However, passing a different `owner` to `memory_region_init` does not
work. `memory_region_ref` has an optimization where it takes a ref
only on the owner. That means when flatviews are created, it does not
take a ref on the region and you can get a UAF from `flatview_destroy`
called from RCU.
The correct fix therefore is to use `NULL` as the name which will set
the `owner` but not the `parent` (which is still NULL). This allows us
to use `memory_region_ref` on itself while not having to rely on unparent
for cleanup.
Signed-off-by: Joelle van Dyne <j@getutm.app>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260103214400.71694-1-j@getutm.app>
Unfortunately I can't contribute to QEMU for the time being, but Eric
has offered to take on maintainership of the ACPI VIOT. Thank you!
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251230154844.325364-2-jean-philippe@linaro.org>
zhenwei pi [Sun, 21 Dec 2025 02:43:21 +0000 (10:43 +0800)]
cryptodev-builtin: Limit the maximum size
This backend driver is used for demonstration purposes only, unlimited
size leads QEMU OOM.
Fixes: CVE-2025-14876
Fixes: 1653a5f3fc7 ("cryptodev: introduce a new cryptodev backend")
Reported-by: 이재영 <nakamurajames123@gmail.com>
Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251221024321.143196-3-zhenwei.pi@linux.dev>
Haixu Cui [Tue, 16 Dec 2025 03:21:22 +0000 (11:21 +0800)]
virtio-spi: Add vhost-user-spi device support
This patch introduces support for vhost-user-spi and vhost-user-spi-pci
devices in QEMU, enabling virtio-based SPI communication via the vhost-user
protocol.
The implementation follows the virtio-spi specification and leverages
the upstream virtio-spi driver in Linux. Relevant references:
Signed-off-by: Haixu Cui <quic_haixcui@quicinc.com>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251216032122.1316684-3-quic_haixcui@quicinc.com>
Haixu Cui [Tue, 16 Dec 2025 03:21:21 +0000 (11:21 +0800)]
standard-headers: Update virtio_spi.h from Linux v6.18-rc3
Synced virtio_spi.h from upstream Linux kernel using
scripts/update-linux-headers.sh.
Source:
- Linux commit dcb6fa37fd7bc9c3d2b066329b0d27dedf8becaa (v6.18-rc3)
- Author: Linus Torvalds <torvalds@linux-foundation.org>
- Date: Sun Oct 26 15:59:49 2025 -0700
This update ensures QEMU's standard headers are consistent with the latest
virtio SPI definitions from Linux v6.18-rc3.
Signed-off-by: Haixu Cui <quic_haixcui@quicinc.com>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251216032122.1316684-2-quic_haixcui@quicinc.com>
Igor Mammedov [Thu, 11 Dec 2025 16:54:54 +0000 (17:54 +0100)]
q35: Fix migration of SMRAM state
When migrating, dst QEMU by default has SMRAM unlocked,
and since wmask is not migrated, the migrated value of
MCH_HOST_BRIDGE_F_SMBASE in config space falls prey to
mch_update_smbase_smram()
    ...
    if (pd->wmask[MCH_HOST_BRIDGE_F_SMBASE] == 0xff) {
        *reg = 0x00;
and is getting cleared and leads to unlocked smram
on dst even if on source it's been locked.
As Andrey has pointed out [1], we should derive wmask
from config and not other way around.
Drop offending chunk and resync wmask based on MCH_HOST_BRIDGE_F_SMBASE
register value. That would preserve the register during
migration and set smram regions into corresponding state.
What that changes is:
that it would let guest write junk values in register
(with no apparent effect) until it stumbles upon
reserved 0x1 [|] 0x2 values, at which point it
would be only possible to lock register and trigger
switch to SMRAM blackhole in CPU AS.
While at it, fix up test by removing junk discard before negotiation hunk.
PS2:
Instead of adding a dedicated post_load handler for it,
reuse mch_update->mch_update_smbase_smram call chain
that is called on write/reset/post_load to be consistent
with how we handle mch registers.
PS3:
for posterity here is the error message Andrey got due to this bug:
    qemu: vfio_container_dma_map(0x..., 0x0, 0xa0000, 0x....) = -22 (Invalid argument)
    qemu: hardware error: vfio: DMA mapping failed, unable to continue
Kevin Wolf [Fri, 5 Dec 2025 14:57:18 +0000 (15:57 +0100)]
pcie_sriov: Fix PCI_SRIOV_* accesses in pcie_sriov_pf_exit()
PCI_SRIOV_* are offsets into the SR-IOV capability, not into the PCI
config space. pcie_sriov_pf_exit() erroneously takes them as the latter,
which makes it read PCI_HEADER_TYPE and PCI_BIST when it tries to read
PCI_SRIOV_TOTAL_VF.
In many cases we're lucky enough that the PCI config space will be 0
there, so we just skip the whole for loop, but this isn't guaranteed.
For example, setting the multifunction bit on the PF and then doing a
'device_del' on it will get a larger number and cause a segfault.
Fix this and access the real PCI_SRIOV_* fields in the capability.
Cc: qemu-stable@nongnu.org
Fixes: 19e55471d4e8 ('pcie_sriov: Allow user to create SR-IOV device')
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251205145718.55136-1-kwolf@redhat.com>
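The offset confusion described in this commit message, as an added example that is not QEMU's code: the capability position `EXAMPLE_SRIOV_CAP`, the VF count and all function names are assumptions made for the illustration, while the three register offsets are the standard PCI values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCIE_CONFIG_SPACE_SIZE 4096
#define PCI_HEADER_TYPE        0x0e  /* offset in the config header */
#define PCI_BIST               0x0f  /* offset in the config header */
#define PCI_SRIOV_TOTAL_VF     0x0e  /* offset inside the SR-IOV capability */
#define HDR_MULTI_FUNCTION     0x80  /* bit 7 of the Header Type register */

/* Constructed sample values, not taken from any real device. */
#define EXAMPLE_SRIOV_CAP      0x200
#define EXAMPLE_TOTAL_VFS      4

static uint16_t cfg_get_word(const uint8_t *cfg, unsigned off)
{
    return (uint16_t)(cfg[off] | (cfg[off + 1] << 8));   /* little endian */
}

/* Build a PF config space with an SR-IOV capability advertising 4 VFs. */
void build_pf_config(uint8_t *cfg, int multifunction)
{
    memset(cfg, 0, PCIE_CONFIG_SPACE_SIZE);
    cfg[PCI_HEADER_TYPE] = multifunction ? HDR_MULTI_FUNCTION : 0;
    cfg[EXAMPLE_SRIOV_CAP + PCI_SRIOV_TOTAL_VF] = EXAMPLE_TOTAL_VFS & 0xff;
    cfg[EXAMPLE_SRIOV_CAP + PCI_SRIOV_TOTAL_VF + 1] = EXAMPLE_TOTAL_VFS >> 8;
}

/* 'Before' shape: the capability-relative offset is used as an absolute
 * config-space offset, so this really reads PCI_HEADER_TYPE and PCI_BIST. */
uint16_t total_vfs_before(const uint8_t *cfg)
{
    return cfg_get_word(cfg, PCI_SRIOV_TOTAL_VF);
}

/* 'After' shape: the offset is applied relative to the capability. */
uint16_t total_vfs_after(const uint8_t *cfg, unsigned sriov_cap)
{
    return cfg_get_word(cfg, sriov_cap + PCI_SRIOV_TOTAL_VF);
}

/* How many iterations a teardown loop bounded by 'loop_count' would run
 * past the 'allocated' VFs (assumption: the loop touches one VF per pass). */
unsigned teardown_overrun(unsigned loop_count, unsigned allocated)
{
    return loop_count > allocated ? loop_count - allocated : 0;
}

int main(void)
{
    uint8_t cfg[PCIE_CONFIG_SPACE_SIZE];

    for (int mf = 0; mf <= 1; mf++) {
        build_pf_config(cfg, mf);
        unsigned before = total_vfs_before(cfg);
        unsigned after = total_vfs_after(cfg, EXAMPLE_SRIOV_CAP);
        printf("multifunction=%d before=%u after=%u overrun=%u\n",
               mf, before, after, teardown_overrun(before, EXAMPLE_TOTAL_VFS));
    }
    return 0;
}
```

With the multifunction bit clear the wrong read yields 0 and the loop is silently skipped; with it set the loop bound becomes 128 for a device that has 4 VFs.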
This is because proxy->last_pcie_cap_offset is only initialised to a
non-zero value in virtio_pci_realize() if it's a PCI Express device, and
then virtio_pci_device_plugged() still tries to use it.
To fix this, just skip the SR-IOV code for !pci_is_express(). Then the
next thing pci_qdev_realize() does is call pcie_sriov_register_device(),
which returns the appropriate error.
Cc: qemu-stable@nongnu.org
Fixes: d0c280d3fac6 ('pcie_sriov: Make a PCI device with user-created VF ARI-capable')
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251204172657.174391-1-kwolf@redhat.com>
Dorinda Bassey [Thu, 4 Dec 2025 16:20:13 +0000 (17:20 +0100)]
virtio-dmabuf: Ensure UUID persistence for hash table insertion
In `virtio_add_resource` function, the UUID used as a key for
`g_hash_table_insert` was temporary, which could lead to
invalid lookups when accessed later. This patch ensures that
the UUID remains valid by duplicating it into a newly allocated
memory space. The value is then inserted into the hash table
with this persistent UUID key to ensure that the key stored in
the hash table remains valid as long as the hash table entry
exists.
Fixes: faefdba847 ("hw/display: introduce virtio-dmabuf")
Signed-off-by: Dorinda Bassey <dbassey@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Albert Esteve <aesteve@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Jim MacArthur <jim.macarthur@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251204162129.262745-1-dbassey@redhat.com>
Eugenio Pérez [Mon, 1 Dec 2025 12:51:49 +0000 (13:51 +0100)]
vhost: accept indirect descriptors in shadow virtqueue
The device is not able to generate indirect descriptors by itself, only
the driver can do it. And SVQ is already able to handle them by reusing
VirtQueue struct.
Shadow VirtQueue just transforms the indirect descriptors to chained
buffers. This way we don't need to map a new buffer for the indirect
table and handle its exhaustion etc. As they are only used in control
plane and HW devices don't like indirect, we should not see significant
downsides with these.
Tested functionally by forwarding the CVQ descriptors.
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251201125149.2151026-1-eperezma@redhat.com>
Gavin Shan [Mon, 1 Dec 2025 14:18:03 +0000 (00:18 +1000)]
acpi/ghes: Use error_fatal in acpi_ghes_memory_errors()
Use error_fatal in acpi_ghes_memory_errors() so that the caller needn't
explicitly call exit(). The return value of acpi_ghes_memory_errors()
and ghes_record_cper_errors() is changed to 'bool' indicating an error
has been raised, to be compatible with what's documented in error.h.
Suggested-by: Igor Mammedov <imammedo@redhat.com>
Suggested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Gavin Shan <gshan@redhat.com>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251201141803.2386129-6-gshan@redhat.com>
Gavin Shan [Mon, 1 Dec 2025 14:18:02 +0000 (00:18 +1000)]
acpi/ghes: Bail early on error from get_ghes_source_offsets()
In ghes_record_cper_errors(), get_ghes_source_offsets() can return
an error initialized by error_setg(). Without bailing on this error,
it can call into the second error_setg() due to the unexpected value
returned from the read acknowledgement register. The second error_setg()
can trigger assert(*errp == NULL) in its callee error_setv(), which
isn't expected.
Bail early in ghes_record_cper_errors() when error is received from
get_ghes_source_offsets() to avoid the unexpected behavior.
Signed-off-by: Gavin Shan <gshan@redhat.com>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251201141803.2386129-5-gshan@redhat.com>
Gavin Shan [Mon, 1 Dec 2025 14:18:01 +0000 (00:18 +1000)]
target/arm/kvm: Exit on error from acpi_ghes_memory_errors()
A core dump makes no sense as there aren't programming bugs related to
errors from acpi_ghes_memory_errors().
Exit instead of abort when the function returns errors, and the
excessive error message is also dropped.
Suggested-by: Igor Mammedov <imammedo@redhat.com>
Suggested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Gavin Shan <gshan@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251201141803.2386129-4-gshan@redhat.com>
Gavin Shan [Mon, 1 Dec 2025 14:18:00 +0000 (00:18 +1000)]
acpi/ghes: Abort in acpi_ghes_memory_errors() if necessary
The function hw/acpi/ghes-stub.c::acpi_ghes_memory_errors() shouldn't
be called by anyone. Take g_assert_not_reached() as a clearer indication.
Suggested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Gavin Shan <gshan@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251201141803.2386129-3-gshan@redhat.com>
Gavin Shan [Mon, 1 Dec 2025 14:17:59 +0000 (00:17 +1000)]
acpi/ghes: Automate data block cleanup in acpi_ghes_memory_errors()
Use g_auto_ptr() to automate data block cleanup in the function so
that it won't be a burden to us.
Suggested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Gavin Shan <gshan@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251201141803.2386129-2-gshan@redhat.com>
Wafer Xie [Wed, 19 Nov 2025 13:24:52 +0000 (21:24 +0800)]
vdpa: fix vhost-vdpa suspended state not be shared
When stopping a vhost-vdpa device, only the first queue pair is marked as suspended,
while the remaining queues are not updated to the suspended state.
As a result, when stopping a multi-queue vhost-vdpa device,
the following error message will be printed.
qemu-system-x86_64:vhost VQ 2 ring restore failed: -1: Operation not permitted (1)
qemu-system-x86_64:vhost VQ 3 ring restore failed: -1: Operation not permitted (1)
So move v->suspended to v->shared, and then all the vhost_vdpa devices cannot
have different suspended states.
Fixes: 0bb302a9960a ("vdpa: add vhost_vdpa_suspend")
Suggested-by: Eugenio Pérez <eperezma@redhat.com>
Acked-by: Eugenio Pérez <eperezma@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Wafer Xie <wafer@jaguarmicro.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20251119132452.3117-1-wafer@jaguarmicro.com>
Daniil Tatianin [Thu, 13 Nov 2025 08:58:42 +0000 (11:58 +0300)]
virtio/vhost: don't consider non-MAP_SHARED regions public
Just having a file descriptor is not enough to consider a memory region
public. If QEMU didn't map it as MAP_SHARED (in case of share=off), guest
writes to this region won't be visible to the vhost-user backend, thus
causing it to read all zeroes or garbage. Make sure we don't pass such
regions and include that in our definition of what a private region is.
Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
Fixes: 552b25229c ("vhost: Rework memslot filtering and fix "used_memslot" tracking")
Acked-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251113085842.323745-1-d-tatianin@yandex-team.ru>
Peter Maydell [Thu, 5 Feb 2026 09:50:33 +0000 (09:50 +0000)]
Merge tag 'pull-aspeed-20260204' of https://github.com/legoater/qemu into staging
aspeed queue:
* Added support for the new AST1700 IO expander, including several
device models (LTPI, PWM, I2C, GPIO, etc.).
* Updated the AST2700 SoC with LTPI support, EHCI IRQ fixes, and other
improvements.
* Updated test images and test cases for various Aspeed platforms.
* Fixed issues in the Aspeed I2C and ADC models.
* Added support for pca9535 GPIO expander.
* Updated documentation for Aspeed boards.
* tag 'pull-aspeed-20260204' of https://github.com/legoater/qemu: (45 commits)
tests/functional/aarch64: Add I2C test for AST1700 IO expanders
tests/functional/aarch64: Parameterize PCIe2 initialization in AST2700
tests/functional/aarch64: Parameterize I2C bus ID in AST2700 test
hw/arm/aspeed: Enable AST1700 IO expander support
hw/arm/aspeed: Model AST1700 I3C block as unimplemented device
hw/arm/aspeed: Attach SGPIOM device to AST1700 model
hw/arm/aspeed: Attach PWM device to AST1700 model
hw/arm/aspeed: Attach WDT device to AST1700 model
hw/arm/aspeed: attach I2C device to AST1700 model
hw/arm/aspeed: Attach GPIO device to AST1700 model
hw/arm/aspeed: Attach SCU device to AST1700 model
hw/arm/aspeed: Attach ADC device to AST1700 model
hw/arm/aspeed: Attach SPI device to AST1700 model
hw/arm/aspeed: Attach SRAM device to AST1700 model
hw/arm/aspeed: Attach UART device to AST1700 model
hw/arm/aspeed: Attach LTPI controller to AST1700 model
hw/arm/aspeed: Integrate interrupt controller for AST1700
hw/arm/aspeed: Integrate AST1700 device into AST27X0
hw/arm/aspeed: Add AST1700 LTPI expander device model
hw/misc: Add basic Aspeed PWM model
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Clement Mathieu--Drif <clement.mathieu--drif@eviden.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251029105137.1097933-8-clement.mathieu--drif@eviden.com>
intel_iommu: Minimal handling of privileged ATS request
The purpose of this commit is not to support privileged requests but
to prevent devices from doing things they wouldn't be able to do
with real hardware.
We simply block privileged requests when the SRS ecap is not set
and abort when the ecap is present.
For now, it's not worth implementing support for privileged requests
because the kernel does not support it.
(https://lore.kernel.org/linux-iommu/20230411064815.31456-11-baolu.lu@linux.intel.com/)
However, we may consider working on it depending on how the development
goes in the kernel.
Signed-off-by: Clement Mathieu--Drif <clement.mathieu--drif@eviden.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251029105137.1097933-7-clement.mathieu--drif@eviden.com>
intel_iommu: Handle insufficient permissions during translation requests
ATS translations should not fail when the write permission is not set.
Signed-off-by: Clement Mathieu--Drif <clement.mathieu--drif@eviden.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251029105137.1097933-6-clement.mathieu--drif@eviden.com>
pci: Block ATS requests when privileged mode is disabled
Signed-off-by: Clement Mathieu--Drif <clement.mathieu--drif@eviden.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251029105137.1097933-5-clement.mathieu--drif@eviden.com>
pcie: Add a function to check if pasid privileged mode is enabled
Signed-off-by: Clement Mathieu--Drif <clement.mathieu--drif@eviden.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251029105137.1097933-4-clement.mathieu--drif@eviden.com>
intel_iommu: Support memory operations with pre-translated addresses
Signed-off-by: Clement Mathieu--Drif <clement.mathieu--drif@eviden.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251029105137.1097933-3-clement.mathieu--drif@eviden.com>
intel_iommu: Add an IOMMU index for pre-translated addresses
Signed-off-by: Clement Mathieu--Drif <clement.mathieu--drif@eviden.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251029105137.1097933-2-clement.mathieu--drif@eviden.com>
hw/pci-host: Set DEVICE_CATEGORY_BRIDGE once in parent class_init()
No need to set DEVICE_CATEGORY_BRIDGE for each device
implementing TYPE_PCI_HOST_BRIDGE: set it once in the
parent.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20251027112306.57634-1-philmd@linaro.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251027112306.57634-1-philmd@linaro.org>
Akihiko Odaki [Mon, 27 Oct 2025 01:24:18 +0000 (10:24 +0900)]
pci/shpc: Do not unparent in instance_finalize()
Children are automatically unparented so manually unparenting is
unnecessary.
Worse, automatic unparenting happens before the instance_finalize()
callback of the parent gets called, so object_unparent() calls in
the callback will refer to objects that are already unparented, which
is semantically incorrect.
Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20251027-shpc-v1-1-00e9b20a355d@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251027-shpc-v1-1-00e9b20a355d@rsg.ci.i.u-tokyo.ac.jp>
Kane Chen [Wed, 4 Feb 2026 08:21:46 +0000 (08:21 +0000)]
tests/functional/aarch64: Add I2C test for AST1700 IO expanders
Extend the AST2700 test suite to verify I2C connectivity on AST1700
IO expanders using the DCSCM image. This validates the new bus-label
naming scheme by testing communication on both primary and
expander-attached I2C buses.
Kane Chen [Wed, 4 Feb 2026 08:21:44 +0000 (08:21 +0000)]
tests/functional/aarch64: Parameterize PCIe2 initialization in AST2700
The current AST2700 functional test forces PCIe2 enablement by manually
manipulating U-Boot env and FDT via the console. This sequence
interferes with test cases that rely on the default boot flow of the
image.
Introduce an 'enable_pcie' parameter (defaulting to True) to both
'verify_openbmc_boot_start' and 'verify_openbmc_boot_and_login' methods.
This allows test cases to toggle the PCIe2 initialization sequence based
on their specific requirements without breaking standard boot tests.
Kane Chen [Wed, 4 Feb 2026 08:21:43 +0000 (08:21 +0000)]
tests/functional/aarch64: Parameterize I2C bus ID in AST2700 test
The current Aspeed AST2700 functional test case strictly uses I2C bus
1 for its sensor tests. This hard-coded approach prevents the test
logic from being reused for other machine types or configurations
where I2C bus 1 might be disabled or where a different bus needs to
be verified (e.g., I2C expanders).
This refactoring allows the same I2C verification logic to be shared
across different test scenarios by simply passing the target bus
number.
Kane Chen [Wed, 4 Feb 2026 08:21:40 +0000 (08:21 +0000)]
hw/arm/aspeed: Model AST1700 I3C block as unimplemented device
AST1700 exposes more I3C buses than the current dummy I3C model
provides. When Linux probes the I3C devices on AST1700 this mismatch
can trigger a kernel panic. Model the I3C block as an unimplemented
device to make the missing functionality explicit and avoid unexpected
side effects.
This wires up the I3C interrupt lines for the IO expanders and adds the
corresponding device entries for the AST1700 model.
No functional I3C emulation is provided yet; this only prevents crashes and
documents the missing piece.
Kane Chen [Wed, 4 Feb 2026 08:21:21 +0000 (08:21 +0000)]
hw/arm/aspeed: Integrate AST1700 device into AST27X0
Connect the AST1700 device as a child of the AST27X0 model to reflect
its role in DC-SCM 2.0 LTPI-based architectures. This patch wires
the AST1700 device into the platform without introducing functional
peripherals.
This forms the base for LTPI expander emulation in QEMU using
AST27X0 as the host controller.
Note: ioexp_num is set to 0 at this stage. Once all related devices
and interrupts are fully implemented, ioexp_num will be updated to
its expected value. This ensures the machine remains functional at
every commit and avoids potential compiler or build issues.
Kane Chen [Wed, 4 Feb 2026 08:21:19 +0000 (08:21 +0000)]
hw/arm/aspeed: Add AST1700 LTPI expander device model
Introduce a minimal QEMU device model for the ASPEED AST1700, an
MCU-less I/O expander used in the LTPI topology defined by the
DC-SCM 2.0 specification (see figure 2):
https://www.opencompute.org/documents/ocp-dc-scm-2-0-ltpi-ver-1-0-pdf
This initial implementation includes:
* Definition of aspeed.ast1700 as a SysBusDevice
* Setup of a basic memory region to reserve I/O space for future
peripheral modeling
This stub establishes the foundation for LTPI-related device emulation,
without implementing any functional peripherals at this stage.
Kane Chen [Wed, 4 Feb 2026 08:21:17 +0000 (08:21 +0000)]
hw/arm/aspeed: Attach LTPI controller to AST27X0 platform
Connect the LTPI controller device (representing the AST1700 I/O
expander) to the AST27X0 SoC model. This patch sets up the memory
mapping and device registration according to the AST2700 SoC design,
where the LTPI controller is exposed at fixed MMIO regions.
This change only handles device instantiation and integration,
without implementing the controller's internal logic.
Kane Chen [Wed, 4 Feb 2026 08:21:15 +0000 (08:21 +0000)]
hw/misc: Add LTPI controller
LTPI (LVDS Tunneling Protocol & Interface) is defined in the OCP DC-SCM
2.0 specification:
https://www.opencompute.org/documents/ocp-dc-scm-2-0-ltpi-ver-1-0-pdf
LTPI is a protocol and physical interface for tunneling various low-speed
signals between the HPM and SCM. As shown in Figure 2, the AST27x0 (left)
integrates two LTPI controllers, allowing it to connect to up to two
extended boards.
This commit introduces a simple device model for the ASPEED LTPI
controller in QEMU.
The model includes basic MMIO read/write operations and sets default
register values during reset to emulate a link-up state.
Implements register space with read/write callbacks.
Jamin Lin [Tue, 3 Feb 2026 02:08:53 +0000 (10:08 +0800)]
docs/system/arm/aspeed: Load raw U-Boot image in AST2700 boot example
Recent SDK versions no longer provide a U-Boot FIT image, and U-Boot is
now built as a single raw binary. Update the documentation to load the
raw u-boot.bin image directly.
Jamin Lin [Tue, 3 Feb 2026 02:08:50 +0000 (10:08 +0800)]
tests/functional/aarch64/test_aspeed_ast2700: Enable PCIe2 DTS status for AST2700 tests
PCIe2 is disabled by default starting from SDK v10.00.
Add a helper function to stop U-Boot autoboot and update the device
tree at runtime, setting the PCIe2 node status to "okay" before
booting Linux. This allows the AST2700 functional test to verify
the PCIe2 root complex behavior correctly.
Jamin Lin [Tue, 3 Feb 2026 02:08:49 +0000 (10:08 +0800)]
hw/i2c/aspeed_i2c: Fix DMA moving data into incorrect address
In the previous design, the I2C model updated dma_dram_offset only when
firmware programmed the RX/TX DMA buffer address registers. The firmware
used to rewrite these registers before issuing each DMA command.
The firmware driver behavior has changed to program the DMA address
registers only once during I2C initialization. As a result, the I2C model
no longer refreshes dma_dram_offset, causing DMA to move data into an
incorrect DRAM address.
Fix this by introducing helper functions to update dma_dram_offset from
the DMA address registers, and invoke them right before handling TX/RX
DMA operations. This guarantees DMA always uses the correct buffer
address even if the registers are programmed only once.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Fixes: c400c38854017eeccda63115814eba4c3ef2b51f ("hw/i2c/aspeed: Introduce a new dma_dram_offset attribute in AspeedI2Cbus")
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Link: https://lore.kernel.org/qemu-devel/20260203020855.1642884-5-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Jamin Lin [Tue, 3 Feb 2026 02:08:46 +0000 (10:08 +0800)]
hw/arm/aspeed_ast27x0: Fix EHCI3/4 IRQ routing to GIC
EHCI3 and EHCI4 were missing entries in aspeed_soc_ast2700a1_irqmap,
so their source IRQs were never routed through the INTC OR-gates.
As a result, EHCI3/4 interrupts were not propagated to the GIC,
causing incorrect interrupt behavior for these controllers.
Add EHCI3 and EHCI4 to the IRQ map and route them to the same INTC
group as other shared peripherals, ensuring their interrupts are
properly connected to the GIC.
Jamin Lin [Tue, 27 Jan 2026 03:23:40 +0000 (11:23 +0800)]
hw/arm/aspeed_ast2600: Expand RC_H PCIe MMIO window to 0x60000000 - 0x80000000
Historically, the ASPEED PCIe driver supported both RC_L and RC_H, with RC_L
using MMIO window 0x60000000 - 0x70000000 and RC_H using 0x70000000 - 0x80000000.
Mainline Linux has dropped RC_L support and now supports RC_H only, updating
RC_H to use a single combined MMIO window 0x60000000 - 0x80000000.
Update the AST2600 QEMU model accordingly by moving PCIE_MMIO1 base to
0x60000000 and increasing the aliased MMIO size to 0x20000000.
Jamin Lin [Tue, 27 Jan 2026 03:23:39 +0000 (11:23 +0800)]
hw/pci-host/aspeed_pcie: Drop AST2600 RC_H root-bus remap and bus-nr property
The original AST2600 PCIe design supported both RC_L and RC_H, using root bus
number 0 for RC_L and 0x80 for RC_H. In that model, the root port appeared as
80:08.0 and QEMU carried a "bus-nr" property plus a config-space bus remap to
translate bus 0x80 to bus 0x00 for PCI enumeration.
Linux mainline has since dropped RC_L support and updated the RC_H root bus
number to start at 0. The root port is now enumerated as 00:08.0, matching the
default QEMU PCIe subsystem root bus numbering.
Remove the bus number setting and the AST2600 bus remap logic, and drop the
corresponding "bus-nr"/rc_bus_nr fields and property plumbing. QEMU now relies
on the default root bus 0 behavior.
Jamin Lin [Tue, 27 Jan 2026 03:23:38 +0000 (11:23 +0800)]
hw/pci-host/aspeed_pcie: Drop AST2600 PCIe root device
AST2600 PCIe previously exposed a root bus at 0x80 with both a
root device at 80:00.0 and a root port at 80:08.0.
Recent ASPEED SDK PCIe driver updates decided to remove the root
device and keep only a single root port. This behavior has already
been accepted by the upstream Linux kernel.
Update the QEMU PCIe model accordingly by dropping the root device
implementation and related properties. AST2600 now matches the
AST2700 PCIe topology and no longer supports the legacy RC_L
layout.
Cédric Le Goater [Mon, 26 Jan 2026 14:18:20 +0000 (15:18 +0100)]
hw/adc: Fix out-of-bounds write in Aspeed ADC model
The 'regs' array has ASPEED_ADC_NR_REGS (52) elements, while the
memory region covers offsets 0x00-0xFC. The aspeed_adc_engine_write()
function has an out-of-bounds write vulnerability when accessing
unimplemented registers.
Fix this by using 'return' instead of 'break' in the default case,
which prevents execution from reaching the s->regs[reg] assignment for
unimplemented registers.
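The `break` versus `return` difference this commit message describes, as an added example that is not QEMU's code: the register offsets, function names and the flat 64-word backing array are assumptions, chosen so the stray store can be observed without undefined behaviour. Only the 52-element register count and the 0x00-0xFC window come from the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADC_NR_REGS   52                    /* regs[] size per the commit message */
#define ADC_MMIO_SIZE 0x100                 /* window covers offsets 0x00-0xFC */
#define MMIO_WORDS    (ADC_MMIO_SIZE / 4)   /* 64 word-sized slots */
#define CANARY(i)     (0xC0FFEE00u | (uint32_t)(i))

/* Hypothetical register offsets, used only by this example. */
#define REG_ENGINE_CTRL 0x00
#define REG_IRQ_CTRL    0x04

typedef struct {
    /* Words 0..51 stand for regs[]; words 52..63 stand for whatever
     * sits after regs[] in the device state. */
    uint32_t mem[MMIO_WORDS];
    unsigned unimplemented_writes;
} AdcModel;

void adc_reset(AdcModel *s)
{
    memset(s, 0, sizeof(*s));
    for (unsigned i = ADC_NR_REGS; i < MMIO_WORDS; i++) {
        s->mem[i] = CANARY(i);              /* mark the neighbouring state */
    }
}

/* Returns 1 while nothing beyond the 52 registers has been modified. */
int adc_neighbour_intact(const AdcModel *s)
{
    for (unsigned i = ADC_NR_REGS; i < MMIO_WORDS; i++) {
        if (s->mem[i] != CANARY(i)) {
            return 0;
        }
    }
    return 1;
}

/* 'Before' shape: the default case only breaks out of the switch, so
 * control still reaches the store with an index of up to 63. */
void adc_write_before(AdcModel *s, uint64_t addr, uint32_t value)
{
    unsigned reg = (unsigned)(addr / 4);

    if (addr >= ADC_MMIO_SIZE || (addr & 3)) {
        return;                             /* outside the MMIO window */
    }
    switch (addr) {
    case REG_ENGINE_CTRL:
    case REG_IRQ_CTRL:
        break;                              /* implemented: go on to the store */
    default:
        s->unimplemented_writes++;
        break;                              /* also goes on to the store */
    }
    s->mem[reg] = value;
}

/* 'After' shape: unimplemented registers return before the store. */
void adc_write_after(AdcModel *s, uint64_t addr, uint32_t value)
{
    unsigned reg = (unsigned)(addr / 4);

    if (addr >= ADC_MMIO_SIZE || (addr & 3)) {
        return;
    }
    switch (addr) {
    case REG_ENGINE_CTRL:
    case REG_IRQ_CTRL:
        break;
    default:
        s->unimplemented_writes++;
        return;                             /* never reaches the store */
    }
    s->mem[reg] = value;
}

int main(void)
{
    AdcModel s;

    adc_reset(&s);
    adc_write_before(&s, 0xF0, 0x41414141u);   /* constructed guest write */
    printf("before: neighbour intact = %d\n", adc_neighbour_intact(&s));

    adc_reset(&s);
    adc_write_after(&s, 0xF0, 0x41414141u);
    printf("after:  neighbour intact = %d\n", adc_neighbour_intact(&s));
    return 0;
}
```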
Patrick Williams [Wed, 21 Jan 2026 18:17:06 +0000 (13:17 -0500)]
hw/arm/aspeed: catalina: use pca9535
A few entries in the catalina model were using the PCA9552 chip
because it was "close enough" in function. Since there is a PCA9535
model now, switch to use it.
Nabih Estefan [Tue, 20 Jan 2026 21:11:16 +0000 (21:11 +0000)]
hw/i2c/aspeed_i2c.c: Add a check for dma_read
If aspeed_i2c_dma_read fails in aspeed_i2c_bus_send currently, we get
stuck in an infinite retry loop. Add a check for the return value of
aspeed_i2c_dma_read that will break us out of said loop.
Kane-Chen-AS [Mon, 12 Jan 2026 08:30:53 +0000 (16:30 +0800)]
hw/i2c/aspeed: Introduce 'bus-label' to customize bus naming
On some Aspeed-based machines, multiple I2C controllers may exist
across different components, such as the primary SoC and an external
IO expander or co-processor (e.g., AST1700). Using the current static
naming convention results in object name conflicts when multiple
controllers attempt to instantiate buses with the same ID.
This patch introduces a 'bus-label' property for the Aspeed I2C
controller. This allows higher-level layers, such as the SoC realize
function, to provide a unique identifier for the buses. The I2C bus
object name is then constructed using this label (e.g., "ioexp0.0"
instead of the default "aspeed.i2c.bus.0").
This enhancement ensures unique bus identifiers across the system and
resolves naming conflicts in multi-controller configurations.
Merge tag 'single-binary-20260203' of https://github.com/philmd/qemu into staging
Various patches related to single binary effort:
- Endianness cleanups on various targets (PPC in particular)
- Few cleanups around target_ulong type on Alpha
- Have CPUClass::disas_set_info() take a const CPUState
# gpg: Signature made Wed 04 Feb 2026 12:59:05 AM AEST
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE
* tag 'single-binary-20260203' of https://github.com/philmd/qemu: (30 commits)
disas: Have disas_set_info() take a const CPUState
disas: Make disassemble_info::target_info field const
disas/riscv: Make rv_decode::cfg const
target/arm: Have arm_sctlr_b() take a const @env argument
target/arm: Have is_64() take a const @env argument
target/arm: Have cpu_isar_feature() use a const ARMCPU object
target/arm: Have arm_feature() take a const @env argument
target/alpha: Expand TCGv type for 64-bit target
target/alpha: Remove target_ulong uses in get_physical_address()
target/alpha: Do not use target_ulong for page table entries / indexes
target/alpha: Do not use target_ulong for trap arguments
target/alpha: Replace target_ulong -> uint64_t in gdb_write_register()
target/alpha: Build system units in common source set
target/alpha: Avoid target-specific migration headers in machine.c
target/m68k: Inline translator_ld[uw,l,q]() calls
target/i386: Inline translator_ld[uw,l,q]() calls
target/riscv: Inline translator_ld[uw,l,q]() calls
target/riscv: Inline cpu_ld[lq]_code() calls
target/ppc: Inline cpu_ldl_code() call in ppc_ldl_code()
target/ppc: Check endianness at runtime in ppc_data_endian_env()
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Merge tag 'firmware-20260203-pull-request' of https://gitlab.com/kraxel/qemu into staging
firmware updates for 11.0
- igvm: rework reset handling.
- igvm: add MADT parameter support.
- uefi: variable store fixes.
# gpg: Signature made Tue 03 Feb 2026 10:03:18 PM AEST
# gpg: using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [unknown]
# gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [unknown]
# gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138
* tag 'firmware-20260203-pull-request' of https://gitlab.com/kraxel/qemu:
igvm: Fill MADT IGVM parameter field on x86_64
igvm: Only build stubs if igvm is enabled
igvm: Pass machine state to IGVM file processing
igvm: Refactor qigvm_parameter_insert
igvm: Add common function for finding parameter entries
igvm: Move structs to internal header
hw/acpi: Add standalone function to build MADT
hw/acpi: Make BIOS linker optional
hw/acpi: Make acpi_checksum() public
igvm: move igvm file processing to reset callbacks
igvm: add trace points for igvm file loading and processing
igvm: move file load to complete callback
igvm: make igvm-cfg object resettable
igvm: reorganize headers
hw/uefi: fix size negotiation
hw/uefi: skip time check for append-write updates.
docs/system/igvm.rst: Update external links
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
disas: Have disas_set_info() take a const CPUState
The CPUClass::disas_set_info() handler is meant to initialize
the %disassemble_info structure; it shouldn't alter the CPU state.
Enforce the CPUState can not be modified by having the handler
take a const pointer.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260202222412.24923-8-philmd@linaro.org>
disas: Make disassemble_info::target_info field const
Disassemblers shouldn't need writeable context, so make the
disassemble_info::target_info field const.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260202222412.24923-7-philmd@linaro.org>
Disassembler is not expected to alter the CPU config.
Besides, all other RISC-V methods take a const RISCVCPUConfig.
Make the @cfg field of the rv_decode structure const, passing
a const pointer to disasm_inst().
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260202222412.24923-6-philmd@linaro.org>
target/arm: Have arm_sctlr_b() take a const @env argument
arm_sctlr_b() only accesses @env read-only, make it const.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260202222412.24923-5-philmd@linaro.org>
target/arm: Have is_64() take a const @env argument
is_64() only accesses @env read-only, make it const.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260202222412.24923-4-philmd@linaro.org>
target/arm: Have cpu_isar_feature() use a const ARMCPU object
The @cpu_ variable is only accessed read-only, make it const.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260202222412.24923-3-philmd@linaro.org>
target/arm: Have arm_feature() take a const @env argument
arm_feature() only accesses @env read-only, make it const.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260202222412.24923-2-philmd@linaro.org>
This is a mechanical replacement, adapting style to pass
the checkpatch.pl script.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260202234550.34156-8-philmd@linaro.org>
target/alpha: Remove target_ulong uses in get_physical_address()
%addr is a virtual address, so use the 'vaddr' type.
%pphys is a pointer to a physical address, so use the 'hwaddr' type.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260202234550.34156-7-philmd@linaro.org>
target/alpha: Do not use target_ulong for page table entries / indexes
%L[123]pte are loaded calling ldq_le_phys() which returns
a uint64_t. %pt is loaded with @ptbr, declared as uint64_t
in target/alpha/cpu.h:
236 uint64_t ptbr;
%index is at most 1024 so can fit in uint16_t.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260202234550.34156-6-philmd@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260202234550.34156-5-philmd@linaro.org>
target/alpha: Replace target_ulong -> uint64_t in gdb_write_register()
On Alpha, the target_ulong type expands to uint64_t.
Besides, ldq_be_p() returns a uint64_t type, and all
field / values accessed are uint64_t, see target/alpha/cpu.h:
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260202234550.34156-4-philmd@linaro.org>
target/alpha: Build system units in common source set
Since commits bb5de52524c ("target: Widen pc/cs_base in
cpu_get_tb_cpu_state") and 32f0c394bbf ("target: Use vaddr
in gen_intermediate_code") we remove all uses of the target_ulong
type in target/alpha/. Use the meson target_common_system_arch[]
source set to prevent further uses of target-specific types.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260202234550.34156-3-philmd@linaro.org>
target/alpha: Avoid target-specific migration headers in machine.c
machine.c doesn't use any target-specific macro defined by
the "migration/cpu.h" header. Use the minimum header required:
"migration/qemu-file-types.h" and "migration/vmstate.h", which
are not target-specific.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260202234550.34156-2-philmd@linaro.org>
In preparation of removing the translator_ld[uw,l,q]() methods,
inline them for the m68k target, expanding MO_TE -> MO_BE since
this architecture is only available in big endianness.
Mechanical change using the following Coccinelle 'spatch' script:
In preparation of removing the translator_ld[uw,l,q]() methods,
inline them for the x86 targets, expanding MO_TE -> MO_LE since
the architecture uses little endian order.
Mechanical change using the following Coccinelle 'spatch' script:
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260202213348.96754-1-philmd@linaro.org>
In preparation of removing the translator_ld[uw,l,q]() methods,
inline them for the RISC-V targets, using mo_endian(ctx) -- which
we introduced in commit 504f7f304ff -- instead of MO_TE.
Mechanical change using the following Coccinelle 'spatch' script:
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260202213810.97141-1-philmd@linaro.org>
In preparation of removing the cpu_ldl_code() and cpu_ldq_code()
wrappers, inline them.
Since RISC-V instructions are always stored in little-endian order
(see "Volume I: RISC-V Unprivileged ISA" document, chapter
'Instruction Encoding Spaces and Prefixes': "instruction fetch
in RISC-V is little-endian"), replace MO_TE -> MO_LE.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260202214317.99090-1-philmd@linaro.org>
target/ppc: Inline cpu_ldl_code() call in ppc_ldl_code()
In preparation of removing the cpu_ldl_code wrapper, inline it.
Get the runtime endianness with ppc_data_endian_env(), passing it
to cpu_ldl_code_mmu(). No need to swap versus qemu-system binary
anymore.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Anton Johansson <anjo@rev.ng>
Message-Id: <20260202210106.93257-12-philmd@linaro.org>
target/ppc: Check endianness at runtime in ppc_data_endian_env()
Rather a runtime endianness check via env MSR over
a build-time one.
Now CPU can change endianness at runtime.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Anton Johansson <anjo@rev.ng>
Message-Id: <20260202210106.93257-11-philmd@linaro.org>
Centralize endianness check on MSR via a common helper.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Anton Johansson <anjo@rev.ng>
Message-Id: <20260202210106.93257-10-philmd@linaro.org>
target/ppc: Check endianness via env in ppc_disas_set_info()
disas_set_info() shouldn't bother with env->hflags,
access env->msr directly.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Anton Johansson <anjo@rev.ng>
Message-Id: <20260202210106.93257-9-philmd@linaro.org>
target/ppc: Inline need_byteswap() and replace translator_ldl_swap()
Rather than using a boolean with translator_ldl_swap(),
get the MemOp endianness with ppc_code_endian() and pass
it to translator_ldl_end().
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Anton Johansson <anjo@rev.ng>
Message-Id: <20260202210106.93257-8-philmd@linaro.org>
Introduce the ppc_code_endian_dc() helper which returns the
MemOp endianness for the CODE path.
Use it in need_byteswap(), removing one TARGET_BIG_ENDIAN.
Note, the target MemOp endianness can be evaluated as (see
commit 5c43a750b67 "accel/tcg: Implement translator_ld*_end"):
MO_TE ^ (do_swap * MO_BSWAP)
For PPC we use the DisasContext::le_mode field to swap the
default (big-endian) order, so to get the PPC MemOp endianness
we can directly use:
MO_BE ^ (ctx->le_mode * MO_BSWAP)
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Anton Johansson <anjo@rev.ng>
Message-ID: <20260202210106.93257-7-philmd@linaro.org>
Introduce ppc_data_endian_env() which returns the endian MemOp
of the data path from the vCPU env pointer. Keep it hardcoded
as MO_TE, the target build-time endianness.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Anton Johansson <anjo@rev.ng>
Message-ID: <20260202210106.93257-6-philmd@linaro.org>