| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Commit 638ac1c78457 introduced a regression in interrupt remapping
when running a VM configured with an intel-iommu device and an
assigned PCI VF. During boot, Linux reports repeated messages :
[ 15.416794] __common_interrupt: 2.37 No irq handler for vector
[ 15.417266] __common_interrupt: 2.37 No irq handler for vector
[ 15.417733] __common_interrupt: 2.37 No irq handler for vector
[ 15.418202] __common_interrupt: 2.37 No irq handler for vector
[ 15.418670] __common_interrupt: 2.37 No irq handler for vector
and may eventually hang.
The issue is caused by the incorrect use of the macro
ACCEL_KERNEL_GSI_IRQFD_POSSIBLE, which should instead be
ACCEL_GSI_IRQFD_POSSIBLE.
Fixes: 638ac1c78457 ("hw/intc: Generalize APIC helper names from kvm_* to accel_*")
Cc: Magnus Kulke <magnuskulke@linux.microsoft.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20251106105148.737093-1-clg@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
|
|
Function migrate_add_blocker will free the reason and set it to NULL
if failure is returned.
Signed-off-by: Bin Guo <guobin@linux.alibaba.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Link: https://lore.kernel.org/r/20251024205532.19883-1-guobin@linux.alibaba.com
Signed-off-by: Peter Xu <peterx@redhat.com>
|
|
This is needed for riscv based CPUs by MIPS since those may have
sparse hart-ID layouts. ACLINT and APLIC still assume a dense
range, and if a hart is missing, this causes NULL derefs.
Signed-off-by: Chao-ying Fu <cfu@mips.com>
Signed-off-by: Djordje Todorovic <djordje.todorovic@htecgroup.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20251018154522.745788-2-djordje.todorovic@htecgroup.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
|
|
4.5.4. Supervisor MSI address configuration (smsiaddrcfg and
smsiaddrcfgh)
smsiaddrcfgh:
bits 22:20 LHXS(WARL)
bits 11:0 High Base PPN(WARL)
Signed-off-by: Jialong Yang <z_bajeer@yeah.net>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <44f3e0d1.161.199d0c338b0.Coremail.z_bajeer@yeah.net>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Cc: qemu-stable@nongnu.org
|
|
Currently in arm_gicv3_icc_reset() we read the kernel's value of
ICC_CTLR_EL1 as part of resetting the CPU interface. This mostly
works, but we're actually breaking an assumption the kernel makes
that userspace only accesses the in-kernel GIC data when the VM is
totally paused, which may not be the case if a single vCPU is being
reset. The effect is that it's possible that the read attempt
returns EBUSY.
Avoid this by reading the kernel's value of the reset ICC_CTLR_EL1
once in device realize. This brings ICC_CTLR_EL1 into line with
the other cpuif registers, where we assume we know what the kernel
is resetting them to and just update QEMU's data structures in
arm_gicv3_icc_reset().
Reviewed-by: Salil Mehta <salil.mehta@huawei.com>
Tested-by: Salil Mehta <salil.mehta@huawei.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20251014102439.319915-1-peter.maydell@linaro.org
|
|
We don't generally like DPRINTF debug macros, preferring tracepoints.
In this case the macro is used in only three places (reset, realize,
and in the unlikely event the host kernel doesn't have GICv3 register
access support). These don't seem worth converting to tracepoints,
so simply delete the macro and its uses.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
|
|
The GIC distributor registers GICD_TYPER2 is present when the
GICv4.1 is implemented, and RES0 otherwise. QEMU's TCG implementation
is only GICv4.0, so this register is RES0. However, since it's
reasonable for GICv4.1-aware software to read the register, expecting
the zero for GICv3 and GICv4.0, implement the case to avoid it being
logged as an invalid guest read.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
|
|
As per the previous patch, the APIC instance is already available in
apic_msr_{read,write}, so it can be passed along. It turns out that
the call to cpu_get_current_apic() is only required in
apic_mem_{read,write}, so it has been moved there. Longer term,
cpu_get_current_apic() could be removed entirely if
apic_mem_{read,write} is tied to a CPU's local address space.
Signed-off-by: Bernhard Beschow <shentey@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20251019210303.104718-10-shentey@gmail.com>
[PMD: Move return after apic_send_msi() in apic_mem_write()]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
|
|
Avoids the `current_cpu` global and seems more robust by not "forgetting" the
own APIC and then re-determining it by cpu_get_current_apic() which uses the
global.
Signed-off-by: Bernhard Beschow <shentey@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20251019210303.104718-9-shentey@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
|
|
Makes the APIC API more type-safe by resolving quite a few APIC_COMMON
downcasts.
Like PICCommonState, the APICCommonState is now a public typedef while staying
an abstract datatype.
Signed-off-by: Bernhard Beschow <shentey@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20251019210303.104718-8-shentey@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
|
|
LoongArch virt machine uses GPEX PCIE host bridge rather than 7A host
bridge. Remove header file ls7a.h and put hardware information to file
include/hw/loongarch/virt.h
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Song Gao <gaosong@loongson.cn>
|
|
[commit message by YiFei Zhu]
A malicious kernel may control the instruction pointer in SMM in a
multi-processor VM by sending a sequence of IPIs via APIC:
CPU0 CPU1
IPI(CPU1, MODE_INIT)
x86_cpu_exec_reset()
apic_init_reset()
s->wait_for_sipi = true
IPI(CPU1, MODE_SMI)
do_smm_enter()
env->hflags |= HF_SMM_MASK;
IPI(CPU1, MODE_STARTUP, vector)
do_cpu_sipi()
apic_sipi()
/* s->wait_for_sipi check passes */
cpu_x86_load_seg_cache_sipi(vector)
A different sequence, SMI INIT SIPI, is also buggy in TCG because
INIT is not blocked or latched during SMM. However, it is not
vulnerable to an instruction pointer control in the same way because
x86_cpu_exec_reset clears env->hflags, exiting SMM.
Fixes: a9bad65d2c1f ("target-i386: wake up processors that receive an SMI")
Analyzed-by: YiFei Zhu <zhuyifei@google.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
* i386: fix migration issues in 10.1
* target/i386/mshv: new accelerator
* rust: use glib-sys-rs
* rust: fixes for docker tests
# -----BEGIN PGP SIGNATURE-----
#
# iQFIBAABCgAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmjnaOwUHHBib256aW5p
# QHJlZGhhdC5jb20ACgkQv/vSX3jHroNsFQf/WXKxZLLnItHwDz3UdwjzewPWpz5N
# fpS0E4C03J8pACDgyfl7PQl47P7NlJ08Ig2Lc5l3Z9KiAKgh0orR7Cqd0BY5f9lo
# uk4FgXfXpQyApywAlctadrTfcH8sRv2tMaP6EJ9coLtJtHW9RUGFPaZeMsqrjpAl
# TpwAXPYNDDvvy1ih1LPh5DzOPDXE4pin2tDa94gJei56gY95auK4zppoNYLdB3kR
# GOyR4QK43/yhuxPHOmQCZOE3HK2XrKgMZHWIjAovjZjZFiJs49FaHBOpRfFpsUlG
# PB3UbIMtu69VY20LqbbyInPnyATRQzqIGnDGTErP6lfCGTKTy2ulQYWvHA==
# =KM5O
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 09 Oct 2025 12:49:00 AM PDT
# gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg: issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [unknown]
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu: (35 commits)
rust: fix path to rust_root_crate.sh
tests/docker: make --enable-rust overridable with EXTRA_CONFIGURE_OPTS
MAINTAINERS: Add maintainers for mshv accelerator
docs: Add mshv to documentation
target/i386/mshv: Use preallocated page for hvcall
qapi/accel: Allow to query mshv capabilities
accel/mshv: Handle overlapping mem mappings
target/i386/mshv: Implement mshv_vcpu_run()
target/i386/mshv: Write MSRs to the hypervisor
target/i386/mshv: Integrate x86 instruction decoder/emulator
target/i386/mshv: Register MSRs with MSHV
target/i386/mshv: Register CPUID entries with MSHV
target/i386/mshv: Set local interrupt controller state
target/i386/mshv: Implement mshv_arch_put_registers()
target/i386/mshv: Implement mshv_get_special_regs()
target/i386/mshv: Implement mshv_get_standard_regs()
target/i386/mshv: Implement mshv_store_regs()
target/i386/mshv: Add CPU create and remove logic
accel/mshv: Add vCPU signal handling
accel/mshv: Add vCPU creation and execution loop
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
|
|
Create the MSHV virtual machine by opening a partition and issuing
the necessary ioctl to initialize it. This sets up the basic VM
structure and initial configuration used by MSHV to manage guest state.
Signed-off-by: Magnus Kulke <magnuskulke@linux.microsoft.com>
Link: https://lore.kernel.org/r/20250916164847.77883-10-magnuskulke@linux.microsoft.com
[Add stubs; fix format strings for trace-events; make mshv_hvcall
available only in per-target files; mshv.h/mshv_int.h split. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
Rename APIC helper functions to use an accel_* prefix instead of kvm_*
to support use by accelerators other than KVM. This is a preparatory
step for integrating MSHV support with common APIC logic.
Signed-off-by: Magnus Kulke <magnuskulke@linux.microsoft.com>
Link: https://lore.kernel.org/r/20250916164847.77883-5-magnuskulke@linux.microsoft.com
[Remove dead definition of mshv_msi_via_irqfd_enabled. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
Introduce a 'first-cpu-index' property for specifying the first QEMU CPU
connected to the GICv3. This makes it possible to have multiple instances
of the GICv3 connected to different CPU clusters.
For KVM, mark this property has unsupported. It probably does not make
much sense as it is intented to be used to model non-SMP systems.
Signed-off-by: Luc Michel <luc.michel@amd.com>
Signed-off-by: Francisco Iglesias <francisco.iglesias@amd.com>
Reviewed-by: Sai Pavan Boddu <sai.pavan.boddu@amd.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20250926070806.292065-24-luc.michel@amd.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
Fixes: 4d4baab24179 ("loongarch: add a direct interrupt controller device")
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
|
|
Migration/Memory Pull for 10.2
- PeterX's fix on tls warning for preempt channel when migratino completes
- Arun's series to enhance error reporting for vTPM and migration framework
- PeterX's patch to cleanup multifd send TLS BYE messages
- Juraj's fix on postcopy start state transition when switchover failed
- Yanfei's fix to migrate APIC before VFIO-PCI to avoid irq fallbacks
- Dan's cleanup to simplify error reporting in qemu_fill_buffer()
- PeterM's fix on address space leak when cpu hot plug / unplug
- Steve's cpr-exec wholeset
# -----BEGIN PGP SIGNATURE-----
#
# iIgEABYKADAWIQS5GE3CDMRX2s990ak7X8zN86vXBgUCaN/uIhIccGV0ZXJ4QHJl
# ZGhhdC5jb20ACgkQO1/MzfOr1wZ+mAEA1l2RS9sZS1W3vXQMCNb+Nu8Uo2p+e5Qj
# Uu6J0WVV+XsBANtzGZk2UM/frqlABywW3/ozJ4qBvIPKo758Mr6/lqUH
# =asUv
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 03 Oct 2025 08:39:14 AM PDT
# gpg: using EDDSA key B9184DC20CC457DACF7DD1A93B5FCCCDF3ABD706
# gpg: issuer "peterx@redhat.com"
# gpg: Good signature from "Peter Xu <xzpeter@gmail.com>" [unknown]
# gpg: aka "Peter Xu <peterx@redhat.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: B918 4DC2 0CC4 57DA CF7D D1A9 3B5F CCCD F3AB D706
* tag 'staging-pull-request' of https://gitlab.com/peterx/qemu: (45 commits)
migration-test: test cpr-exec
vfio: cpr-exec mode
migration: cpr-exec docs
migration: cpr-exec mode
migration: cpr-exec save and load
migration: cpr-exec-command parameter
oslib: qemu_clear_cloexec
migration: add cpr_walk_fd
migration: multi-mode notifier
migration: simplify error reporting after channel read
physmem: Destroy all CPU AddressSpaces on unrealize
memory: New AS helper to serialize destroy+free
include/system/memory.h: Clarify address_space_destroy() behaviour
migration: ensure APIC is loaded prior to VFIO PCI devices
migration: Fix state transition in postcopy_start() error handling
migration/multifd/tls: Cleanup BYE message processing on sender side
migration: HMP: Adjust the order of output fields
migration: Make migration_has_failed() work even for CANCELLING
io/crypto: Move tls premature termination handling into QIO layer
backends/tpm: Propagate vTPM error on migration failure
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
|
|
The load procedure of VFIO PCI devices involves setting up IRT
for each VFIO PCI devices. This requires determining whether an
interrupt is single-destination interrupt to decide between
Posted Interrupt(PI) or remapping mode for the IRTE. However,
determining this may require accessing the VM's APIC registers.
For example:
ioctl(vbasedev->fd, VFIO_DEVICE_SET_IRQS, irqs)
...
kvm_arch_irq_bypass_add_producer
kvm_x86_call(pi_update_irte)
vmx_pi_update_irte
kvm_intr_is_single_vcpu
If the LAPIC has not been loaded yet, interrupts will use remapping
mode. To prevent the fallback of interrupt mode, keep APIC is always
loaded prior to VFIO PCI devices.
Signed-off-by: Yicong Shen <shenyicong.1023@bytedance.com>
Signed-off-by: Yanfei Xu <yanfei.xu@bytedance.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Link: https://lore.kernel.org/r/20250818131127.1021648-1-yanfei.xu@bytedance.com
Signed-off-by: Peter Xu <peterx@redhat.com>
|
|
The current 'timecmp' field in vmstate_riscv_mtimer is insufficient to keep
timers functional after migration.
If an mtimer's entry in 'mtimer->timers' is active at the time the snapshot
is taken, it means riscv_aclint_mtimer_write_timecmp() has written to
'mtimecmp' and scheduled a timer into QEMU's main loop 'timer_list'.
During snapshot save, these active timers must also be migrated; otherwise,
after snapshot load there is no mechanism to restore 'mtimer->timers' back
into the 'timer_list', and any pending timer events would be lost.
QEMU's migration framework commonly uses VMSTATE_TIMER_xxx macros to save
and restore 'QEMUTimer' variables. However, 'timers' is a pointer array
with variable length, and vmstate.h did not previously provide a helper
macro for such type.
This commit adds a new macro, 'VMSTATE_TIMER_PTR_VARRAY', to handle saving
and restoring a variable-length array of 'QEMUTimer *'. We then use this
macro to migrate the 'mtimer->timers' array, ensuring that timer events
remain scheduled correctly after snapshot load.
Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com>
Signed-off-by: TANG Tiancheng <lyndra@linux.alibaba.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20250911-timers-v3-3-60508f640050@linux.alibaba.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
|
|
In QEMU's RISC-V ACLINT timer model, 'mtime' is not stored directly as a
state variable. It is computed on demand as:
mtime = rtc_r + time_delta
where:
- 'rtc_r' is the current VM virtual time (in ticks) obtained via
cpu_riscv_read_rtc_raw() from QEMU_CLOCK_VIRTUAL.
- 'time_delta' is an offset applied when the guest writes a new 'mtime'
value via riscv_aclint_mtimer_write():
time_delta = value - rtc_r
Under this design, 'rtc_r' is assumed to be monotonically increasing
during VM execution. Even if the guest writes an 'mtime' value smaller
than the current one (making 'time_delta' negative in signed arithmetic,
or underflow in unsigned arithmetic), the computed 'mtime' remains
correct because 'rtc_r_new > rtc_r_old':
mtime_new = rtc_r_new + (value - rtc_r_old)
However, this monotonicity assumption breaks on snapshot load.
Before restoring a snapshot, QEMU resets the guest, which calls
riscv_aclint_mtimer_reset_enter() to set 'mtime' to 0 and recompute
'time_delta' as:
time_delta = 0 - rtc_r_reset
Here, the time_delta differs from the value that was present when the
snapshot was saved. As a result, subsequent reads produce a fixed offset
from the true mtime.
This can be observed with the 'date' command inside the guest: after loading
a snapshot, the reported time appears "frozen" at the save point, and only
resumes correctly after the guest has run long enough to compensate for the
erroneous offset.
The fix is to treat 'time_delta' as part of the device's migratable
state and save/restore it via vmstate. This preserves the correct
relation between 'rtc_r' and 'mtime' across snapshot save/load, ensuring
'mtime' continues incrementing from the precise saved value after
restore.
Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Signed-off-by: TANG Tiancheng <lyndra@linux.alibaba.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20250911-timers-v3-1-60508f640050@linux.alibaba.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
|
|
https://gitlab.com/harshpb/qemu into staging
ppc queue for 20250928
* Support for PowerNV11 and PPE42 CPU/Machines.
* Deprecation of Power8E and Power8NVL
* Decodetree patches for some floating-point instructions
* Minor bug fixes, improvements in ppc/spapr/xive/xics.
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEa4EM1tK+EPOIPSFCRUTplPnWj7sFAmjZgYQACgkQRUTplPnW
# j7uNJQ/8Cbr3xqyCyyqL+MM+Ze1PbXe4xSgdg13A1sNU3IHTffB77DCQVOxjudUS
# uo+XHVFssc4SKDZYjEzXFnYpzRpbZzfcuhG4kgn9QQ3VyKP+2xe6kWLleDbB6ds1
# e9ZAW6Ryk4R3ZFLnZzGfEdltliaoIn6zy4R25oJfJUgIRt0Xz++GBxll+Tdr8Exy
# qstvvyyjeTiIS3kA1zk6fbhDRJKKBsA0L1G1Pk6AuTMKa1RRTCniA36idnGVFAuY
# ef8WCEQYQS0do9Ytai06Tp1QNRVMG2y+AsKbSQRMi92lFfn+qhvA29OJd5TNvXtp
# LNiIfXHo3jLjGBUP13iVN8b8udWdis9BayvA/OwDaKWgononEHb9nqJgzVJR4n7t
# DxxUxcSCiEXOpObtklrKhi1nDt16nXPZ/bnnreMSWzxHBZK1My7qnI3S0hA7c11z
# YgssB5wJbRaETaEVzQfWfAcSaPpXBzBEXOAJcbd+Ni6w9SxXz2OrhckTOvfrXpmI
# XQ1KFUCkmTtXF1qB+oEihlrvG2qjdGuleRZdyiktaM2psBFgN/2gHl3S+JjL9kiY
# 9FdBffr/2K604l7EQkAYWixe2WMMsjHVHpuxJ7opG7MMSXJZq9cXKIK+tbkSNoRO
# Ia6Qr6eWJWjFF3y4OZCbYAOVU77ez6lo7kRj0e99fOjxfI+UuWU=
# =Fjdq
# -----END PGP SIGNATURE-----
# gpg: Signature made Sun 28 Sep 2025 11:42:12 AM PDT
# gpg: using RSA key 6B810CD6D2BE10F3883D21424544E994F9D68FBB
# gpg: Good signature from "Harsh Prateek Bora <harsh.prateek.bora@gmail.com>" [undefined]
# gpg: aka "Harsh Prateek Bora <harshpb@linux.ibm.com>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6B81 0CD6 D2BE 10F3 883D 2142 4544 E994 F9D6 8FBB
* tag 'pull-ppc-for-20250928-20250929' of https://gitlab.com/harshpb/qemu: (27 commits)
target/ppc: use MAKE_64BIT_MASK for mcrfs exception clear mask
target/ppc: Deprecate Power8E and Power8NVL
target/ppc: Introduce macro for deprecating PowerPC CPUs
target/ppc: Move remaining floating-point move instructions to decodetree.
target/ppc: Move floating-point move instructions to decodetree.
target/ppc: Move floating-point compare instructions to decodetree.
target/ppc: Move floating-point rounding and conversion instructions to decodetree.
ppc/xive2: Fix integer overflow warning in xive2_redistribute()
ppc/spapr: init lrdr-capapcity phys with ram size if maxmem not provided
hw/intc/xics: Add missing call to register vmstate_icp_server
tests/functional: Add test for IBM PPE42 instructions
hw/ppc: Add a test machine for the IBM PPE42 CPU
hw/ppc: Support for an IBM PPE42 CPU decrementer
target/ppc: Add IBM PPE42 special instructions
target/ppc: Support for IBM PPE42 MMU
target/ppc: Add IBM PPE42 exception model
target/ppc: IBM PPE42 exception flags and regs
target/ppc: Add IBM PPE42 family of processors
target/ppc: IBM PPE42 general regs and flags
tests/powernv: Add PowerNV test for Power11
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
|
|
Coverity reported an integer overflow warning in xive2_redistribute()
where the code does a left shift operation "0xffffffff << crowd". Fix the
warning by using a 64 byte integer type. Also refactor the calculation
into dedicated routines.
Resolves: Coverity CID 1612608
Fixes: 555e446019f5 ("ppc/xive2: Support redistribution of group interrupts")
Reviewed-by: Glenn Miles <milesg@linux.ibm.com>
Signed-off-by: Gautam Menghani <gautam@linux.ibm.com>
Reviewed-by: Amit Machhiwal <amachhiw@linux.ibm.com>
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Link: https://lore.kernel.org/r/20250811074912.162774-1-gautam@linux.ibm.com
Message-ID: <20250811074912.162774-1-gautam@linux.ibm.com>
|
|
An obsolete wrapper function with a workaround was removed entirely,
without restoring the call it wrapped.
Without this, the guest is stuck after savevm/loadvm.
Fixes: 24ee9229fe31 ("ppc/spapr: remove deprecated machine pseries-2.9")
Signed-off-by: Fabian Vogt <fvogt@suse.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/qemu-devel/6187781.lOV4Wx5bFT@fvogt-thinkpad
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Gautam Menghani <gautam@linux.ibm.com>
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Link: https://lore.kernel.org/r/20250819223905.2247-2-farosas@suse.de
Message-ID: <20250819223905.2247-2-farosas@suse.de>
|
|
Existing code in XIVE2 assumes the chip to be a Power10 Chip.
Instead add a handler to get reference to the interrupt controller (XIVE)
for a given Power Chip.
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Tested-by: Amit Machhiwal <amachhiw@linux.ibm.com>
Tested-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Link: https://lore.kernel.org/r/20250925173049.891406-4-adityag@linux.ibm.com
Message-ID: <20250925173049.891406-4-adityag@linux.ibm.com>
|
|
when cpu added, connect dintc irq to cpu INT_DMSI irq pin.
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20250916122109.749813-12-gaosong@loongson.cn>
|
|
Implement dintc set irq and update CSR_MSGIS.
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20250916122109.749813-9-gaosong@loongson.cn>
|
|
Implement th DINTC realize and unrealize.
Signed-off-by: Song Gao <gaosong@loongson.cn>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Message-ID: <20250916122109.749813-8-gaosong@loongson.cn>
|
|
the DINTC use [2fe00000-2ff00000) Memory.
Signed-off-by: Song Gao <gaosong@loongson.cn>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Message-ID: <20250916122109.749813-7-gaosong@loongson.cn>
|
|
Add Loongarch direct interrupt controller device base Definition.
Signed-off-by: Song Gao <gaosong@loongson.cn>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Message-ID: <20250916122109.749813-5-gaosong@loongson.cn>
|
|
The last use of this interface was removed in 603bc048a27f
("hw/arm: Remove pxa2xx_pic"). As the comment in gicv3
stated, keeping pointer references to cpregs has SMP issues,
so avoid future temptation by removing the interface.
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
Let kvm related gic file out for now, as they are compiled only on
aarch64 hosts.
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250801174006.2466508-3-pierrick.bouvier@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
|
|
* hw/i386: split isapc from PCI boards
* cpu-exec, accel: remove BQL usage for interrupt_request != 0
* memory, hpet, pmtimer: introduce BQL-free PIO/MMIO
# -----BEGIN PGP SIGNATURE-----
#
# iQFIBAABCgAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmixiO4UHHBib256aW5p
# QHJlZGhhdC5jb20ACgkQv/vSX3jHroMTowf9EmIcSgFXrP8QR/rVQ+Z8+csR4md7
# QDzQwoDHaP9F/J728AoT/nDwwlfiHRbcH8AQbzzMrsmMnqhaWCFWD5snGelzPJAo
# BPaOa4eYvwgssW1apfxGgzae71B3Hbx/sMYHdRcUvBnvS6cKEcOcgK8pANuZGzGQ
# uRquCMvk14WhnQV/NFqr2PmtmxXjdDNefdi1RfpaPDEt4VZsh4B3afU+I+L4LvIQ
# NOPh0PbDk+BLRt2fRPgdwF6KqS5ajPEzKnBlS0uxSXKxpLOLM/2SNDOGDDVUrAwV
# ILrnchZrpxHsHwBCjaBhKZDTTQUcH0HUrZhRJbUPsg5feHRs3KoaFJjmCQ==
# =RMLB
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 29 Aug 2025 09:03:10 PM AEST
# gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg: issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [unknown]
# gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu: (28 commits)
tcg: move interrupt caching and single step masking closer to user
kvm: i386: irqchip: take BQL only if there is an interrupt
hpet: make main counter read lock-less
hpet: move out main counter read into a separate block
hpet: switch to fine-grained device locking
acpi: mark PMTIMER as unlocked
memory: reintroduce BQL-free fine-grained PIO/MMIO
add cpu_test_interrupt()/cpu_set_interrupt() helpers and use them tree wide
user-exec: ensure interrupt_request is not used
hw/i386/isapc.c: replace rom_memory with system_memory
hw/i386/pc_piix.c: replace rom_memory with pci_memory
hw/i386/pc_piix.c: remove unused headers after isapc machine split
hw/i386: move isapc machine to separate isapc.c file
hw/i386/pc_piix.c: assume pcmc->pci_enabled is always true in pc_init1()
hw/i386/pc_piix.c: always initialise ISA IDE drives in pc_init_isa()
hw/i386/pc_piix.c: remove pc_system_flash_cleanup_unused() from pc_init_isa()
hw/i386/pc_piix.c: hardcode hole64_size to 0 in pc_init_isa()
hw/i386/pc_piix.c: simplify RAM size logic in pc_init_isa()
hw/i386/pc_piix.c: remove nvdimm initialisation from pc_init_isa()
hw/i386/pc_piix.c: remove SGX initialisation from pc_init_isa()
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
|
|
Close a race condition that causes cpr-transfer to lose VFIO
interrupts on ARM.
CPR stops VCPUs but does not disable VFIO interrupts, which may continue
to arrive throughout the transition to new QEMU.
CPR calls kvm_irqchip_remove_irqfd_notifier_gsi in old QEMU to force
future interrupts to the producer eventfd, where they are preserved.
Old QEMU then destroys the old KVM instance. However, interrupts may
already be pending in KVM state. To preserve them, call ioctl
KVM_DEV_ARM_VGIC_SAVE_PENDING_TABLES to flush them to guest RAM, where
they will be picked up when the new KVM+VCPU instance is created.
Cc: qemu-stable@nongnu.org
Signed-off-by: Steve Sistare <steven.sistare@oracle.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Message-id: 1754936384-278328-1-git-send-email-steven.sistare@oracle.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
The helpers form load-acquire/store-release pair and ensure
that appropriate barriers are in place in case checks happen
outside of BQL.
Use them to replace open-coded checkers/setters across the code,
to make sure that barriers are not missed. Helpers also make code a
bit more readable.
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Jason J. Herne <jjherne@linux.ibm.com>
Link: https://lore.kernel.org/r/20250821155603.2422553-1-imammedo@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
When booting the Linux kernel from tests/functional/test_loongarch64_virt.py
with a QEMU that has been compiled with --enable-ubsan, there is
a warning like this:
.../hw/intc/loongarch_pch_pic.c:171:46: runtime error: index 512 out of
bounds for type 'uint8_t[64]' (aka 'unsigned char[64]')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
.../hw/intc/loongarch_pch_pic.c:171:46
.../hw/intc/loongarch_pch_pic.c:175:45: runtime error: index 256 out of
bounds for type 'uint8_t[64]' (aka 'unsigned char[64]')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
.../hw/intc/loongarch_pch_pic.c:175:45
It happens because "addr" is added first before substracting the base
(PCH_PIC_HTMSI_VEC or PCH_PIC_ROUTE_ENTRY).
Additionally, this code looks like it is not endianness safe, since
it uses a 64-bit pointer to write values into an array of 8-bit values.
Thus rework the code to use the stq_le_p / ldq_le_p helpers here
and make sure that we do not create pointers with undefined behavior
by accident.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Song Gao <gaosong@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
|
|
staging
target-arm queue:
* Add missing 64-bit PMCCNTR in AArch32 mode
* Reinstate bogus AArch32 DBGDTRTX register for migration compat
* fix big-endian handling of AArch64 FPU registers in gdbstub
* fix handling of setting SVE registers from gdbstub
* hw/intc/arm_gicv3_kvm: fix writing of enable/active/pending state to KVM
* hw/display/framebuffer: Add cast to force 64x64 multiply
* tests/tcg: Fix run for tests with specific plugin
# -----BEGIN PGP SIGNATURE-----
#
# iQJMBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmiM4mgZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3lH/D/iniJpHRVDVAvHcYe7vSgLl
# HHfdEro/lOJJbaktQwOwkSuyl5HFy3YoIg3/5K2kX40DRkeA/M1HWkaWpwpCUReV
# 6XS8fCDmxw5M0oncJsTD1cYxCAAHm/CSt2uvdwgHo6nU+vnEa85ml3Q57phLEkvl
# 2R6xjXDD2FY3Xi6l2Jvqhnx/y60D5YnZVo/G9jcwRI2kIvpwTxukge5rGRTeagzL
# fKwsgr8jThvWyzTJtd88n36uD8xiH8/IfHh+e0kGYfzPRjEGfN3rKh4OlyfRyv7D
# AVI8qgVz0ex7DEjJTCS2nNYmNhO8hTE+cybcsH6AU2e3V7/vqg3Lh0/1cWlmvGnR
# 8L0/RBy0exPI1kRABfjXPV4VtNSuByxp+F+s4LvUrxgnnbv29ldOnQNHn3BZJtZn
# OuuixZNa3/tJFa+2U20fPW+q2H9uhPhvLn5fhtCx1ucYONLMrWl3Z8Q3/qwbW+5e
# FR459UaVHUvqKDGL6cjnaQ3VclrsXngCbeBmLm7fDfniRf/4uIc3q6RzdwY3waj3
# t7D/+GmLwZzajEaCU1NcI+Uz+yO/wJhEXUtWAzm6xeowYfOEeZc1pRgGWSqy4qvi
# L9vKmZtRW5LvwLwpMLdcoB3BOIszSDy7AylX4onSWl3Vp3GYiOhYqv9OKlQoUGtu
# xjFCVDCB/0FPl9b+xoYK
# =lN06
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 01 Aug 2025 11:51:04 EDT
# gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg: issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [full]
# gpg: aka "Peter Maydell <pmaydell@gmail.com>" [full]
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [full]
# gpg: aka "Peter Maydell <peter@archaic.org.uk>" [unknown]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE
* tag 'pull-target-arm-20250801' of https://gitlab.com/pm215/qemu:
tests/tcg: Fix run for tests with specific plugin
target/arm: Fix handling of setting SVE registers from gdb
target/arm: Fix big-endian handling of NEON gdb remote debugging
target/arm: Reinstate bogus AArch32 DBGDTRTX register for migration compat
hw/display/framebuffer: Add cast to force 64x64 multiply
hw/intc/arm_gicv3_kvm: Write all 1's to clear enable/active
hw/intc/arm_gicv3_kvm: Remove writes to ICPENDR registers
target/arm: add support for 64-bit PMCCNTR in AArch32 mode
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
KVM's userspace access interface to the GICD enable and active bits
is via set/clear register pairs which implement the hardware's "write
1s to the clear register to clear the 0 bits, and write 1s to the set
register to set the 1 bits" semantics. We didn't get this right,
because we were writing 0 to the clear register.
Writing 0 to GICD_IC{ENABLE,ACTIVE}R architecturally has no effect on
interrupt status (all writes are simply ignored by KVM) and doesn't
comply with the intention of "first write to the clear-reg to clear
all bits".
Write all 1's to actually clear the enable/active status.
This didn't have any adverse effects on migration because there
we start with a clean VM state; it would be guest-visible when
doing a system reset, but since Linux always cleans up the
register state of the GIC during bootup before it enables it
most users won't have run into a problem here.
Cc: qemu-stable@nongnu.org
Fixes: 367b9f527bec ("hw/intc/arm_gicv3_kvm: Implement get/put functions")
Signed-off-by: Zenghui Yu <zenghui.yu@linux.dev>
Message-id: 20250729161650.43758-3-zenghui.yu@linux.dev
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
As per the arm-vgic-v3 kernel doc [1]:
Accesses to GICD_ICPENDR register region and GICR_ICPENDR0 registers
have RAZ/WI semantics, meaning that reads always return 0 and writes
are always ignored.
The state behind these registers (both 0 and 1 bits) is written by
writing to the GICD_ISPENDR and GICR_ISPENDR0 registers, unlike
some of the other set/clear register pairs.
Remove the useless writes to ICPENDR registers in kvm_arm_gicv3_put().
[1] https://docs.kernel.org/virt/kvm/devices/arm-vgic-v3.html
Signed-off-by: Zenghui Yu <zenghui.yu@linux.dev>
Message-id: 20250729161650.43758-2-zenghui.yu@linux.dev
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
QEMU start failed when smp cpu < smp maxcpus , because qemu send a NULL
cpu to KVM, this patch adds a check for kvm_ipi_access_regs() to fix it.
run with '-smp 1,maxcpus=4,sockets=4,cores=1,threads=1'
we got:
Unexpected error in kvm_device_access() at ../accel/kvm/kvm-all.c:3477:
qemu-system-loongarch64: KVM_SET_DEVICE_ATTR failed: Group 1073741825 attr 0x0000000000010000: Invalid argument
Signed-off-by: Song Gao <gaosong@loongson.cn>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Message-ID: <20250725081213.3867592-1-gaosong@loongson.cn>
|
|
The RISC-V Advanced interrupt Architecture:
4.5.16. Interrupt targets:
If interrupt source i is inactive in this domain, register target[i] is
read-only zero.
Signed-off-by: Yang Jialong <z_bajeer@yeah.net>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Message-ID: <20250728055114.252024-1-z_bajeer@yeah.net>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
|
|
When pushing a context, the lower-level context becomes valid if it
had V=1, and so on. Iterate lower level contexts and send them
pending interrupts if they become enabled.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Glenn Miles <milesg@linux.ibm.com>
Reviewed-by: Michael Kowal <kowal@linux.ibm.com>
Tested-by: Gautam Menghani <gautam@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20250512031100.439842-51-npiggin@gmail.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
|
|
This is needed by the next patch which will re-send on all lower
rings when pushing a context.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Glenn Miles <milesg@linux.ibm.com>
Reviewed-by: Michael Kowal <kowal@linux.ibm.com>
Tested-by: Gautam Menghani <gautam@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20250512031100.439842-50-npiggin@gmail.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
|
|
Implement the phys (aka hard) VP push. PowerVM uses this operation.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Glenn Miles <milesg@linux.ibm.com>
Reviewed-by: Michael Kowal <kowal@linux.ibm.com>
Tested-by: Gautam Menghani <gautam@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20250512031100.439842-49-npiggin@gmail.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
|
|
Implement set LGS for the POOL ring.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Glenn Miles <milesg@linux.ibm.com>
Reviewed-by: Michael Kowal <kowal@linux.ibm.com>
Tested-by: Gautam Menghani <gautam@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20250512031100.439842-48-npiggin@gmail.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
|
|
xive2 must take into account redistribution of group interrupts if
the VP directed priority exceeds the group interrupt priority after
this operation. The xive1 code is not group aware so implement this
for xive2.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Glenn Miles <milesg@linux.ibm.com>
Reviewed-by: Michael Kowal <kowal@linux.ibm.com>
Tested-by: Gautam Menghani <gautam@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20250512031100.439842-47-npiggin@gmail.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
|
|
When pushing a context, any presented group interrupt should be
redistributed before processing pending interrupts to present
highest priority.
This can occur when pushing the POOL ring when the valid PHYS
ring has a group interrupt presented, because they share signal
registers.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Glenn Miles <milesg@linux.ibm.com>
Reviewed-by: Michael Kowal <kowal@linux.ibm.com>
Tested-by: Gautam Menghani <gautam@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20250512031100.439842-46-npiggin@gmail.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
|
|
Implement pool context push TIMA op.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Glenn Miles <milesg@linux.ibm.com>
Reviewed-by: Michael Kowal <kowal@linux.ibm.com>
Tested-by: Gautam Menghani <gautam@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20250512031100.439842-45-npiggin@gmail.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
|
|
Certain TIMA operations should only be performed when a ring is valid,
others when the ring is invalid, and they are considered undefined if
used incorrectly. Add checks for this condition.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Glenn Miles <milesg@linux.ibm.com>
Reviewed-by: Michael Kowal <kowal@linux.ibm.com>
Tested-by: Gautam Menghani <gautam@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20250512031100.439842-44-npiggin@gmail.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
|
|
After pulling the pool context, if a pool irq had been presented and
was cleared in the process, there could be a pending irq in phys that
should be presented. Process the phys irq ring after pulling pool ring
to catch this case and avoid losing irqs.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Glenn Miles <milesg@linux.ibm.com>
Reviewed-by: Michael Kowal <kowal@linux.ibm.com>
Tested-by: Gautam Menghani <gautam@linux.ibm.com>
Link: https://lore.kernel.org/qemu-devel/20250512031100.439842-43-npiggin@gmail.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
|
