Peter Maydell [Tue, 5 May 2026 18:51:56 +0000 (19:51 +0100)]
hw/net/rocker_of_dpa: Check group ID pointers are not NULL
In of_dpa_cmd_add_l2_flood(), we use rocker_tlv_parse_nested()
to fill in a tlvs[] array. If the guest command is valid then
the entries should be pointers to TLV data items with group IDs.
However, if the guest gives us bogus data then rocker_tlv_parse_nested()
indicates this by leaving the tlvs[] entries NULL. In the other
places that use this function, we check for this before using
the value, but here we forgot, and the result is that QEMU can
crash:
#0 __memcpy_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:331
#1 0x00005555574f7137 in __asan_memcpy ()
#2 0x0000555558106792 in ldl_he_p (ptr=0x8) at /home/pm215/qemu/include/qemu/bswap.h:278
#3 0x0000555558106755 in ldl_le_p (ptr=0x8) at /home/pm215/qemu/include/qemu/bswap.h:311
#4 0x00005555580f85ed in rocker_tlv_get_le32 (tlv=0x0) at ../../hw/net/rocker/rocker_tlv.h:114
#5 0x000055555810a8ad in of_dpa_cmd_add_l2_flood (of_dpa=0x506000082e38, group=0x503000b4e440, group_tlvs=0x7fff68702c20)
at ../../hw/net/rocker/rocker_of_dpa.c:2032
#6 0x0000555558108a74 in of_dpa_cmd_group_do (of_dpa=0x506000082e38, group_id=1073741824, group=0x503000b4e440, group_tlvs=0x7fff68702c20)
at ../../hw/net/rocker/rocker_of_dpa.c:2115
#7 0x0000555558108730 in of_dpa_cmd_group_add (of_dpa=0x506000082e38, group_id=1073741824, group_tlvs=0x7fff68702c20)
at ../../hw/net/rocker/rocker_of_dpa.c:2135
#8 0x00005555580f66ec in of_dpa_group_cmd
(of_dpa=0x506000082e38, info=0x514000072e40, buf=0x5070002356c0 "\001", cmd=7, group_tlvs=0x7fff68702c20)
at ../../hw/net/rocker/rocker_of_dpa.c:2194
Check for NULL values and return an error.
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/1851
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
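As an added example (not QEMU's rocker code), the pattern the commit message describes: a nested-TLV parser that fills a pointer array by attribute type, leaving absent attributes NULL, and a consumer that checks for NULL before reading a group ID. The wire format, attribute numbering and helper names are constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Wire format (constructed for this example, netlink-style): each TLV is a
 * 4-byte header, little-endian u16 length (header included) followed by a
 * u16 type, then the payload, padded to a 4-byte boundary. */
#define TLV_HDR_LEN   4
#define TLV_ALIGN(n)  (((n) + 3u) & ~3u)
#define MAX_ATTR      4

/* Attribute types the flood command expects (hypothetical numbering). */
enum { ATTR_GROUP_ID_A = 1, ATTR_GROUP_ID_B = 2, ATTR_GROUP_ID_C = 3 };

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Fill tlvs[0..ntypes) with pointers into buf.  Parsing stops at the first
 * malformed header; a type that never appears stays NULL, which is exactly
 * the condition the consumer must check before dereferencing. */
static void tlv_parse_nested(const uint8_t **tlvs, size_t ntypes,
                             const uint8_t *buf, size_t len)
{
    size_t off = 0;
    memset(tlvs, 0, ntypes * sizeof(*tlvs));
    while (off + TLV_HDR_LEN <= len) {
        uint16_t tlen = rd16le(buf + off);
        uint16_t type = rd16le(buf + off + 2);
        if (tlen < TLV_HDR_LEN || off + tlen > len) {
            break;                      /* truncated or bogus length */
        }
        if (type < ntypes) {
            tlvs[type] = buf + off;
        }
        off += TLV_ALIGN(tlen);
    }
}

/* Read a u32 payload; the caller must already know tlv is non-NULL. */
static int tlv_get_le32(const uint8_t *tlv, uint32_t *out)
{
    if (rd16le(tlv) < TLV_HDR_LEN + 4) {
        return -EINVAL;                 /* payload too short for a u32 */
    }
    *out = rd32le(tlv + TLV_HDR_LEN);
    return 0;
}

/* Consumer, hardened form: returns -EINVAL for any missing or short group
 * ID instead of handing a NULL pointer to tlv_get_le32(). */
static int add_l2_flood(const uint8_t *cmd, size_t len, uint32_t ids[3])
{
    const uint8_t *tlvs[MAX_ATTR];
    static const int wanted[3] = { ATTR_GROUP_ID_A, ATTR_GROUP_ID_B, ATTR_GROUP_ID_C };

    tlv_parse_nested(tlvs, MAX_ATTR, cmd, len);
    for (int i = 0; i < 3; i++) {
        /* This is the check the original code path forgot. */
        if (!tlvs[wanted[i]]) {
            return -EINVAL;
        }
        if (tlv_get_le32(tlvs[wanted[i]], &ids[i]) < 0) {
            return -EINVAL;
        }
    }
    return 0;
}

/* Builds a constructed guest command: appends one u32 attribute. */
static size_t tlv_put_u32(uint8_t *buf, size_t off, uint16_t type, uint32_t val)
{
    buf[off] = 8; buf[off + 1] = 0;                          /* len = 8 */
    buf[off + 2] = (uint8_t)type; buf[off + 3] = (uint8_t)(type >> 8);
    for (int i = 0; i < 4; i++) {
        buf[off + 4 + i] = (uint8_t)(val >> (8 * i));
    }
    return off + 8;
}

/* Well-formed command with all three group IDs present. */
static int run_valid(uint32_t ids[3])
{
    uint8_t buf[64]; size_t n = 0;
    n = tlv_put_u32(buf, n, ATTR_GROUP_ID_A, 0x40000001);
    n = tlv_put_u32(buf, n, ATTR_GROUP_ID_B, 0x40000002);
    n = tlv_put_u32(buf, n, ATTR_GROUP_ID_C, 0x40000003);
    return add_l2_flood(buf, n, ids);
}

/* Bogus command missing ATTR_GROUP_ID_B: rejected, no NULL dereference. */
static int run_missing_attr(uint32_t ids[3])
{
    uint8_t buf[64]; size_t n = 0;
    n = tlv_put_u32(buf, n, ATTR_GROUP_ID_A, 0x40000001);
    n = tlv_put_u32(buf, n, ATTR_GROUP_ID_C, 0x40000003);
    return add_l2_flood(buf, n, ids);
}
```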
Alex Bennée [Tue, 26 May 2026 11:02:36 +0000 (12:02 +0100)]
gitlab: update issue template for binary test cases
Binary test cases are sketchy because they can be vectors for phishing
and other malware. Let's strongly hint that source-based tests are
preferred and binaries should have their provenance declared.
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20260526110243.470002-9-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Alex Bennée [Tue, 26 May 2026 11:02:34 +0000 (12:02 +0100)]
gitlab: add initial MacOS 15 on gitlab runner
The gitlab runners are currently in beta but available to projects on
the Premium and Ultimate plans (which QEMU is via the Open Source
program).
We install some compilers via brew so we can run some of the check-tcg
softmmu test cases.
We disable rust as the version is too old.
We disable plugins because we haven't taught the test harness about
.dynlib vs .so yet.
There is a discrepancy between the vars and version of MacOS because
lcitool needs teaching about other versions (although I don't think it
matters as brew is shared across versions).
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-ID: <20260526110243.470002-7-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Alex Bennée [Tue, 26 May 2026 11:02:32 +0000 (12:02 +0100)]
accel/tcg: move jit thread manipulation into do_tb_phys_invalidate
To invalidate a TB on MacOS we need to enable write access to the JIT
buffer. We were doing this for tb_phys_invalidate__locked but that is
not the only path into do_tb_phys_invalidate. Move the manipulation
into the shared function that does the work.
As a result we can drop the tb_phys_invalidate__locked function and
update the calls directly.
This enables watchpoints to work in MacOS TCG guests.
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3444
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260526110243.470002-5-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Alex Bennée [Tue, 26 May 2026 11:02:31 +0000 (12:02 +0100)]
tests/Makefile.include: add binary dependency to run-tcg-tests-% rules
Explicitly set the appropriate QEMU binary as a dependency so we can
ensure they get built. This is especially important for MacOS which
otherwise only builds the unsigned binaries on a normal "make all"
run.
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Message-ID: <20260526110243.470002-4-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Andrew Jones <andrew.jones@oss.qualcomm.com>
Message-Id: <20260528083920.33105-1-philmd@linaro.org>
Peter Maydell [Thu, 21 May 2026 18:08:54 +0000 (19:08 +0100)]
target/arm: SME BFCVT, BFCVTN have "Alternate BFloat16 behaviors"
The Arm ARM A1.5.10 notes that some instructions have "Alternate
Bfloat16 behaviors" when FPCR.AH == 1. We implement these using the
FPST_AH and FPST_AH_F16 fp_status words. The list includes the SME
BFCVT (single-precision to BFloat16) and BFCVTN, but we forgot to
make those use FPST_AH_F16 when we implemented them. (We get the
ASIMD and SVE insns on the list right.)
Peter Maydell [Thu, 28 May 2026 16:24:12 +0000 (17:24 +0100)]
target/arm: Don't assert if 64-bit EL2 AT insn sees a Domain fault
The Domain fault type can only happen for 32-bit short-format
descriptors. This means that it almost never needs to be encoded in
a long-format fault status code. However, there is one corner case
where we do need to report it as a long-format FSC: if a 64-bit EL2
does an AT insn on an AArch32 EL1&0 translation regime that is using
short-descriptors and that translation operation hits a Domain fault,
then this is reported in the PAR_EL1 in long-format.
The PAR_EL1 register description defines that this should be reported
as 0b111101 for a level 1 Domain fault or 0b111110 for a level 2
Domain fault.
The Arm ARM pseudocode special cases this in the function
AArch64_PARFaultStatus() (because no other "fault to LFSC" code path
can be a Domain fault). For QEMU, implement it in arm_fi_to_lfsc().
Cc: qemu-stable@nongnu.org
Fixes: 1fa498fe0de97 ("target/arm: Provide fault type enum and FSR conversion functions")
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3512
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260526174155.2491217-1-peter.maydell@linaro.org
Quan Sun [Fri, 22 May 2026 20:18:50 +0000 (13:18 -0700)]
meson: fix close_range detection on older glibc
The has_function('close_range') check succeeds at link time on hosts
with kernel >= 5.9 even when glibc does not declare the function
(glibc < 2.34, e.g. AlmaLinux 8 / CentOS 8 with glibc 2.28). This
causes CONFIG_CLOSE_RANGE to be set, but compilation then fails with:
error: implicit declaration of function 'close_range'
Fix by adding a prefix that includes <unistd.h>, so the meson check
only succeeds when the C library actually declares close_range() in
its headers.
Signed-off-by: Quan Sun <Quan.Sun@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260522201850.1342167-1-Quan.Sun@windriver.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Thomas Huth [Mon, 18 May 2026 13:40:20 +0000 (15:40 +0200)]
system/qtest: Fix length parameter in the b64write code
The b64write code has a sanity check that the given length matches
the real length of the given data, and calculates the minimum of the
two values to be on the safe side. However, the address_space_write()
then uses the original value and ignores the calculated minimum. Use
out_len here to fix the problem.
Fixes: 70da30483e7 ("qtest: Use cpu address space instead of system memory")
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Message-ID: <20260518134020.1420932-1-thuth@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Thomas Huth [Mon, 18 May 2026 11:45:14 +0000 (13:45 +0200)]
system/vl: Free allocated memory for pid file name in case realpath() failed
In case realpath() fails, the code returns early in the function
qemu_maybe_daemonize(), without freeing the allocated memory. Add
a g_free() here to fix it.
And while we're at it, also free the memory in the qemu_unlink_pidfile()
function - it's not that important since QEMU is going to terminate anyway,
but some malloc sanitizers might still complain if we don't free it.
Fixes: dee2a4d4d2f ("vl: defuse PID file path resolve error")
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Fiona Ebner <f.ebner@proxmox.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260518114514.684401-1-thuth@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260518174750.660258-5-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260518174750.660258-4-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: var decl at top of function; add comment]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Compare and branch instructions, with various operand widths.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260518174750.660258-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: move var decl to top of function]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260518174750.660258-2-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:55 +0000 (09:33 +0200)]
hw/arm/xilinx_zynq: Split xilinx_zynq into header and implementation files
Create xilinx_zynq.h header file to expose ZynqMachineState and
related definitions for machine inheritance. This enables creation
of derived machines based on the Zynq platform.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260518073401.11279-11-corvin.koehne@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:54 +0000 (09:33 +0200)]
hw/block/m25p80: Add HAS_SR_TB flag for is25lp016d
The is25lp016d has 4 Block Write Protect Bits. BP3 specifies
whether the upper or lower range should be protected. Therefore,
we add the HAS_SR_TB flag to the is25lp016d flags.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260518073401.11279-10-corvin.koehne@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:52 +0000 (09:33 +0200)]
hw/misc/zynq_slcr: Add logic for DCI configuration
The registers for the digitally controlled impedance (DCI) clock are
part of the system level control registers (SLCR). The DONE bit in
the status register indicates a successful DCI calibration. A
description of the calibration process can be found here:
https://docs.amd.com/r/en-US/ug585-zynq-7000-SoC-TRM/DDR-IOB-Impedance-Calibration
The DCI control register and status register have been added. As soon
as the ENABLE and RESET bits are set, the RESET bit has also been toggled
to 0 before, and UPDATE_CONTROL is not set, the DONE bit in the status
register is set. If these bits change, the DONE bit is reset. Note that the
option bits are not taken into consideration.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Message-id: 20260518073401.11279-8-corvin.koehne@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:51 +0000 (09:33 +0200)]
hw/misc: Add dummy ZYNQ DDR controller
A dummy DDR controller for ZYNQ has been added. While all registers are present,
not all are functional. Read and write access is validated, and the user mode
can be set. This provides a basic DDR controller initialization, preventing
system hangs due to endless polling or similar issues.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com>
Message-id: 20260518073401.11279-7-corvin.koehne@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:50 +0000 (09:33 +0200)]
hw/dma/zynq-devcfg: Indicate power-up status of PL
It is assumed that the programmable logic (PL) is always powered
during emulation. Therefore the PCFG_POR_B bit in the MCTRL register
is set.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Message-id: 20260518073401.11279-6-corvin.koehne@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:49 +0000 (09:33 +0200)]
hw/dma/zynq-devcfg: Simulate dummy PL reset
Setting PCFG_PROG_B should reset the PL. After a reset PCFG_INIT
should indicate that the reset has finished successfully.
In order to add an MMIO device as part of the PL in the Zynq, the
reset logic must succeed. The PCFG_INIT flag is now set when the
PL reset is triggered by PCFG_PROG_B, indicating the reset was
successful.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Message-id: 20260518073401.11279-5-corvin.koehne@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:48 +0000 (09:33 +0200)]
hw/dma/zynq: Ensure PCFG_DONE bit remains set to indicate PL is in user mode
All register bits are cleared on write by writing 1s to those bits; however,
the register bits will only be cleared if the condition that sets the
interrupt flag is no longer true. Since we can assume that programming
is always done, the `PCFG_DONE` flag is always set to 1, so it will
never be cleared.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Message-id: 20260518073401.11279-4-corvin.koehne@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:47 +0000 (09:33 +0200)]
hw/arm/zynq-devcfg: Prevent unintended unlock during initialization
During the emulation startup, all registers are reset, which triggers the
`r_unlock_post_write` function with a value of 0. This led to an
unintended memory access disable, making the devcfg unusable.
During startup, the memory space no longer gets locked.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Message-id: 20260518073401.11279-3-corvin.koehne@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
YannickV [Mon, 18 May 2026 07:33:46 +0000 (09:33 +0200)]
hw/dma/zynq-devcfg: Handle bitstream loading via DMA to 0xffffffff
A DMA transfer to destination address `0xffffffff` should trigger a
bitstream load via the PCAP interface. Currently, this case is not
intercepted, causing loaders to enter an infinite loop when polling
the status register.
This commit adds a check for `0xffffffff` as the destination address.
If detected, the relevant status register bits (`DMA_DONE`,
`DMA_P_DONE`, and `PCFG_DONE`) are set to indicate a successful
bitstream load. If the address is different, the DMA transfer proceeds
as usual. A successful load is indicated but nothing is actually
done. Guests relying on FPGA functions are still known to fail.
This feature is required for the integration of the Beckhoff
CX7200 model.
Signed-off-by: YannickV <Y.Vossen@beckhoff.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Message-id: 20260518073401.11279-2-corvin.koehne@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Stefan Hajnoczi [Wed, 27 May 2026 18:45:58 +0000 (14:45 -0400)]
Merge tag 'pull-vfio-20260527' of https://github.com/legoater/qemu into staging
vfio queue:
* Fix vfio-user: container disconnect on device info query failure,
reject zero DMA and migration page size capabilities
* Fix dma_map_file() to avoid DMA against MAP_PRIVATE RAMBlocks
* Remove unused vfio_region_unmap()
* Update linux-headers to Linux v7.1-rc4
* Mark Multi-process QEMU as Odd Fixes in MAINTAINERS
* tag 'pull-vfio-20260527' of https://github.com/legoater/qemu:
vfio/container: Restrict dma_map_file() to shared RAM or RAM devices
vfio-user: reject zero migration page size capability
vfio-user: reject zero DMA page size capability
vfio-user: disconnect container when device info query fails
vfio: Clean up vfio_region_unmap()
linux-headers: Update to Linux v7.1-rc4
MAINTAINERS: Mark Multi-process QEMU as Odd Fixes
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* tag 'single-binary-20260527' of https://github.com/philmd/qemu: (32 commits)
MAINTAINERS: Update PhilMD's email address
MAINTAINERS: update qualcomm git tree URL
MAINTAINERS: Remove PhilMD from firmware sections
tests/tcg: Explicitly check for 64-bit z/Architecture
target/arm: Build cpu-max.c once
target/arm: Build cpu32-system.o as common object
target/arm: Define 'max' CPU type in cpu-max.c
target/arm: Re-use common aarch64_aa32_a57_init() helper
target/arm: Factor aarch64_aa32_a57_init() out
target/arm: Only set %kvm_target when KVM is enabled
target/arm: Implement DBGDEVID* registers in max AArch32 CPU
target/arm: Use make_ccsidr(LEGACY) in 32 bit 'max' CPU type
target/arm: Extract common code related to 'max' CPU
target/arm: Build cpu64.o as common object
target/arm: Build gdbstub64.o as common object
target/arm: Introduce common system/user meson source set
hw/arm/meson: Remove now unused arm_ss[] source set
hw/arm/aspeed: Build objects once
hw/arm/aspeed: Do not realize 64-bit CPU types under QTest
hw/arm/raspi: Build objects once
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
tests/tcg: Explicitly check for 64-bit z/Architecture
We do not support the 32-bit ESA/390 target, only the
64-bit z/Architecture.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20260519171240.97420-5-philmd@linaro.org>
Call TargetInfo::target_aarch64() at runtime, allowing us to
remove the target-specific TARGET_AARCH64 definition and
build cpu-max.c once as a common object.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-18-philmd@linaro.org>
cpu32.c only contains CPU types used in 32-bit system emulation:
rename it as cpu32-system.c; always compile the file but only
register the QOM types for the 32-bit binary.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-17-philmd@linaro.org>
Rather than having the 32-bit 'max' CPU type defined in
cpu32.c and the 64-bit counterpart in cpu64.c, unify the
code in a single place in cpu-max.c. Define stubs for
aarch64_host_initfn() and aarch64_max_tcg_initfn() in the
32-bit binary.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-16-philmd@linaro.org>
In order to make the following commit easier to review,
factor aarch64_aa32_a57_init() out of aarch64_a57_initfn()
as a preliminary step. We only add a %aa32_only argument
to restrict AArch64 features.
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-14-philmd@linaro.org>
target/arm: Implement DBGDEVID* registers in max AArch32 CPU
32-bit ARM max CPU is a 'Cortex-A57 advertising none of the AArch64
features'. Keep it as close as possible as the A57, by implementing
the debug ID registers, following the changes in aarch64_a57_initfn
added by commits 48eb3ae64b3 ("target-arm: Adjust debug ID registers
per-CPU") and 09754ca867f ("target/arm: Implement AArch32 DBGDEVID,
DBGDEVID1, DBGDEVID2").
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-12-philmd@linaro.org>
target/arm: Use make_ccsidr(LEGACY) in 32 bit 'max' CPU type
Commit 676624d757a ("target/arm/tcg: refine cache descriptions
with a wrapper") added the make_ccsidr() helper. Use it. Besides
being simpler to review, it also makes arm_max_initfn() more in
line with aarch64_a57_initfn(), which it almost duplicates.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-11-philmd@linaro.org>
target/arm: Extract common code related to 'max' CPU
Extract common code related to 'max' CPU. This commit only
moves code used by the 32-bit 'max' CPU, but we will soon add
the 64-bit counterpart, so name it generically as "cpu-max.c".
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-10-philmd@linaro.org>
Commit 064f1ce95fe ("hw/arm/aspeed: Split AST2700 EVB
machine into a separate source file for maintainability")
removed the last TARGET_AARCH64 use.
Now that Aspeed machines can be filtered when running a
qemu-system-arm or qemu-system-aarch64 binary, we can
compile the aspeed.c file once, moving it from the arm_ss[]
source set to arm_common_ss[].
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-5-philmd@linaro.org>
hw/arm/aspeed: Do not realize 64-bit CPU types under QTest
aspeed_ast27x0.c models 2 similar SoCs based on a 64-bit only
CPU (Cortex-A35), only available in the 64-bit binary.
If we build this file as a common object, these SoCs become
available in both 32 and 64-bit binaries; however when running
the introspection test on the 32-bit binary, the init() method
tries to init the Cortex-A35 type -- although not realizing it
-- which is not available. Simply skip CPU initialization when
running QTests on a 32-bit binary, asserting the realization
step is not reached.
Suggested-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-4-philmd@linaro.org>
Now that Raspi machines can be filtered when running a
qemu-system-arm or qemu-system-aarch64 binary, we can
remove the TARGET_AARCH64 #ifdef'ry and compile the
aspeed.c file once, moving it from the arm_ss[] source set
to arm_common_ss[]. Note, we expose the TYPE_BCM2837
and TYPE_BCM2838 types to qemu-system-arm, but they are
not user-creatable, so not an issue.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-3-philmd@linaro.org>
hw/arm/raspi: Initialize 64-bit CPU types during DeviceRealize()
bcm2836.c models 3 similar SoCs: BCM2835, BCM2836 and BCM2837.
The BCM2837 is a 64-bit only SoC (Cortex-A53), only available
in the 64-bit binary.
If we build this file as a common object, all BCM SoCs become
available in both 32 and 64-bit binaries; however when running
the introspection test on the 32-bit binary, the BCM2837 init()
method tries to init the Cortex-A53 type -- although not
realizing it -- which is not available. This can be avoided by
deferring the CPU type initialization to the SoC DeviceRealize
step (this is safe because nothing uses the CPU type before;
only the GIC accesses them, just after their realization).
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@oss.qualcomm.com>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20260526203722.79463-2-philmd@linaro.org>
Chenyi Qiang [Wed, 27 May 2026 10:11:08 +0000 (18:11 +0800)]
vfio/container: Restrict dma_map_file() to shared RAM or RAM devices
vfio_container_dma_map() uses dma_map_file() whenever a RAMBlock has an
fd and the VFIO IOMMU backend supports file-based DMA mapping. That is
not correct for private file-backed guest RAM.
dma_map_file() resolves PFNs from the backing file, but private guest
RAM mappings (MAP_PRIVATE) can run on different PFNs than the file
because they are subject to copy-on-write (COW) anomalies. As a result,
using dma_map_file() on a privately mapped RAMBlock can program DMA
against pages that do not back QEMU's actual guest memory.
Fix this by using dma_map_file() only for shared mapped RAMBlocks
(MAP_SHARED) or RAM device regions.
Fixes: fb32965b6dd8 ("vfio/iommufd: use IOMMU_IOAS_MAP_FILE")
Reported-by: Farrah Chen <farrah.chen@intel.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220776
Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Suggested-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
Link: https://lore.kernel.org/qemu-devel/20260527101109.71781-1-chenyi.qiang@intel.com
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Anton Blanchard [Thu, 21 May 2026 11:08:24 +0000 (11:08 +0000)]
target/riscv: Use float_raise
Use float_raise instead of open coding it.
Signed-off-by: Anton Blanchard <antonb@tenstorrent.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Max Chou <max.chou@sifive.com>
Message-ID: <20260521110824.1091323-1-antonb@tenstorrent.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
target/riscv: Define MSTATUS_SBE and MSTATUS_MBE bit masks
Add the RISC-V privileged ISA defined bit positions for the Supervisor
Big-Endian (SBE, bit 36) and Machine Big-Endian (MBE, bit 37) fields
in the mstatus register. These are used alongside the existing
MSTATUS_UBE (bit 6) to control data endianness at each privilege level.
The MSTATUS_UBE definition was already present, but SBE and MBE were
missing.
Signed-off-by: Djordje Todorovic <djordje.todorovic@htecgroup.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260527083151.17876-2-djordje.todorovic@htecgroup.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
GuoHan Zhao [Fri, 22 May 2026 08:13:06 +0000 (16:13 +0800)]
vfio-user: reject zero migration page size capability
check_migr_pgsize() validates that no page-size bits smaller than
VFIO_USER_DEF_PGSIZE are set, but it still accepts pgsize=0. This can replace
the default migration page size with an unusable value.
Reject a zero migration page size during version capability parsing, matching
the lower-bound check used for the DMA page-size capability.
GuoHan Zhao [Fri, 22 May 2026 08:13:05 +0000 (16:13 +0800)]
vfio-user: reject zero DMA page size capability
check_pgsizes() validates that no page-size bits smaller than
VFIO_USER_DEF_PGSIZE are set, but it still accepts pgsizes=0. This lets a
malformed server overwrite the default page-size mask with zero.
Later vfio_user_setup() asserts that proxy->dma_pgsizes is non-zero, so device
realization aborts instead of reporting a version capability error. Reject a
zero DMA page-size mask during version capability parsing.
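An added example (not QEMU's vfio-user code) covering both page-size capability fixes above: the check as the commit messages describe it, which rejects bits below the default page size but lets an all-zero mask through, next to the hardened form, and a small stand-in for the capability-parsing step that shows how the zero mask would otherwise replace the default. The default page size value and all function names are assumptions for this example.

```c
#include <errno.h>
#include <stdint.h>

/* Assumed default page size for the example; the real VFIO_USER_DEF_PGSIZE
 * value is not quoted on this page. */
#define DEF_PGSIZE 4096ULL

/* Weak form, as described in the commit messages: rejects any page-size bit
 * smaller than the default, but a mask of zero has no such bit and passes. */
static int check_pgsizes_weak(uint64_t pgsizes)
{
    if (pgsizes & (DEF_PGSIZE - 1)) {
        return -EINVAL;
    }
    return 0;
}

/* Hardened form: a peer-supplied mask must also be non-zero, otherwise it
 * would replace the default with an unusable value and fail later at setup
 * instead of being reported as a capability error here. */
static int check_pgsizes(uint64_t pgsizes)
{
    if (pgsizes == 0) {
        return -EINVAL;
    }
    if (pgsizes & (DEF_PGSIZE - 1)) {
        return -EINVAL;
    }
    return 0;
}

/* Stand-in for the version capability parsing step: on success the offered
 * mask replaces the effective one; on failure the default is left intact. */
static int apply_pgsize_cap(uint64_t *effective, uint64_t offered,
                            int (*check)(uint64_t))
{
    int ret = check(offered);
    if (ret < 0) {
        return ret;
    }
    *effective = offered;
    return 0;
}
```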
GuoHan Zhao [Fri, 22 May 2026 06:56:37 +0000 (14:56 +0800)]
vfio-user: disconnect container when device info query fails
vfio_user_device_attach() connects the vfio-user container before querying
VFIO_USER_DEVICE_GET_INFO. If the device info query fails,
vfio_device_prepare() has not run yet, so vbasedev->bcontainer is still
NULL and the later vfio_device_detach() cleanup path cannot reach the new
container.
Disconnect the container before returning the attach failure so the listener,
RAM discard state, object reference and address space reference are released
on this error path.
Cédric Le Goater [Thu, 21 May 2026 08:14:09 +0000 (10:14 +0200)]
linux-headers: Update to Linux v7.1-rc4
Update headers to retrieve new IOMMUFD capabilities (ATS not-supported),
VFIO migration flags (VFIO_PRECOPY_INFO_REINIT flag and
VFIO_DEVICE_FEATURE_MIG_PRECOPY_INFOv2), KVM caps for LoongArch and
more.
Cc: Avihai Horon <avihaih@nvidia.com>
Cc: Song Gao <gaosong@loongson.cn>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Cornelia Huck <cohuck@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Link: https://lore.kernel.org/qemu-devel/20260521081409.1843075-1-clg@redhat.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Anton Johansson [Wed, 7 May 2025 10:46:51 +0000 (12:46 +0200)]
target-info: Add target_riscv64()
Adds a helper function to tell if the binary is targeting riscv64 or
not.
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Signed-off-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20260520-hw-riscv-cpu-int-v3-7-d1123ea63d9c@rev.ng>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Anton Johansson [Wed, 30 Apr 2025 12:17:46 +0000 (14:17 +0200)]
configs/target: Implement per-binary TargetInfo structure for riscv
Defines TargetInfo for 32- and 64-bit riscv binaries.
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Signed-off-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20260520-hw-riscv-cpu-int-v3-6-d1123ea63d9c@rev.ng>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
The Spike RISC-V ISA Simulator aims for maximum coverage,
so can start with the 'max' CPU type by default.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20260526095731.63525-2-philmd@linaro.org>
Anton Johansson [Wed, 30 Apr 2025 12:16:51 +0000 (14:16 +0200)]
hw/riscv: Filter machine types for qemu-system-riscv32/64 binaries
Register machines able to run in qemu-system-riscv32,
qemu-system-riscv64, or both.
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Signed-off-by: Anton Johansson <anjo@rev.ng>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20260520-hw-riscv-cpu-int-v3-4-d1123ea63d9c@rev.ng>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Anton Johansson [Mon, 15 Dec 2025 11:39:02 +0000 (12:39 +0100)]
hw/core: Add riscv[32|64] to "none" machine
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Signed-off-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20260520-hw-riscv-cpu-int-v3-5-d1123ea63d9c@rev.ng>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Anton Johansson [Wed, 30 Apr 2025 11:44:17 +0000 (13:44 +0200)]
hw/riscv: Add macros and globals for simplifying machine definitions
Adds macros and global interfaces for defining machines available only
in qemu-system-riscv32, qemu-system-riscv64, or both.
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Signed-off-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20260520-hw-riscv-cpu-int-v3-3-d1123ea63d9c@rev.ng>
[PMD: Constify InterfaceInfo]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Defines generic 32- and 64-bit riscv machine interfaces for machines to
implement.
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Signed-off-by: Anton Johansson <anjo@rev.ng>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20260520-hw-riscv-cpu-int-v3-1-d1123ea63d9c@rev.ng>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Stefan Hajnoczi [Tue, 26 May 2026 17:20:15 +0000 (13:20 -0400)]
Merge tag 'pull-target-arm-20260526' of https://gitlab.com/pm215/qemu into staging
target-arm queue:
* hw/timer/mss_timer: Remove dead code in timer_write()
* OMAP: Remove various pieces of dead code
* target/arm: Set debug in attrs in translate_for_debug()
* target/arm/ptw: Flip sense of get_phys_addr_* return values
* tests/functional/aarch64: Bump up timeout on vbsa
* target/arm: Fix minor FEAT_AFP corner case bugs
* target/arm: Implement FEAT_FAMINMAX
* target/arm: Implement FEAT_FPMR
* target/arm: Some initial patches towards other FP8 features
* tag 'pull-target-arm-20260526' of https://gitlab.com/pm215/qemu: (54 commits)
target/arm: Move vectors_overlap to vec_internal.h
target/arm: Split vector-type.h from cpu.h
target/arm: Implement FSCALE for SME
target/arm: Implement FSCALE for AdvSIMD
target/arm: Add isar_feature_aa64_f8cvt
target/arm: Implement ID_AA64FPFR0
target/arm: Enable FEAT_FPMR for -cpu max
linux-user/aarch64: Implement FPMR signal frames
target/arm: Dump FPMR when present
tests/functional/aarch64/rme: update images to support FEAT_FP8
target/arm: Trap direct accesses to FPMR
target/arm: Add FPMR_EL to TBFLAGS
target/arm: Clear FPMR on ResetSVEState
target/arm: Enable EnFPM bits for FEAT_FPMR
target/arm: Update SCTLR bits for FEAT_FPMR
target/arm: Introduce FPMR
target/arm: Update HCRX bits for Arm ARM M.a.a
target/arm: Update SCR bits for Arm ARM M.a.a
target/arm: Enable FEAT_FAMINMAX for -cpu max
target/arm: Implement FEAT_FAMINMAX for SVE
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Stefan Hajnoczi [Tue, 26 May 2026 17:19:51 +0000 (13:19 -0400)]
Merge tag 'pull-aspeed-20260526' of https://github.com/legoater/qemu into staging
aspeed queue:
* Fix AST2600 RNG register definitions
* Add a USB EHCI functional test to the AST2600 SDK machine test
* Add a new anacapa-bmc machine (Meta/Facebook AST2600)
* Refactor SRAM to support AST1040 memory layout
* Add a new AST1040 Bridge IC SoC model and EVB machine
* Convert all Aspeed device models to use the Resettable
interface
* tag 'pull-aspeed-20260526' of https://github.com/legoater/qemu: (37 commits)
hw/i2c/aspeed_i2c: convert to use Resettable interface
hw/adc/aspeed_adc: convert to use Resettable interface
hw/rtc/aspeed_rtc: convert to use Resettable interface
hw/fsi/aspeed_apb2opb: convert to use Resettable interface
hw/net/ftgmac100: convert to use Resettable interface
hw/watchdog/wdt_aspeed: convert to use Resettable interface
hw/i3c/aspeed_i3c: convert to use Resettable interface
hw/intc/aspeed_intc: convert to use Resettable interface
hw/intc/aspeed_vic: convert to use Resettable interface
hw/ssi/aspeed_smc: convert to use Resettable interface
hw/sd/aspeed_sdhci: convert to use Resettable interface
hw/gpio/aspeed_gpio: convert to use Resettable interface
hw/timer/aspeed_timer: convert to use Resettable interface
hw/pci-host/aspeed_pcie: convert to use Resettable interface
hw/misc/aspeed_ltpi: convert to use Resettable interface
hw/misc/aspeed_scu: convert to use Resettable interface
hw/misc/aspeed_sdmc: convert to use Resettable interface
hw/misc/aspeed_lpc: convert to use Resettable interface
hw/misc/aspeed_xdma: convert to use Resettable interface
hw/misc/aspeed_sbc: convert to use Resettable interface
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* tag 'ui-pull-request' of https://gitlab.com/marcandre.lureau/qemu: (38 commits)
ui/gtk: Fix focus loss on re-attachment with single VC
ui/input: Remove unused QKeyCode helpers and keymaps
ui/console: Remove qemu_text_console_put_qcode()
qemu-keymap: Use Linux key codes
ui/vnc: Use Linux key codes
ui/spice: Use Linux key codes
ui/sdl2: Use Linux key codes
ui/keymaps: Use Linux key codes
ui/input-linux: Use Linux key codes
ui/input-legacy: Use Linux key codes
ui/input-barrier: Use Linux key codes
ui/gtk: Use Linux key codes
ui/dbus: Use Linux key codes
ui/cocoa: Use Linux key codes
replay: Use Linux key codes
hw/m68k/next-kbd: Use Linux key codes
hw/input/virtio-input: Use Linux key codes
hw/input/ps2: Use Linux key codes
hw/input/hid: Use Linux key codes
hw/input/adb-kbd: Use Linux key codes
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
target/arm: Move vectors_overlap to vec_internal.h
We will shortly need this outside of sme_helper.c.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-24-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
We want to be able to reference ARMVectorType etc from
common code, so move it out of cpu.h.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-23-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-22-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-21-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-20-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-19-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-18-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>