Matt Turner [Mon, 25 May 2026 15:26:41 +0000 (11:26 -0400)]
linux-user/sh4: restore FP rounding mode on sigreturn
The SH4 FPSCR rounding-mode (RM) and denormal (DN) bits are not held
only in env->fpscr: they are also reflected into the derived
env->fp_status via set_float_rounding_mode()/set_flush_to_zero(). The
guest keeps the two in sync by routing every write to FPSCR through
helper_ld_fpscr().
restore_sigcontext() wrote the saved value straight into env->fpscr and
never touched env->fp_status, so on sigreturn the interrupted code
resumed with whatever FP rounding mode and flush-to-zero setting the
signal handler last installed. (regs->flags = 0 forces the FR/SZ/PR TB
flags to be recomputed, but fp_status is runtime float state, not a TB
flag, so it was left stale.) This is the FP analogue of the T/M/Q bit
problem just fixed for the integer status register.
Factor the FPSCR -> fp_status synchronisation out of helper_ld_fpscr()
into cpu_load_fpscr() and use it from restore_sigcontext() so the
rounding mode round-trips correctly across signal delivery.
Fixes: c3b5bc8ab3 ("SH4: Signal handling for the user space emulator, by Magnus Damm.") Cc: qemu-stable@nongnu.org Reviewed-by: Yoshinori Sato <yoshinori.sato@nifty.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Matt Turner <mattst88@gmail.com> Signed-off-by: Helge Deller <deller@gmx.de>
Matt Turner [Mon, 25 May 2026 15:26:40 +0000 (11:26 -0400)]
linux-user/sh4: preserve T/M/Q bits across signal delivery
QEMU keeps the SH4 T, M and Q status-register bits outside env->sr, in
the dedicated env->sr_t, env->sr_m and env->sr_q fields; cpu_read_sr()
folds them back into the architectural SR value and cpu_write_sr()
splits them back out.
setup_sigcontext() saved the bare env->sr (so the T/M/Q bits were always
zero in the signal frame) and restore_sigcontext() wrote the value
straight back into env->sr without updating sr_t/sr_m/sr_q. As a result
the T bit was never preserved across signal delivery: on sigreturn the
interrupted code resumed with whatever T value the signal handler last
left behind. Any conditional branch (or addc/subc/rotcl/div1, etc.)
immediately following the interrupted instruction could then take the
wrong path.
This is the cause of the long-standing intermittent failures of the
tests/tcg/multiarch/signals.c test on sh4, which was marked BROKEN. With
a SIGRTMIN timer firing every millisecond across many threads, the race
was hit a few percent of the time and corrupted the guest heap, surfacing
as a SIGSEGV in memset, a malloc assertion, or an rseq registration abort.
Traced on a deterministic rr recording: a cmp/hi set T=0, the timer
signal interrupted the very next instruction (a bf), the handler left
T=1, and the resumed bf took glibc calloc's MORECORE_CLEARS branch,
using the old top-chunk size as the clear length for a freshly split
small chunk and running memset off the end of the heap.
Fix setup_sigcontext()/restore_sigcontext() to use cpu_read_sr() and
cpu_write_sr() so the T, M and Q bits round-trip correctly, and drop the
BROKEN annotation on the sh4 signals test.
Fixes: c3b5bc8ab3 ("SH4: Signal handling for the user space emulator, by Magnus Damm.") Cc: qemu-stable@nongnu.org Reviewed-by: Yoshinori Sato <yoshinori.sato@nifty.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Matt Turner <mattst88@gmail.com> Signed-off-by: Helge Deller <deller@gmx.de>
Matt Turner [Mon, 25 May 2026 15:24:27 +0000 (11:24 -0400)]
linux-user/mips: save/restore FCSR across signal delivery
QEMU keeps the MIPS FPU control/status register (FCSR, fcr31) in
env->active_fpu.fcr31. The rounding mode, flush-to-zero (FS), and
NaN-2008 mode bits in fcr31 are reflected into the derived
env->active_fpu.fp_status via set_float_rounding_mode() and friends;
every architectural write to FCSR goes through helper_ctc1() which
calls restore_fp_status() to keep the two in sync.
Both target_sigcontext variants (O32 and N32/N64) have an sc_fpc_csr
field that holds FCSR, but setup_sigcontext() never wrote it and
restore_sigcontext() never read it. As a result:
- The signal frame always delivered sc_fpc_csr == 0 to the handler,
so sigaction(SA_SIGINFO) handlers that inspect the interrupted
context see the wrong FCSR.
- On sigreturn, active_fpu.fcr31 retained whatever value the signal
handler last installed (if any), and active_fpu.fp_status was
never resynced. Interrupted code resumed with the wrong rounding
mode, FS flag, and NaN-2008 semantics.
Fix setup_sigcontext() to save fcr31 into sc_fpc_csr. Fix
restore_sigcontext() to read it back (masked to fcr31_rw_bitmask as
the kernel does) and call cpu_mips_restore_fp_status() to resync
fp_status from the restored fcr31.
Add cpu_mips_restore_fp_status() in target/mips/fpu.c (which already
defines ieee_rm and includes fpu_helper.h), and declare it in cpu.h.
Fixes: 084d0497a0 ("mips-linux-user: Save and restore fpu and dsp from sigcontext") Cc: qemu-stable@nongnu.org Signed-off-by: Matt Turner <mattst88@gmail.com> Signed-off-by: Helge Deller <deller@gmx.de>
Matt Turner [Mon, 25 May 2026 15:23:12 +0000 (11:23 -0400)]
linux-user/ppc: restore fp_status from FPSCR on sigreturn
restore_user_regs() restores the PPC FPSCR with a direct assignment:
env->fpscr = (uint32_t) fpscr;
ppc_store_fpscr() exists precisely to write FPSCR and keep the derived
env->fp_status in sync: it calls fpscr_set_rounding_mode() to update
the softfloat rounding mode, and set_float_rebias_overflow/underflow()
to reflect the FP_OE/FP_UE enable bits. The direct assignment bypasses
all of this.
On sigreturn, interrupted code resumes with whatever rounding mode and
overflow/underflow-rebias state the signal handler last installed in
fp_status, rather than the state that was saved at signal delivery.
Replace the direct assign with ppc_store_fpscr(). The FPSCR_MTFS_MASK
applied inside ppc_store_fpscr() only excludes the computed FP_FEX and
FP_VX bits, which it re-derives correctly from the exception and enable
bits in the restored value.
Fixes: bcd4933a23 ("linux-user: ppc signal handling") Cc: qemu-stable@nongnu.org Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Matt Turner <mattst88@gmail.com> Signed-off-by: Helge Deller <deller@gmx.de>
Zero operands produce a zero high and low product. One operands produce
a copy of the other operand and a zero or sign extension in the high
half.
Fold those cases during TCG optimization so wide-multiply idioms used by
target translators can collapse before code generation.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260520125139.13352-3-philmd@linaro.org>
In order to ease next commit review, check arg2 constness
in the inner loop.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260520125139.13352-2-philmd@linaro.org>
In the standard reStructuredText inline markup, italic
text is surrounded by one asterisk.
Fix incomplete style from commits 5e97a28a8b9 ("tcg: convert
tcg/README to rst") and 76f42780292 ("tcg: Add add/sub with
carry opcodes and infrastructure").
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260519210019.11665-1-philmd@linaro.org>
* tag 'pull-target-arm-20260529' of https://gitlab.com/pm215/qemu: (21 commits)
hw/dma/omap_dma: Fix indentation after ifdef removal
hw/dma/omap_dma: Fix coding style in omap_dma_transfer_setup()
hw/dma/omap_dma: Remove unused ifdeffed out code
target/arm: advertise FEAT_RNG_TRAP on cortex-max
target/arm: implement FEAT_RNG_TRAP for RNDR/RNDRRS
target/arm: SME BFCVT, BFCVTN have "Alternate BFloat16 behaviors"
target/arm: Don't assert if 64-bit EL2 AT insn sees a Domain fault
target/arm: Enable FEAT_CMPBR for -cpu max
target/arm: Implement CB (immediate)
target/arm: Implement CB, CBB, CBH
target/arm: Add feature predicate for FEAT_CMPBR
hw/arm/xilinx_zynq: Split xilinx_zynq into header and implementation files
hw/block/m25p80: Add HAS_SR_TB flag for is25lp016d
hw/misc/zynq_slcr: Add logic for DCI configuration
hw/misc: Add dummy ZYNQ DDR controller
hw/dma/zynq-devcfg: Indicate power-up status of PL
hw/dma/zynq-devcfg: Simulate dummy PL reset
hw/dma/zynq: Ensure PCFG_DONE bit remains set to indicate PL is in user mode
hw/arm/zynq-devcfg: Prevent unintended unlock during initialization
hw/dma/zynq-devcfg: Handle bitstream loading via DMA to 0xffffffff
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Fri, 29 May 2026 16:58:13 +0000 (12:58 -0400)]
Merge tag 'pull-11.1-testing-macos-and-misc-280526-1' of https://gitlab.com/stsquad/qemu into staging
testing updates (gitlab, MacOS, MAINTAINERS)
- move tests/Makefile.include earlier in order
- add binary deps to .ninja-goals.run-tcg-tests-FOO
- clean-up jit locking around do_tb_phys_invalidate
- drop deprecated cirrus MacOS builds
- add gitlab MacOS builds
- update the gitlab issue template around binary test cases
- fix-up MAINTAINERS for dockerfiles
# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCgAdFiEEZoWumedRZ7yvyN81+9DbCVqeKkQFAmoYp8EACgkQ+9DbCVqe
# KkRL3wf+LmazWrTWC0hkP0KcFEvBVYNin87BnYFEcXYfo/dkNEXMQeHNHpkEGm1J
# dTwWrmlDLIuvSowrCT5J597t9ssmsy8e2djo7yYx2aKBZvjyfVF/AadA4xSYz7XV
# P0EaxYlGcN7CRyCSRMswFUJB7UwCopwjgaitITCGR6tb80nQRnbzzVTd/13Ne8qd
# E1qeOT3G/+10uL0iOAGBUXgxT4tTsbdwrm0hk6vvEX4oGGwg11WpTZFAKVUwm3kK
# 5CTUF4sJTy2Y2yht0AqSMteuUoTbvp5xKKJQ1yuDYFByma0d0K2MRtcdxSmdx7eO
# rp4gGzXafPY/sXF2QYCXv/8VaCXEoA==
# =p5gv
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 28 May 2026 16:38:25 EDT
# gpg: using RSA key 6685AE99E75167BCAFC8DF35FBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8 DF35 FBD0 DB09 5A9E 2A44
* tag 'pull-11.1-testing-macos-and-misc-280526-1' of https://gitlab.com/stsquad/qemu:
MAINTAINERS: Cover python.docker with Python library section
MAINTAINERS: Cover debian-tricore-cross.docker with TriCore section
MAINTAINERS: Cover debian-xtensa-cross.docker with Xtensa section
MAINTAINERS: Cover debian-loongarch-cross.docker with LoongArch section
MAINTAINERS: Fix docker/dockerfiles/debian-hexagon-cross.docker path
gitlab: update issue template for binary test cases
gitlab: add MacOS 26 job on gitlab runner
gitlab: add initial MacOS 15 on gitlab runner
ci: drop cirrus MacOS build
accel/tcg: move jit thread manipulation into do_tb_phys_invalidate
tests/Makefile.include: add binary dependency to run-tcg-tests-% rules
tests/Makefile.include: fix typo in comment
Makefile: include tests/Makefile.include before ninja calculation
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Fri, 29 May 2026 16:58:03 +0000 (12:58 -0400)]
Merge tag 'net-pull-request' of https://github.com/jasowang/qemu into staging
# -----BEGIN PGP SIGNATURE-----
#
# iQEzBAABCAAdFiEEIV1G9IJGaJ7HfzVi7wSWWzmNYhEFAmoZHBQACgkQ7wSWWzmN
# YhH7ywf/WZdieTiWCoi1XI2rZ6XCjdJRqTSmp+WENDDQt4tBnXXJ6PxyitFqZh7g
# oZnN1+WXgIAO0SZRPbzjspe9mFsXrFkE/7y9XijOF4F/bhbWPA/AL8SICxnjoyaC
# nOs1QU2hE7yhOqgnUHweUjNbgpUO8mIgLdSIbKYDgZq1vRFsXy2kkKbeiJkbPCfe
# 0ILqltFjS5MeCl2fV0WwUquWr7VXEXb0vGPQKAzRbygmbDC+qYRF100cTrSCxnOe
# LSW8c1nf2AHZkQJmj2HWc2DUwxynAr8N8jSRPgp4JSC6B2caSQygKHGtKe19Y/Be
# u4hm+k5+HB25xkA4czheMcNvefnzoQ==
# =JjfR
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 29 May 2026 00:54:44 EDT
# gpg: using RSA key 215D46F48246689EC77F3562EF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [full]
# Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* tag 'net-pull-request' of https://github.com/jasowang/qemu:
hw/net/rocker_of_dpa: Avoid unaligned accesses in _of_dpa_flow_match()
hw/net/rocker_of_dpa: Check group ID pointers are not NULL
net/tap: check that user tries to define zero queues
net/tap: net_init_tap(): relax QEMU hubs check
net/tap: net_init_tap(): merge fd=, fds= and helper= cases into one
net/tap: fix vhostfds/vhostfd parameters API
net/tap: move fds parameters handling to separate functions
net: introduce net_parse_fds()
net/tap: net_init_tap_one(): drop model parameter
net/tap: net_init_tap_one() refactor to get vhostfd param
net/tap: net_init_tap(): common fail label
net/tap: net_init_tap(): refactor parameter checking
net/tap: net_init_tap(): drop extra vhostfdname variable
net/tap: net_init_tap_one(): add return value
net/af-xdp: fix type overflow
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* tag 'single-binary-20260528' of https://github.com/philmd/qemu: (22 commits)
hw/core: Remove SysemuCPUOps::get_phys_addr_attrs_debug
target/i386: Convert to translate_for_debug
target/microblaze: Convert to translate_for_debug
accel/common: Remove last bit of target-specific code
hw/tpm/tpm_tis_sysbus: defer resource allocation to realize
mailmap: Update email addresses for Andrew Jones
mailmap: Update email addresses for Daniel Henrique Barboza
hw/vfio: use stub_ss for iommufd-stubs.c
hw/net: use stub_ss for vhost_net-stub.c
net: use stub_ss for vhost-user-stub.c and vhost-vdpa-stub.c
migration: use stub_ss for vfio-stub.c
target/arm: move whpx-stub to arm_stubs_ss
target/arm: move kvm-stub to arm_stubs_ss
meson.build: move some subdir before system lib creation
meson: fix close_range detection on older glibc
system/qtest: Fix length parameter in the b64write code
system/vl: Free allocate memory for pid file name in case realpath() failed
docs/devel/tcg-ops: List more vector opcodes
docs/devel/tcg-ops: Stop listing dup2_vec()
monitor: fix missing spaces in screendump help text
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
No targets use the SysemuCPUOps::get_phys_addr_attrs_debug method
any more, so we can remove it, together with the handling of it
in cpu_translate_for_debug().
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260528161450.3564396-4-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 28 May 2026 16:14:49 +0000 (17:14 +0100)]
target/i386: Convert to translate_for_debug
The get_phys_addr_attrs_debug method of SysemuCPUOps is used only by
x86 and microblaze. Convert x86 to the newer translate_for_debug
method, as a step towards being able to remove
get_phys_addr_attrs_debug.
The new API allows us to tell the caller the actual size of the
mapping via lg_page_size, so we do that, although no caller will care
since it's always at least TARGET_PAGE_BITS.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260528161450.3564396-3-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 28 May 2026 16:14:48 +0000 (17:14 +0100)]
target/microblaze: Convert to translate_for_debug
The get_phys_addr_attrs_debug method of SysemuCPUOps is used only by
x86 and microblaze. Convert microblaze to the newer
translate_for_debug method, as a step towards being able to remove
get_phys_addr_attrs_debug.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260528161450.3564396-2-peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
accel/common: Remove last bit of target-specific code
Initialize the TypeInfo structure at runtime using the TargetInfo
API to resolve TYPE_ACCEL_CPU, replacing CPU_RESOLVING_TYPE by
target_cpu_type(). Since the code is no more target-specific, move
it to accel-common.c, removing the need for accel-target.c.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Anton Johansson <anjo@rev.ng> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-Id: <20260528140857.44130-1-philmd@linaro.org>
hw/tpm/tpm_tis_sysbus: defer resource allocation to realize
Calling memory_region_init_ram_device_ptr() and
memory_region_init_io() from tpm_tis_sysbus_initfn() crashes
when the device is introspected without being realized, because
the memory subsystem has not been initialized at that point.
So running:
$ qemu-system-aarch64 -device tpm-tis-device,help
triggers qdev_device_help() which creates the device object
to list its properties, calling instance_init, but never
realizefn. The memory region calls in instance_init then hit
uninitialized subsystems:
With CONFIG_DEBUG_TCG:
Assertion 'target_page.decided' failed. (physmem.c:2524)
Without CONFIG_DEBUG_TCG:
Assertion 'mutex->initialized' failed. (qemu-thread-posix.c:107)
Since realizefn is only called when the device is actually
used in a running VM, moving resource allocation there avoids
the crash without breaking introspection.
This also fixes a memory leak that is reported by the address
sanitizer during 'make check', because we currently allocate
ppi.buf during instance_init and never free it. "Allocate in
realize and never free" is less bad, because we don't currently
support "unrealize and destroy a sysbus device".
Fixes: 46cd2c1050f ("hw/tpm: add PPI support to tpm-tis-device for ARM64 virt") Signed-off-by: Mohammadfaiz Bawa <mbawa@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260528093123.55403-1-mbawa@redhat.com>
Message-ID: <CAFEAcA8fEYODmPhbh1W=oPGvju-P=qWvN_dyWrPqAr-E9FK7UA@mail.gmail.com>
[PMD: Amend Peter comment from previous mail in description] Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Peter Maydell [Thu, 28 May 2026 15:28:52 +0000 (16:28 +0100)]
hw/dma/omap_dma: Fix indentation after ifdef removal
Some of the ifdefs in omap_dma_transfer_setup() which we just
removed had if() blocks in them. Now that the code inside them
is always unconditional it has an extra unnecessary layer of
indentation; fix this, as a whitespace only change.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260528152852.3349928-4-peter.maydell@linaro.org
Peter Maydell [Thu, 28 May 2026 15:28:51 +0000 (16:28 +0100)]
hw/dma/omap_dma: Fix coding style in omap_dma_transfer_setup()
We're about to fix indent in a section of the
omap_dma_transfer_setup() function, which will make checkpatch
complain. Since we're touching the code anyway, fix the uses of if()
with no braces and wrongly formatted multiline comments.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20260528152852.3349928-3-peter.maydell@linaro.org
Peter Maydell [Thu, 28 May 2026 15:28:50 +0000 (16:28 +0100)]
hw/dma/omap_dma: Remove unused ifdeffed out code
The OMAP DMA device includes a lot of code which has been disabled
via ifdefs for over a decade. Whatever this unfinished development
work was, all knowledge of it is long gone, and we're unlikely to
be doing any serious work on this device model in future. If we
did, we'd likely have to start from scratch.
Remove all the ifdeffed out code. We will fix up the indentation
in a followup commit that has only whitespace changes.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260528152852.3349928-2-peter.maydell@linaro.org
Jason Wright [Thu, 28 May 2026 18:19:25 +0000 (18:19 +0000)]
target/arm: advertise FEAT_RNG_TRAP on cortex-max
Set ID_AA64PFR1.RNDR_TRAP=1 on the max CPU model so guests and
firmware detect FEAT_RNG_TRAP, per the Arm Architecture Reference
Manual for A-profile architecture (DDI 0487), and document the feature
as emulated in docs/system/arm/emulation.rst.
Signed-off-by: Jason Wright <wrigjl@proton.me> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Jason Wright [Thu, 28 May 2026 18:19:19 +0000 (18:19 +0000)]
target/arm: implement FEAT_RNG_TRAP for RNDR/RNDRRS
Add an .accessfn to the RNDR and RNDRRS system registers that traps
reads to EL3 when SCR_EL3.TRNDR is set, as required by FEAT_RNG_TRAP.
Mark SCR_EL3.TRNDR (bit 40) as a writable field in scr_write() when
the CPU advertises the feature. The pseudocode in DDI0487 revision M.b
shows the trap firing from EL0, EL1, EL2, and EL3, so there is no
check of arm_current_el().
When FEAT_RNG_TRAP is implemented without FEAT_RNG, an RNDR/RNDRRS read
with SCR_EL3.TRNDR=0 should UNDEF rather than succeed; handle that case
in access_rndr(). Register the rndr_reginfo CP reg entries whenever either
FEAT_RNG or FEAT_RNG_TRAP is implemented, so the accessfn fires even on a
FEAT_RNG_TRAP-only CPU.
When SCR_EL3.TRNDR is set, ID_AA64ISAR0_EL1.RNDR reads as 1 regardless
of whether FEAT_RNG is implemented; give ID_AA64ISAR0_EL1 a readfn so it
reports this at runtime, as we already do for ID_AA64PFR0_EL1.
Suggested-by: Richard Henderson <richard.henderson@linaro.org> Suggested-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Jason Wright <wrigjl@proton.me> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Tue, 5 May 2026 18:51:57 +0000 (19:51 +0100)]
hw/net/rocker_of_dpa: Avoid unaligned accesses in _of_dpa_flow_match()
_of_dpa_flow_match() tries to do masked comparisons of OfDpaFlowkey
structs by casting pointers to them to uint64_t* and then doing the
memory accesses as 64-bit. This is undefined behaviour because the
pointers might not be 64-bit aligned, and the UB sanitizer spots this:
We do know that OfDpaFlowKey structs must be at least aligned enough
for uint32_t accesses, because that's the type of the first field.
Switch to using uint32_t accesses in the loop.
Because the "width" field is always set via the FLOW_KEY_WIDTH macro
and not exposed to the guest, we can adjust the macro to store the
number of uint32_t to be checked rather than needing to change the
loop boundary in the match function.
Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
Peter Maydell [Tue, 5 May 2026 18:51:56 +0000 (19:51 +0100)]
hw/net/rocker_of_dpa: Check group ID pointers are not NULL
In of_dpa_cmd_add_l2_flood(), we use rocker_tlv_parse_nested()
to fill in a tlvs[] array. If the guest command is valid then
the entries should be pointers to TLV data items with group IDs.
However, if the guest gives us bogus data then rocker_tlv_parse_nested()
indicates this by leaving the tlvs[] entries NULL. In the other
places that use this function, we check for this before using
the value, but here we forgot, and the result is that QEMU can
crash:
#0 __memcpy_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:331
#1 0x00005555574f7137 in __asan_memcpy ()
#2 0x0000555558106792 in ldl_he_p (ptr=0x8) at /home/pm215/qemu/include/qemu/bswap.h:278
#3 0x0000555558106755 in ldl_le_p (ptr=0x8) at /home/pm215/qemu/include/qemu/bswap.h:311
#4 0x00005555580f85ed in rocker_tlv_get_le32 (tlv=0x0) at ../../hw/net/rocker/rocker_tlv.h:114
#5 0x000055555810a8ad in of_dpa_cmd_add_l2_flood (of_dpa=0x506000082e38, group=0x503000b4e440, group_tlvs=0x7fff68702c20)
at ../../hw/net/rocker/rocker_of_dpa.c:2032
#6 0x0000555558108a74 in of_dpa_cmd_group_do (of_dpa=0x506000082e38, group_id=1073741824, group=0x503000b4e440, group_tlvs=0x7fff68702c20)
at ../../hw/net/rocker/rocker_of_dpa.c:2115
#7 0x0000555558108730 in of_dpa_cmd_group_add (of_dpa=0x506000082e38, group_id=1073741824, group_tlvs=0x7fff68702c20)
at ../../hw/net/rocker/rocker_of_dpa.c:2135
#8 0x00005555580f66ec in of_dpa_group_cmd
(of_dpa=0x506000082e38, info=0x514000072e40, buf=0x5070002356c0 "\001", cmd=7, group_tlvs=0x7fff68702c20)
at ../../hw/net/rocker/rocker_of_dpa.c:2194
Check for NULL values and return an error.
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/1851 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Jason Wang <jasowang@redhat.com>
Alex Bennée [Tue, 26 May 2026 11:02:36 +0000 (12:02 +0100)]
gitlab: update issue template for binary test cases
Binary test cases are sketchy because they can be vectors for phishing
and other malware. Lets strongly hint that source bases tests are
preferred and binaries should have their provenance declared.
Suggested-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20260526110243.470002-9-alex.bennee@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Alex Bennée [Tue, 26 May 2026 11:02:34 +0000 (12:02 +0100)]
gitlab: add initial MacOS 15 on gitlab runner
The gitlab runners are currently in beta but available to projects on
the Premium and Ultimate plans (which QEMU is via the Open Source
program).
We install some compilers via brew so we can run some of the check-tcg
softmmu test cases.
We disable rust as the version is too old.
We disable plugins because we haven't taught the test harness about
.dynlib vs .so yet.
There is a discrepancy between the vars and version of MacOS because
lcitool needs teaching about other versions (although I don't think it
matters as brew is shared across versions).
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-ID: <20260526110243.470002-7-alex.bennee@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Alex Bennée [Tue, 26 May 2026 11:02:32 +0000 (12:02 +0100)]
accel/tcg: move jit thread manipulation into do_tb_phys_invalidate
To invalidate a TB on MacOS we need to enable write access to the JIT
buffer. We were doing this for tb_phys_invalidate__locked but that is
not the only path into do_tb_phys_invalidate. Move the manipulation
into the shared function that does the work.
As a result we can drop the tb_phys_invalidate__locked function and
update the calls directly.
This enables watchpoints to work in MacOS TCG guests.
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3444 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260526110243.470002-5-alex.bennee@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Alex Bennée [Tue, 26 May 2026 11:02:31 +0000 (12:02 +0100)]
tests/Makefile.include: add binary dependency to run-tcg-tests-% rules
Explicitly set the appropriate QEMU binary as a dependency so we can
ensure they get built. This is especially important for MacOS which
otherwise only builds the unsigned binaries on a normal "make all"
run.
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-ID: <20260526110243.470002-4-alex.bennee@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Acked-by: Andrew Jones <andrew.jones@oss.qualcomm.com>
Message-Id: <20260528083920.33105-1-philmd@linaro.org>
Peter Maydell [Thu, 21 May 2026 18:08:54 +0000 (19:08 +0100)]
target/arm: SME BFCVT, BFCVTN have "Alternate BFloat16 behaviors"
The Arm ARM A1.5.10 notes that some instructions have "Alternate
Bfloat16 behaviors" when FPCR.AH == 1. We implement these using the
FPST_AH and FPST_AH_F16 fp_status words. The list includes the SME
BFVCT (single-precision to BFloat16) and BFCVTN, but we forgot to
make those use FPST_AH_F16 when we implemented them. (We get the
ASIMD and SVE insns on the list right.)
Peter Maydell [Thu, 28 May 2026 16:24:12 +0000 (17:24 +0100)]
target/arm: Don't assert if 64-bit EL2 AT insn sees a Domain fault
The Domain fault type can only happen for 32-bit short-format
descriptors. This means that it almost never needs to be encoded in
a long-format fault status code. However, there is one corner case
where we do need to report it as a long-format FSC: if a 64-bit EL2
does an AT insn on an AArch32 EL1&0 translation regime that is using
short-descriptors and that translation operation hits a Domain fault,
then this is reported in the PAR_EL1 in long-format.
The PAR_EL1 register description defines that this should be reported
as 0b111101 for a level 1 Domain fault or 0b111110 for a level 2
Domain fault.
The Arm ARM pseudocode special cases this in the function
AArch64_PARFaultStatus() (because no other "fault to LFSC" code path
can be a Domain fault). For QEMU, implement it in arm_fi_to_lfsc().
Cc: qemu-stable@nongnu.org Fixes: 1fa498fe0de97 ("target/arm: Provide fault type enum and FSR conversion functions")
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3512 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260526174155.2491217-1-peter.maydell@linaro.org
Quan Sun [Fri, 22 May 2026 20:18:50 +0000 (13:18 -0700)]
meson: fix close_range detection on older glibc
The has_function('close_range') check succeeds at link time on hosts
with kernel >= 5.9 even when glibc does not declare the function
(glibc < 2.34, e.g. AlmaLinux 8 / CentOS 8 with glibc 2.28). This
causes CONFIG_CLOSE_RANGE to be set, but compilation then fails with:
error: implicit declaration of function 'close_range'
Fix by adding a prefix that includes <unistd.h>, so the meson check
only succeeds when the C library actually declares close_range() in
its headers.
Signed-off-by: Quan Sun <Quan.Sun@windriver.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260522201850.1342167-1-Quan.Sun@windriver.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Thomas Huth [Mon, 18 May 2026 13:40:20 +0000 (15:40 +0200)]
system/qtest: Fix length parameter in the b64write code
The b64write code has a sanity check that the given lengths matches
the real length of the given data, and calculates the minimum of the
two values to be on the safe side. However, the address_space_write()
then uses the original value and ignores the calculated minimum. Use
out_len here to fix the problem.
Fixes: 70da30483e7 ("qtest: Use cpu address space instead of system memory") Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Message-ID: <20260518134020.1420932-1-thuth@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Thomas Huth [Mon, 18 May 2026 11:45:14 +0000 (13:45 +0200)]
system/vl: Free allocate memory for pid file name in case realpath() failed
In case realpath() fails, the code returns early in the function
qemu_maybe_daemonize(), without freeing the allocated memory. Add
a g_free() here to fix it.
And while we're at it, also free the memory in the qemu_unlink_pidfile()
function - it's not that important since QEMU is going to terminate anyway,
but some malloc sanitizers might still complain if we don't free it.
Fixes: dee2a4d4d2f ("vl: defuse PID file path resolve error") Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Fiona Ebner <f.ebner@proxmox.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260518114514.684401-1-thuth@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260518174750.660258-5-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260518174750.660258-4-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: var decl at top of function; add comment] Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Compare and branch instructions, with various operand widths.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260518174750.660258-3-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: move var decl to top of function] Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260518174750.660258-2-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:55 +0000 (09:33 +0200)]
hw/arm/xilinx_zynq: Split xilinx_zynq into header and implementation files
Create xilinx_zynq.h header file to expose ZynqMachineState and
related definitions for machine inheritance. This enables creation
of derived machines based on the Zynq platform.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260518073401.11279-11-corvin.koehne@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:54 +0000 (09:33 +0200)]
hw/block/m25p80: Add HAS_SR_TB flag for is25lp016d
The is25lp016d has 4 Block Write Protect Bits. BP3 specifies
whether the upper or lower range should be protected. Therefore,
we add the HAS_SR_TB flag to the is25lp016d flags.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260518073401.11279-10-corvin.koehne@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:52 +0000 (09:33 +0200)]
hw/misc/zynq_slcr: Add logic for DCI configuration
The registers for the digitally controlled impedance (DCI) clock are
part of the system level control registers (SLCR). The DONE bit in
the status register indicates a successfull DCI calibration. An
description of the calibration process can be found here:
https://docs.amd.com/r/en-US/ug585-zynq-7000-SoC-TRM/DDR-IOB-Impedance-Calibration
The DCI control register and status register have been added. As soon
as the ENABLE and RESET bit are set, the RESET bit has also been toggled
to 0 before and the UPDATE_CONTROL is not set, the DONE bit in the status
register is set. If these bits change the DONE bit is reset. Note that the
option bits are not taken into consideration.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Message-id: 20260518073401.11279-8-corvin.koehne@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:51 +0000 (09:33 +0200)]
hw/misc: Add dummy ZYNQ DDR controller
A dummy DDR controller for ZYNQ has been added. While all registers are present,
not all are functional. Read and write access is validated, and the user mode
can be set. This provides a basic DDR controller initialization, preventing
system hangs due to endless polling or similar issues.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com>
Message-id: 20260518073401.11279-7-corvin.koehne@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:50 +0000 (09:33 +0200)]
hw/dma/zynq-devcfg: Indicate power-up status of PL
It is assumed, that the programmable logic (PL) is always powered
during emulation. Therefor the PCFG_POR_B bit in the MCTRL register
is set.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Message-id: 20260518073401.11279-6-corvin.koehne@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:49 +0000 (09:33 +0200)]
hw/dma/zynq-devcfg: Simulate dummy PL reset
Setting PCFG_PROG_B should reset the PL. After a reset PCFG_INIT
should indicate that the reset is finished successfully.
In order to add a MMIO-Device as part of the PL in the Zynq, the
reset logic must succeed. The PCFG_INIT flag is now set when the
PL reset is triggered by PCFG_PROG_B. Indicating the reset was
successful.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Message-id: 20260518073401.11279-5-corvin.koehne@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:48 +0000 (09:33 +0200)]
hw/dma/zynq: Ensure PCFG_DONE bit remains set to indicate PL is in user mode
All register bits are clear on write by writing 1s to those bits, however
the register bits will only be cleared if the condition that sets the
interrupt flag is no longer true. Since we can assume that programming
is always done, the `PCFG_DONE` flag is always set to 1, so it will not
never be cleared.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Message-id: 20260518073401.11279-4-corvin.koehne@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:47 +0000 (09:33 +0200)]
hw/arm/zynq-devcfg: Prevent unintended unlock during initialization
During the emulation startup, all registers are reset, which triggers the
`r_unlock_post_write` function with a value of 0. This led to an
unintended memory access disable, making the devcfg unusable.
During startup, the memory space no longer gets locked.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Message-id: 20260518073401.11279-3-corvin.koehne@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:46 +0000 (09:33 +0200)]
hw/dma/zynq-devcfg: Handle bitstream loading via DMA to 0xffffffff
A DMA transfer to destination address `0xffffffff` should trigger a
bitstream load via the PCAP interface. Currently, this case is not
intercepted, causing loaders to enter an infinite loop when polling
the status register.
This commit adds a check for `0xffffffff` as the destination address.
If detected, the relevant status register bits (`DMA_DONE`,
`DMA_P_DONE`, and `PCFG_DONE`) are set to indicate a successful
bitstream load. If the address is different, the DMA transfer proceeds
as usual. A successful load is indicated but nothing is actually
done. Guests relying on FPGA functions are still known to fail.
This feature is required for the integration of the Beckhoff
CX7200 model.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Message-id: 20260518073401.11279-2-corvin.koehne@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Stefan Hajnoczi [Wed, 27 May 2026 18:45:58 +0000 (14:45 -0400)]
Merge tag 'pull-vfio-20260527' of https://github.com/legoater/qemu into staging
vfio queue:
* Fix vfio-user: container disconnect on device info query failure,
reject zero DMA and migration page size capabilities
* Fix dma_map_file() to avoid DMA against MAP_PRIVATE RAMBlocks
* Remove unused vfio_region_unmap()
* Update linux-headers to Linux v7.1-rc4
* Mark Multi-process QEMU as Odd Fixes in MAINTAINERS
* tag 'pull-vfio-20260527' of https://github.com/legoater/qemu:
vfio/container: Restrict dma_map_file() to shared RAM or RAM devices
vfio-user: reject zero migration page size capability
vfio-user: reject zero DMA page size capability
vfio-user: disconnect container when device info query fails
vfio: Clean up vfio_region_unmap()
linux-headers: Update to Linux v7.1-rc4
MAINTAINERS: Mark Multi-process QEMU as Odd Fixes
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* tag 'single-binary-20260527' of https://github.com/philmd/qemu: (32 commits)
MAINTAINERS: Update PhilMD's email address
MAINTAINERS: update qualcomm git tree URL
MAINTAINERS: Remove PhilMD from firmware sections
tests/tcg: Explicitly check for 64-bit z/Architecture
target/arm: Build cpu-max.c once
target/arm: Build cpu32-system.o as common object
target/arm: Define 'max' CPU type in cpu-max.c
target/arm: Re-use common aarch64_aa32_a57_init() helper
target/arm: Factor aarch64_aa32_a57_init() out
target/arm: Only set %kvm_target when KVM is enabled
target/arm: Implement DBGDEVID* registers in max AArch32 CPU
target/arm: Use make_ccsidr(LEGACY) in 32 bit 'max' CPU type
target/arm: Extract common code related to 'max' CPU
target/arm: Build cpu64.o as common object
target/arm: Build gdbstub64.o as common object
target/arm: Introduce common system/user meson source set
hw/arm/meson: Remove now unused arm_ss[] source set
hw/arm/aspeed: Build objects once
hw/arm/aspeed: Do not realize 64-bit CPU types under QTest
hw/arm/raspi: Build objects once
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
tests/tcg: Explicitly check for 64-bit z/Architecture
We do not support the 32-bit ESA/390 target, only the
64-bit z/Architecture.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20260519171240.97420-5-philmd@linaro.org>
Call TargetInfo::target_aarch64() at runtime, allowing to
remove the target-specific TARGET_AARCH64 definition and
build cpu-max.c once as common object.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com> Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-18-philmd@linaro.org>
cpu32.c only contains CPU types used in 32-bit system emulation:
rename it as cpu32-system.c; always compile the file but only
register the QOM types for the 32-bit binary.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com> Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-17-philmd@linaro.org>
Rather than having the 32-bit 'max' CPU type defined in
cpu32.c and the 64-bit counter part in cpu64.c, unify the
code in a single place in cpu-max.c. Define stubs for
aarch64_host_initfn() and aarch64_max_tcg_initfn() in the
32-bit binary.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com> Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-16-philmd@linaro.org>
In order to make the following commit easier to review,
factor aarch64_aa32_a57_init() out of aarch64_a57_initfn()
as a preliminary step. We only add a %aa32_only argument
to restrict AArch64 features.
Suggested-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com> Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-14-philmd@linaro.org>
target/arm: Implement DBGDEVID* registers in max AArch32 CPU
32-bit ARM max CPU is a 'Cortex-A57 advertising none of the AArch64
features'. Keep it as close as possible as the A57, by implementing
the debug ID registers, following the changes in aarch64_a57_initfn
added by commits 48eb3ae64b3 ("target-arm: Adjust debug ID registers
per-CPU") and 09754ca867f ("target/arm: Implement AArch32 DBGDEVID,
DBGDEVID1, DBGDEVID2").
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com> Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-12-philmd@linaro.org>
target/arm: Use make_ccsidr(LEGACY) in 32 bit 'max' CPU type
Commit 676624d757a ("target/arm/tcg: refine cache descriptions
with a wrapper") added the make_ccsidr() helper. Use it. Besides
being simpler to review, it also makes arm_max_initfn() more in
line which aarch64_a57_initfn(), which it almost duplicates.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com> Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-11-philmd@linaro.org>
target/arm: Extract common code related to 'max' CPU
Extract common code related to 'max' CPU. This commit only
move code used by the 32-bit 'max' CPU, but we will soon add
the 64-bit counterpart, so name it generically as "cpu-max.c".
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com> Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-10-philmd@linaro.org>
Commit 064f1ce95fe ("hw/arm/aspeed: Split AST2700 EVB
machine into a separate source file for maintainability")
remove the last TARGET_AARCH64 use.
Now than Aspeed machines can be filtered when running a
qemu-system-arm or qemu-system-aarch64 binary, we can
compile the aspeed.c file once, moving it from arm_ss[]
source set to arm_common_ss[].
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-5-philmd@linaro.org>
hw/arm/aspeed: Do not realize 64-bit CPU types under QTest
aspeed_ast27x0.c models 2 similar SoC based on a 64-bit only
CPU (Cortex-A35), only available in the 64-bit binary.
If we build this file as common object, these SoCs become
available in both 32 and 64-bit binaries; however when running
the introspection test on the 32-bit binary, the init() method
tries to init the Cortex-A35 type -- although not realizing it
-- which is not available. Simply skip CPU initialization when
running QTests on a 32-bit binary, asserting the realization
step is not reached.
Suggested-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com> Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-4-philmd@linaro.org>
Now than Raspi machines can be filtered when running a
qemu-system-arm or qemu-system-aarch64 binary, we can
remove the TARGET_AARCH64 #ifdef'ry and compile the
aspeed.c file once, moving it from arm_ss[] source set
to arm_common_ss[]. Note, we expose the TYPE_BCM2837
and TYPE_BCM2838 types to qemu-system-arm, but they are
not user-creatable, so not an issue.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-3-philmd@linaro.org>
hw/arm/raspi: Initialize 64-bit CPU types during DeviceRealize()
bcm2836.c models 3 similar SoC: BCM2835, BCM2836 and BCM2837.
The BCM2837 is a 64-bit only SoC (Cortex-A53), only available
in the 64-bit binary.
If we build this file as common object, all BCM SoCs become
available in both 32 and 64-bit binaries; however when running
the introspection test on the 32-bit binary, the BCM2837 init()
method tries to init the Cortex-A53 type -- although not
realizing it -- which is not available. This can be avoided by
deferring the CPU type initialization to the SoC DeviceRealize
step (this is safe because nothing uses the CPU type before,
only the GIC access them, just after their realization).
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com> Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-2-philmd@linaro.org>
Chenyi Qiang [Wed, 27 May 2026 10:11:08 +0000 (18:11 +0800)]
vfio/container: Restrict dma_map_file() to shared RAM or RAM devices
vfio_container_dma_map() uses dma_map_file() whenever a RAMBlock has an
fd and the VFIO IOMMU backend supports file-based DMA mapping. That is
not correct for private file-backed guest RAM.
dma_map_file() resolves PFNs from the backing file, but private guest
RAM mappings (MAP_PRIVATE) can run on different PFNs than the file
because they are subject to copy-on-write (COW) anomalies. As a result,
using dma_map_file() on a privately mapped RAMBlock can program DMA
against pages that do not back QEMU's actual guest memory.
Fix this by using dma_map_file() only for shared mapped RAMBlocks
(MAP_SHARED) or RAM device regions.
Fixes: fb32965b6dd8 ("vfio/iommufd: use IOMMU_IOAS_MAP_FILE") Reported-by: Farrah Chen <farrah.chen@intel.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220776 Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Suggested-by: Cédric Le Goater <clg@redhat.com> Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com> Link: https://lore.kernel.org/qemu-devel/20260527101109.71781-1-chenyi.qiang@intel.com Reviewed-by: Cédric Le Goater <clg@redhat.com> Signed-off-by: Cédric Le Goater <clg@redhat.com>
Anton Blanchard [Thu, 21 May 2026 11:08:24 +0000 (11:08 +0000)]
target/riscv: Use float_raise
Use float_raise instead of open coding it.
Signed-off-by: Anton Blanchard <antonb@tenstorrent.com> Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260521110824.1091323-1-antonb@tenstorrent.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
target/riscv: Define MSTATUS_SBE and MSTATUS_MBE bit masks
Add the RISC-V privileged ISA defined bit positions for the Supervisor
Big-Endian (SBE, bit 36) and Machine Big-Endian (MBE, bit 37) fields
in the mstatus register. These are used alongside the existing
MSTATUS_UBE (bit 6) to control data endianness at each privilege level.
The MSTATUS_UBE definition was already present, but SBE and MBE were
missing.
Signed-off-by: Djordje Todorovic <djordje.todorovic@htecgroup.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260527083151.17876-2-djordje.todorovic@htecgroup.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
GuoHan Zhao [Fri, 22 May 2026 08:13:06 +0000 (16:13 +0800)]
vfio-user: reject zero migration page size capability
check_migr_pgsize() validates that no page-size bits smaller than
VFIO_USER_DEF_PGSIZE are set, but it still accepts pgsize=0. This can replace
the default migration page size with an unusable value.
Reject a zero migration page size during version capability parsing, matching
the lower-bound check used for the DMA page-size capability.
GuoHan Zhao [Fri, 22 May 2026 08:13:05 +0000 (16:13 +0800)]
vfio-user: reject zero DMA page size capability
check_pgsizes() validates that no page-size bits smaller than
VFIO_USER_DEF_PGSIZE are set, but it still accepts pgsizes=0. This lets a
malformed server overwrite the default page-size mask with zero.
Later vfio_user_setup() asserts that proxy->dma_pgsizes is non-zero, so device
realization aborts instead of reporting a version capability error. Reject a
zero DMA page-size mask during version capability parsing.
GuoHan Zhao [Fri, 22 May 2026 06:56:37 +0000 (14:56 +0800)]
vfio-user: disconnect container when device info query fails
vfio_user_device_attach() connects the vfio-user container before querying
VFIO_USER_DEVICE_GET_INFO. If the device info query fails,
vfio_device_prepare() has not run yet, so vbasedev->bcontainer is still
NULL and the later vfio_device_detach() cleanup path cannot reach the new
container.
Disconnect the container before returning the attach failure so the listener,
RAM discard state, object reference and address space reference are released
on this error path.
projects / thirdparty / qemu.git / log
