git.ipfire.org Git - thirdparty/qemu.git/log
5 weeks ago hw/core/loader: Pass errp to load_image_targphys_as()
Vishal Chourasia [Fri, 24 Oct 2025 13:06:01 +0000 (18:36 +0530)] 
hw/core/loader: Pass errp to load_image_targphys_as()

Pass errp to load_image_targphys_as() in generic-loader and
guest-loader to capture detailed error information from the
loader functions.

Use error_prepend() instead of error_setg() to preserve the
underlying error details while adding context about which image
failed to load.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Message-ID: <20251024130556.1942835-12-vishalc@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/core/loader: add check for zero size in load_image_targphys_as
Vishal Chourasia [Fri, 24 Oct 2025 13:05:59 +0000 (18:35 +0530)] 
hw/core/loader: add check for zero size in load_image_targphys_as

Currently load_image_targphys_as() returns -1 on file open failure or
when max size is exceeded. Add an explicit check for zero-sized files
to catch this error early, since some callers check for size <= 0.

Also, remove the redundant size > 0 check later in the function.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Message-ID: <20251024130556.1942835-10-vishalc@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/core/loader: improve error handling in image loading functions
Vishal Chourasia [Fri, 24 Oct 2025 13:05:57 +0000 (18:35 +0530)] 
hw/core/loader: improve error handling in image loading functions

Add error checking for lseek() failure and provide better error
messages when image loading fails, including filenames and addresses.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Message-ID: <20251024130556.1942835-8-vishalc@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/core/loader: capture Error from load_image_targphys
Vishal Chourasia [Fri, 24 Oct 2025 13:05:55 +0000 (18:35 +0530)] 
hw/core/loader: capture Error from load_image_targphys

Add Error **errp parameter to load_image_targphys(),
load_image_targphys_as(), and get_image_size() to enable better
error reporting when image loading fails.

Pass NULL for errp in all existing call sites to maintain current
behavior. No functional change intended in this patch.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Aditya Gupta <adityag@linux.ibm.com>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Message-ID: <20251024130556.1942835-6-vishalc@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/core/loader: Use qemu_open() instead of open() in get_image_size()
Vishal Chourasia [Fri, 24 Oct 2025 13:05:53 +0000 (18:35 +0530)] 
hw/core/loader: Use qemu_open() instead of open() in get_image_size()

Replace open() with qemu_open() which provides better error handling
via the Error object, automatically sets O_CLOEXEC, and supports FD
passing with /dev/fdset.

Currently pass errp argument as NULL.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Vishal Chourasia <vishalc@linux.ibm.com>
Message-ID: <20251024130556.1942835-4-vishalc@linux.ibm.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/int/loongarch: Include missing 'system/memory.h' header
Philippe Mathieu-Daudé [Fri, 24 Oct 2025 14:24:09 +0000 (16:24 +0200)] 
hw/int/loongarch: Include missing 'system/memory.h' header

"system/memory.h" header is indirectly pulled by "hw/sysbus.h".
Include it explicitly to avoid the following when refactoring the latter:

  In file included from ../../hw/intc/loongson_ipi.c:9:
  In file included from /Users/philmd/source/qemu/include/hw/intc/loongson_ipi.h:12:
  include/hw/intc/loongson_ipi_common.h:37:18: error: field has incomplete type 'MemoryRegion' (aka 'struct MemoryRegion')
     37 |     MemoryRegion ipi_iocsr_mem;
        |                  ^

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Message-Id: <20251024190416.8803-21-philmd@linaro.org>

5 weeks ago hw/uefi: Include missing 'system/memory.h' header
Philippe Mathieu-Daudé [Fri, 24 Oct 2025 13:33:02 +0000 (15:33 +0200)] 
hw/uefi: Include missing 'system/memory.h' header

"system/memory.h" header is indirectly pulled by "hw/sysbus.h".
Include it explicitly to avoid the following when refactoring the latter:

  include/hw/uefi/var-service.h:50:39: error: field has incomplete type 'MemoryRegion' (aka 'struct MemoryRegion')
     50 |     MemoryRegion                      mr;
        |                                       ^

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20251024190416.8803-14-philmd@linaro.org>

5 weeks ago hw/sysbus: Have various helpers take a const SysBusDevice argument
Philippe Mathieu-Daudé [Fri, 24 Oct 2025 11:17:18 +0000 (13:17 +0200)] 
hw/sysbus: Have various helpers take a const SysBusDevice argument

These getters don't update any SysBusDevice internal fields,
make the argument const.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20251024190416.8803-3-philmd@linaro.org>

5 weeks ago hw/qdev: Have qdev_get_gpio_out_connector() take const DeviceState arg
Philippe Mathieu-Daudé [Fri, 24 Oct 2025 14:49:52 +0000 (16:49 +0200)] 
hw/qdev: Have qdev_get_gpio_out_connector() take const DeviceState arg

This getter doesn't update any DeviceState internal fields,
make it const.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20251024190416.8803-2-philmd@linaro.org>

5 weeks ago hw/pci-host/raven: Simplify PCI bus creation
BALATON Zoltan [Thu, 23 Oct 2025 15:26:25 +0000 (17:26 +0200)] 
hw/pci-host/raven: Simplify PCI bus creation

Instead of doing it manually use pci_register_root_bus() to create and
register the PCI bus. Also drop pci_bus from PREPPCIState and use the
existing bus field in the parent PCIHostState.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <4ffa168d68947d95a16c51d73cedd141b0df0ea0.1761232472.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/pci-host/raven: Use DEFINE_TYPES macro
BALATON Zoltan [Thu, 23 Oct 2025 15:26:24 +0000 (17:26 +0200)] 
hw/pci-host/raven: Use DEFINE_TYPES macro

Convert to using DEFINE_TYPES macro and move raven_pcihost_class_init
so methods of each object are grouped together.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <4ff8a3e1de847846f08d9ea6b389efeb3eb12aed.1761232472.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/pci-host/raven: Simplify host bridge type declaration
BALATON Zoltan [Thu, 23 Oct 2025 15:26:23 +0000 (17:26 +0200)] 
hw/pci-host/raven: Simplify host bridge type declaration

Use OBJECT_DECLARE_SIMPLE_TYPE macro instead of open coding it and
change state struct name to match the previous typedef.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <e14793737092eac0642aa87214801a1f4bb1e2e7.1761232472.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/pci-host/raven: Simplify PCI facing part
BALATON Zoltan [Thu, 23 Oct 2025 15:26:22 +0000 (17:26 +0200)] 
hw/pci-host/raven: Simplify PCI facing part

The raven PCI device does not need a state struct as it has no data to
store there any more, so we can remove that to simplify code.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <3c4cb144c24a2a729669549c4c0e6e47d230e68e.1761232472.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/pci-host/raven: Simplify creating PCI facing part
BALATON Zoltan [Thu, 23 Oct 2025 15:26:21 +0000 (17:26 +0200)] 
hw/pci-host/raven: Simplify creating PCI facing part

There is no need to init and realize the PCI facing part of the host
bridge separately as it does not expose any properties that need to be
available before realize. It can be simplified using pci_create_simple.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-ID: <5a60e395d72e5eb4d01093434fbb645d72ac567a.1761232472.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago migration/vmstate: remove VMSTATE_BUFFER_POINTER_UNSAFE macro
Michael Tokarev [Thu, 23 Oct 2025 13:53:10 +0000 (16:53 +0300)] 
migration/vmstate: remove VMSTATE_BUFFER_POINTER_UNSAFE macro

The only user of this macro was VirtIONet.vlans, which has been
converted to regular VMSTATE_BUFFER.

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Peter Xu <peterx@redhat.com>
Message-ID: <20251023135316.31128-3-mjt@tls.msk.ru>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago hw/net/virtio-net: make VirtIONet.vlans an array instead of a pointer
Michael Tokarev [Thu, 23 Oct 2025 13:53:09 +0000 (16:53 +0300)] 
hw/net/virtio-net: make VirtIONet.vlans an array instead of a pointer

This field is a fixed-size buffer (number of elements is MAX_VLAN,
known at build time).  There's no need to allocate it dynamically,
it can be made an integral part of VirtIONet structure.

This field is the only user of VMSTATE_BUFFER_POINTER_UNSAFE() macro.

Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Tested-by: Lei Yang <leiyang@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Message-ID: <20251023135316.31128-2-mjt@tls.msk.ru>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago qom: remove redundant typedef when use OBJECT_DECLARE_SIMPLE_TYPE
Nguyen Dinh Phi [Thu, 23 Oct 2025 06:34:28 +0000 (14:34 +0800)] 
qom: remove redundant typedef when use OBJECT_DECLARE_SIMPLE_TYPE

When OBJECT_DECLARE_SIMPLE_TYPE is used, it automatically provides
the typedef, so we don’t have to define it ourselves.

Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20251023063429.1400398-1-phind.uet@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago target/hppa: Set FPCR exception flag bits for non-trapped exceptions
Peter Maydell [Fri, 17 Oct 2025 08:53:50 +0000 (09:53 +0100)] 
target/hppa: Set FPCR exception flag bits for non-trapped exceptions

In commit ebd394948de4e8 ("target/hppa: Fix FPE exceptions") when
we added the code for setting up the registers correctly on trapping
FP exceptions, we accidentally broke the handling of the flag bits
for non-trapping exceptions.

In update_fr0_op() we incorrectly zero out the flag bits and the C
bit, so any fp operation would clear previously set flag bits. We
also stopped setting the flag bits when the fp operation raises
an exception and the trap is not enabled.

Adjust the code so that we set the Flag bits for every exception that
happened and where the trap is not enabled.  (This is the correct
behaviour for the case where an instruction triggers two exceptions,
one of which traps and one of which does not; that can only happen
for inexact + underflow or inexact + overflow.)

Cc: qemu-stable@nongnu.org
Fixes: ebd394948de4e8 ("target/hppa: Fix FPE exceptions")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3158
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Helge Deller <deller@gmx.de>
Tested-by: Helge Deller <deller@gmx.de>
Message-ID: <20251017085350.895681-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
5 weeks ago Merge tag 'next-pr-pull-request' of https://gitlab.com/berrange/qemu into staging
Richard Henderson [Sat, 25 Oct 2025 08:42:55 +0000 (10:42 +0200)] 
Merge tag 'next-pr-pull-request' of https://gitlab.com/berrange/qemu into staging

Merge misc, crypto and I/O subsystems changes

 * Fix use after free in websocket handshake (CVE-2025-11234)
 * Improved stack traces for fatal errors/aborts raised for
   user creatable objects
 * Stop requiring 'key encipherment' usage in x509 certs
 * Only sanity check CA certs needed in the chain of trust
 * Allow intermediate CA certs to be present in client/server
   cert file
 * Fix regression propagating errors in premature shutdown
   of TLS connections

# gpg: Signature made Fri 24 Oct 2025 05:39:00 PM CEST
# gpg:                using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [unknown]
# gpg:                 aka "Daniel P. Berrange <berrange@redhat.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E  8E3F BE86 EBB4 1510 4FDF

* tag 'next-pr-pull-request' of https://gitlab.com/berrange/qemu:
  crypto: switch to newer gnutls API for distinguished name
  crypto: stop requiring "key encipherment" usage in x509 certs
  crypto: allow client/server cert chains
  crypto: fix error reporting in cert chain checks
  crypto: validate an error is reported in test expected fails
  crypto: remove extraneous pointer usage in gnutls certs
  crypto: only verify CA certs in chain of trust
  io: fix use after free in websocket handshake code
  io: move websock resource release to close method
  io: release active GSource in TLS channel finalizer
  tests: use macros for registering char tests for sockets
  qom: use ERRP_GUARD in user_creatable_complete
  crypto: propagate Error object on premature termination

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
5 weeks ago crypto: switch to newer gnutls API for distinguished name
Daniel P. Berrangé [Fri, 11 Jul 2025 12:21:34 +0000 (13:21 +0100)] 
crypto: switch to newer gnutls API for distinguished name

The new API automatically allocates the right amount of memory
to hold the distinguished name, avoiding the need to loop and
realloc.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago crypto: stop requiring "key encipherment" usage in x509 certs
Daniel P. Berrangé [Tue, 1 Jul 2025 17:33:21 +0000 (18:33 +0100)] 
crypto: stop requiring "key encipherment" usage in x509 certs

This usage flag was deprecated by RFC8813, such that it is
forbidden to be present for certs using ECDSA/ECDH algorithms,
and in TLS 1.3 is conceptually obsolete.

As such many valid certs will no longer have this key usage
flag set, and QEMU should not be rejecting them, as this
prevents use of otherwise valid & desirable algorithms.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago crypto: allow client/server cert chains
matoro [Mon, 13 Feb 2023 18:00:49 +0000 (13:00 -0500)] 
crypto: allow client/server cert chains

The existing implementation assumes that client/server certificates are
single individual certificates.  If using publicly-issued certificates,
or internal CAs that use an intermediate issuer, this is unlikely to be
the case, and they will instead be certificate chains.  While this can
be worked around by moving the intermediate certificates to the CA
certificate, which DOES currently support multiple certificates, this
instead allows the issued certificate chains to be used as-is, without
requiring the overhead of shuffling certificates around.

Corresponding libvirt change is available here:
https://gitlab.com/libvirt/libvirt/-/merge_requests/222

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: matoro <matoro_mailinglist_qemu@matoro.tk>
[DB: adapted for code conflicts with multi-CA patch]
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago crypto: fix error reporting in cert chain checks
Daniel P. Berrangé [Wed, 9 Jul 2025 07:36:22 +0000 (08:36 +0100)] 
crypto: fix error reporting in cert chain checks

The loop that checks the CA certificate chain can fail to report
an error message if one of the certs in the chain has an issuer
that is not present in the chain. In this case, the outer loop
'while (checking_issuer)' will terminate after failing to find
the issuer, and no error message will be reported.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago crypto: validate an error is reported in test expected fails
Daniel P. Berrangé [Mon, 20 Oct 2025 14:04:39 +0000 (15:04 +0100)] 
crypto: validate an error is reported in test expected fails

There was a bug where TLS x509 credentials validation failed
to fill out the Error object. Validate this in the failure
scenarios.

Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago crypto: remove extraneous pointer usage in gnutls certs
Daniel P. Berrangé [Fri, 11 Jul 2025 12:30:07 +0000 (13:30 +0100)] 
crypto: remove extraneous pointer usage in gnutls certs

The 'gnutls_x509_crt_t' type is already a pointer, not a struct,
so the extra level of pointer indirection is not needed.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago crypto: only verify CA certs in chain of trust
Henry Kleynhans [Wed, 22 Dec 2021 15:06:00 +0000 (15:06 +0000)] 
crypto: only verify CA certs in chain of trust

The CA file provided to qemu may contain CA certificates which do not
form part of the chain of trust for the specific certificate we are
sanity checking.

This patch changes the sanity checking from validating every CA
certificate to only checking the CA certificates which are part of the
chain of trust (issuer chain).  Other certificates are ignored.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Henry Kleynhans <hkleynhans@fb.com>
[DB: changed 'int' to 'bool' in 'checking_issuer' variable]
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago io: fix use after free in websocket handshake code
Daniel P. Berrangé [Tue, 30 Sep 2025 11:03:15 +0000 (12:03 +0100)] 
io: fix use after free in websocket handshake code

If the QIOChannelWebsock object is freed while it is waiting to
complete a handshake, a GSource is leaked. This can lead to the
callback firing later on and triggering a use-after-free in the
use of the channel. This was observed in the VNC server with the
following trace from valgrind:

==2523108== Invalid read of size 4
==2523108==    at 0x4054A24: vnc_disconnect_start (vnc.c:1296)
==2523108==    by 0x4054A24: vnc_client_error (vnc.c:1392)
==2523108==    by 0x4068A09: vncws_handshake_done (vnc-ws.c:105)
==2523108==    by 0x44863B4: qio_task_complete (task.c:197)
==2523108==    by 0x448343D: qio_channel_websock_handshake_io (channel-websock.c:588)
==2523108==    by 0x6EDB862: UnknownInlinedFun (gmain.c:3398)
==2523108==    by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249)
==2523108==    by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237)
==2523108==    by 0x45EC79F: glib_pollfds_poll (main-loop.c:287)
==2523108==    by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310)
==2523108==    by 0x45EC79F: main_loop_wait (main-loop.c:589)
==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
==2523108==    by 0x454F300: qemu_default_main (main.c:37)
==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
==2523108==  Address 0x57a6e0dc is 28 bytes inside a block of size 103,608 free'd
==2523108==    at 0x5F2FE43: free (vg_replace_malloc.c:989)
==2523108==    by 0x6EDC444: g_free (gmem.c:208)
==2523108==    by 0x4053F23: vnc_update_client (vnc.c:1153)
==2523108==    by 0x4053F23: vnc_refresh (vnc.c:3225)
==2523108==    by 0x4042881: dpy_refresh (console.c:880)
==2523108==    by 0x4042881: gui_update (console.c:90)
==2523108==    by 0x45EFA1B: timerlist_run_timers.part.0 (qemu-timer.c:562)
==2523108==    by 0x45EFC8F: timerlist_run_timers (qemu-timer.c:495)
==2523108==    by 0x45EFC8F: qemu_clock_run_timers (qemu-timer.c:576)
==2523108==    by 0x45EFC8F: qemu_clock_run_all_timers (qemu-timer.c:663)
==2523108==    by 0x45EC765: main_loop_wait (main-loop.c:600)
==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
==2523108==    by 0x454F300: qemu_default_main (main.c:37)
==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
==2523108==  Block was alloc'd at
==2523108==    at 0x5F343F3: calloc (vg_replace_malloc.c:1675)
==2523108==    by 0x6EE2F81: g_malloc0 (gmem.c:133)
==2523108==    by 0x4057DA3: vnc_connect (vnc.c:3245)
==2523108==    by 0x448591B: qio_net_listener_channel_func (net-listener.c:54)
==2523108==    by 0x6EDB862: UnknownInlinedFun (gmain.c:3398)
==2523108==    by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249)
==2523108==    by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237)
==2523108==    by 0x45EC79F: glib_pollfds_poll (main-loop.c:287)
==2523108==    by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310)
==2523108==    by 0x45EC79F: main_loop_wait (main-loop.c:589)
==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
==2523108==    by 0x454F300: qemu_default_main (main.c:37)
==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
==2523108==

The above can be reproduced by launching QEMU with

  $ qemu-system-x86_64 -vnc localhost:0,websocket=5700

and then repeatedly running:

  for i in {1..100}; do
     (echo -n "GET / HTTP/1.1" && sleep 0.05) | nc -w 1 localhost 5700 &
  done

CVE-2025-11234
Reported-by: Grant Millar | Cylo <rid@cylo.io>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago io: move websock resource release to close method
Daniel P. Berrangé [Tue, 30 Sep 2025 10:58:35 +0000 (11:58 +0100)] 
io: move websock resource release to close method

The QIOChannelWebsock object releases all its resources in the
finalize callback. This is later than desired, as callers expect
to be able to call qio_channel_close() to fully close a channel
and release resources related to I/O.

The logic in the finalize method is at most a failsafe to handle
cases where a consumer forgets to call qio_channel_close.

This adds equivalent logic to the close method to release the
resources, using g_clear_handle_id/g_clear_pointer to be robust
against repeated invocations. The finalize method is tweaked
so that the GSource is removed before releasing the underlying
channel.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago io: release active GSource in TLS channel finalizer
Daniel P. Berrangé [Fri, 3 Oct 2025 13:22:12 +0000 (14:22 +0100)] 
io: release active GSource in TLS channel finalizer

While code is supposed to call qio_channel_close() before releasing the
last reference on a QIOChannel, this is not guaranteed. QIOChannelFile
and QIOChannelSocket both clean up resources in their finalizer if the
close operation was missed.

This ensures the TLS channel will do the same failsafe cleanup.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago tests: use macros for registering char tests for sockets
Daniel P. Berrangé [Thu, 3 Mar 2022 16:34:51 +0000 (16:34 +0000)] 
tests: use macros for registering char tests for sockets

The test-char.c has a couple of helper macros for registering tests that
need to be repeated for both IP and UNIX sockets. One test case was not
using the macro though.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago qom: use ERRP_GUARD in user_creatable_complete
Daniel P. Berrangé [Fri, 1 Aug 2025 16:39:58 +0000 (17:39 +0100)] 
qom: use ERRP_GUARD in user_creatable_complete

With error_propagate, the stack trace from any error_abort/fatal
usage will start from the error_propagate() call, which is largely
useless. Using ERRP_GUARD ensures the stack trace starts from
the origin that reported the error.

Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago crypto: propagate Error object on premature termination
Daniel P. Berrangé [Mon, 6 Oct 2025 18:46:21 +0000 (19:46 +0100)] 
crypto: propagate Error object on premature termination

The way that premature termination was handled in TLS connections was
changed to handle an ordering problem during graceful shutdown in the
migration code.

Unfortunately one of the codepaths returned -1 to indicate an error
condition, but failed to set the 'errp' parameter.

This broke error handling in the qio_channel_tls_handshake function,
as the QTask callback would no longer see that an error was raised.
As a result, the client will go on to try to use the already closed
TLS connection, resulting in misleading errors.

This was evidenced in the I/O test 233 which showed changes such as

-qemu-nbd: Certificate does not match the hostname localhost
+qemu-nbd: Failed to read initial magic: Unable to read from socket: Connection reset by peer

Fixes: 7e0c22d585581b8083ffdeb332ea497218665daf
Acked-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
5 weeks ago Merge tag 'pull-riscv-to-apply-20251024' of https://github.com/alistair23/qemu into...
Richard Henderson [Fri, 24 Oct 2025 08:53:02 +0000 (10:53 +0200)] 
Merge tag 'pull-riscv-to-apply-20251024' of https://github.com/alistair23/qemu into staging

Second RISC-V PR for 10.2

* Correct mmu-type property of sifive_u harts in device tree
* Centralize MO_TE uses in a pair of helpers
* Fix Ethernet interface support for microchip-icicle-kit
* Fix mask for smsiaddrcfgh
* Fix env->priv setting in reset_regs_csr()
* Coverity-related fixes
* Fix riscv_cpu_sirq_pending() mask
* Fix a uninitialized variable warning
* Make PMP granularity configurable

# gpg: Signature made Fri 24 Oct 2025 01:47:10 AM CEST
# gpg:                using RSA key 6AE902B6A7CA877D6D659296AF7C95130C538013
# gpg: Good signature from "Alistair Francis <alistair@alistair23.me>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6AE9 02B6 A7CA 877D 6D65  9296 AF7C 9513 0C53 8013

* tag 'pull-riscv-to-apply-20251024' of https://github.com/alistair23/qemu: (25 commits)
  target/riscv: Make PMP CSRs conform to WARL constraints
  target/riscv: Make PMP granularity configurable
  target/riscv: Fix a uninitialized variable warning
  target/riscv: fix riscv_cpu_sirq_pending() mask
  target/riscv/riscv-qmp-cmds.c: coverity-related fixes
  target/riscv/kvm: fix env->priv setting in reset_regs_csr()
  hw/intc: Allow gaps in hartids for aclint and aplic
  aplic: fix mask for smsiaddrcfgh
  microchip icicle: Enable PCS on Cadence Ethernet
  hw/net/cadence_gem: Add pcs-enabled property
  hw/riscv: microchip_pfsoc: Connect Ethernet PHY channels
  hw/net/cadence_gem: Support two Ethernet interfaces connected to single MDIO bus
  target/riscv: Introduce mo_endian_env() helper
  target/riscv: Introduce mo_endian() helper
  target/riscv: Factor MemOp variable out when MO_TE is set
  target/riscv: Conceal MO_TE|MO_ALIGN within gen_lr() / gen_sc()
  target/riscv: Conceal MO_TE within gen_cmpxchg*()
  target/riscv: Conceal MO_TE within gen_storepair_tl()
  target/riscv: Conceal MO_TE within gen_fload_idx() / gen_fstore_idx()
  target/riscv: Conceal MO_TE within gen_load_idx() / gen_store_idx()
  ...

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
5 weeks ago target/riscv: Make PMP CSRs conform to WARL constraints
Jay Chang [Wed, 22 Oct 2025 02:41:41 +0000 (10:41 +0800)] 
target/riscv: Make PMP CSRs conform to WARL constraints

This patch ensures pmpcfg and pmpaddr comply with WARL constraints.

When the PMP granularity is greater than 4 bytes, NA4 mode is not valid
per the spec and will be silently ignored.

According to the spec, changing pmpcfg.A only affects the "read" value
of pmpaddr. When G > 2 and pmpcfg.A is NAPOT, bits pmpaddr[G-2:0] read
as all ones. When G > 1 and pmpcfg.A is OFF or TOR, bits pmpaddr[G-1:0]
read as all zeros. This allows software to read back the correct
granularity value.

In addition, when updating the PMP address rule in TOR mode,
the start and end addresses of the PMP region should be aligned
to the PMP granularity. (The current SPEC only states in TOR mode
that bits pmpaddr[G-1:0] do not affect the TOR address-matching logic.)

Signed-off-by: Jay Chang <jay.chang@sifive.com>
Reviewed-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Jim Shu <jim.shu@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251022024141.42178-3-jay.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Make PMP granularity configurable
Jay Chang [Wed, 22 Oct 2025 02:41:40 +0000 (10:41 +0800)] 
target/riscv: Make PMP granularity configurable

Previously, the PMP granularity in qemu always used a minimum
granularity of 4 bytes; this patch adds pmp-granularity to allow
platforms to configure the value.

A new CPU parameter pmp-granularity has been introduced to the QEMU
command line. For example:

        -cpu rv64,g=true,c=true,pmp=true,pmp-granularity=1024

If no specific value is provided, the default value is 4 bytes.

Signed-off-by: Jay Chang <jay.chang@sifive.com>
Reviewed-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Jim Shu <jim.shu@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251022024141.42178-2-jay.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Fix a uninitialized variable warning
Akihiko Odaki [Tue, 21 Oct 2025 05:07:14 +0000 (14:07 +0900)] 
target/riscv: Fix a uninitialized variable warning

riscv_cpu_validate_v() left its variable, min_vlen, uninitialized if
no vector extension is available, causing a compiler warning.

Re-define riscv_cpu_validate_v() as no-op when no vector extension is
available to prevent the scenario that will read the uninitialized
variable by construction. It also simplifies its caller as a bonus.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Message-ID: <20251021-vlen-v2-1-1fb581d4c6bf@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: fix riscv_cpu_sirq_pending() mask
Daniel Henrique Barboza [Wed, 22 Oct 2025 12:43:40 +0000 (09:43 -0300)] 
target/riscv: fix riscv_cpu_sirq_pending() mask

We're filtering out (MIP_VSSIP | MIP_VSTIP | MIP_VSEIP) from S-mode
pending interrupts without apparent reason. There's no special treatment
for these ints as far as the spec goes, and this filtering is causing
read_stopi() to miss those VS interrupts [1].

We shouldn't return delegated VS interrupts in S-mode though, so change
the current mask with "~env->hideleg". Note that this is the same
handling we're doing in riscv_cpu_mirq_pending() and env->mideleg.

[1] https://gitlab.com/qemu-project/qemu/-/issues/2820

Closes: https://gitlab.com/qemu-project/qemu/-/issues/2820
Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251022124340.493358-1-dbarboza@ventanamicro.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Cc: qemu-stable@nongnu.org
5 weeks ago target/riscv/riscv-qmp-cmds.c: coverity-related fixes
Daniel Henrique Barboza [Wed, 22 Oct 2025 12:56:43 +0000 (09:56 -0300)] 
target/riscv/riscv-qmp-cmds.c: coverity-related fixes

Coverity CID 1641401 reports that, in reg_is_ulong_integer(), we're
dereferencing a NULL pointer in "reg1" when using it in strcasecmp()
call. A similar case is reported with CID 1641393.

In theory that will never happen - it's guaranteed that both "reg1" and
"reg2" are non-NULL because we're retrieving them in compile-time from
static arrays. Coverity doesn't know that though.

To make Coverity happier and add a bit more clarity in the code,
g_assert() each token to make it clear that those 2 values aren't
supposed to be NULL ever. Do that in both reg_is_ulong_integer() and
reg_is_u64_fpu().

We're also taking the opportunity to implement suggestions made by Peter
in [1] in both functions:

- use g_strsplit() instead of strtok();
- use g_ascii_strcasecmp() instead of strcasecmp().

[1] https://lore.kernel.org/qemu-devel/CAFEAcA_y4bwd9GANbXnpTy2mv80Vg_jp+A-VkQS5V6f0+BFRAA@mail.gmail.com/

Coverity: CID 1641393, 1641401
Fixes: e06d209aa6 ("target/riscv: implement MonitorDef HMP API")
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251022125643.588947-1-dbarboza@ventanamicro.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv/kvm: fix env->priv setting in reset_regs_csr()
Daniel Henrique Barboza [Wed, 22 Oct 2025 11:11:05 +0000 (08:11 -0300)] 
target/riscv/kvm: fix env->priv setting in reset_regs_csr()

This patch was originally made by Gitlab user Bo Gan (@ganboing) 4
months ago in the context of issue [1]. I asked the author to send a
patch to the mailing list ~3 months ago and got no reply. I'm sending
the patch myself because we already missed 10.1 without this fix.

I'll also just post Bo Gan's comment verbatim in the commit msg:

"In RISCV Linux with KVM enabled, gdbstub is broken. The
get_physical_address isn't able to page-walk correctly and resolve the
physical page. This is due to that the vcpu is being treated as starting
in M mode even if KVM enabled. However, with KVM, the vcpu is actually
started in S mode. The mmu_idx will give 3 (M), instead of 1 (S),
resulting in Guest PA == VA (wrong)!"

Set env->priv to PRV_S in kvm_riscv_reset_regs_csr() since the VCPU is
always started in S-mode for KVM.

[1] https://gitlab.com/qemu-project/qemu/-/issues/2991

Cc: qemu-stable@nongnu.org
Closes: https://gitlab.com/qemu-project/qemu/-/issues/2991
Originally-by: Bo Gan (@ganboing in Gitlab)
Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251022111105.483992-1-dbarboza@ventanamicro.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago hw/intc: Allow gaps in hartids for aclint and aplic
Djordje Todorovic [Sat, 18 Oct 2025 15:45:28 +0000 (15:45 +0000)] 
hw/intc: Allow gaps in hartids for aclint and aplic

This is needed for riscv based CPUs by MIPS since those may have
sparse hart-ID layouts. ACLINT and APLIC still assume a dense
range, and if a hart is missing, this causes NULL derefs.

Signed-off-by: Chao-ying Fu <cfu@mips.com>
Signed-off-by: Djordje Todorovic <djordje.todorovic@htecgroup.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251018154522.745788-2-djordje.todorovic@htecgroup.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago aplic: fix mask for smsiaddrcfgh
Jialong Yang [Sat, 11 Oct 2025 00:54:39 +0000 (08:54 +0800)] 
aplic: fix mask for smsiaddrcfgh

 4.5.4. Supervisor MSI address configuration (smsiaddrcfg and
   smsiaddrcfgh)
smsiaddrcfgh:
        bits 22:20 LHXS(WARL)
        bits 11:0  High Base PPN(WARL)

Signed-off-by: Jialong Yang <z_bajeer@yeah.net>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <44f3e0d1.161.199d0c338b0.Coremail.z_bajeer@yeah.net>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Cc: qemu-stable@nongnu.org
5 weeks ago microchip icicle: Enable PCS on Cadence Ethernet
Guenter Roeck [Sat, 4 Oct 2025 20:00:49 +0000 (13:00 -0700)] 
microchip icicle: Enable PCS on Cadence Ethernet

PCS needs to be enabled for SGMII to be supported by the Linux kernel.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251004200049.871646-5-linux@roeck-us.net>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago hw/net/cadence_gem: Add pcs-enabled property
Guenter Roeck [Sat, 4 Oct 2025 20:00:48 +0000 (13:00 -0700)] 
hw/net/cadence_gem: Add pcs-enabled property

The Linux kernel checks the PCS disabled bit in the R_DESCONF register
to determine if SGMII is supported. If the bit is set, SGMII support is
disabled. Since the Microchip Icicle devicetree file configures SGMII
interface mode, enabling the Ethernet interfaces fails when booting
the Linux kernel.

Add pcs-enabled property to let the driver know if PCS should be
enabled. Set the flag to false by default (indicating that PCS is disabled)
to match the existing code.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251004200049.871646-4-linux@roeck-us.net>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago hw/riscv: microchip_pfsoc: Connect Ethernet PHY channels
Guenter Roeck [Sat, 4 Oct 2025 20:00:47 +0000 (13:00 -0700)] 
hw/riscv: microchip_pfsoc: Connect Ethernet PHY channels

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251004200049.871646-3-linux@roeck-us.net>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago hw/net/cadence_gem: Support two Ethernet interfaces connected to single MDIO bus
Guenter Roeck [Sat, 4 Oct 2025 20:00:46 +0000 (13:00 -0700)] 
hw/net/cadence_gem: Support two Ethernet interfaces connected to single MDIO bus

The Microchip PolarFire SoC Icicle Kit supports two Ethernet interfaces.
The PHY on each may be connected to separate MDIO busses, or both may be
connected on the same MDIO bus using different PHY addresses.

To be able to support two PHY instances on a single MDIO bus, two properties
are needed: First, there needs to be a flag indicating if the MDIO bus on
a given Ethernet interface is connected. If not, attempts to read from this
bus must always return 0xffff. Implement this property as phy-connected.
Second, if the MDIO bus on an interface is active, it needs a link to the
consumer interface to be able to provide PHY access for it. Implement this
property as phy-consumer.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251004200049.871646-2-linux@roeck-us.net>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Introduce mo_endian_env() helper
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 15:50:44 +0000 (17:50 +0200)] 
target/riscv: Introduce mo_endian_env() helper

mo_endian_env() returns the target endianness from CPUArchState.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251010155045.78220-14-philmd@linaro.org>
[ Changes by AF:
 - Only define mo_endian_env() for softmmu
]
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Introduce mo_endian() helper
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 15:50:43 +0000 (17:50 +0200)] 
target/riscv: Introduce mo_endian() helper

mo_endian() returns the target endianness from DisasContext.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251010155045.78220-13-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Factor MemOp variable out when MO_TE is set
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 15:50:42 +0000 (17:50 +0200)] 
target/riscv: Factor MemOp variable out when MO_TE is set

In preparation of automatically replacing the MO_TE flag
in the next commit, use a local @memop variable.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251010155045.78220-12-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Conceal MO_TE|MO_ALIGN within gen_lr() / gen_sc()
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 15:50:41 +0000 (17:50 +0200)] 
target/riscv: Conceal MO_TE|MO_ALIGN within gen_lr() / gen_sc()

All callers of gen_lr() / gen_sc() set the MO_TE and MO_ALIGN flags.
Set them once in the callees.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251010155045.78220-11-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Conceal MO_TE within gen_cmpxchg*()
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 15:50:40 +0000 (17:50 +0200)] 
target/riscv: Conceal MO_TE within gen_cmpxchg*()

All callers of gen_cmpxchg() / gen_cmpxchg64() set the MO_TE flag.
Set it once in the callees.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251010155045.78220-10-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Conceal MO_TE within gen_storepair_tl()
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 15:50:39 +0000 (17:50 +0200)] 
target/riscv: Conceal MO_TE within gen_storepair_tl()

All callers of gen_storepair_tl() set the MO_TE flag. Set it once in
the callee.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251010155045.78220-9-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Conceal MO_TE within gen_fload_idx() / gen_fstore_idx()
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 15:50:38 +0000 (17:50 +0200)] 
target/riscv: Conceal MO_TE within gen_fload_idx() / gen_fstore_idx()

All callers of gen_fload_idx() / gen_fstore_idx() set the MO_TE flag.
Set it once in the callees.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251010155045.78220-8-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Conceal MO_TE within gen_load_idx() / gen_store_idx()
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 15:50:37 +0000 (17:50 +0200)] 
target/riscv: Conceal MO_TE within gen_load_idx() / gen_store_idx()

All callers of gen_load_idx() / gen_store_idx() set the MO_TE flag.
Set it once in the callees.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251010155045.78220-7-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Conceal MO_TE within gen_load() / gen_store()
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 15:50:36 +0000 (17:50 +0200)] 
target/riscv: Conceal MO_TE within gen_load() / gen_store()

All callers of gen_load() / gen_store() set the MO_TE flag.
Set it once in the callees.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251010155045.78220-6-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Conceal MO_TE within gen_inc()
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 15:50:35 +0000 (17:50 +0200)] 
target/riscv: Conceal MO_TE within gen_inc()

All callers of gen_inc() set the MO_TE flag. Set it once in
the callee.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251010155045.78220-5-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Conceal MO_TE within gen_amo()
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 15:50:34 +0000 (17:50 +0200)] 
target/riscv: Conceal MO_TE within gen_amo()

All callers of gen_amo() set the MO_TE flag. Set it once in
the callee.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251010155045.78220-4-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago target/riscv: Explode MO_TExx -> MO_TE | MO_xx
Philippe Mathieu-Daudé [Fri, 10 Oct 2025 15:50:33 +0000 (17:50 +0200)] 
target/riscv: Explode MO_TExx -> MO_TE | MO_xx

Extract the implicit MO_TE definition in order to replace
it in the next commit.

Mechanical change using:

  $ for n in UW UL UQ UO SW SL SQ; do \
      sed -i -e "s/MO_TE$n/MO_TE | MO_$n/" \
           $(git grep -l MO_TE$n target/hexagon); \
    done

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251010155045.78220-3-philmd@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
5 weeks ago hw/riscv: Correct mmu-type property of sifive_u harts in device tree
Zejun Zhao [Mon, 13 Oct 2025 13:32:42 +0000 (21:32 +0800)] 
hw/riscv: Correct mmu-type property of sifive_u harts in device tree

Correct mmu-type property of sifive_u harts from Sv48 to Sv39 in 64-bit
mode since it's the only supported SATP mode.

Signed-off-by: Zejun Zhao <jelly.zhao.42@gmail.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Message-ID: <20251013133242.1945681-1-jelly.zhao.42@gmail.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Cc: qemu-stable@nongnu.org
5 weeks ago Merge tag 'pull-target-arm-20251023' of https://gitlab.com/pm215/qemu into staging
Richard Henderson [Thu, 23 Oct 2025 18:17:27 +0000 (13:17 -0500)] 
Merge tag 'pull-target-arm-20251023' of https://gitlab.com/pm215/qemu into staging

target-arm queue:
 * target/arm: Enable FEAT_AIE for -cpu max
 * target/arm: Fix reads of CNTFRQ_EL0 in linux-user mode
 * target/arm: Implement SME2 support in gdbstub
 * hw/intc/arm_gicv3_dist: Implement GICD_TYPER2 as 0
 * hw/intc/arm_gicv3_kvm: Avoid reading ICC_CTLR_EL1 from kernel in cpuif reset
 * MAINTAINERS: Claim the Arm XML in gdb-xml
 * hw/net/rocker: Don't overflow in of_dpa_mask2prefix()

# gpg: Signature made Thu 23 Oct 2025 09:54:23 AM CDT
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [unknown]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [unknown]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [unknown]
# gpg:                 aka "Peter Maydell <peter@archaic.org.uk>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20251023' of https://gitlab.com/pm215/qemu:
  hw/net/rocker: Don't overflow in of_dpa_mask2prefix()
  tests/tcg/aarch64: Add test case for SME2 gdbstub registers
  target/arm: Implement org.gnu.gdb.aarch64.tls XML feature in gdbstub
  target/arm: Implement SME2 support in gdbstub
  MAINTAINERS: Claim the Arm XML in gdb-xml
  hw/intc/arm_gicv3_kvm: Avoid reading ICC_CTLR_EL1 from kernel in cpuif reset
  target/arm: Fix reads of CNTFRQ_EL0 in linux-user mode
  target/arm: Enable FEAT_AIE for -cpu max
  target/arm: Honor param.aie in get_phys_addr_lpae
  target/arm: Use el local indexing mair_el
  target/arm: Drop trivial assert vs attrindx
  target/arm: Add AIE to ARMVAParameters
  target/arm: Implement MAIR2_ELx and AMAIR2_ELx
  target/arm: Add isar feature test for FEAT_AIE
  hw/intc/arm_gicv3_kvm: Drop DPRINTF macro
  hw/intc/arm_gicv3_dist: Implement GICD_TYPER2 as 0

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
5 weeks ago Merge tag 'uefi-20251023--pull-request' of https://gitlab.com/kraxel/qemu into staging
Richard Henderson [Thu, 23 Oct 2025 18:17:04 +0000 (13:17 -0500)] 
Merge tag 'uefi-20251023--pull-request' of https://gitlab.com/kraxel/qemu into staging

hw/uefi: fix memory leak

# gpg: Signature made Thu 23 Oct 2025 08:28:02 AM CDT
# gpg:                using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [unknown]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [unknown]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* tag 'uefi-20251023--pull-request' of https://gitlab.com/kraxel/qemu:
  hw/uefi/ovmf-log: Fix memory leak in hmp_info_firmware_log

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
5 weeks ago Merge tag 'pull-ppc-for-10.2-d2-20251023-1' of https://gitlab.com/harshpb/qemu into...
Richard Henderson [Thu, 23 Oct 2025 18:16:45 +0000 (13:16 -0500)] 
Merge tag 'pull-ppc-for-10.2-d2-20251023-1' of https://gitlab.com/harshpb/qemu into staging

ppc queue for 10.2

* FADUMP Support for pSeries
* Pegasos II cleanup and Pegasos I emulation
* Deprecation of pseries 3.0 up till 4.2
* Coverity fix for amigaone (CID: 1641398)

# gpg: Signature made Thu 23 Oct 2025 07:11:26 AM CDT
# gpg:                using RSA key 6B810CD6D2BE10F3883D21424544E994F9D68FBB
# gpg: Good signature from "Harsh Prateek Bora <harsh.prateek.bora@gmail.com>" [undefined]
# gpg:                 aka "Harsh Prateek Bora <harshpb@linux.ibm.com>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6B81 0CD6 D2BE 10F3 883D  2142 4544 E994 F9D6 8FBB

* tag 'pull-ppc-for-10.2-d2-20251023-1' of https://gitlab.com/harshpb/qemu: (32 commits)
  MAINTAINERS: Add entry for FADump (pSeries)
  tests/functional: Add test for fadump in PSeries
  hw/ppc: Enable fadump for PSeries
  hw/ppc: Pass dump-sizes property for fadump in device tree
  hw/ppc: Implement saving CPU state in Fadump
  hw/ppc: Preserve memory regions registered for fadump
  hw/ppc: Trigger Fadump boot if fadump is registered
  hw/ppc: Implement fadump register command
  hw/ppc/pegasos2: Add VOF support for pegasos1
  hw/ppc/pegasos2: Add Pegasos I emulation
  hw/ppc/pegasos2: Add bus frequency to machine state
  hw/ppc/pegasos2: Introduce abstract superclass
  hw/ppc/pegasos2: Move hardware specific parts out of machine reset
  hw/ppc/pegasos2: Move PCI IRQ routing setup to a function
  hw/ppc/pegasos2: Add south bridge pointer in the machine state
  hw/ppc/pegasos2: Rename mv field in machine state
  hw/ppc/pegasos2: Remove fdt pointer from machine state
  hw/ppc/pegasos2: Change device tree generation
  hw/ppc/pegasos2: Remove explicit name properties from device tree
  ppc/vof: Make nextprop behave more like Open Firmware
  ...

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
5 weeks ago Merge tag 'pull-loongarch-20251023' of https://github.com/bibo-mao/qemu into staging
Richard Henderson [Thu, 23 Oct 2025 18:16:24 +0000 (13:16 -0500)] 
Merge tag 'pull-loongarch-20251023' of https://github.com/bibo-mao/qemu into staging

loongarch queue

# gpg: Signature made Thu 23 Oct 2025 06:44:36 AM CDT
# gpg:                using EDDSA key 0D8642A3A2659F80B0B3D1A41F7B0C1251ACE7D1
# gpg: Good signature from "bibo mao <maobibo@loongson.cn>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 7044 3A00 19C0 E97A 31C7  13C4 8E86 8FB7 A176 9D4C
#      Subkey fingerprint: 0D86 42A3 A265 9F80 B0B3  D1A4 1F7B 0C12 51AC E7D1

* tag 'pull-loongarch-20251023' of https://github.com/bibo-mao/qemu:
  target/loongarch: Add bit A/D checking in TLB entry with PTW supported
  target/loongarch: Update matched ptw bit A/D with PTW supported
  target/loongarch: Add basic hardware PTW support
  target/loongarch: Add common interface update_tlb_index()
  target/loongarch: Add field tlb_index to record TLB search info
  target/loongarch: Move last PTE lookup into page table walker loop
  target/loongarch: Reserve higher 48 bit PTE attribute with huge page
  target/loongarch: Add debug parameter with loongarch_page_table_walker()
  target/loongarch: Add MMUContext parameter in fill_tlb_entry()
  target/loongarch: target/loongarch: Add common function get_tlb_random_index()
  target/loongarch: Add function sptw_prepare_tlb before adding tlb entry
  target/loongarch: Add present and write bit with pte entry
  target/loongarch: Add CSR_PWCH write helper function
  target/loongarch: Use auto method with PTW feature

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
5 weeks ago hw/net/rocker: Don't overflow in of_dpa_mask2prefix()
Peter Maydell [Thu, 16 Oct 2025 14:54:07 +0000 (15:54 +0100)] 
hw/net/rocker: Don't overflow in of_dpa_mask2prefix()

In of_dpa_mask2prefix() we do "(2 << i)" for a loop where i can go up
to 31.  At i == 31 we shift off the top end of an integer.  This
doesn't actually calculate the wrong value in practice, because we
calculate 0 - 1 which is the 0xffffffff mask we wanted (and for QEMU
shifting off the top of a signed integer is not UB); but it makes
Coverity complain.

We could fix this simply by using "2ULL" (where the "(2ULL << i) - 1"
expression also evaluates to 0xffffffff for i == 31), but in fact
this function is a slow looping implementation of counting the number
of trailing zeroes in the (network-order) input mask:

 0bxxxxxxxxx1 => 32
 0bxxxxxxxx10 => 31
 0bxxxxxxx100 => 30
 ...
 0bx100000000 => 2
 0b1000000000 => 1
 0b0000000000 => 0

Replace the implementation with 32 - ctz32().

Coverity: CID 1547602
Suggested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20251016145407.781978-1-peter.maydell@linaro.org
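
The equivalence described in the commit message above, as an added example that is not QEMU's code: a looping count written with the "2ULL" form is compared against 32 minus the trailing-zero count for every contiguous netmask and a few constructed non-contiguous values. The names `prefix_by_loop`, `prefix_by_ctz`, `ctz32_sketch` and `count_mismatches` are hypothetical, and the mask is assumed to be already in host byte order (the network-order conversion is left out).

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a count-trailing-zeros helper.
 * Assumption: it returns 32 for an all-zero input. */
static int ctz32_sketch(uint32_t v)
{
    int n = 0;

    if (v == 0) {
        return 32;
    }
    while (!(v & 1u)) {
        v >>= 1;
        n++;
    }
    return n;
}

/* Looping form: one decrement for each i whose low (i + 1) bits are all
 * clear. The 2ULL constant keeps the i == 31 shift inside a 64-bit type,
 * so (2ULL << 31) - 1 is 0xffffffff with no overflow. */
int prefix_by_loop(uint32_t mask_host)
{
    int count = 32;

    for (int i = 0; i < 32; i++) {
        if (!(mask_host & ((2ULL << i) - 1))) {
            count--;
        }
    }
    return count;
}

/* Closed form: the loop above counts trailing zero bits. */
int prefix_by_ctz(uint32_t mask_host)
{
    return 32 - ctz32_sketch(mask_host);
}

/* Returns the number of inputs on which the two forms disagree, or on
 * which a contiguous /len mask does not map back to len. */
int count_mismatches(void)
{
    /* Constructed non-contiguous values: neither form validates that the
     * mask is contiguous, they only have to agree with each other. */
    static const uint32_t odd[] = {
        0x00000001u, 0x80000001u, 0x00ff00f0u, 0x12345678u
    };
    int bad = 0;

    for (int len = 0; len <= 32; len++) {
        uint32_t m = len == 0 ? 0 : (uint32_t)(0xffffffffULL << (32 - len));

        if (prefix_by_loop(m) != len || prefix_by_ctz(m) != len) {
            bad++;
        }
    }
    for (size_t k = 0; k < sizeof(odd) / sizeof(odd[0]); k++) {
        if (prefix_by_loop(odd[k]) != prefix_by_ctz(odd[k])) {
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    printf("/24 mask -> loop %d, ctz %d\n",
           prefix_by_loop(0xffffff00u), prefix_by_ctz(0xffffff00u));
    printf("mismatches: %d\n", count_mismatches());
    return count_mismatches() != 0;
}
```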

5 weeks ago tests/tcg/aarch64: Add test case for SME2 gdbstub registers
Peter Maydell [Fri, 17 Oct 2025 15:30:27 +0000 (16:30 +0100)] 
tests/tcg/aarch64: Add test case for SME2 gdbstub registers

Test the SME2 register exposure over gdbstub, in the same way
we already do for SME.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20251017153027.969016-4-peter.maydell@linaro.org

5 weeks ago target/arm: Implement org.gnu.gdb.aarch64.tls XML feature in gdbstub
Peter Maydell [Fri, 17 Oct 2025 15:30:26 +0000 (16:30 +0100)] 
target/arm: Implement org.gnu.gdb.aarch64.tls XML feature in gdbstub

GDB expects the TLS registers to be exposed via org.gnu.gdb.aarch64.tls,
which will contain either just "tpidr", or else "tpidr" and "tpidr2".

This will be important for SME in future, because the lazy state
restoration scheme requires GDB to use the TPIDR2 information.
GDB doesn't currently implement that, but we should provide the
register via the XML so that we are ready when future GDB versions
support it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20251017153027.969016-3-peter.maydell@linaro.org

5 weeks ago target/arm: Implement SME2 support in gdbstub
Peter Maydell [Fri, 17 Oct 2025 15:30:25 +0000 (16:30 +0100)] 
target/arm: Implement SME2 support in gdbstub

For SME2, we need to expose the new ZT0 register in the gdbstub XML.
gdb documents that the requirements are:

> The ‘org.gnu.gdb.aarch64.sme2’ feature is optional.  If present,
> then the ‘org.gnu.gdb.aarch64.sme’ feature must also be present.
> The ‘org.gnu.gdb.aarch64.sme2’ feature should contain the
> following:
>
>    - ZT0 is a register of 512 bits (64 bytes).  It is defined as a
>      vector of bytes.

Implement this.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20251017153027.969016-2-peter.maydell@linaro.org

5 weeks ago MAINTAINERS: Claim the Arm XML in gdb-xml
Peter Maydell [Fri, 17 Oct 2025 15:42:44 +0000 (16:42 +0100)] 
MAINTAINERS: Claim the Arm XML in gdb-xml

Add F: entries to the Arm CPU section to claim the Arm related
XML files in gdb-xml.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20251017154244.971608-1-peter.maydell@linaro.org

5 weeks ago hw/intc/arm_gicv3_kvm: Avoid reading ICC_CTLR_EL1 from kernel in cpuif reset
Peter Maydell [Thu, 23 Oct 2025 12:12:50 +0000 (13:12 +0100)] 
hw/intc/arm_gicv3_kvm: Avoid reading ICC_CTLR_EL1 from kernel in cpuif reset

Currently in arm_gicv3_icc_reset() we read the kernel's value of
ICC_CTLR_EL1 as part of resetting the CPU interface.  This mostly
works, but we're actually breaking an assumption the kernel makes
that userspace only accesses the in-kernel GIC data when the VM is
totally paused, which may not be the case if a single vCPU is being
reset.  The effect is that it's possible that the read attempt
returns EBUSY.

Avoid this by reading the kernel's value of the reset ICC_CTLR_EL1
once in device realize. This brings ICC_CTLR_EL1 into line with
the other cpuif registers, where we assume we know what the kernel
is resetting them to and just update QEMU's data structures in
arm_gicv3_icc_reset().

Reviewed-by: Salil Mehta <salil.mehta@huawei.com>
Tested-by: Salil Mehta <salil.mehta@huawei.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20251014102439.319915-1-peter.maydell@linaro.org

5 weeks agotarget/arm: Fix reads of CNTFRQ_EL0 in linux-user mode
Peter Maydell [Thu, 23 Oct 2025 12:12:50 +0000 (13:12 +0100)] 
target/arm: Fix reads of CNTFRQ_EL0 in linux-user mode

In commit bd8e9ddf6f6 ("target/arm: Refactor default generic timer
frequency handling") we changed how we initialized the generic timer
frequency as reported in the CNTFRQ_EL0 register.  As part of that,
we changed the linux-user version of the CNTFRQ_EL0 sysreg from
having a constant value set at compile time through the .resetvalue
field to having a reset value which we compute in a .resetfn.

This accidentally broke the reading of CNTFRQ_EL0 in linux-user mode,
because the cpreg is marked as ARM_CP_CONST, which means we translate
it as a read of the compile-time constant value in the .resetvalue
field.  This is now zero, so userspace sees a 0 frequency value.

Fix the bug by dropping the ARM_CP_CONST marking.  This will cause us
to translate the read as a load of the value from the CPU state
struct cp15.c14_cntfrq field, which is where the real frequency value
now lives.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3159
Fixes: bd8e9ddf6f6 ("target/arm: Refactor default generic timer frequency handling")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20251013161040.216819-1-peter.maydell@linaro.org

5 weeks agotarget/arm: Enable FEAT_AIE for -cpu max
Richard Henderson [Thu, 23 Oct 2025 12:12:50 +0000 (13:12 +0100)] 
target/arm: Enable FEAT_AIE for -cpu max

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20251014195017.421681-8-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 weeks agotarget/arm: Honor param.aie in get_phys_addr_lpae
Richard Henderson [Thu, 23 Oct 2025 12:12:50 +0000 (13:12 +0100)] 
target/arm: Honor param.aie in get_phys_addr_lpae

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20251014195017.421681-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 weeks agotarget/arm: Use el local indexing mair_el
Richard Henderson [Thu, 23 Oct 2025 12:12:50 +0000 (13:12 +0100)] 
target/arm: Use el local indexing mair_el

We already have regime_el() computed to a local.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20251014195017.421681-6-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 weeks agotarget/arm: Drop trivial assert vs attrindx
Richard Henderson [Thu, 23 Oct 2025 12:12:50 +0000 (13:12 +0100)] 
target/arm: Drop trivial assert vs attrindx

We just extracted 3 bits; the <= 7 test is trivially true.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20251014195017.421681-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 weeks agotarget/arm: Add AIE to ARMVAParameters
Richard Henderson [Thu, 23 Oct 2025 12:12:50 +0000 (13:12 +0100)] 
target/arm: Add AIE to ARMVAParameters

Allow the bit to be set in TCR2;
extract the bit in aa64_va_parameters.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20251014195017.421681-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 weeks agotarget/arm: Implement MAIR2_ELx and AMAIR2_ELx
Richard Henderson [Thu, 23 Oct 2025 12:12:50 +0000 (13:12 +0100)] 
target/arm: Implement MAIR2_ELx and AMAIR2_ELx

Enable the SCR.AIEn bit in scr_write, and test it in aien_access.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20251014195017.421681-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 weeks agotarget/arm: Add isar feature test for FEAT_AIE
Richard Henderson [Thu, 23 Oct 2025 12:12:49 +0000 (13:12 +0100)] 
target/arm: Add isar feature test for FEAT_AIE

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20251014195017.421681-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 weeks agohw/intc/arm_gicv3_kvm: Drop DPRINTF macro
Peter Maydell [Thu, 23 Oct 2025 12:12:49 +0000 (13:12 +0100)] 
hw/intc/arm_gicv3_kvm: Drop DPRINTF macro

We don't generally like DPRINTF debug macros, preferring tracepoints.
In this case the macro is used in only three places (reset, realize,
and in the unlikely event the host kernel doesn't have GICv3 register
access support). These don't seem worth converting to tracepoints,
so simply delete the macro and its uses.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
5 weeks agohw/intc/arm_gicv3_dist: Implement GICD_TYPER2 as 0
Peter Maydell [Thu, 23 Oct 2025 12:12:49 +0000 (13:12 +0100)] 
hw/intc/arm_gicv3_dist: Implement GICD_TYPER2 as 0

The GIC distributor register GICD_TYPER2 is present when the
GICv4.1 is implemented, and RES0 otherwise. QEMU's TCG implementation
is only GICv4.0, so this register is RES0. However, since it's
reasonable for GICv4.1-aware software to read the register, expecting
the zero for GICv3 and GICv4.0, implement the case to avoid it being
logged as an invalid guest read.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
5 weeks agoMAINTAINERS: Add entry for FADump (pSeries)
Aditya Gupta [Tue, 21 Oct 2025 13:48:18 +0000 (19:18 +0530)] 
MAINTAINERS: Add entry for FADump (pSeries)

Add maintainer and reviewer for fadump subsystem.

Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Acked-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20251021134823.1861675-9-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agotests/functional: Add test for fadump in PSeries
Aditya Gupta [Tue, 21 Oct 2025 13:48:17 +0000 (19:18 +0530)] 
tests/functional: Add test for fadump in PSeries

Add testcases for testing fadump with PSeries and PSeries+KVM
combinations

It tests if fadump is successfully detected and registered in the first
kernel boot. Then crashes the kernel, and verifies whether we have a
/proc/vmcore in the 2nd boot

Also introduce 'wait_for_regex_console_pattern' to check for cases where
there is a single success message, but can have multiple failure
messages.

This is particularly useful for cases such as fadump, where the
success message is
    "Reserved 1024MB ... successfully"
But at the same point, it can fail with multiple errors such as
    "Not supported" or "Allocation failed"

'wait_for_regex_console_pattern' also has a timeout, for cases when we
know the success/failure should appear in a short amount of time,
instead of waiting for the much longer test timeout, such as kernels
with support of fadump will print the success/failure in earlyboot of
the kernel, while kernel without support of fadump won't print anything
for long time, and without a timeout the testcase keeps waiting till
longer test timeout

Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20251021134823.1861675-8-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agohw/ppc: Enable fadump for PSeries
Aditya Gupta [Tue, 21 Oct 2025 13:48:16 +0000 (19:18 +0530)] 
hw/ppc: Enable fadump for PSeries

With all support in place for preserving memory regions, enable fadump by
exporting the "ibm,kernel-dump" property in the device tree, representing
the fadump dump information, in case of a crash.

Currently "ibm,configure-kernel-dump" RTAS call is already registered,
which tells the kernel that the platform (QEMU) supports fadump.

Now, in case of a crash, if fadump was registered, we also pass
"ibm,kernel-dump" in device tree, which tells the kernel that the fadump
dump is active.

Pass "fadump=on" to enable Linux to use firmware assisted dump.

Logs of a linux boot with firmware assisted dump:

    $ ./build/qemu-system-ppc64 -M pseries,x-vof=on --cpu power10 --smp 4 -m 4G -kernel some-vmlinux -initrd some-initrd -append "debug fadump=on crashkernel=1G" -nographic

    [    0.000000] fadump: Reserved 1024MB of memory at 0x00000040000000 (System RAM: 4096MB)
    [    0.000000] fadump: Initialized 0x40000000 bytes cma area at 1024MB from 0x400102a8 bytes of memory reserved for firmware-assisted dump
    ...
    [    1.084686] rtas fadump: Registration is successful!
    ...
    # cat /sys/kernel/debug/powerpc/fadump_region
    CPU :[0x00000040000000-0x000000400013df] 0x13e0 bytes, Dumped: 0x0
    HPTE:[0x000000400013e0-0x000000400013df] 0x0 bytes, Dumped: 0x0
    DUMP: Src: 0x00000000000000, Dest: 0x00000040010000, Size: 0x40000000, Dumped: 0x0 bytes

    [0x0000000921a000-0x0000000921a7ff]: cmdline append: ''
    # echo c > /proc/sysrq-trigger

The fadump boot after crash:

    [    0.000000] rtas fadump: Firmware-assisted dump is active.
    [    0.000000] fadump: Updated cmdline: debug fadump=on crashkernel=1G
    [    0.000000] fadump: Firmware-assisted dump is active.
    [    0.000000] fadump: Reserving 3072MB of memory at 0x00000040000000 for preserving crash data
    ....
    # file /proc/vmcore
    /proc/vmcore: ELF 64-bit LSB core file, 64-bit PowerPC or cisco 7500, OpenPOWER ELF V2 ABI, version 1 (SYSV), SVR4-style

Analysing the vmcore with crash-utility:

          KERNEL: vmlinux-6.14-rc2
        DUMPFILE: vmcore-fc92fb373aa0
            CPUS: 4
            DATE: Wed Mar 12 23:39:23 CDT 2025
          UPTIME: 00:00:22
    LOAD AVERAGE: 0.13, 0.03, 0.01
           TASKS: 95
        NODENAME: buildroot
         RELEASE: 6.12.0-rc4+
         VERSION: #1 SMP Fri Jan  3 00:15:17 IST 2025
         MACHINE: ppc64le  (1000 Mhz)
          MEMORY: 4 GB
           PANIC: "Kernel panic - not syncing: sysrq triggered crash"
             PID: 269
         COMMAND: "sh"
            TASK: c00000000a050b00  [THREAD_INFO: c00000000a050b00]
             CPU: 0
           STATE: TASK_RUNNING (PANIC)

Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20251021134823.1861675-7-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agohw/ppc: Pass dump-sizes property for fadump in device tree
Aditya Gupta [Tue, 21 Oct 2025 13:48:15 +0000 (19:18 +0530)] 
hw/ppc: Pass dump-sizes property for fadump in device tree

Platform (ie. QEMU) is expected to pass few device tree properties for
details for fadump:

  * "ibm,configure-kernel-dump-sizes": Space required to store dump data
    for firmware provided dump sections (ie. CPU & HPTE regions)
  * "ibm,configure-kernel-dump-version": Versions of fadump supported

Pass the above device tree nodes so that kernel can reserve sufficient
space for preserving the CPU state data

Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20251021134823.1861675-6-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agohw/ppc: Implement saving CPU state in Fadump
Aditya Gupta [Tue, 21 Oct 2025 13:48:14 +0000 (19:18 +0530)] 
hw/ppc: Implement saving CPU state in Fadump

Kernel expects CPU states/register states in the format mentioned in
"Register Save Area" in PAPR.

The platform (in our case, QEMU) saves each CPU register in the form of
an array of "register entries", the start and end of this array is
signified by "CPUSTRT" and "CPUEND" register entries respectively.

The CPUSTRT and CPUEND register entry also has 4-byte logical CPU ID,
thus storing the CPU ID corresponding to the array of register entries.

Each register, and CPUSTRT, CPUEND has a predefined identifier.
Implement calculating identifier for a given register in
'fadump_str_to_u64', which has been taken from the linux kernel

Similarly GPRs also have predefined identifiers, and a corresponding
64-bit register value (split into two 32-bit cells). Implement
calculation of GPR identifiers with 'fadump_gpr_id_to_u64'

PAPR has restrictions on particular order of few registers, and is
free to be in any order for other registers.
Some registers mentioned in PAPR have not been exported as they are not
implemented in QEMU / don't make sense in QEMU.

Implement saving of CPU state according to the PAPR document

Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20251021134823.1861675-5-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agohw/ppc: Preserve memory regions registered for fadump
Aditya Gupta [Tue, 21 Oct 2025 13:48:13 +0000 (19:18 +0530)] 
hw/ppc: Preserve memory regions registered for fadump

While the first kernel boots, it registers memory regions for fadump
such as:
    * CPU state data  (has to be populated by the platform)
    * HPTE state data (has to be populated by the platform)
    * Real Mode Regions (platform should copy it to requested
      destination addresses)
    * OS defined regions (such as parameter save area)

Platform is also expected to modify the 'bytes_dumped' to the length of
data preserved/copied by platform (ideally same as the source length
passed by kernel).

The kernel passes source address and length for the memory regions, and
a destination address to where the memory is to be copied.

Implement the preserving/copying of the Real Mode Regions and the
Parameter Save Area in QEMU Pseries

The regions are copied in chunks instead of copying all at once.

Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20251021134823.1861675-4-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agohw/ppc: Trigger Fadump boot if fadump is registered
Aditya Gupta [Tue, 21 Oct 2025 13:48:12 +0000 (19:18 +0530)] 
hw/ppc: Trigger Fadump boot if fadump is registered

According to PAPR:

    R1–7.3.30–3. When the platform receives an ibm,os-term RTAS call, or
    on a system reset without an ibm,nmi-interlock RTAS call, if the
    platform has a dump structure registered through the
    ibm,configure-kernel-dump call, the platform must process each
    registered kernel dump section as required and, when available,
    present the dump structure information to the operating system
    through the “ibm,kernel-dump” property, updated with status for each
    dump section, until the dump has been invalidated through the
    ibm,configure-kernel-dump RTAS call.

If Fadump has been registered, trigger an Fadump boot (memory preserving
boot), if QEMU receives an 'ibm,os-term' rtas call.

Implementing the fadump boot as:
    * pause all vcpus (will need to save registers later)
    * preserve memory regions specified by fadump (will be implemented
      in future)
    * do a memory preserving reboot (GUEST_RESET in QEMU doesn't clear
      the memory)

Memory regions registered by fadump will be handled in a later patch.

Note: Preserving memory regions is not implemented yet so on an
"ibm,os-term" call will just trigger a reboot in QEMU if fadump is
registered, and the second kernel will boot as a normal boot (not
fadump boot)

Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20251021134823.1861675-3-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agohw/ppc: Implement fadump register command
Aditya Gupta [Tue, 21 Oct 2025 13:48:11 +0000 (19:18 +0530)] 
hw/ppc: Implement fadump register command

Add skeleton to handle "ibm,configure-kernel-dump" rtas call in QEMU,
including register, unregister and invalidate commands.

The register just verifies the structure of the fadump memory structure
passed by kernel, and set fadump_registered in spapr state to true.

Verify basic details mandated by the PAPR, such as number of
inputs/output, and add handling for the three fadump commands:
register/unregister/invalidate.

The checks are based on the table in following requirement in PAPR v2.13:
    "R1–7.3.30–1. For the Configure Platform Assisted Kernel Dump option ..."

Relevant section for the register command in PAPR is:
    Section 7.3.30: "ibm,configure-kernel-dump RTAS call" (PAPR v2.13)

Note: Any modifications made by the kernel to the fadump memory
structure after the 'ibm,configure-kernel-dump' RTAS call returns will
not be reflected in QEMU, as QEMU retains the fadump memory structure
that was provided during fadump registration.

The kernel must unregister and re-register fadump to apply any changes
to the fadump memory structure.

Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Tested-by: Shivang Upadhyay <shivangu@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20251021134823.1861675-2-adityag@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agohw/ppc/pegasos2: Add VOF support for pegasos1
BALATON Zoltan [Thu, 23 Oct 2025 00:06:19 +0000 (02:06 +0200)] 
hw/ppc/pegasos2: Add VOF support for pegasos1

When running without firmware ROM using Virtual Open Firmware we need
to do some hardware initialisation and provide the device tree as the
machine firmware would normally do.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/d2d7f173dbd436b47382f384d5a93eb7e713424e.1761176219.git.balaton@eik.bme.hu
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agohw/ppc/pegasos2: Add Pegasos I emulation
BALATON Zoltan [Thu, 23 Oct 2025 00:06:18 +0000 (02:06 +0200)] 
hw/ppc/pegasos2: Add Pegasos I emulation

The Pegasos II is a redesign of the original Pegasos (later marked I)
that replaces the north bridge and has updated firmware but otherwise
these are very similar. The Pegasos uses the same north bridge that
AmigaOne used which we already emulate so we can also easily emulate
Pegasos I.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/8f5bd07553b41d83a54f9df0bb93b76b22dea5c5.1761176219.git.balaton@eik.bme.hu
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agohw/ppc/pegasos2: Add bus frequency to machine state
BALATON Zoltan [Thu, 23 Oct 2025 00:06:17 +0000 (02:06 +0200)] 
hw/ppc/pegasos2: Add bus frequency to machine state

Store the bus frequency in the machine state and set it from instance
init method.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/b69e21e353b7d7f22a34db5f13443f60f51c7238.1761176219.git.balaton@eik.bme.hu
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agohw/ppc/pegasos2: Introduce abstract superclass
BALATON Zoltan [Thu, 23 Oct 2025 00:06:16 +0000 (02:06 +0200)] 
hw/ppc/pegasos2: Introduce abstract superclass

Rename machine state struct to PegasosMachineState as it will be used
for pegasos1 too.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/a09590a5da4572c9d392542f5c3793e6eb08ab9e.1761176219.git.balaton@eik.bme.hu
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agohw/ppc/pegasos2: Move hardware specific parts out of machine reset
BALATON Zoltan [Thu, 23 Oct 2025 00:06:15 +0000 (02:06 +0200)] 
hw/ppc/pegasos2: Move hardware specific parts out of machine reset

Move the pegasos2 specific chipset reset out from machine reset to a
separate function and move generic parts that are not pegasos2
specific from build_fdt to machine reset so now build_fdt only
contains pegasos2 specific parts and can be renamed accordingly.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/f6633a68a72aad4fefb8d2373b52561f8ca8d41d.1761176219.git.balaton@eik.bme.hu
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agohw/ppc/pegasos2: Move PCI IRQ routing setup to a function
BALATON Zoltan [Thu, 23 Oct 2025 00:06:14 +0000 (02:06 +0200)] 
hw/ppc/pegasos2: Move PCI IRQ routing setup to a function

Collect steps of setting up PCI IRQ routing in one function.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/f5ff16a6933ab6e1f9e194d16ef85364ac3cf6df.1761176219.git.balaton@eik.bme.hu
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agohw/ppc/pegasos2: Add south bridge pointer in the machine state
BALATON Zoltan [Thu, 23 Oct 2025 00:06:13 +0000 (02:06 +0200)] 
hw/ppc/pegasos2: Add south bridge pointer in the machine state

Add field for the south bridge in machine state to have both north and
south bridges in it.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/654d3223b418d5bb2ba08a2b014375c2abf341aa.1761176219.git.balaton@eik.bme.hu
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agohw/ppc/pegasos2: Rename mv field in machine state
BALATON Zoltan [Thu, 23 Oct 2025 00:06:12 +0000 (02:06 +0200)] 
hw/ppc/pegasos2: Rename mv field in machine state

Use more generic name for the field used to store the north bridge in
the machine state.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/f1c189f16a260377abe0d270e778f2738649446a.1761176219.git.balaton@eik.bme.hu
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agohw/ppc/pegasos2: Remove fdt pointer from machine state
BALATON Zoltan [Thu, 23 Oct 2025 00:06:10 +0000 (02:06 +0200)] 
hw/ppc/pegasos2: Remove fdt pointer from machine state

The machine class has a field for storing the fdt so we don't need our
own and can use that instead.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/f4355b8d2889aba19d28001e61ac3f9937fc5250.1761176219.git.balaton@eik.bme.hu
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agohw/ppc/pegasos2: Change device tree generation
BALATON Zoltan [Thu, 23 Oct 2025 00:06:09 +0000 (02:06 +0200)] 
hw/ppc/pegasos2: Change device tree generation

We generate a flattened device tree programmatically for VOF. Change
this to load the static parts from a device tree blob and only
generate the parts that depend on run time conditions such as CPU
type, memory size and PCI devices. Moving the static parts in a dts
makes the board code simpler and more generic.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/383891fc2696609b27d2de9773efe1b4f493e333.1761176219.git.balaton@eik.bme.hu
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agohw/ppc/pegasos2: Remove explicit name properties from device tree
BALATON Zoltan [Thu, 23 Oct 2025 00:06:08 +0000 (02:06 +0200)] 
hw/ppc/pegasos2: Remove explicit name properties from device tree

These are not needed any more now that VOF can handle it.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/fa36ab5a04e10c6acb89583f646aad83df2b0b13.1761176219.git.balaton@eik.bme.hu
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agoppc/vof: Make nextprop behave more like Open Firmware
BALATON Zoltan [Thu, 23 Oct 2025 00:06:07 +0000 (02:06 +0200)] 
ppc/vof: Make nextprop behave more like Open Firmware

The FDT does not normally store name properties but reconstructs it
from path but Open Firmware specification says each node should at
least have this property. This is correctly handled in getprop but
nextprop should also return it even if not present as a property.

Explicit name properties are still allowed because they are needed
e.g. on the root node that guests expect to have specific names as
seen on real machines instead of being empty so sometimes the node
name may need to be overridden. For example on pegasos MorphOS checks
the name of "/" and expects to find bplan,Pegasos2 which is how it
identifies the machine.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Link: https://lore.kernel.org/qemu-devel/366f14ce852415cc079727c54ac21a2aa6ff3917.1761176219.git.balaton@eik.bme.hu
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agoppc/amigaone: Free allocated struct
BALATON Zoltan [Wed, 22 Oct 2025 21:07:47 +0000 (23:07 +0200)] 
ppc/amigaone: Free allocated struct

In create_bd_info function a bd_info struct is allocated but never
freed. Mark it g_autofree to avoid leaking it.

Fixes: 34f053d86b (ppc/amigaone: Add kernel and initrd support)
Resolves: Coverity CID 1641398
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20251022211649.9A09E5972E5@zero.eik.bme.hu
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
5 weeks agoppc/spapr: remove deprecated machine pseries-4.2
Harsh Prateek Bora [Tue, 21 Oct 2025 08:43:45 +0000 (10:43 +0200)] 
ppc/spapr: remove deprecated machine pseries-4.2

Remove the pseries-4.2 machine specific logic as it had been deprecated and
is due for removal now as per policy.

Suggested-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/20251021084346.73671-12-philmd@linaro.org
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>