8e9fe0ecb ("hw/cxl/cxl-mailbox-utils: Add support for Media operations discovery commands cxl r3.2 (8.2.10.9.5.3)")
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
Message-ID: <20260319184256.3762391-3-dave@stgolabs.net>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agohw/cxl: Respect Media Operation max ops discovery semantics
Davidlohr Bueso [Thu, 19 Mar 2026 18:42:55 +0000 (11:42 -0700)] 
hw/cxl: Respect Media Operation max ops discovery semantics

The Discovery operation rejects requests where start_index + num_ops
exceeds the total number of supported operations. Per CXL 4.0
Table 8-332, num_ops is the "Maximum number of Media Operation to
return" - a maximum, not an exact count. The device should return
up to that many entries, not reject the request.

Cap num_ops to the available entries from start_index instead of
erroring the command.

Fixes: 77a8e9fe0ecb ("hw/cxl/cxl-mailbox-utils: Add support for Media operations discovery commands cxl r3.2 (8.2.10.9.5.3)")
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
Message-ID: <20260319184256.3762391-2-dave@stgolabs.net>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agohw/i386/hyperv: add stubs for synic enablement
Ani Sinha [Thu, 19 Mar 2026 12:21:36 +0000 (17:51 +0530)] 
hw/i386/hyperv: add stubs for synic enablement

Add a new call hyperv_enable_synic() that can be called whether or not
CONFIG_HYPERV is enabled. This way generic code in i386/kvm.c can call this
function to enable synic for hyperv. For non-hyperv cases, the stub will
be a noop.

Reported-by: Michale Tokarev <mjt@tls.msk.ru>
Signed-off-by: Ani Sinha <anisinha@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Tested-by: Michael Tokarev <mjt@tls.msk.ru>
Message-ID: <20260319122137.142178-3-anisinha@redhat.com>
Tested-by: Xudong Hao <xudong.hao@intel.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agohw/i386/pc_sysfw: stub out x86_firmware_configure
Ani Sinha [Thu, 19 Mar 2026 12:21:35 +0000 (17:51 +0530)] 
hw/i386/pc_sysfw: stub out x86_firmware_configure

x86_firmware_configure requires ovmf support. Add a stub for this function call
for cases where OVMF is not supported.

Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Ani Sinha <anisinha@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Tested-by: Michael Tokarev <mjt@tls.msk.ru>
Message-ID: <20260319122137.142178-2-anisinha@redhat.com>
Tested-by: Xudong Hao <xudong.hao@intel.com>
[PMD: Remove "kvm/tdx.h" include line]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agohw/pci/msix: fix error handling for msix_init callers
Trieu Huynh [Wed, 18 Mar 2026 14:14:13 +0000 (23:14 +0900)] 
hw/pci/msix: fix error handling for msix_init callers

Check return value of msix_init() and return early on
failure instead of continuing with invalid state.
- Use ret < 0 to handle negative return value.
- Use errp parameter to handle failure instead of NULL.
- No functional changes.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/413
Signed-off-by: Trieu Huynh <vikingtc4@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-ID: <20260318141415.8538-5-vikingtc4@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agoutil/event_notifier: fix error handling for event_notifier_init callers
Trieu Huynh [Wed, 18 Mar 2026 14:14:12 +0000 (23:14 +0900)] 
util/event_notifier: fix error handling for event_notifier_init callers

Check return value of event_notifier_init() and return early on
failure instead of continuing with invalid state.
- Use ret < 0 to handle negative return value.
- No functional changes.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/413
Signed-off-by: Trieu Huynh <vikingtc4@gmail.com>
Acked-by: Anthony Krowiak <akrowiak@linux.ibm.com>
Reviewed-by: Jagannathan Raman <jag.raman@oracle.com>
Reviewed-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com> # for the Hyper-V part
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-ID: <20260318141415.8538-4-vikingtc4@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agohw/core/loader: fix error handling for get_image_size callers
Trieu Huynh [Wed, 18 Mar 2026 14:14:11 +0000 (23:14 +0900)] 
hw/core/loader: fix error handling for get_image_size callers

Check the return value of get_image_size() and report failures
for non-mandatory files such as the FRU image.

- Use ret < 0 to detect failures in getting image size.
- No functional changes.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/413
Signed-off-by: Trieu Huynh <vikingtc4@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-ID: <20260318141415.8538-3-vikingtc4@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agohw/core/loader: fix error handling for load_image_targphys callers
Trieu Huynh [Wed, 18 Mar 2026 14:14:10 +0000 (23:14 +0900)] 
hw/core/loader: fix error handling for load_image_targphys callers

Use QEMU's Error API to handle load_image_targphys() failures
consistently across callers.

- Use &error_fatal for callers that previously passed NULL, ensuring
the process exits early on failure instead of continuing in an invalid
state.
- No functional changes.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/413
Signed-off-by: Trieu Huynh <vikingtc4@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-ID: <20260318141415.8538-2-vikingtc4@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agohw/i3c/dw-i3c: Fix uninitialized data use in short transfer
Jamin Lin [Wed, 11 Mar 2026 02:13:20 +0000 (02:13 +0000)] 
hw/i3c/dw-i3c: Fix uninitialized data use in short transfer

Coverity reports that dw_i3c_short_transfer() may pass an
uninitialized buffer to dw_i3c_send().

The immediate cause is the use of `data[len] += arg.byte0`, which
reads from an uninitialized element of the buffer. Replace this with
a simple assignment.

Additionally, avoid calling dw_i3c_send() when the constructed payload
length is zero. In that case the transfer has no data phase, so the
controller can transition to the idle state directly.

This resolves the Coverity UNINIT warning and clarifies the handling
of zero-length short transfers.

Resolves: Coverity CID 1645555
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Nabih Estefan <nabihestefan@google.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Message-ID: <20260311021319.1053774-1-jamin_lin@aspeedtech.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agohw/char/virtio-console: clear dangling GLib event source tag
Matthew Penney [Thu, 5 Mar 2026 21:33:32 +0000 (21:33 +0000)] 
hw/char/virtio-console: clear dangling GLib event source tag

Clear dangling GLib event source tag when virtio-console is
unrealized. This prevents a stale tag from being used, and
maintains consistency with the rest of virtio-console.

Signed-off-by: Matthew Penney <matt@matthewpenney.net>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20260305213308.96441-1-matt@matthewpenney.net>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agohw/cxl: Use HPA in cxl_cfmws_find_device() rather than offset in window.
Alireza Sanaee [Wed, 4 Feb 2026 15:00:00 +0000 (15:00 +0000)] 
hw/cxl: Use HPA in cxl_cfmws_find_device() rather than offset in window.

This function will shortly be used to help find if there is a route to a
device, serving an HPA, under a particular fixed memory window. Rather than
having that new use case subtract the base address in the caller, only to
add it again in cxl_cfmws_find_device(), push the responsibility for
calculating the HPA to the caller.

This also reduces the inconsistency in the meaning of the hwaddr addr
parameter between this function and the calls made within it that access
the HDM decoders that operate on HPA.

Reviewed-by: Li Zhijian <lizhijian@fujitsu.com>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Reviewed-by: Gregory Price <gourry@gourry.net>
Tested-by: Gregory Price <gourry@gourry.net>
Signed-off-by: Alireza Sanaee <alireza.sanaee@huawei.com>
Message-ID: <20260318171918.146-2-alireza.sanaee@huawei.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
3 months agohw/riscv: Mark RISC-V specific peripherals as little-endian
Philippe Mathieu-Daudé [Wed, 10 Dec 2025 11:50:00 +0000 (12:50 +0100)] 
hw/riscv: Mark RISC-V specific peripherals as little-endian

These devices are only used by the RISC-V targets, which are
only built as little-endian. Therefore the DEVICE_NATIVE_ENDIAN
definition expands to DEVICE_LITTLE_ENDIAN (besides, the
DEVICE_BIG_ENDIAN case isn't tested). Simplify by directly
using DEVICE_LITTLE_ENDIAN.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20260318103122.97244-2-philmd@linaro.org>

3 months agotests: Replace ncat with socat in migration test and drop ncat from containers
Thomas Huth [Fri, 20 Mar 2026 15:51:07 +0000 (15:51 +0000)] 
tests: Replace ncat with socat in migration test and drop ncat from containers

nmap / ncat has a somewhat problematic license (e.g. claiming that
software that "is designed specifically to execute Covered Software
and parse the results" is also considered derived work; e.g. by
executing ncat from your own program, you might already fall into
this category) - so for example in openSUSE 16, you can only find it
in the "non-OSS" repository.

We are currently only using it in the migration functional test, and
that likely does not fall into this "derived work" category yet (since
it is also doing some other stuff), but still, to be safe, we should
move away from using it now.

Unfortunately, switching to one of the other flavors of netcat is
also not a real option (see commit f700abbbeb6ab68a3446d1fb168a934d),
but socat should be a solid replacement here instead.

To avoid that someone else easily uses ncat again, let's also remove
it from our container files now.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Acked-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260316183016.239526-1-thuth@redhat.com>
Message-ID: <20260320155107.2143191-9-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
3 months agotests/docker: Update the opensuse-leap container file to version 16
Thomas Huth [Fri, 20 Mar 2026 15:51:06 +0000 (15:51 +0000)] 
tests/docker: Update the opensuse-leap container file to version 16

Run "make lcitool-refresh" to update the container file to the latest
version of openSUSE.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20260316135407.209072-4-thuth@redhat.com>
Message-ID: <20260320155107.2143191-8-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
3 months agotests/lcitool: Update openSUSE to version 16
Thomas Huth [Fri, 20 Mar 2026 15:51:05 +0000 (15:51 +0000)] 
tests/lcitool: Update openSUSE to version 16

The first version of openSUSE 15 has been released in 2018, and
according to our support policy, we "support the most recent major
version at all times for up to five years after its initial release."

Since openSUSE 16 has been released a while ago, and openSUSE is
clearly older than 5 years already, it's time to update to version 16
now.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20260316135407.209072-3-thuth@redhat.com>
Message-ID: <20260320155107.2143191-7-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
3 months agotests/lcitool: Remove python3-sqlite3 from the list of needed packages
Thomas Huth [Fri, 20 Mar 2026 15:51:04 +0000 (15:51 +0000)] 
tests/lcitool: Remove python3-sqlite3 from the list of needed packages

According to commit 7485508341f4 ("tests/docker: Add sqlite3 module to
openSUSE Leap container") that introduced this line, the sqlite3 package
was only required for Avocado. We have not used Avocado in QEMU for
a while, so we can drop this package from our list again now.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20260316135407.209072-2-thuth@redhat.com>
Message-ID: <20260320155107.2143191-6-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
3 months agotests/functional: add VBSA linux tests
Alex Bennée [Fri, 20 Mar 2026 15:51:03 +0000 (15:51 +0000)] 
tests/functional: add VBSA linux tests

This extends the VBSA test to run the linux tests. The sysarch-acs
test suite does provide some pre-built images which is good because
the tests require a patched kernel. However due to the structure of
the image we need to jump through one or two hoops to get something useful:

  - download and double decompress (zip then xz) the image
  - navigate grub to launch the Linux Execution Environment
  - shutdown the system once tests are done
  - extract the logs from the MSDOS file system and parse them

It does make the code a bit ugly but it works for me at least. So far
the subset of tests run is limited but that might be solved by adding
some more devices to the PCIe bus to exercise the SMMU behaviour.

Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20260320155107.2143191-5-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
3 months agotests/functional: allow tests to define decompression target
Alex Bennée [Fri, 20 Mar 2026 15:51:02 +0000 (15:51 +0000)] 
tests/functional: allow tests to define decompression target

When dealing with multi-stage decompression we want to specify the
target file name lest we just overload the cache name. It also allows
for something a little more friendly than the cache hash.

Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20260320155107.2143191-4-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
3 months agotests/tcg/multiarch/linux-test: use portable alternative for dirent64
Matheus Tavares Bernardino [Fri, 20 Mar 2026 15:51:01 +0000 (15:51 +0000)] 
tests/tcg/multiarch/linux-test: use portable alternative for dirent64

dirent64 and readdir64 are glibc-specific and not portable to other
C libraries such as musl. Define _FILE_OFFSET_BITS=64 instead, which
portably instructs all libc implementations to use 64-bit file offsets,
making readdir() and struct dirent equivalent to their 64-bit variants.

Signed-off-by: Matheus Tavares Bernardino <matheus.bernardino@oss.qualcomm.com>
Reviewed-by: Brian Cain <brian.cain@oss.qualcomm.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <af31d21c4d668cfb940ba4159f584fa6454c3d82.1772107448.git.matheus.bernardino@oss.qualcomm.com>
Message-ID: <20260320155107.2143191-3-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
3 months agotests/tcg: allow filtering of TCG tests
Alex Bennée [Fri, 20 Mar 2026 15:51:00 +0000 (15:51 +0000)] 
tests/tcg: allow filtering of TCG tests

We have a lot of TCG tests now which can be fiddly if we just want to
check one particular test type across the targets. Introduce
TCG_TEST_FILTER to allow this:

  make check-tcg TCG_TEST_FILTER=gdb

to run all the gdb tests across the suites.

Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20260320155107.2143191-2-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
3 months agotests: fix typo in char unit test comment
xieyi [Thu, 19 Mar 2026 08:07:36 +0000 (16:07 +0800)] 
tests: fix typo in char unit test comment

Signed-off-by: xieyi <xieyi@kylinos.cn>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
3 months agoMerge tag 'pull-target-arm-20260323' of https://gitlab.com/pm215/qemu into staging
Peter Maydell [Mon, 23 Mar 2026 10:55:20 +0000 (10:55 +0000)] 
Merge tag 'pull-target-arm-20260323' of https://gitlab.com/pm215/qemu into staging

target-arm queue:
 * tests/qtest/arm-cpu-features: Fix thinko in g_strdup_printf() call
 * configure: Remove unused variable default_cflags
 * whpx: arm: Various fixes, notably making '-cpu host' work
 * configs/targets: Restrict the legacy ldst_phys() API on ARM / Aarch64
 * hw/isa/piix: Embed i8259 irq in device state instead of allocating

# -----BEGIN PGP SIGNATURE-----
#
# iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmnBG80ZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3h5sEACn3SqYA+ejIyK9oZA4B7cV
# DGAvIjU8cmqn3iIEBBFxYYaGYOAhR+MrDZxk2myeEq2c9yzNTYm0jyE4zWyLZZ9o
# jH9XgtdhcLxdtGrs0OujxBjMOg2ORgLlPLyFAblhZ9dmIrko/TMJE8ZQojx4Ys7g
# I9KUJJhF3pK8M6io0QNzaFbDZTHFQjBUDMK6RdF+xLnreYUbNJQmzxQ310c4PsBj
# NVZT1Bx2PWqZrOE5sK+925y/dCbxl4yIEdbRq2hHG5CkHPD8nLV9khLq1B+/lHUZ
# PcpP4VbE8hyPw1lCQspzp4JaUMtj2Nj9+nzdGE81/f6uupfHwy8ZbYbE04bVBaLi
# CHT6TTiR18Zb2Hvo8adKhIeUR6UjMVWYe+RpQWLec41TIeAsGbaiAY8RAlFSt0AL
# Yg6oGgDCvMexqq68iAO6IuU6dZ587dmTAM++BpGt4776jNWjvMeSH5iLiW7vWs1s
# ONxIQmm3QqyZtoMbV9PPgs5YKiWP6dCWRun2s3/n8RogXXe0yvjMz8opb/mhJpBH
# OQ+BXy5XuhWq7/YIYpLUExZNz9OvwBngMZNoQLvNm05vkEZjedTpk1YLStS+HiZU
# 4NYVc7h6SKVs7fDayDnXqMR9xGLhaYnWNVIrx9pZ1PFz7J4QCXrGiKs3MqnrpjLj
# Nmb0/Ne4aOWIfv3YPqCipg==
# =n7nP
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon Mar 23 10:54:05 2026 GMT
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# gpg:                 aka "Peter Maydell <peter@archaic.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20260323' of https://gitlab.com/pm215/qemu:
  hw/isa/piix: Embed i8259 irq in device state instead of allocating
  configs/targets: Restrict the legacy ldst_phys() API on ARM / Aarch64
  whpx: arm: fix ID_AA64MMFR3_EL1 host feature register index
  target/arm: cpu: alter error message for host CPU type
  whpx: arm: remove comment bit that is no longer accurate
  whpx: arm: enable more enlightenments
  whpx: arm: add EC_DATAABORT assert for WHvRunVpExitReasonGpaIntercept/UnmappedGpa
  whpx: arm: fix -cpu host
  configure: Remove unused variable default_cflags
  tests/qtest/arm-cpu-features: Fix thinko in g_strdup_printf() call

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agoMerge tag 'pull-request-2026-03-23' of https://gitlab.com/thuth/qemu into staging
Peter Maydell [Mon, 23 Mar 2026 10:55:07 +0000 (10:55 +0000)] 
Merge tag 'pull-request-2026-03-23' of https://gitlab.com/thuth/qemu into staging

* Fix various crashes that can happen when running QEMU with -device xyz,help
* Improve detection of build directory in the functional patches

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCgAdFiEEJ7iIR+7gJQEY8+q5LtnXdP5wLbUFAmnBFYIACgkQLtnXdP5w
# LbVDShAAoV+WZlCG+nnVuXwjM4oQzLhMy/Geds9urnvohtMv0wmI0l8tm+1WYc6M
# uCazatR/FvPcmrHE09+zhbDbLeoCLES9LNCxwk4hov1AY+RL40PyoFJfmIXLJYz6
# 1Vp5PUnC/y5GnbGYy5jgQ/FtxApMQvvCWlLxcRrMVThMcPLYbnGGcaufK8oiltmU
# 96620XVUkGMpc1w5mCvbT3RJXuQkDb8OvIcm4/kZ2RxCEbrnCjvPpWN2bmi4D8nh
# 8TfMguB5c1Lgmw1y3d/hHoNxMuEijTtU1lVWycCW1ij1ZHLiYKlT9IjXbel8VqEQ
# GAEdsPwEtfcJZqRohZ5cOWn86jLYwlGB0xRrXHb5JI1r7XjMo3UEKB2M30S2SlkL
# Zvl92XJqOzhxL4o89UrVjTv/YcgkPYtfsnMZeuJpH8xwmBVd+7nSXAdQvfedVbPg
# W+BWUNWEL1/l6Rl7ge763rGu/I8nDisvhYpMWq83W8f0E8TSTmPTxdGlz4T5ObQd
# BAV6JwmiFXg9kHs28k5crk3oCNbuGETPhiBp5J3l/psDZQ3NkIM+KPRoiu3oVpei
# K2QFQiiHYTx9FdcyxASXyfbR3E2u+bEdT4gAnFjdIwIiYNtLLqqC0/BFgrHvII5e
# qaJH+qrV6BhBRfwooux6KjKDeb9d5BMfOCqk2ERdbHflIztFrrQ=
# =Y6fU
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon Mar 23 10:27:14 2026 GMT
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [undefined]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* tag 'pull-request-2026-03-23' of https://gitlab.com/thuth/qemu:
  tests/functional: remove heuristics for finding build dir
  tests/functional: fix log placement when run directly
  hw/sparc64/sun4u_iommu: Fix crash when introspecting sun4u-iommu from the CLI
  hw/sparc/sun4m_iommu: Fix crash when introspecting sun4m-iommu from the CLI
  hw/display/cg3: Fix crash when introspecting cgthree from the CLI
  hw/pci-host/raven: Fix crash when introspecting raven-pcihost from the CLI

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agoMerge tag 'pull-hex-20260320' of https://github.com/quic/qemu into staging
Peter Maydell [Mon, 23 Mar 2026 10:54:45 +0000 (10:54 +0000)] 
Merge tag 'pull-hex-20260320' of https://github.com/quic/qemu into staging

Fix for J2_jumptnew{,pt} pred-reg misbehavior

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCgAdFiEEPWaq5HRZSCTIjOD4GlSvuOVkbDIFAmm9Xi0ACgkQGlSvuOVk
# bDJFqQ/+NJfvsWAGDK/JV6dklKQ6f6GmRzuVBbPmEY+fCVdkaZPJFkoU70qNCths
# jD/3rsTtTb8NRs05z3BXcf2/hr7iU5f+u6hrz26xi4JpGJ+sNFIN+AHVinPuUeGl
# yM4Zd9gRlzdOOhKy6yV9FAclg+ldTUHDlgbmInxaDt1ADuDfTqcrphd4TmjsMsI3
# +HSn22lL7qn0IZWa2cOJ5k/fXagBP181lhRB4vtJrDPZdUww4FreBjTecKzdJuLO
# wxyew5ljNNn/V0MxGwrxPf/Y5VlqfkkffMh/d22DenAY6GXtiYMrNgZa4jt7gaPS
# +/42RxLr/rc1VXuPwDSE9+XEODWSpaNgOhuQYRtvvmd3vzpTIL4BKv0sFrVWkS/a
# OSAFUB+ufouwZs+DoaLaTU63PYTWQunJiaVyeoqiPjv/sOR3ykr+n304VBjSbQAF
# syvWE4qyQEos+8QVIuGA71NFzGrYCvw3iKnzcG+AeUrC5v0SI7o1jcNJ7G9z+5KX
# bIzC7voH2+1nrb/FJoMusS2foYmmJbCZ/cVJvb7df4rx6X0aPVDqB2MkrSHGcllI
# pUjhAGvMnN+bF0t28qtc4xKBa+yWSApR801BixIxlehfWk/7jgEx3RYA+iRCy966
# xPyxzvWdRBwn2CdppZKIMYPL8IYqhKVKOi7DKYWk02b7YWkFnGk=
# =MgZ9
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri Mar 20 14:48:13 2026 GMT
# gpg:                using RSA key 3D66AAE474594824C88CE0F81A54AFB8E5646C32
# gpg: Good signature from "Brian Cain (OSS Qualcomm) <brian.cain@oss.qualcomm.com>" [unknown]
# gpg:                 aka "Brian Cain <bcain@kernel.org>" [full]
# gpg:                 aka "Brian Cain (QuIC) <bcain@quicinc.com>" [full]
# gpg:                 aka "Brian Cain (CAF) <bcain@codeaurora.org>" [full]
# gpg:                 aka "bcain" [full]
# gpg:                 aka "Brian Cain (QUIC) <quic_bcain@quicinc.com>" [unknown]
# Primary key fingerprint: 6350 20F9 67A7 7164 79EF  49E0 175C 464E 541B 6D47
#      Subkey fingerprint: 3D66 AAE4 7459 4824 C88C  E0F8 1A54 AFB8 E564 6C32

* tag 'pull-hex-20260320' of https://github.com/quic/qemu:
  tests/tcg/hexagon: add test for predicated .new branch LSB evaluation
  target/hexagon: use TCG_COND_TSTEQ/TSTNE for predicate branches
  target/hexagon: fix J2_jumptnew/pt predicate check to use LSB

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agohw/isa/piix: Embed i8259 irq in device state instead of allocating
Peter Maydell [Mon, 23 Mar 2026 09:51:01 +0000 (09:51 +0000)] 
hw/isa/piix: Embed i8259 irq in device state instead of allocating

The pci_piix_realize() function's use of qemu_allocate_irqs()
results in a memory leak:

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x61045c7a1a43 in malloc (/home/pm215/qemu/build/san/qemu-system-mips+0x16f8a43) (BuildId: aa43d3865e0f1991b1fc04422b5570fe522b6fa7)
    #1 0x724cc3095ac9 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x62ac9) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
    #2 0x61045db72134 in qemu_extend_irqs /home/pm215/qemu/build/san/../../hw/core/irq.c:77:51
    #3 0x61045cd7bf49 in pci_piix_realize /home/pm215/qemu/build/san/../../hw/isa/piix.c:318:35
    #4 0x61045cf4533e in pci_qdev_realize /home/pm215/qemu/build/san/../../hw/pci/pci.c:2308:9
    #5 0x61045db6cbca in device_set_realized /home/pm215/qemu/build/san/../../hw/core/qdev.c:523:13
    #6 0x61045db86bd9 in property_set_bool /home/pm215/qemu/build/san/../../qom/object.c:2376:5
    #7 0x61045db81c5e in object_property_set /home/pm215/qemu/build/san/../../qom/object.c:1450:5
    #8 0x61045db8e2fc in object_property_set_qobject /home/pm215/qemu/build/san/../../qom/qom-qobject.c:28:10
    #9 0x61045db8258f in object_property_set_bool /home/pm215/qemu/build/san/../../qom/object.c:1520:15
    #10 0x61045db687aa in qdev_realize_and_unref /home/pm215/qemu/build/san/../../hw/core/qdev.c:283:11
    #11 0x61045d892e21 in mips_malta_init /home/pm215/qemu/build/san/../../hw/mips/malta.c:1239:5

(The i386 PC sets the has-pic property to 'false', so this only
affects the MIPS Malta board.)

Fix this by embedding the i8259 irq in the device state instead of
allocating it.  This is a similar fix to the one we used for vt82c686
in commit 2225dc562a93dc, except that we use qemu_init_irq_child()
instead of qemu_init_irq().  The behaviour is identical except that
the _child() version avoids what would be a leak if we ever
unrealized the device.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Bernhard Beschow <shentey@gmail.com>
Message-id: 20260309171258.1905205-1-peter.maydell@linaro.org

3 months agoconfigs/targets: Restrict the legacy ldst_phys() API on ARM / Aarch64
Philippe Mathieu-Daudé [Mon, 23 Mar 2026 09:51:01 +0000 (09:51 +0000)] 
configs/targets: Restrict the legacy ldst_phys() API on ARM / Aarch64

Commit d751921cffd ("hw/arm/omap1: Remove omap_badwidth_*
implementations") removed the last use of the legacy ldst_phys()
API. Set the TARGET_NOT_USING_LEGACY_LDST_PHYS_API variable to
hide the legacy API from the ARM / Aarch64 binaries, preventing further
API uses from creeping in.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260319104414.66367-1-philmd@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agowhpx: arm: fix ID_AA64MMFR3_EL1 host feature register index
Osama Abdelkader [Mon, 23 Mar 2026 09:51:01 +0000 (09:51 +0000)] 
whpx: arm: fix ID_AA64MMFR3_EL1 host feature register index

IdAa64Mmfr3El1 was stored in idregs[ID_AA64MMFR2_EL1_IDX], overwriting
MMFR2 and leaving MMFR3 never set. Use ID_AA64MMFR3_EL1_IDX so the host
MMFR3 value is stored in the correct slot.

Fixes: f7fa2b88084 ("whpx: arm64: implement -cpu host")
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Reviewed-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260314221529.47841-7-mohamed@unpredictable.fr
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agotarget/arm: cpu: alter error message for host CPU type
Mohamed Mediouni [Mon, 23 Mar 2026 09:51:01 +0000 (09:51 +0000)] 
target/arm: cpu: alter error message for host CPU type

Make the error message for attempting to use 'host' on an
unsupported accelerator match the check we're doing.

Signed-off-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260314221529.47841-6-mohamed@unpredictable.fr
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agowhpx: arm: remove comment bit that is no longer accurate
Mohamed Mediouni [Mon, 23 Mar 2026 09:51:01 +0000 (09:51 +0000)] 
whpx: arm: remove comment bit that is no longer accurate

As of Windows 11 version 26H1, SME support shipped.  However the
MIT-licensed headers aren't updated yet.

Signed-off-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Message-id: 20260314221529.47841-5-mohamed@unpredictable.fr
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agowhpx: arm: enable more enlightenments
Mohamed Mediouni [Mon, 23 Mar 2026 09:51:01 +0000 (09:51 +0000)] 
whpx: arm: enable more enlightenments

Unconditionally enable some more enlightenments for whpx.  In
particular, linux uses AccessVpRegs without checking availability and
panics if it's not there, so it's important to expose it.

We also had a duplicate line where we set AccessHypercallRegs = 1
twice; remove the duplicate.

Microsoft’s VMM exposes SyncContext on arm64 and FastHypercallOutput
regardless of architecture unconditionally, so add those two to match
that configuration.

Signed-off-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Message-id: 20260314221529.47841-4-mohamed@unpredictable.fr
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agowhpx: arm: add EC_DATAABORT assert for WHvRunVpExitReasonGpaIntercept/UnmappedGpa
Mohamed Mediouni [Mon, 23 Mar 2026 09:51:01 +0000 (09:51 +0000)] 
whpx: arm: add EC_DATAABORT assert for WHvRunVpExitReasonGpaIntercept/UnmappedGpa

If we get anything else from Hyper-V there's a problem, so enforce
this.

Signed-off-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Message-id: 20260314221529.47841-3-mohamed@unpredictable.fr
Suggested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agowhpx: arm: fix -cpu host
Mohamed Mediouni [Mon, 23 Mar 2026 09:51:01 +0000 (09:51 +0000)] 
whpx: arm: fix -cpu host

"hw/arm/virt: Register valid CPU types dynamically" went under my
radar, so fix this for WHPX.

Signed-off-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Message-id: 20260314221529.47841-2-mohamed@unpredictable.fr
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agoconfigure: Remove unused variable default_cflags
Peter Maydell [Mon, 23 Mar 2026 09:51:01 +0000 (09:51 +0000)] 
configure: Remove unused variable default_cflags

configure has a variable default_cflags, which was originally added
in commit bafe78ad3bc4c ("contrib/plugins: use an independent
makefile") as part of it setting up the build environment for
contrib/plugins, which at the time used make.  However, we now build
the plugins with meson, and in commit 55c84a72aba4 ("contrib/plugins:
remove Makefile for contrib/plugins") we dropped the logic from
configure that does that makefile setup, leaving default_cflags
as an unused variable.

shellcheck helpfully reports this:
      default_cflags='-O0 -g'
      ^------------^ SC2034 (warning): default_cflags appears unused. Verify use (or export if used externally).

Remove the unused variable.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260317120215.2075164-1-peter.maydell@linaro.org

3 months agotests/qtest/arm-cpu-features: Fix thinko in g_strdup_printf() call
Peter Maydell [Mon, 23 Mar 2026 09:51:01 +0000 (09:51 +0000)] 
tests/qtest/arm-cpu-features: Fix thinko in g_strdup_printf() call

In commit 62272f9f8891 we changed some uses of fixed char arrays
to call g_strdup_printf() instead. In one place I made a silly
error where in changing
  sprintf(name, "fmt string", ...)
to
  name = g_strdup_printf("fmt string", ...)
I forgot to delete "name" from the argument list.

Luckily Coverity spotted this (as CID 1645771) because at this
point "name" is NULL and passing g_strdup_printf() a NULL first
argument is not valid.

We didn't notice the mistake in testing or CI because this bit of
code is only run on an AArch64 host with KVM and SVE available.

Correct the error by removing the stray function argument.

Fixes: 62272f9f8891 ("tests/qtest/arm-cpu-features: Use g_strdup_printf() instead of char arrays")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Message-id: 20260317111121.2062455-1-peter.maydell@linaro.org

3 months agotests/functional: remove heuristics for finding build dir
Daniel P. Berrangé [Tue, 10 Mar 2026 11:47:56 +0000 (11:47 +0000)] 
tests/functional: remove heuristics for finding build dir

Currently some heuristics are used to locate the build dir, if the
MESON_BUILD_ROOT environment variable is not set. These are not
entirely accurate, however, especially if the developer is using
nested sub-dirs under $PWD/build/...

Since the introduction of the 'run' script, we can ensure any
direct execution of the tests will have MESON_BUILD_ROOT set.

Meanwhile when meson runs the test it will also have this env
set. The only gap is when running pre-caching, and that is easily
fixed to set MESON_BUILD_ROOT.

It can thus be assumed that MESON_BUILD_ROOT will always be set
in any supported execution scenario, which allows the heuristics
to be removed.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260310114756.146083-3-berrange@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months agotests/functional: fix log placement when run directly
Daniel P. Berrangé [Tue, 10 Mar 2026 11:47:55 +0000 (11:47 +0000)] 
tests/functional: fix log placement when run directly

When running functional tests directly there are some heuristics
to figure out where the build directory lives, along with the
possibility to override the logic by setting the QEMU_BUILD_DIR
env variable. This env var is set as part of the test env when
run via Meson but not when run directly.

A particular flaw with the current logic is that it silently
uses the wrong location when the build directory is a sub-dir
under "./build", which is a common usage scenario for some devs.

With the recent introduction of the 'run' script, we now have
the MESON_BUILD_ROOT env variable set unconditionally, so we
can rely on that from the functional tests to get the correct
location in all scenarios.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260310114756.146083-2-berrange@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
3 months agohw/sparc64/sun4u_iommu: Fix crash when introspecting sun4u-iommu from the CLI
Thomas Huth [Tue, 17 Mar 2026 08:58:39 +0000 (09:58 +0100)] 
hw/sparc64/sun4u_iommu: Fix crash when introspecting sun4u-iommu from the CLI

QEMU currently crashes when introspecting the sun4u-iommu device from the
command line interface:

 $ ./qemu-system-sparc64 -display none -device sun4u-iommu,help
 qemu-system-sparc64: ../../devel/qemu/system/physmem.c:1401:
  register_multipage: Assertion `num_pages' failed.
 Aborted (core dumped)

There does not seem to be a compelling reason for initializing the
memory regions from the instance_init function, so let's simply move
the code into a realize() function instead to fix this issue.

Reported-by: Markus Armbruster <armbru@redhat.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260317085839.445178-1-thuth@redhat.com>

3 months agohw/sparc/sun4m_iommu: Fix crash when introspecting sun4m-iommu from the CLI
Thomas Huth [Tue, 17 Mar 2026 08:44:50 +0000 (09:44 +0100)] 
hw/sparc/sun4m_iommu: Fix crash when introspecting sun4m-iommu from the CLI

QEMU currently crashes when introspecting the sun4m-iommu device from the
command line interface:

 $ ./qemu-system-sparc -display none -device sun4m-iommu,help
 qemu-system-sparc: ../../devel/qemu/system/physmem.c:1401:
  register_multipage: Assertion `num_pages' failed.
 Aborted (core dumped)

There does not seem to be a compelling reason for initializing the
memory regions from the instance_init function, so let's simply move
the code into a realize() function instead to fix this issue.

Reported-by: Markus Armbruster <armbru@redhat.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260317084450.442071-1-thuth@redhat.com>

3 months agohw/display/cg3: Fix crash when introspecting cgthree from the CLI
Thomas Huth [Tue, 17 Mar 2026 08:06:23 +0000 (09:06 +0100)] 
hw/display/cg3: Fix crash when introspecting cgthree from the CLI

QEMU currently crashes when introspecting the cgthree device from the
command line interface:

 $ ./qemu-system-sparc -device cgthree,help
 Segmentation fault (core dumped)

This happens because the memory_region_init_rom() function internally
calls qemu_ram_alloc_internal() that needs the current_machine pointer
to be set up - which is not the case here since the machine has not
been created yet.

There does not seem to be a compelling reason for initializing the
memory regions from the instance_init function, so let's simply move
the code into the realize() function instead to fix this issue.

Tested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260317080623.438230-1-thuth@redhat.com>

3 months agohw/pci-host/raven: Fix crash when introspecting raven-pcihost from the CLI
Thomas Huth [Tue, 17 Mar 2026 07:40:49 +0000 (08:40 +0100)] 
hw/pci-host/raven: Fix crash when introspecting raven-pcihost from the CLI

QEMU currently crashes when introspecting raven-pcihost from the command
line interface:

 $ ./qemu-system-ppc -device raven-pcihost,help
 Segmentation fault (core dumped)

This happens because the raven_pcihost_initfn instance init function
calls get_system_memory(), but that is not available here yet.

There does not seem to be a compelling reason for initializing the
memory regions from the instance init function, so let's simply move
the code into the realize() function instead to fix this issue.

Tested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260317074049.436460-1-thuth@redhat.com>

3 months agotests/tcg/hexagon: add test for predicated .new branch LSB evaluation
Brian Cain [Tue, 3 Mar 2026 05:29:01 +0000 (21:29 -0800)] 
tests/tcg/hexagon: add test for predicated .new branch LSB evaluation

Test for predicated .new branches with non-standard predicate values
(non-all-0, non-all-1).  Hexagon predicates are 8 bits wide but conditional
branches evaluate only the LSB.

Reviewed-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
3 months agotarget/hexagon: use TCG_COND_TSTEQ/TSTNE for predicate branches
Brian Cain [Tue, 3 Mar 2026 05:29:00 +0000 (21:29 -0800)] 
target/hexagon: use TCG_COND_TSTEQ/TSTNE for predicate branches

Replace TCG_COND_EQ/NE comparisons against 0 with TCG_COND_TSTEQ/TSTNE
comparisons against 1 for all predicate-conditional branches. This tests
bit 0 of the predicate register directly, eliminating redundant andi
operations that previously extracted the LSB before the comparison.

For predicate-conditional jumps (jumpt, jumpf, jumptnew, etc.) and
jump-register variants (jumprt, jumprf, etc.), pass the raw predicate
value directly instead of going through fLSBOLD/fLSBNEW extraction.
For callers that produce a 0/1 result via setcond (compare-and-jump,
jumprz, etc.), the TSTEQ/TSTNE test on bit 0 is equivalent to the
previous EQ/NE test against 0.

Reviewed-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
3 months agotarget/hexagon: fix J2_jumptnew/pt predicate check to use LSB
Brian Cain [Tue, 3 Mar 2026 05:28:59 +0000 (21:28 -0800)] 
target/hexagon: fix J2_jumptnew/pt predicate check to use LSB

J2_jumptnew and J2_jumptnewpt passed the raw predicate value to
gen_cond_jump(), checking if the full 8-bit value was non-zero.
Refer to PRM Section 6.1.2 "predicate-consuming instructions examine
only the least-significant bit".

This inconsistency caused if (p0.new) jumps and if (p0.new) loads
within the same packet to disagree when the predicate had values
other than the ones generated by predicate-generating instructions
(e.g. 0x80 or 0xAA where bit 0 is clear but the value is
non-zero): the jump would be taken while the loads were skipped.

Fix by routing both macros through fGEN_TCG_cond_jumpt(fLSBNEW(PuN)),
matching the pattern used by every other predicated jump.

Discovered-by: Alexey Karyakin <akaryaki@qti.qualcomm.com>
Reviewed-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
3 months agoMerge tag 'hppa-fixes-for-v11-pull-request' of https://github.com/hdeller/qemu-hppa...
Peter Maydell [Fri, 20 Mar 2026 10:04:48 +0000 (10:04 +0000)] 
Merge tag 'hppa-fixes-for-v11-pull-request' of https://github.com/hdeller/qemu-hppa into staging

HPPA fixes for v11

Some late fixes for QEMU-v11

Various fixes in SeaBIOS-hppa and qemu code, most importantly
this fixes boot of the C3700, which broke while we added
support for CPUs with 40 and 44 bits physical address space.

# -----BEGIN PGP SIGNATURE-----
#
# iHUEABYKAB0WIQS86RI+GtKfB8BJu973ErUQojoPXwUCabxmmwAKCRD3ErUQojoP
# X5z0AP4h0hBe/jDlQ8VLs0LtdG4bBnyPSVl+4rahw10mmgkvZwD7B/wimiCUBOJZ
# Jj9nKpNWtgZRXwRIM4XOl/a6pYcbCw8=
# =MzWS
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu Mar 19 21:11:55 2026 GMT
# gpg:                using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F
# gpg: Good signature from "Helge Deller <deller@gmx.de>" [unknown]
# gpg:                 aka "Helge Deller <deller@kernel.org>" [unknown]
# gpg:                 aka "Helge Deller <deller@debian.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4544 8228 2CD9 10DB EF3D  25F8 3E5F 3D04 A7A2 4603
#      Subkey fingerprint: BCE9 123E 1AD2 9F07 C049  BBDE F712 B510 A23A 0F5F

* tag 'hppa-fixes-for-v11-pull-request' of https://github.com/hdeller/qemu-hppa:
  target/hppa: Update SeaBIOS-hppa to version 23
  hw/hppa: Fix crash of 64-bit HP-UX 11 while flushing caches
  hw/pci-host/astro: Use proper region names
  target/hppa: Always map 64-bit firmware at 0xfffffff0f0000000
  hw/hppa: Adjust physical addresses of Astro and Elroy
  hw/hppa: Fix description of the HP A400-44 server

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agoMerge tag 'pull-riscv-to-apply-20260320' of https://github.com/alistair23/qemu into...
Peter Maydell [Fri, 20 Mar 2026 10:04:40 +0000 (10:04 +0000)] 
Merge tag 'pull-riscv-to-apply-20260320' of https://github.com/alistair23/qemu into staging

RISC-V PR for 11.

* Fix integer overflow in cm_base calculation
* Fix null pointer dereference in cpu_set_exception_base
* Update Daniel Henrique Barboza's email
* Add Chao Liu as reviewer
* Set SiFive PDMA done bit upon completion
* Remove deprecated 'riscv, delegate' device-tree property
* Fix OCP FP8 E4M3 conversion issues
* Fix IOMMU instance_init allocations in instance_finalize
* Support Smpmpmt extension
* Fix SiFive UART spurious IRQ issue and misc updates
* Fix missing flags merge in probe_pages for cross-page accesses
* Fix page probe issues in vext_ldff
* Fix scountovf CSR behavior in VS-mode and M-mode

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCgAdFiEEaukCtqfKh31tZZKWr3yVEwxTgBMFAmm8ha4ACgkQr3yVEwxT
# gBMKOBAAsB6CwDSsi+DmuCD5r25kaLtvFg7hqc6iYpzjuwUE+uHu3LWMky19Div1
# mpMLZi1an/NbIKX8N9KS1G87hzteqvxY4wKVoMn1mF/3yQ5r6OJ2SfZoDiiJyAva
# UIhaiRUbmg78OX0YCBYCWaRbqN7rbV6XJnB8oGUyhVNwtfJ/pZppfCflsd5+E3KD
# U7sKMVaytfeQCQGXeNYgZBvYvDQ7/t21eLytLYGhUNy89N8mo7V5egFJEN45BE8O
# Zh+Oa7bN+lUOg0eUTj98zwXXXeOZMEKbn5I01XuUH1gn5aO+CeEvFEqDssF1fKle
# mq00WkK1Tk9kZOTLhMR4pdW2kXkom/mEmXI9jU0CInmF63+r8/SugimPS8LyLE3N
# qZodmmEeckOPsE+RnmBOHww2Y+g668+C/sTcSAuHsWUXJLDty+DyO0RU4d0ioRHa
# zyOf2cNoSVV8EWJ5uHk9Et2eimq0Q83n/tVpkKyq877rOGLQzoDIKJEwIO7nI59x
# NF437R7hWKOZ0JLE22wuLWNW8LohxaFkzYRGFDH2/qKlsEv7mSkutTU4y6g0XKok
# iTjBaibmwsaDeMrf5JYHTGMSvF/3lIXyeJiBCq6uQac3fFXKKeehttaU4F+KW0KE
# gO6oUdJWExp7Tt+9nx5KqFxlJPNd/JV3gDCKRjQskW3bT4H1cco=
# =chEj
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu Mar 19 23:24:30 2026 GMT
# gpg:                using RSA key 6AE902B6A7CA877D6D659296AF7C95130C538013
# gpg: Good signature from "Alistair Francis <alistair@alistair23.me>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6AE9 02B6 A7CA 877D 6D65  9296 AF7C 9513 0C53 8013

* tag 'pull-riscv-to-apply-20260320' of https://github.com/alistair23/qemu:
  target/riscv: Fix scountovf CSR behavior in VS-mode and M-mode
  target/riscv: rvv: Fix page probe issues in vext_ldff
  target/riscv: rvv: Fix missing flags merge in probe_pages for cross-page accesses
  hw/char: sifive_uart: Remove ip variable
  hw/char: sifive_uart: Update IRQ when rxctrl is written
  hw/char: sifive_uart: Sync txwm interrupt pending status after TX FIFO enqueue
  hw/char: sifive_uart: Implement txctrl.txen and rxctrl.rxen
  target/riscv: Support Smpmpmt extension
  hw/riscv/riscv-iommu: Free instance_init allocations in instance_finalize
  fpu: Fix unexpected exception flags when converting infinity to OCP E4M3
  fpu: Fix repacking issues in the uncanonical step for E4M3 overflow
  hw/riscv: Remove deprecated 'riscv, delegate' device-tree property
  hw/dma: sifive_pdma: Set done bit upon completion
  MAINTAINERS: Add myself as a reviewer for RISC-V TCG CPUs
  MAINTAINERS: update my email
  target/riscv: Fix null pointer dereference in cpu_set_exception_base
  hw/riscv: Fix integer overflow in cm_base calculation

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agoMerge tag 'staging-pull-request' of https://gitlab.com/peterx/qemu into staging
Peter Maydell [Fri, 20 Mar 2026 10:04:21 +0000 (10:04 +0000)] 
Merge tag 'staging-pull-request' of https://gitlab.com/peterx/qemu into staging

mem pull for 11.0-rc1

Two fixes included:

- Xiaoyao's fix on recent coco guest boot failure
- BALATON's fix on recent sparc device-introspect-test failure

# -----BEGIN PGP SIGNATURE-----
#
# iIgEABYKADAWIQS5GE3CDMRX2s990ak7X8zN86vXBgUCabwC2xIccGV0ZXJ4QHJl
# ZGhhdC5jb20ACgkQO1/MzfOr1wYozgEAg32MCV/R9xs5krn9mSpBLLoVZCAIDp2C
# 4hLW7aEnf4UBALeUmJY/pLWEGwFc6LVzPe4kZ5BLl0j72jtcVP1BcmoG
# =Zd1r
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu Mar 19 14:06:19 2026 GMT
# gpg:                using EDDSA key B9184DC20CC457DACF7DD1A93B5FCCCDF3ABD706
# gpg:                issuer "peterx@redhat.com"
# gpg: Good signature from "Peter Xu <xzpeter@gmail.com>" [marginal]
# gpg:                 aka "Peter Xu <peterx@redhat.com>" [marginal]
# gpg: WARNING: The key's User ID is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: B918 4DC2 0CC4 57DA CF7D  D1A9 3B5F CCCD F3AB D706

* tag 'staging-pull-request' of https://gitlab.com/peterx/qemu:
  hw/display/tcx: Init memory regions in realize
  memory: Set mr->ram before RAM Block allocation

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3 months agotarget/riscv: Fix scountovf CSR behavior in VS-mode and M-mode
Jim Shu [Wed, 18 Mar 2026 02:42:34 +0000 (10:42 +0800)] 
target/riscv: Fix scountovf CSR behavior in VS-mode and M-mode

From Sscofpmf spec [1]:
- In M-mode, scountovf bit X is always readable.
- In VS-mode, scountovf bit X is readable when mcounteren bit X and
  hcounteren bit X are both set, and otherwise reads as zero.

[1] https://github.com/riscv/riscv-isa-manual/blob/main/src/sscofpmf.adoc

Signed-off-by: Jim Shu <jim.shu@sifive.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318024234.2772480-1-jim.shu@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
3 months agotarget/riscv: rvv: Fix page probe issues in vext_ldff
Max Chou [Wed, 18 Mar 2026 01:38:05 +0000 (09:38 +0800)] 
target/riscv: rvv: Fix page probe issues in vext_ldff

Commit 17288e38bebf ("optimize the memory probing for vector
fault-only-first loads") introduced an optimization that moved from
per-element probing to a fast-path broad probe. Unfortunately, it
introduced the following bugs in cross-page handling:

- Wrong condition for second page probing: checked "env->vl > elems"
  instead of "env->vl > elems + env->vstart", failing to account for
  the vstart offset.

- Incorrect second page address calculation: used
  "addr + (elems << log2_esz)" instead of "addr + page_split".
  For segment loads (nf > 1), this would probe the wrong address, not
  at the page boundary.

- Wrong second page probe size: used "elems * msize" (the first page
  size) instead of calculating the remaining size as
  "(env->vl - env->vstart) * msize - page_split". This would probe
  too little memory and could miss faults.

This commit fixes these bugs by leveraging the probe_pages helper
which automatically handles cross-page memory accesses correctly.

Fixes: 17288e38bebf ("optimize the memory probing for vector fault-only-first loads.")
Signed-off-by: Max Chou <max.chou@sifive.com>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318013805.1920377-3-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
3 months agotarget/riscv: rvv: Fix missing flags merge in probe_pages for cross-page accesses
Max Chou [Wed, 18 Mar 2026 01:38:04 +0000 (09:38 +0800)] 
target/riscv: rvv: Fix missing flags merge in probe_pages for cross-page accesses

When probe_pages probes a memory region that spans two pages, it calls
probe_access_flags twice - once for each page. However, the flags from
the second page probe were overwriting the flags from the first page
instead of being merged together.

Signed-off-by: Max Chou <max.chou@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318013805.1920377-2-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
3 months agohw/char: sifive_uart: Remove ip variable
Frank Chang [Thu, 12 Mar 2026 03:32:01 +0000 (11:32 +0800)] 
hw/char: sifive_uart: Remove ip variable

The ip variable is no longer used in the code. Remove it from the
codebase.

Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260312033201.1619554-5-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
3 months agohw/char: sifive_uart: Update IRQ when rxctrl is written
Frank Chang [Thu, 12 Mar 2026 03:32:00 +0000 (11:32 +0800)] 
hw/char: sifive_uart: Update IRQ when rxctrl is written

When rxctrl is updated, we also need to check whether the IRQ should be
raised, as the user may activate the Rx channel or change the Rx FIFO
watermark level.

Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260312033201.1619554-4-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
3 months agohw/char: sifive_uart: Sync txwm interrupt pending status after TX FIFO enqueue
Frank Chang [Thu, 12 Mar 2026 03:31:59 +0000 (11:31 +0800)] 
hw/char: sifive_uart: Sync txwm interrupt pending status after TX FIFO enqueue

Currently, the txwm interrupt pending status is only updated when the
asynchronous transmit handler runs. This can cause the txwm interrupt
state to become unsynchronized between the SiFive UART and the
interrupt controller.

For example, when a txwm interrupt is raised, the corresponding APLIC
pending bit is also set. However, if software later enqueues additional
characters into the TX FIFO exceeding the transmit watermark, the
APLIC pending bit may remain set because the txwm interrupt pending
status is not updated at enqueue time.

This issue has been observed on resource-constrained machines, where
Linux reports spurious IRQ errors. In these cases, the asynchronous
transmit handler is unable to drain the TX FIFO quickly enough to update
the txwm pending status before software reads the ip register, which
derives the txwm pending state directly from the actual number of
characters in the TX FIFO.

This commit fixes the issue by updating the txwm interrupt pending
status immediately after enqueuing data into the TX FIFO, ensuring that
the interrupt pending status between the SiFive UART and the interrupt
controller remains synchronized.

Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260312033201.1619554-3-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
3 months agohw/char: sifive_uart: Implement txctrl.txen and rxctrl.rxen
Frank Chang [Thu, 12 Mar 2026 03:31:58 +0000 (11:31 +0800)] 
hw/char: sifive_uart: Implement txctrl.txen and rxctrl.rxen

Implement txctrl.txen and rxctrl.rxen as follows:

* txctrl.txen
  The txen bit controls whether the Tx channel is active. When cleared,
  transmission of Tx FIFO contents is suppressed, and the txd pin is
  driven high.

* rxctrl.rxen:
  The rxen bit controls whether the Rx channel is active. When cleared,
  the state of the rxd pin is ignored, and no characters will be
  enqueued into the Rx FIFO.

Therefore, the Tx FIFO should not be dequeued when txctrl.txen is
cleared, and the Rx FIFO should not be enqueued when rxctrl.rxen is
cleared.

Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260312033201.1619554-2-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>