Jim MacArthur [Thu, 2 Apr 2026 14:20:29 +0000 (15:20 +0100)]
tcg/aarch64/tcg-target.c.inc: Manual replace of I3310, I3313
These are not formats in themselves, but extra constants to OR in with
the existing ldst_imm format.
Signed-off-by: Jim MacArthur <jim.macarthur@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260402-aarch64-tcg-instruction-format-rename2-v1-2-0998a08a515c@linaro.org>
Jim MacArthur [Thu, 2 Apr 2026 14:20:28 +0000 (15:20 +0100)]
tcg/aarch64/tcg-target.c.inc: Replacement of I3XXX names
Mechanical replacement of instruction format names of the form 'I3206'
etc. with more useful names. Where possible, names from a64.decode are
used. Includes manual fixes to whitespace.
Signed-off-by: Jim MacArthur <jim.macarthur@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260402-aarch64-tcg-instruction-format-rename2-v1-1-0998a08a515c@linaro.org>
hw/intc/xics: Add a check for an invalid server id
A malformed IVE value can result in an invalid server field being
passed to icp_irq(). The function assumes the server id is valid and
may access invalid state otherwise, potentially leading to a crash.
Fix this by validating the server id before using it and ignoring
invalid values.
Caleb Schlossin [Tue, 20 Jan 2026 15:01:39 +0000 (09:01 -0600)]
ppc/pnv: Add a nest MMU model
The nest MMU is used for translations needed by I/O subsystems
on Power10. The nest is the shared, on-chip infrastructure
that connects CPU cores, memory controllers, and I/O.
This patch sets up a basic skeleton with its xscom
area, mapping both needed xscom regions. Support required
for PowerVM bringup.
Use Power9 property for device tree to allow OPAL to
work with Power9 and Power10.
Reviewed-by: Chalapathi V <chalapathi.v@linux.ibm.com>
Reviewed-by: Glenn Miles <milesg@linux.ibm.com>
Signed-off-by: Frederic Barrat <fbarrat@linux.ibm.com>
Signed-off-by: Chalapathi V <chalapathi.v@linux.ibm.com>
Signed-off-by: Caleb Schlossin <calebs@linux.ibm.com>
Reviewed-by: Aditya Gupta <adityag@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20260120150139.714805-1-calebs@linux.ibm.com
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
With all MPIPL support in place, export a "dump" node in the device tree,
signifying that the PowerNV QEMU platform supports MPIPL.
Also, export the fw-load-area dt node, which has details about where the
kernel & initrd were loaded, so that the kernel can verify whether the
kernel/initrd images were loaded within the boot memory region. QEMU
just exports these details in fw-load-area; the check for the boot memory
region is done in the kernel.
Since the device tree can now change at pnv_reset, regenerate the device
tree during pnv_reset.
pnv/mpipl: Set thread entry size to be allocated by firmware
Set the "Thread Register State Entry Size" that is required by firmware
(OPAL) to know the size of memory to allocate to capture CPU state in the
event of a crash.
pnv/mpipl: Preserve memory regions as per MDST/MDDT tables
Implement copying of memory regions, as mentioned in the MDST and MDDT
tables.
Copy the memory regions from source to destination in chunks of 32MB.
Note that qemu can fail to preserve a particular entry for any reason,
such as:
* region length mismatch between MDST & MDDT
* failed copy due to access/decode/etc memory issues
HDAT doesn't specify any field in MDRT to notify the host about such errors.
Though HDAT section "15.3.1.3 Memory Dump Results Table (MDRT)" says:
The Memory Dump Results Table is a list of the memory ranges that
have been included in the dump
Based on the above statement, it looks like the MDRT should include only
those regions which are successfully captured in the dump; hence, regions
which qemu fails to dump just get skipped and will not have a
corresponding entry in the MDRT.
Fix this by handling the command in PowerNV SBE, and sending a response so
skiboot knows the SBE has handled the STASH command.
The stashed skiboot base is later used to access the relocated MDST/MDDT
tables when MPIPL is implemented.
The purpose of stashing the relocated base address is explained in the
following skiboot commit:
author Vasant Hegde <hegdevasant@linux.vnet.ibm.com> Fri Jul 12 16:47:51 2019 +0530
committer Oliver O'Halloran <oohall@gmail.com> Thu Aug 15 17:53:39 2019 +1000
SBE: Send OPAL relocated base address to SBE
OPAL relocates itself during boot. During memory preserving IPL hostboot needs
to access relocated OPAL base address to get MDST, MDDT tables. Hence send
relocated base address to SBE via 'stash MPIPL config' chip-op. During next
IPL SBE will send stashed data to hostboot... so that hostboot can access
these data.
During MPIPL (aka fadump), after a kernel crash, the kernel does the
opal_cec_reboot2 opal call, signifying an abnormal termination.
When OPAL receives this opal call, it further triggers the SBE S0 interrupt
to trigger an MPIPL boot.
Currently the S0 interrupt is unimplemented in QEMU.
Implement the S0 interrupt as 'pause_vcpus' + 'guest_reset' in QEMU, as the
SBE's implementation of S0 seems to be basically "stop all clocks" and
then "host reset".
pause_vcpus is done in a later patch when register preserving support is
added.
See 'stopClocksS0' in SBE source code for more information.
ppc/pnv: Move SBE host doorbell function to top of file
Moved 'pnv_sbe_set_host_doorbell' as-is to above
'pnv_sbe_power9_xscom_ctrl_write'.
This is done since, in a future patch, the S0 interrupt implementation uses
'pnv_sbe_set_host_doorbell', hence the host doorbell function needs to
be declared/defined before 'pnv_sbe_power9_xscom_ctrl_write', where we
implement the S0 interrupt.
Jaehoon Kim [Thu, 23 Apr 2026 19:59:18 +0000 (14:59 -0500)]
qapi/iothread: introduce poll-weight parameter for aio-poll
Introduce a configurable poll-weight parameter for adaptive polling
in IOThread. This parameter replaces the hardcoded POLL_WEIGHT_SHIFT
constant, allowing runtime control over how much the most recent
event interval affects the next polling duration calculation.
The poll-weight parameter uses a shift value where larger values
decrease the weight of the current interval, enabling more gradual
adjustments. When set to 0, a default value of 3 is used (meaning
the current interval contributes approximately 1/8 to the weighted
average).
This patch also removes the hardcoded default value checks from
adjust_polling_time(). Instead, poll-grow, poll-shrink, and
poll-weight now use default values initialized in iothread.c
during IOThread creation.
Signed-off-by: Jaehoon Kim <jhkim@linux.ibm.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Acked-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20260423195918.661299-4-jhkim@linux.ibm.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Jaehoon Kim [Thu, 23 Apr 2026 19:59:17 +0000 (14:59 -0500)]
aio-poll: refine iothread polling using weighted handler intervals
Improve adaptive polling by updating each AioHandler's poll.ns
every loop iteration using weighted averages. This reduces CPU
consumption while minimizing performance impact.
Background:
Starting from QEMU 10.0, poll.ns was introduced per event handler
to mitigate excessive fluctuations in IOThread polling times
observed in earlier versions (QEMU 9.x). However, the current
design has limitations:
1. poll.ns is updated only when an event occurs, making it
difficult to treat block_ns as a reliable event interval.
2. The IOThread's next polling time is determined by the maximum
poll.ns among all AioHandlers, meaning idle AioHandlers with
high poll.ns can have an outsized impact on polling duration.
3. For io_uring, idle AioHandlers are cleared after
POLL_IDLE_INTERVAL_NS (7s), but for ppoll/epoll there is no
such mechanism, leading to increased CPU consumption from idle
nodes.
Implementation:
This patch treats block_ns as an event interval and updates each
AioHandler's poll.ns in every loop iteration:
- Active handlers (with events): poll.ns is updated using a
weighted average of the current block_ns and previous poll.ns,
smoothing out adjustments and preventing excessive fluctuations.
- Inactive handlers (no events): poll.ns accumulates block_ns
without weighting, allowing rapid isolation of idle nodes. When
poll.ns exceeds poll_max_ns, it resets to 0, preventing
sporadically active handlers from unnecessarily prolonging
iothread polling.
- The iothread polling duration is set based on the largest poll.ns
among active handlers. The shrink divider defaults to 2, matching
the grow rate, to reduce frequent poll_ns resets for slow devices.
The implementation renames poll_idle_timeout to last_dispatch_timestamp
for use as an active handler identifier.
Testing:
POLL_WEIGHT_SHIFT=3 (12.5% weight) was selected based on testing
comparing baseline vs weight=2/3 across various workloads:
Performance results (RHEL 10.1 + QEMU 10.0.0, FCP/FICON, 1-8 iothreads,
numjobs 1/4/8 averaged):
                    | poll-weight=2      | poll-weight=3
--------------------|--------------------|-----------------
Throughput avg      | -2.4% (all tests)  | -2.2% (all tests)
CPU consumption avg | -10.9% (all tests) | -9.4% (all tests)
Both configurations achieve ~10% CPU reduction with minimal throughput
impact (~2%). Weight=3 is chosen as default for slightly better
throughput while maintaining substantial CPU savings.
Additional validation testing on s390x SSD with fio (bs=8k, iodepth=8,
numjobs=1) shows how poll_weight affects polling time (poll.ns)
behavior:
Signed-off-by: Jaehoon Kim <jhkim@linux.ibm.com>
Message-ID: <20260423195918.661299-3-jhkim@linux.ibm.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
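A stand-alone C model, added here and not QEMU's aio-poll code, of the per-handler poll.ns scheme this commit describes together with the poll-weight shift from the qapi/iothread commit above: active handlers get a smoothed update, idle handlers accumulate and reset past poll_max_ns, and the next polling duration is the largest poll.ns among active handlers. Assumptions: the "weighted average" is taken to be a fixed-point EWMA with weight 2^-shift on the new block_ns sample (the message only says "approximately 1/8" for shift 3), and the struct and function names are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* poll-weight 0 selects the default shift of 3 (~1/8 weight), as stated
 * in the qapi/iothread commit. */
#define POLL_WEIGHT_DEFAULT_SHIFT 3

/* Minimal stand-in for an AioHandler: only the fields the scheme needs. */
typedef struct {
    const char *name;
    int64_t poll_ns;     /* per-handler estimate of its event interval */
    bool had_event;      /* fired during the current loop iteration? */
} Handler;

static unsigned poll_weight_shift(unsigned poll_weight)
{
    return poll_weight == 0 ? POLL_WEIGHT_DEFAULT_SHIFT : poll_weight;
}

/*
 * ASSUMED form of the "weighted average": fixed-point EWMA where the new
 * sample contributes 2^-shift and the old value keeps 1 - 2^-shift.
 * With shift = 3 that is the "approximately 1/8" the commit mentions;
 * a larger shift makes the current interval count for less.
 */
static int64_t weighted_avg(int64_t old, int64_t sample, unsigned shift)
{
    return old - (old >> shift) + (sample >> shift);
}

/*
 * One event-loop iteration. block_ns is how long the thread blocked before
 * the current batch of events and is treated as the event interval.
 * Active handlers: smoothed update. Inactive handlers: raw accumulation,
 * reset to 0 once above poll_max_ns so a sporadically active handler
 * cannot keep the thread polling. Returns the next polling duration,
 * i.e. the largest poll.ns among handlers that actually had events.
 */
static int64_t aio_update_poll_ns(Handler *h, size_t n, int64_t block_ns,
                                  int64_t poll_max_ns, unsigned poll_weight)
{
    unsigned shift = poll_weight_shift(poll_weight);
    int64_t next_poll_ns = 0;

    for (size_t i = 0; i < n; i++) {
        if (h[i].had_event) {
            h[i].poll_ns = weighted_avg(h[i].poll_ns, block_ns, shift);
            if (h[i].poll_ns > next_poll_ns) {
                next_poll_ns = h[i].poll_ns;
            }
        } else {
            h[i].poll_ns += block_ns;
            if (h[i].poll_ns > poll_max_ns) {
                h[i].poll_ns = 0;
            }
        }
    }
    return next_poll_ns;
}

int main(void)
{
    /* Constructed scenario: a busy queue and a handler that never fires,
     * both starting from poll.ns = 8000 with poll_max_ns = 32000. */
    Handler h[] = {
        { "busy-queue", 8000, true },
        { "idle-fd",    8000, false },
    };
    const int64_t block_ns[] = { 16000, 16000, 16000, 16000 };

    for (size_t it = 0; it < sizeof(block_ns) / sizeof(block_ns[0]); it++) {
        int64_t next = aio_update_poll_ns(h, 2, block_ns[it], 32000, 0);
        printf("iter %zu: %s=%lld %s=%lld -> next poll %lld ns\n", it,
               h[0].name, (long long)h[0].poll_ns,
               h[1].name, (long long)h[1].poll_ns, (long long)next);
    }
    return 0;
}
```

The idle handler climbs 8000, 24000, 40000 and is reset to 0 on the third iteration, while the busy handler converges gradually toward the 16000 ns interval and alone determines the next polling duration.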
Jaehoon Kim [Thu, 23 Apr 2026 19:59:16 +0000 (14:59 -0500)]
aio-poll: avoid unnecessary polling time computation
Nodes are no longer added to poll_aio_handlers when adaptive polling is
disabled, preventing unnecessary try_poll_mode() calls. This avoids
iterating over all nodes to compute max_ns unnecessarily when polling
is disabled.
Signed-off-by: Jaehoon Kim <jhkim@linux.ibm.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20260423195918.661299-2-jhkim@linux.ibm.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Peter Maydell [Mon, 27 Apr 2026 15:00:07 +0000 (16:00 +0100)]
tests/qtest: Make qtest_get_arch() cleverer
The qtest_get_arch() function tries to determine the architecture
under test by extracting it from the binary name as provided in
QTEST_QEMU_BINARY. The current logic finds the last '-' in the
string and assumes everything beyond it is the architecture name.
Although we also look for the substring "-system-", the only effect
this check has is that we will exit with an error if it is not
present.
Because the logic at the moment is very simplistic, although
it is possible to provide more complex commands than a bare
QEMU binary path, such as:
QTEST_QEMU_BINARY='rr record ./qemu-system-x86_64'
it is not possible to provide extra arguments to QEMU, such as:
QTEST_QEMU_BINARY='./qemu-system-x86_64 -d trace:foo'
Because the "-system-" check and the "find the architecture" check
are not the same, the latter example will pass the "we found
-system-" check and not notice that the "architecture name" it has
found starts further on in the string; so rather than printing an
error it will return "d trace:foo" to the test.
Improve the "find the architecture name" logic to look for the
rightmost occurrence of the substring "-system-" in
QTEST_QEMU_BINARY, and take the architecture name as starting there
and continuing until the first whitespace character or the end of the
string.
Because we now need to potentially modify the environment variable
string to terminate the architecture name if it is not the last part
of the string, we make a copy of it which we cache in a static
variable. This lets us avoid having to modify all the callers to get
them to take ownership of the returned string.
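The parsing rule this commit describes, as an added stand-alone C example that is not QEMU's qtest code: the old "everything after the last '-'" heuristic beside the new "rightmost -system-, then up to the first whitespace" rule, run over the two QTEST_QEMU_BINARY values quoted in the message. Function names and the third input are mine.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy [start, end) into a fresh NUL-terminated buffer (caller frees). */
static char *dup_range(const char *start, const char *end)
{
    size_t len = (size_t)(end - start);
    char *out = malloc(len + 1);

    if (out != NULL) {
        memcpy(out, start, len);
        out[len] = '\0';
    }
    return out;
}

/*
 * The heuristic the commit replaces: insist that "-system-" occurs
 * somewhere, then treat everything after the LAST '-' as the architecture.
 * For "./qemu-system-x86_64 -d trace:foo" this yields "d trace:foo".
 * Returns NULL where the original code would exit with an error.
 */
static char *arch_old_logic(const char *binary)
{
    const char *dash;

    if (strstr(binary, "-system-") == NULL) {
        return NULL;
    }
    dash = strrchr(binary, '-');
    return dup_range(dash + 1, dash + 1 + strlen(dash + 1));
}

/*
 * The rule the commit introduces: locate the RIGHTMOST "-system-" and take
 * the architecture name from just after it up to the first whitespace
 * character or the end of the string. Returns NULL if "-system-" is absent
 * (the one case that is still an error).
 */
static char *arch_new_logic(const char *binary)
{
    static const char marker[] = "-system-";
    const size_t marker_len = sizeof(marker) - 1;
    const char *hit = NULL, *p = binary, *start, *end;

    while ((p = strstr(p, marker)) != NULL) {
        hit = p;            /* remember the latest hit, keep scanning */
        p += marker_len;
    }
    if (hit == NULL) {
        return NULL;
    }
    start = hit + marker_len;
    for (end = start; *end != '\0' && !isspace((unsigned char)*end); end++) {
        /* advance to the end of the architecture token */
    }
    return dup_range(start, end);
}

int main(void)
{
    /* Constructed inputs: the two QTEST_QEMU_BINARY values from the commit
     * message plus one with no "-system-" at all. */
    const char *inputs[] = {
        "rr record ./qemu-system-x86_64",
        "./qemu-system-x86_64 -d trace:foo",
        "./qemu-img",
    };

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        char *old = arch_old_logic(inputs[i]);
        char *fresh = arch_new_logic(inputs[i]);

        printf("%-40s old=%-14s new=%s\n", inputs[i],
               old ? old : "(error)", fresh ? fresh : "(error)");
        free(old);
        free(fresh);
    }
    return 0;
}
```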
Fengyuan Yu [Wed, 25 Mar 2026 07:09:06 +0000 (15:09 +0800)]
tests/qtest: Add Intel IOMMU bare-metal test
Add a qtest suite for the Intel IOMMU (VT-d) device on the Q35 machine.
The test exercises both Legacy and Scalable translation modes using
iommu-testdev and the qos-intel-iommu helpers, without requiring any
guest kernel or firmware.
The test validates:
- Legacy-mode Root Entry Table and Context Entry Table configuration
- Scalable-mode Context Entry, PASID Directory, and PASID Table setup
- Legacy-mode 4-level page table walks for 48-bit address translation
- Scalable-mode second-level and first-level 4-level page table walks
- Pass-through mode in both Legacy and Scalable modes
- DMA transaction execution with memory content verification
Introduce a libqos helper module for Intel IOMMU (VT-d) bare-metal
testing via iommu-testdev. The helper provides routines to:
- Build Legacy-mode structures: Root Entry Tables, Context Entry Tables,
and 4-level page tables for 48-bit address translation
- Build Scalable-mode structures: Scalable Context Entries, PASID
Directory Entries, PASID Table Entries, and 4-level page tables for
both second-level and first-level translation
- Program VT-d registers (Root Table Address, Invalidation Queue,
Fault Event MSI, Global Command) following the VT-d specification,
with GSTS read-back verification for each step
- Execute DMA translations through iommu-testdev and verify results
by reading back guest memory
The module supports all major VT-d translation modes through the
QVTDTransMode enum:
- Legacy pass-through
- Legacy translated with 4-level paging
- Scalable pass-through
- Scalable Second-Level Translation
- Scalable First-Level Translation
Stefan Hajnoczi [Wed, 29 Apr 2026 13:22:50 +0000 (09:22 -0400)]
Merge tag 'pull-riscv-to-apply-20260429-1' of https://github.com/alistair23/qemu into staging
RISC-V PR for 11.1.
* Use standard EN_PRI bit for PRI IOMMU
* Add draft RISC-V Zbr ext as xbr0p93
* Forbid to use legacy native endianness API
* Fix irq_overflow_left residual value bug in IOMMU
* Add IPSR.PMIP RW1C support to IOMMU
* Use kvm timer frequency when kvm enabled
* Fix stale ptshift and base on page walk restart
* Fix heap OOB in ACLINT MTIMER multi-socket
* Reject RISC-V HTIF invalid signature ranges
* Fix RV32 henvcfg/stateen CSR handling
* Add Zvfbfa extension support
* Allow fractional LMUL on vector SHA instructions
* Add Tenstorrent mvendorid
* Warn if an ELF format file is loaded as a binary
* Initialize riscv_excp_names[] and riscv_intr_names[] using designated initializer
* Mask xepc[0] only when Zc* extension is enabled
* Generate access fault if sc comparison fails
* Don't OR mip.SEIP when mvien is one
* Use ELEN for Fractional LMUL check
* Fix Zjpm implementation
* Handle mask/source overlap of vector reduction instructions
# gpg: Signature made Wed 29 Apr 2026 00:45:29 EDT
# gpg: using RSA key 6AE902B6A7CA877D6D659296AF7C95130C538013
# gpg: Good signature from "Alistair Francis <alistair@alistair23.me>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6AE9 02B6 A7CA 877D 6D65 9296 AF7C 9513 0C53 8013
* tag 'pull-riscv-to-apply-20260429-1' of https://github.com/alistair23/qemu: (51 commits)
target/riscv: rvv: Handle mask/source overlap of vector reduction instructions
target/riscv: Fix pointer masking translation mode check bug
target/riscv: Rename riscv_pm_get_virt_pmm() to riscv_pm_get_vm_ldst_pmm()
target/riscv: Fix pointer masking for virtual-machine load/store insns
target/riscv: Fix pointer masking PMM field selection logic
target/riscv: Add a helper to return the current effective priv mode
target/riscv: fix address masking
target/riscv: Use ELEN for Fractional LMUL check
target/riscv: Don't OR mip.SEIP when mvien is one
target/riscv: Generate access fault if sc comparison fails
target/riscv: Mask xepc[0] only when Zc* extension is enabled
target/riscv: Initialize riscv_excp_names[] and riscv_intr_names[] using designated initializer
target/riscv: fix RV32 stateen CSR handling
hw/riscv/boot: Warn if an ELF format file is loaded as a binary
target/riscv: tt-ascalon: Add Tenstorrent mvendorid
target/riscv: rvv: Allow fractional LMUL on vector SHA instructions
target/riscv: Expose Zvfbfa extension as a cpu property
target/riscv: rvv: Support Zvfbfa vector bf16 operations
target/riscv: Introduce BF16 canonical NaN for Zvfbfa extension
target/riscv: Introduce altfmt into DisasContext
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Anton Blanchard [Fri, 17 Apr 2026 12:06:26 +0000 (12:06 +0000)]
target/riscv: rvv: Handle mask/source overlap of vector reduction instructions
Masked vector reduction instructions must not use v0 as a source register.
Check rs1 and rs2 against the mask register when vm=0.
Signed-off-by: Anton Blanchard <antonb@tenstorrent.com>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Message-ID: <20260417120626.77415-1-antonb@tenstorrent.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
When running with virtualization in VS/VU mode, or when executing the
virtual-machine load/store instructions (HLV.* and HSV.*), the type of
address that determines which pointer masking rules apply should be
checked against vsatp rather than satp.
As a result, sign extension also applies to the virtual-machine
load/store instructions.
Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Radim Krčmář <rkrcmar@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260421093715.2995067-7-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Frank Chang [Tue, 21 Apr 2026 09:37:14 +0000 (17:37 +0800)]
target/riscv: Rename riscv_pm_get_virt_pmm() to riscv_pm_get_vm_ldst_pmm()
Rename riscv_pm_get_virt_pmm() to riscv_pm_get_vm_ldst_pmm() to better
reflect its actual usage. This function is used when checking the PMM
field for virtual-machine load/store instructions (HLV.* and HSV.*),
rather than for VS/VU modes.
Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260421093715.2995067-6-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Frank Chang [Tue, 21 Apr 2026 09:37:13 +0000 (17:37 +0800)]
target/riscv: Fix pointer masking for virtual-machine load/store insns
The effective privilege of explicit memory accesses made by
virtual-machine load/store instructions (HLV.* and HSV.*) is controlled
by hstatus.SPVP. mstatus.MPRV does not affect these virtual-machine
load/store instructions.
Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260421093715.2995067-5-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260421093715.2995067-4-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Frank Chang [Tue, 21 Apr 2026 09:37:11 +0000 (17:37 +0800)]
target/riscv: Add a helper to return the current effective priv mode
This helper returns the current effective privilege mode.
Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260421093715.2995067-3-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Yong-Xuan Wang [Tue, 21 Apr 2026 09:37:10 +0000 (17:37 +0800)]
target/riscv: fix address masking
The pmlen should get the corresponding value before shifting the address.
Signed-off-by: Yong-Xuan Wang <yongxuan.wang@sifive.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260421093715.2995067-2-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Alistair Francis [Wed, 15 Apr 2026 23:37:39 +0000 (09:37 +1000)]
target/riscv: Don't OR mip.SEIP when mvien is one
The RISC-V spec states that
"""
But when bit 9 of mvien is one, bit SEIP in mip is read-only and does
not include the value of bit 9 of mvip. Rather, the value of mip.SEIP
is simply the supervisor external interrupt signal from the hart’s
external interrupt controller (APLIC or IMSIC).
"""
As such, let's mark the mip.SEIP in rmw_mip64().
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/2828
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Message-ID: <20260415233740.3027321-4-alistair.francis@wdc.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Frank Chang [Tue, 21 Apr 2026 07:49:40 +0000 (15:49 +0800)]
target/riscv: Mask xepc[0] only when Zc* extension is enabled
IALIGN is 16 when the CPU supports the Zc* extension. Only xepc[0]
should be masked when the Zc* extension is enabled.
Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260421074940.2916287-1-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Frank Chang [Tue, 21 Apr 2026 07:11:07 +0000 (15:11 +0800)]
target/riscv: Initialize riscv_excp_names[] and riscv_intr_names[] using designated initializer
Use designated initializers to initialize riscv_excp_names[] and
riscv_intr_names[] so that we don't have to explicitly add "reserved"
items. Also, add the missing trap names: sw_check, hw_error,
virt_illegal_instruction, semihost, s_guest_external, and
counter_overflow.
Signed-off-by: Frank Chang <frank.chang@sifive.com>
Reviewed-by: Max Chou <max.chou@sifive.com>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260421071107.2848439-1-frank.chang@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Bruno Sa [Fri, 10 Apr 2026 11:08:42 +0000 (12:08 +0100)]
target/riscv: fix RV32 stateen CSR handling
The RV32 stateen CSRs are split between the low-half CSR and the
corresponding xH CSR, but the current implementation still handles some
upper-half bits through the low-half write paths and also accepts the
xH CSRs on RV64.
Fix this by:
- rejecting mstateen*h and hstateen*h accesses on RV64
- keeping the RV64-only writable bits in the low-half write paths
- handling the RV32 upper-half writable bits in write_mstateen0h() and
write_hstateen0h()
- dropping unsupported writable bits from write_sstateen0()
Signed-off-by: Bruno Sa <bruno.vilaca.sa@gmail.com>
Message-ID: <20260410110928.1014170-1-bruno.vilaca.sa@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Nicholas Piggin [Wed, 15 Apr 2026 06:48:35 +0000 (16:48 +1000)]
hw/riscv/boot: Warn if an ELF format file is loaded as a binary
It is possible that an ELF file cannot be loaded; in that
case the loader falls back to loading the file as a binary
blob. Print a warning in this case because it is likely that
it is not intended.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260415064838.652297-4-joel@jms.id.au>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Michael Ellerman <mpe@oss.tenstorrent.com>
Message-ID: <20260114020516.982305-1-joel@jms.id.au>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Anton Blanchard [Sun, 4 Jan 2026 23:37:24 +0000 (23:37 +0000)]
target/riscv: rvv: Allow fractional LMUL on vector SHA instructions
Vector SHA instructions incorrectly raise an illegal instruction exception
when LMUL < 1. The ISA only states that LMUL*VLEN >= EGW:
For element-group instructions, LMUL*VLEN must always be at least as
large as EGW, otherwise an illegal-instruction exception is raised, even
if vl=0.
There is already a check for this:
MAXSZ(s) >= egw_bytes
so just remove the check for a fractional LMUL.
Signed-off-by: Anton Blanchard <antonb@tenstorrent.com>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Message-ID: <20260104233724.192886-1-antonb@tenstorrent.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Max Chou [Thu, 2 Apr 2026 12:52:34 +0000 (20:52 +0800)]
target/riscv: Expose Zvfbfa extension as a cpu property
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-10-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Max Chou [Thu, 2 Apr 2026 12:52:33 +0000 (20:52 +0800)]
target/riscv: rvv: Support Zvfbfa vector bf16 operations
According to the Zvfbfa ISA spec v0.1, the following vector floating
point instructions have different behaviors depending on the ALTFMT and
VSEW fields of the VTYPE CSR.
When altfmt=1 and SEW=8, all vector floating-point instructions become
reserved, except for the following, which are redefined to use the
BF16 format for any operand that would otherwise have used the FP16
format:
- vfwcvt.f.x[u].v, vfncvt.x[u].f.w, vfncvt.rtz.x[u].f.w
When altfmt=1 and SEW=16, all vector floating-point instructions become
reserved, except for the following, which are redefined to use the
BF16 format for any operand that would otherwise have used the FP16
format:
- vfadd.v[vf], vfsub.v[vf], vfmin.v[vf], vfmax.v[vf], vmfeq.v[vf],
vmfle.v[vf], vmflt.v[vf], vmfne.v[vf], vmfgt.vf, vmfge.vf,
vfmul.v[vf], vfrsub.vf, vfmadd.v[vf], vfnmadd.v[vf], vfmsub.v[vf],
vfnmsub.v[vf], vfmacc.v[vf], vfnmacc.v[vf], vfmsac.v[vf],
vfnmsac.v[vf], vfwadd.v[vf], vfwsub.v[vf], vfwadd.w[vf],
vfwsub.w[vf], vfwmul.v[vf], vfwmacc.v[vf], vfwnmacc.v[vf],
vfwmsac.v[vf], vfwnmsac.v[vf], vfwcvt.f.f.v, vfncvt.f.f.w,
vfncvt.rod.f.f.w, vfrsqrt7.v, vfrec7.v, vfclass.v
The following instructions marked with * have the same semantics
regardless of altfmt.
*- vfmv.f.s,
vfwmaccbf16.v[vf] (only if Zvfbfwma is implemented)
vfwcvtbf16.f.f.v (only if Zvfbfmin is implemented)
vfncvtbf16.f.f.w (only if Zvfbfmin is implemented)
The following instructions marked with ** differ only in that
improperly NaN-boxed f-register operands must substitute the BF16
canonical NaN instead of the FP16 canonical NaN.
**- vfsgnj.v[vf], vfsgnjn.v[vf], vfsgnjx.v[vf], vfslide1up.vf,
vfslide1down.vf, vfmv.v.f, vfmerge.vfm, vfmv.s.f
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-9-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Max Chou [Thu, 2 Apr 2026 12:52:32 +0000 (20:52 +0800)]
target/riscv: Introduce BF16 canonical NaN for Zvfbfa extension
According to the Zvfbfa ISA spec (v0.1), improperly NaN-boxed
f-register operands must substitute the BF16 canonical NaN instead of
the FP16 canonical NaN for some vector floating-point instructions.
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-8-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Max Chou [Thu, 2 Apr 2026 12:52:31 +0000 (20:52 +0800)]
target/riscv: Introduce altfmt into DisasContext
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-7-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Max Chou [Thu, 2 Apr 2026 12:52:30 +0000 (20:52 +0800)]
target/riscv: Use the tb->cs_base as the extend tb flags
We have more than 32-bits worth of state per TB, so use the
tb->cs_base, which is otherwise unused for RISC-V, as the extend flag.
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-6-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Max Chou [Thu, 2 Apr 2026 12:52:29 +0000 (20:52 +0800)]
target/riscv: rvv: Introduce reset_ill_vtype to reset illegal vtype CSR
Replace the repeated vill reset flow with the reset_ill_vtype function.
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-5-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Max Chou [Thu, 2 Apr 2026 12:52:28 +0000 (20:52 +0800)]
target/riscv: rvv: Add new VTYPE CSR field - altfmt
According to the Zvfbfa ISA spec v0.1, the vtype CSR adds a new field:
altfmt for BF16 support.
This update changes the layout of the vtype CSR fields.
- Removed VEDIV field (bits 8-9) since EDIV extension is not planned to
be part of the base V extension
- Added ALTFMT field at bit 8
- Changed RESERVED field to start from bit 9 instead of bit 10
When Zvfbfa is disabled, bits 8+ are treated as reserved (preserving
existing behavior for altfmt bit). When Zvfbfa is enabled, only bits 9+
are reserved.
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-4-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Max Chou [Thu, 2 Apr 2026 12:52:27 +0000 (20:52 +0800)]
target/riscv: Add the Zvfbfa extension implied rule
According to the Zvfbfa isa spec:
The Zvfbfa extension requires the Zve32f and Zfbfmin extensions.
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-3-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Max Chou [Thu, 2 Apr 2026 12:52:26 +0000 (20:52 +0800)]
target/riscv: Add cfg properties for Zvfbfa extensions
The Zvfbfa extension adds more complete BF16 vector compute support
and requires the Zve32f and Zfbfmin extensions.
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Nutty Liu <nutty.liu@hotmail.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260402125234.1371897-2-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Bruno Sa [Thu, 9 Apr 2026 15:53:42 +0000 (16:53 +0100)]
target/riscv: preserve RV32 henvcfgh on henvcfg writes
On RV32, STCE/ADUE/PBMTE/DTE are implemented in henvcfgh. A write to
henvcfg should therefore only update the low 32 bits of env->henvcfg.
The current write_henvcfg() path overwrites env->henvcfg with the
low-half value and clears any bits previously written via henvcfgh.
Preserve the upper 32 bits on RV32 henvcfg writes and keep the existing
RV64 behaviour unchanged.
Signed-off-by: Bruno Sa <bruno.vilaca.sa@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260409155344.2849233-2-bruno.vilaca.sa@gmail.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Prevents huge allocations and crashes caused by malformed HTIF signature
addresses.
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3205
Signed-off-by: Munkhbaatar Enkhbaatar <munkhuu0825@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251209085349.61510-1-munkhuu0825@gmail.com>
[ Squashed with the following commit to fix build failures:
hw/char/riscv_htif: Fix format specifier for uint64_t
Message-ID: <20260415134826.1742308-1-chao.liu.zevorn@gmail.com>
Signed-off-by: Chao Liu <chao.liu.zevorn@gmail.com>
]
Tested-by: Tao Tang <tangtao1634@phytium.com.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Chao Liu <chao.liu.zevorn@gmail.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
hw/intc: fix heap OOB in ACLINT MTIMER multi-socket
The MMIO read/write handlers index timecmp[] with the absolute hartid
(hartid_base + offset) but the array is allocated with num_harts
elements. In multi-socket configurations with hartid_base > 0 this
causes heap OOB access in the QEMU process.
Fix by using the relative offset for array indexing.
Cc: qemu-security@nongnu.org
Signed-off-by: Sebastián Alba Vives <sebasjosue84@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260401053853.10473-2-sebasjosue84@gmail.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
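The indexing defect described in the commit above, reduced to a small model so the bounds problem can be seen without the rest of the device. This is an added illustration, not QEMU's hw/intc code: the per-socket structure, the register layout (one 8-byte timecmp slot per hart starting at MMIO offset 0) and the helper names are assumptions of the model.

```c
/* Constructed model of one socket's ACLINT-style MTIMER device, added to show
 * the indexing defect the commit describes. Illustration only: it is not
 * QEMU's hw/intc code, and the register layout (one 8-byte timecmp per hart,
 * starting at MMIO offset 0) is an assumption of the model. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TIMECMP_STRIDE 8u

typedef struct {
    uint32_t hartid_base;  /* absolute id of the first hart in this socket */
    uint32_t num_harts;    /* harts in this socket: timecmp[] has this many entries */
    uint64_t *timecmp;
} MtimerModel;

static bool mtimer_init(MtimerModel *m, uint32_t hartid_base, uint32_t num_harts)
{
    m->hartid_base = hartid_base;
    m->num_harts = num_harts;
    m->timecmp = calloc(num_harts, sizeof(*m->timecmp));
    return m->timecmp != NULL;
}

static void mtimer_free(MtimerModel *m)
{
    free(m->timecmp);
    m->timecmp = NULL;
}

/* Which hart, relative to this socket, does an MMIO offset address? */
static uint32_t hart_offset_from_mmio(uint64_t addr)
{
    return (uint32_t)(addr / TIMECMP_STRIDE);
}

/* The defect: the absolute hart id (hartid_base + offset) is used as the
 * array index. Only the index is computed here; it is never dereferenced. */
static uint64_t timecmp_index_absolute(const MtimerModel *m, uint32_t hart_off)
{
    return (uint64_t)m->hartid_base + hart_off;
}

/* True when the absolute-id index would stay inside the num_harts allocation.
 * For any socket with hartid_base > 0 this is false for the upper harts. */
static bool absolute_index_in_bounds(const MtimerModel *m, uint32_t hart_off)
{
    return timecmp_index_absolute(m, hart_off) < m->num_harts;
}

/* The fix: index by the socket-relative offset, and bounds-check it before
 * touching memory so a stray access is rejected instead of corrupting the heap. */
static bool timecmp_write_checked(MtimerModel *m, uint64_t addr, uint64_t value)
{
    uint32_t hart_off = hart_offset_from_mmio(addr);
    if (hart_off >= m->num_harts) {
        return false; /* not a timecmp slot this socket owns */
    }
    m->timecmp[hart_off] = value;
    return true;
}

static bool timecmp_read_checked(const MtimerModel *m, uint64_t addr, uint64_t *out)
{
    uint32_t hart_off = hart_offset_from_mmio(addr);
    if (hart_off >= m->num_harts) {
        return false;
    }
    *out = m->timecmp[hart_off];
    return true;
}

int main(void)
{
    MtimerModel s1;
    if (!mtimer_init(&s1, 4, 4)) { /* second socket: harts 4..7, 4 slots */
        return 1;
    }
    for (uint32_t h = 0; h < s1.num_harts; h++) {
        printf("hart offset %u: absolute index %llu is %s, relative index %u is in bounds\n",
               h, (unsigned long long)timecmp_index_absolute(&s1, h),
               absolute_index_in_bounds(&s1, h) ? "in bounds" : "OUT OF BOUNDS", h);
    }
    mtimer_free(&s1);
    return 0;
}
```

With two sockets of four harts each, every timecmp access on the second socket (hartid_base 4) lands at index 4 to 7 of a four-entry array under the absolute scheme, while the relative scheme stays within 0 to 3; the checked accessors additionally refuse offsets past num_harts, which is the defensive check to keep even once the index arithmetic is right.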
target/riscv: fix stale ptshift and base on page walk restart
When the atomic compare-and-swap for updating A/D bits in the page
table entry fails due to a concurrent PTE modification by another
vCPU, get_physical_address() jumps to the 'restart' label to re-walk
the page table from the root.
However, neither 'ptshift' nor 'base' are re-initialized before the
restart. After the walk completes, ptshift has been decremented to
its final value and base has been overwritten with an inner PTE PPN.
On goto restart, the for loop resets i=0 but ptshift and base remain
stale, causing the restarted walk to compute incorrect PTE addresses.
In an SMP guest with MTTCG and Svadu active, this can result in
incorrect physical address mappings or guest crashes.
Fix by saving the root base address and re-initializing both ptshift
and base on each restart.
Fixes: 0c3e702aca ("RISC-V CPU Helpers")
Signed-off-by: Sebastián Alba Vives <sebasjosue84@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260401053853.10473-1-sebasjosue84@gmail.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
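The restart problem in the commit above, shown on a small three-level walk so the effect of stale `base` and `ptshift` can be traced. This is an added illustration and not QEMU's get_physical_address(): the Sv39-like layout (4 KiB pages, 9 index bits per level, 8-byte PTEs), the four in-memory tables, the racing vCPU that remaps the address between the PTE read and the A-bit update, and the trace structure are all constructed for the model. Where the model re-walks with stale state it re-reads only the last-visited table with the last level's shift, so it never sees the change made higher in the tree; with the reset it walks from the root and finds the new mapping.

```c
/* Constructed three-level page-table walk (Sv39-like), added to show why
 * 'base' and 'ptshift' must be reset before a restart. Illustration only:
 * not QEMU's get_physical_address(); tables, racing vCPU and trace are
 * all part of this model. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PGSHIFT   12
#define PTIDXBITS 9
#define LEVELS    3
#define PTESIZE   8
#define ENTRIES   (1 << PTIDXBITS)
#define PTE_V  (1ULL << 0)
#define PTE_R  (1ULL << 1)
#define PTE_W  (1ULL << 2)
#define PTE_X  (1ULL << 3)
#define PTE_A  (1ULL << 6)
#define PTE_PPN_SHIFT 10

/* Model "physical memory": four page tables back to back, table n at
 * physical address n * 4096, so its PPN is n. */
static uint64_t mem[4 * ENTRIES];
#define TABLE_PA(n) ((uint64_t)(n) << PGSHIFT)
#define MEM_WORDS (sizeof(mem) / sizeof(mem[0]))

static uint64_t inner_pte(uint64_t ppn) { return (ppn << PTE_PPN_SHIFT) | PTE_V; }
static uint64_t leaf_pte(uint64_t ppn)  { return (ppn << PTE_PPN_SHIFT) | PTE_V | PTE_R | PTE_W; }

/* root[1] -> t1, t1[1] -> t2, t2[1] -> physical page 0x80 with A clear. */
static void build_tables(void)
{
    memset(mem, 0, sizeof(mem));
    mem[0 * ENTRIES + 1] = inner_pte(1);
    mem[1 * ENTRIES + 1] = inner_pte(2);
    mem[2 * ENTRIES + 1] = leaf_pte(0x80);
}

/* Stand-in for another vCPU: between our PTE read and our A-bit update it
 * repoints t1[1] at a fresh table t3 (same VA, now page 0x90) and frees t2. */
static void racing_vcpu_remap(void)
{
    mem[3 * ENTRIES + 1] = leaf_pte(0x90) | PTE_A;
    mem[1 * ENTRIES + 1] = inner_pte(3);
    mem[2 * ENTRIES + 1] = 0;
}

typedef struct {
    uint64_t bases[2 * LEVELS]; /* table base used at each step, across restarts */
    int nsteps;
    int restarts;
    int64_t result;             /* physical address, or -1 for a fault */
} WalkTrace;

static void walk(uint64_t vaddr, bool reinit_on_restart, bool inject_race, WalkTrace *tr)
{
    const uint64_t root = TABLE_PA(0);
    uint64_t base = root;
    int ptshift = (LEVELS - 1) * PTIDXBITS;
    uint64_t pte = 0, pte_addr = 0, ppn = 0;
    int i;

    build_tables();
    tr->nsteps = 0;
    tr->restarts = 0;
    tr->result = -1;
restart:
    for (i = 0; i < LEVELS; i++, ptshift -= PTIDXBITS) {
        if (ptshift < 0 || tr->nsteps >= 2 * LEVELS) {
            return; /* model has gone off the rails: treat as a fault */
        }
        uint64_t idx = (vaddr >> (PGSHIFT + ptshift)) & (ENTRIES - 1);
        pte_addr = base + idx * PTESIZE;
        tr->bases[tr->nsteps++] = base;
        if (pte_addr / PTESIZE >= MEM_WORDS) {
            return;
        }
        pte = mem[pte_addr / PTESIZE];
        if (!(pte & PTE_V)) {
            return;
        }
        ppn = pte >> PTE_PPN_SHIFT;
        if (pte & (PTE_R | PTE_W | PTE_X)) {
            goto leaf;
        }
        base = ppn << PGSHIFT; /* inner PTE: descend; base now points at it */
    }
    return; /* no leaf at any level */
leaf:
    if (!(pte & PTE_A)) {
        uint64_t *slot = &mem[pte_addr / PTESIZE];
        if (inject_race) {
            inject_race = false;
            racing_vcpu_remap();
        }
        if (*slot != pte) { /* the compare-and-swap would fail: PTE changed under us */
            tr->restarts++;
            if (reinit_on_restart) { /* the fix: walk again from the root */
                base = root;
                ptshift = (LEVELS - 1) * PTIDXBITS;
            }
            goto restart;
        }
        *slot = pte | PTE_A;
    }
    tr->result = (int64_t)((ppn << PGSHIFT) | (vaddr & ((1ULL << PGSHIFT) - 1)));
}

int main(void)
{
    WalkTrace t;
    walk(0x40201123ULL, false, true, &t);
    printf("stale restart:  result %lld after %d steps\n", (long long)t.result, t.nsteps);
    walk(0x40201123ULL, true, true, &t);
    printf("reinit restart: result 0x%llx after %d steps\n", (long long)t.result, t.nsteps);
    return 0;
}
```

For the constructed address 0x40201123 (VPN 1/1/1, offset 0x123) the stale restart reports a fault for a page that is mapped, because it re-reads t2[1] after that table was freed, whereas the re-initialized walk goes root, t1, t3 and returns 0x90123. The `ptshift < 0` guard is there because a stale restart that does continue past its first iteration keeps decrementing a shift that already reached zero.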
Yicong Yang [Wed, 25 Mar 2026 08:13:14 +0000 (16:13 +0800)]
hw/riscv/virt-acpi-build.c: Use kvm timer frequency when kvm enabled
The timer frequency is decided by the host (KVM) rather than a fixed
RISCV_ACLINT_DEFAULT_TIMEBASE_FREQ on a KVM-accelerated VM. So build the
RHCT with the KVM-provided timer frequency if KVM is enabled, just like
how we build the timer node on a DT-based VM.
Fixes: ebfd39289370 ("hw/riscv/virt: virt-acpi-build.c: Add RHCT Table")
Signed-off-by: Yicong Yang <yang.yicong@picoheart.com>
Reviewed-by: Andrew Jones <andrew.jones@oss.qualcomm.com>
Message-ID: <20260325081314.57089-1-yang.yicong@picoheart.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>