| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
When update_pagemask was split from helper_mtc0_pagemask,
we failed to actually write to the new parameter but continue
to write to env->CP0_PageMask. Thus the use within
page_table_walk_refill modifies cpu state and not the local
variable as expected.
Simplify by renaming to compute_pagemask and returning the
value directly. No need for either env or pointer return.
Fixes: 074cfcb4dae ("target/mips: Implement hardware page table walker for MIPS32")
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250328175526.368121-4-richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Cc: qemu-stable@nongnu.org
|
|
The number of bits set in PageMask must be even.
Fixes: d40b55bc1b86 ("target/mips: Fix PageMask with variable page size")
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250328175526.368121-3-richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Cc: qemu-stable@nongnu.org
|
|
Revert ee3863b9d41 and a08d60bc6c2b. The logic behind changing
the system page size because of what the Loongson kernel "prefers"
is flawed.
In the Loongson-2E manual, section 5.5, it is clear that the cpu
supports a 4k page size (along with many others). Similarly for
the Loongson-3 series CPUs, the 4k page size is mentioned in the
section 7.7 (PageMask Register). Therefore we must continue to
support a 4k page size.
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250328175526.368121-2-richard.henderson@linaro.org>
[PMD: Mention Loongson-3 series CPUs]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
|
|
When the cache-controller feature is not implemented,
log potential ASI access as unimplemented.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Clément Chigot <chigot@adacore.com>
Message-Id: <20250325123927.74939-4-philmd@linaro.org>
|
|
Do not unconditionally attempt to read 4 bytes, as there
may only be 2 bytes remaining in the translator cache.
Cc: qemu-stable@nongnu.org
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20250325224403.4011975-2-richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
|
|
The CPU_RESOLVING_TYPE definition was added in commit
0dacec874fa ("cpu: add CPU_RESOLVING_TYPE macro"), but
then added again in commit d3ae32d4d20. Remove the
duplication.
Fixes: d3ae32d4d20 ("target/hppa: Implement cpu_list")
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20250321184200.4329-1-philmd@linaro.org>
|
|
Match the prototype of cpu_memory_rw_debug().
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20250325224403.4011975-4-richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
|
|
https://github.com/alistair23/qemu into staging
Fifth RISC-V PR for 10.0
* Add docs/specs/riscv-iommu.rst to MAINTAINERS
* Fix broken link to external risv iommu document
* Revert scounteren and senvcfg to fixup older kernel boots
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEaukCtqfKh31tZZKWr3yVEwxTgBMFAmfmR0UACgkQr3yVEwxT
# gBOdqw/9GeSsIO4DDQ9Zu6C+v4pj9SXuvdpJrO0JBKXdrhp3OH9kVVR5nGvGA1pt
# S155AhH8D/pjpMM1exYfBylqTB+CiwjCZnvakvlxx8FkBuDQ/xPBEoPz00TAFAli
# 93TDys83HJWk0UDXCCr8Ch7VhaEX07IyFNFz9TQiNNm0zsK4DRtfmYgGQ+RbkIny
# 9PxZf6Dz1vfASXGu66EMA1CFaFzXXpxQZtx39OKwfJ4tRj8J/jUFvUtPnP4/sOxH
# lyGKIgOfBaSW2AenCoYjPGlRbbdET2YG+IMiqvo5Ie94lZASA6g/8p6zZaBH0RIC
# eUNJM7QjimZAIhzhS9xr/Jz/JGY/aeHgVcyPzWVMSty1Qa3a1hsuD/2UFxXadelL
# 2QGcVRn2o/3GqgjL+8s7A4c79vjQ8kRSI2GqSaUJ5PGdq/xHC6+f08VfqoZZRWEE
# YtzaPh96f6MZT0UdIqCLAG7UfUpYySabzMyYSop7Wqy+O4/bMK2LFtA4IDpomdha
# +ZSvCYYarvBDWaTYcbeX2hRnRoF0H5HVK3GYgt088mp4qL+6hM5oxMS2AK/iMuEi
# rW2TVk8CfwvGGgLXVj/fmMJ6P6XaIPvo0mvJ2Er67aQFXN+o2IzDqtIH9VUjJFhr
# EKiPq0RpX2BBeoi6vtU1Qf2kUj3GHPENACvErC8BlgyywXReb74=
# =Xno2
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 28 Mar 2025 02:52:53 EDT
# gpg: using RSA key 6AE902B6A7CA877D6D659296AF7C95130C538013
# gpg: Good signature from "Alistair Francis <alistair@alistair23.me>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6AE9 02B6 A7CA 877D 6D65 9296 AF7C 9513 0C53 8013
* tag 'pull-riscv-to-apply-20250328' of https://github.com/alistair23/qemu:
Revert "target/riscv/kvm: add missing KVM CSRs"
docs/specs/riscv-iommu: Fixed broken link to external risv iommu document
docs: Added docs/specs/riscv-iommu.rst in MAINTAINERS file.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
into staging
bug fix for 10.0
# -----BEGIN PGP SIGNATURE-----
#
# iLMEAAEKAB0WIQS4/x2g0v3LLaCcbCxAov/yOSY+3wUCZ+VEzQAKCRBAov/yOSY+
# 33HaBADRMzbDPYWLlJpaovU7y3mdX/TAMS+sCBiQa2BqqzC65Pgqmu42gdCUrupa
# 32xz+7Bb0p65c3kXcjlMUb8mrEGvp/eFBW1mJWCcx9+LfW5qL6jQrjvUw/TYrMCv
# 8OvkvfROiDDV02su4Y7cErvyB5sGyVKtI2AwYH9xp+KDxvyrKQ==
# =D4AD
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 27 Mar 2025 08:30:05 EDT
# gpg: using RSA key B8FF1DA0D2FDCB2DA09C6C2C40A2FFF239263EDF
# gpg: Good signature from "Song Gao <m17746591750@163.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: B8FF 1DA0 D2FD CB2D A09C 6C2C 40A2 FFF2 3926 3EDF
* tag 'pull-loongarch-20250327' of https://github.com/gaosong715/qemu:
target/loongarch: Fix the cpu unplug resource leak
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
This commit breaks KVM boot on older kernels, like reported in [1], due
to senvcfg not being available in them.
There's also another problem related to scounteren. Using a recent
enough guest buildroot, 'ping' will be build with rdtime support. In
this case, doing a ping in a KVM guest while exposing scounteren will
result in an error. The root cause relates to how KVM handles
scounteren, but QEMU can work around it by initializing scounteren with
the host value during init().
Fixing these issues in a non-rushed-bandaid manner results in an amount
of design changes that I don't feel comfortable pushing during code
freeze, so for 10.0 we'll remove the CSRs and re-introduce them in 10.1
with the adequate support.
This reverts commit 4db19d5b21e058e6eb3474b6be470d1184afaa9e.
[1] https://lore.kernel.org/qemu-riscv/CABJz62OfUDHYkQ0T3rGHStQprf1c7_E0qBLbLKhfv=+jb0SYAw@mail.gmail.com/
Reported-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Message-ID: <20250327152052.707657-1-dbarboza@ventanamicro.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
|
|
When the cpu is created, qemu_add_vm_change_state_handler
is called in the kvm_arch_init_vcpu function to create
the VMChangeStateEntry resource.
However, the resource is not released when the cpu is destroyed.
This results in a qemu process segment error when the virtual
machine restarts after the cpu is unplugged.
This patch solves the problem by adding the corresponding resource
release process to the kvm_arch_destroy_vcpu function.
Signed-off-by: Xianglai Li <lixianglai@loongson.cn>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Message-Id: <20250324123328.518076-1-lixianglai@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
|
|
Replace the comma at the end of the line by a semicolon.
Fixes: 41868f846d2 ("s390x/cpumodel: "host" and "qemu" as CPU subclasses")
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250324165356.39540-1-philmd@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
|
|
Error reporting patches for 2025-03-21
# -----BEGIN PGP SIGNATURE-----
#
# iQJGBAABCAAwFiEENUvIs9frKmtoZ05fOHC0AOuRhlMFAmfdeWkSHGFybWJydUBy
# ZWRoYXQuY29tAAoJEDhwtADrkYZTeigQAJicOKRQPm5qCn/XP70k6OuvTXsU8Fw/
# FVXE3I1lE9MnUDVHe9RgY79piS7oQ/pR92QcPxTx/Kj22gSiFBgrH5q0bURZAOxR
# /85DTxjVGuz3pAMhfXZ3rRyJGhX4MgPmYYXkvOyrz0cpHMR3DN9helIfdVfVtWAh
# VTVEH2PKdd9I56gbi9irlfdeh/+Nb2+1swBbtpUWFthDPj7Cib+gHsrJQbRX7qSf
# 0eEGVgqydfAuSLbMnD6SwCXbuJQ/mHg5+71QmSJFqthRzLHqXuUk6m6n8EXTgE6D
# MEdwkhSZ6ksNEWkzBvv3lfO8WnAqH0jp+xkuDTJabJzZG17pC61B2HQRsrFxZxqU
# Ftr4XDPccDc9ohX0GYwCpvfW2Y8ZLzjurc04dpSPoqIBZxAPySirWOmTbT7I6MFF
# EVt4VdjwXi0jSLWeH0yq6NmpSiKDxC6kY78xvAx6Pr9QQWtCeH/sQKXQ+16IqqTf
# aeM4zXUs8cWD+QULqkxp7aHJPg91zU+BQGopkmMCpCNGwnzJPajfJgCDsWHnn47z
# jiuOISWS650bUL6D4GgC1l2pYVPqt3ybF6DZL0giDE6NPpIich/KA1SSVXDy3bVK
# AGRMczC40GHvlDFKkLI0j5HM1HY8aYdn44skY28R/+SzyV0463u5oljcYmDe7oWC
# iLtinF/DKCDa
# =FJPm
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 21 Mar 2025 10:36:25 EDT
# gpg: using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653
# gpg: issuer "armbru@redhat.com"
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" [full]
# gpg: aka "Markus Armbruster <armbru@pond.sub.org>" [full]
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653
* tag 'pull-error-2025-03-21' of https://repo.or.cz/qemu/armbru:
target/loongarch: Clean up virt_cpu_irq_init() error handling
target/loongarch: Remove unnecessary temporary variable assignment
hw/loongarch/virt: Eliminate error_propagate()
target/loongarch: Fix error handling of KVM feature checks
hw/xen: Downgrade a xen_bus_realize() non-error to warning
hw/xen: Fix xen_bus_realize() error handling
error: Strip trailing '\n' from an error string argument
cryptodev: Fix error handling in cryptodev_lkcf_execute_task()
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
into staging
* Fix a KVM SMP guest hang. This is not completely trivial, but just
small enough to merge it. If this causes any more problems, we can
revert it and the timebase patch which exposed the underlying issue
for release.
* Fix a bunch of Coverity issues reported introduced in ppc, mostly in
powernv code.
* Fix a NetBSD boot bug on mac99 caused by VSX/VMX decodetree rewrite.
* Fix the default CPU selection for older spapr machines.
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCgAdFiEETkN92lZhb0MpsKeVZ7MCdqhiHK4FAmfdBbsACgkQZ7MCdqhi
# HK50jxAAi38NfsYBXBFSStwQKTBfbuhjDP2A1wiJVDrcJydQXnZb/xCR+kgRdiZt
# I5roIvD2bsbgHJtnCthLo0fQVGPIohsWUnnR6BlEAVN/gwW+8T+tNhLEZZ402+GK
# bzc4pxqtFitS9m5gyAat2g8bfLEEpEmUr2uAJXnPMDDrzSwtbtlUgPKGXfppsyhp
# P26Ut9M6dmPt+EMdJUTJ4RDOPuj53lXmDnbtpG9sA0zYXlG3sRe7nE9X0iKwXB4g
# Yher/IHSyHVqFe3t9TX9m/DY1EU8fFX/GoShoIMLk8v5Sy1viIsUXpWiIn9O3h1E
# WoAS6HvH3CdcHz3EC1XXSGEjEz2r75kPVvLC/wDy4DmXMxSnadodjGohbUkYs+26
# IV/Y3cnGTE2sPoP+vwmv7UKzBncKzTQO2luLkTQzX+x6XGr1MQPdAIm4WW9KfQVq
# VMS06/oqlQQ8gspAWpNo86P+8/hpFlN42dEE+mzARJkm1JNrO+0yMj8OB/og1o92
# T585TOpPDLm8ZeY8fETpgJ0rR4AKb+5e9KnbmS7XuvIWPK/G7OOt5gF8YXiT9yKw
# R77TPm7Evq6zJ9+TQ4KPBqn4LumphXiBWsSpsVcmZqTTf7nKqii0ZdO8asrtn8oN
# pgJ9AgAlnlCUIn4a/sDJ6k/HhC19IxyfC+y4bgsevwGOmo8H43s=
# =SYBy
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 21 Mar 2025 02:22:51 EDT
# gpg: using RSA key 4E437DDA56616F4329B0A79567B30276A8621CAE
# gpg: Good signature from "Nicholas Piggin <npiggin@gmail.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4E43 7DDA 5661 6F43 29B0 A795 67B3 0276 A862 1CAE
* tag 'pull-ppc-for-10.0-2-20250321' of https://gitlab.com/npiggin/qemu:
target/ppc: Fix e200 duplicate SPRs
target/ppc: Fix facility interrupt checks for VSX
ppc/spapr: fix default cpu for pre-9.0 machines.
ppc/amigaone: Constify default_env
ppc/amigaone: Check blk_pwrite return value
ppc/pnv: Fix system symbols in HOMER structure definitions
ppc/pnv: Move the PNOR LPC address into struct PnvPnor
ppc/spapr: Fix possible pa_features memory overflow
ppc/xive2: Fix logical / bitwise comparison typo
pnv/xive: Fix possible undefined shift error in group size calculation
ppc/xive: Fix typo in crowd block level calculation
ppc/spapr: Fix RTAS stopped state
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
staging
loongarch queue
# -----BEGIN PGP SIGNATURE-----
#
# iHUEABYKAB0WIQQNhkKjomWfgLCz0aQfewwSUazn0QUCZ9zfpQAKCRAfewwSUazn
# 0VVzAQDtmH3TGh1e5hX/y9g5W733DmUlG1haJ2VNYS+FljXdZQEAkZAe3opRuuoK
# FhXCHiMhCT0+bVfOuZ6sc6pVQb29Ag0=
# =vJ5O
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 20 Mar 2025 23:40:21 EDT
# gpg: using EDDSA key 0D8642A3A2659F80B0B3D1A41F7B0C1251ACE7D1
# gpg: Good signature from "bibo mao <maobibo@loongson.cn>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 7044 3A00 19C0 E97A 31C7 13C4 8E86 8FB7 A176 9D4C
# Subkey fingerprint: 0D86 42A3 A265 9F80 B0B3 D1A4 1F7B 0C12 51AC E7D1
* tag 'pull-loongarch-20250321' of https://gitlab.com/bibo-mao/qemu:
target/loongarch: fix bad shift in check_ps()
docs/system: Add entry for LoongArch system
host/include/loongarch64: Fix inline assembly compatibility with Clang
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
DSRR0/1 registers are in the BookE ISA not e200 specific, so
remove the duplicate e200 register definitions.
Cc: Roman Kapl <rka@sysgo.com>
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2768
Fixes: 0e3bf4890906 ("ppc: add DBCR based debugging")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
|
|
Facility interrupt checks in general should come after the ISA version
check, because the facility interrupt and facility type themselves are
ISA dependent and should not appear on CPUs where the instruction does
not exist at all.
This resolves a QEMU crash booting NetBSD/macppc due to
qemu: fatal: Raised an exception without defined vector 94
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2741
Cc: Chinmay Rath <rathc@linux.ibm.com>
Cc: qemu-stable@nongnu.org
Debugged-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Fixes: aa0f34ec3fc7 ("target/ppc: implement vrlq")
Fixes: 7419dc5b2b5b ("target/ppc: Move VSX vector storage access insns to decodetree.")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
|
|
In expression 1ULL << tlb_ps, left shifting by more than 63 bits has
undefined behavior. The shift amount, tlb_ps, is as much as 64. check
"tlb_ps >=64" to fix.
Resolves: Coverity CID 1593475
Fixes: d882c284a3 ("target/loongarch: check tlb_ps")
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
|
|
Temporary variable ret is assigned at last line and return, it can
be removed and return directly.
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250320032158.1762751-6-maobibo@loongson.cn>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
|
|
For some paravirt KVM features, if user forces to enable it however
KVM does not support, qemu should fail to run and exit immediately,
rather than continue to run. Here set error message and return directly
in function kvm_arch_init_vcpu().
Fixes: 6edd2a9bec90 (target/loongarch/kvm: Implement LoongArch PMU extension)
Fixes: 936c3f4d7916 (target/loongarch: Use auto method with LSX feature)
Fixes: 5e360dabedb1 (target/loongarch: Use auto method with LASX feature)
Fixes: 620d9bd0022e (target/loongarch: Add paravirt ipi feature detection)
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250320032158.1762751-2-maobibo@loongson.cn>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
|
|
This change takes the CPUPPCState 'quiesced' field added for powernv
hardware CPU core controls (used to stop and start cores), and extends
it to spapr to model the "RTAS stopped" state. This prevents the
schedulers attempting to run stopped CPUs unexpectedly, which can cause
hangs and possibly other unexpected behaviour.
The detail of the problematic situation is this:
A KVM spapr guest boots with all secondary CPUs defined to be in the
"RTAS stopped" state. In this state, the CPU is only responsive to the
start-cpu RTAS call. This behaviour is modeled in QEMU with the
start_powered_off feature, which sets ->halted on secondary CPUs at
boot. ->halted=true looks like an idle / sleep / power-save state which
typically is responsive to asynchronous interrupts, but spapr clears
wake-on-interrupt bits in the LPCR SPR. This more-or-less works.
Commit e8291ec16da8 ("target/ppc: fix timebase register reset state")
recently caused the decrementer to expire sooner at boot, causing a
decrementer exception on secondary CPUs in RTAS stopped state. This
was not a problem on TCG, but KVM limits how a guest can modify LPCR, in
particular it prevents the clearing of wake-on-interrupt bits, and so in
the course of CPU register synchronisation, the LPCR as set by spapr to
model the RTAS stopped state is overwritten with KVM's LPCR value, and
that then causes QEMU's interrupt code to notice the expired decrementer
exception, turn that into an interrupt, and set CPU_INTERRUPT_HARD.
That causes the CPU to be kicked, and the KVM vCPU thread to loop
calling kvm_cpu_exec(). kvm_cpu_exec() calls
kvm_arch_process_async_events(), which on ppc just returns ->halted.
This is still true, so it returns immediately with EXCP_HLT, and the
vCPU never goes to sleep because qemu_wait_io_event() sees
CPU_INTERRUPT_HARD is set. All this while the vCPU holds the bql. This
causes the boot CPU to eventually lock up when it needs the bql.
So make 'quiesced' represent the "RTAS stopped" state, and have it
explicitly not respond to exceptions (interrupt conditions) rather than
rely on machine register state to model that state. This matches the
powernv quiesced state very well because it essentially turns off the
CPU core via a side-band control unit.
There are still issues with QEMU and KVM idea of LPCR diverging and that
is quite ugly and fragile that should be fixed. spapr should synchronize
its LPCR properly with KVM, and not try to use values that KVM does not
support.
Reported-by: Misbah Anjum N <misanjum@linux.ibm.com>
Tested-by: Misbah Anjum N <misanjum@linux.ibm.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
|
|
For privilege version 1.12 or newer, C always implies Zca. We can only
check ext_zca to allow 16-bit aligned PC addresses. For older privilege
versions, we only check C.
Signed-off-by: Yu-Ming Chang <yumin686@andestech.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <174184718265.10540.10120024221661781046-0@git.sr.ht>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
|
|
Recently, when I was writing a RISCV test, I found that when VL is set to 0, the
instruction should be nop, but when I tested it, I found that QEMU will treat
all elements as tail elements, and in the case of VTA=1, write all elements
to 1.
After troubleshooting, it was found that the vext_vx_rm_1 function was called in
the vext_vx_rm_2, and then the vext_set_elems_1s function was called to process
the tail element, but only VSTART >= vl was checked in the vext_vx_rm_1
function, which caused the tail element to still be processed even if it was
returned in advance.
So I've made the following change:
Put VSTART_CHECK_EARLY_EXIT(env) at the beginning of the vext_vx_rm_2 function,
so that the VSTART register is checked correctly.
Fixes: df4252b2ec ("target/riscv/vector_helpers: do early exit when
vstart >= vl")
Signed-off-by: Chao Liu <lc00631@tecorigin.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Message-ID: <b2649f14915150be4c602d63cd3ea4adf47e9d75.1741573286.git.lc00631@tecorigin.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
|
|
Some vector instructions are special, such as the vlm.v instruction,
where setting its vl actually sets evl = (vl + 7) >> 3. To improve
maintainability, we will uniformly use VSTART_CHECK_EARLY_EXIT() to
check for the condition vstart >= vl. This function will also handle
cases involving evl.
Fixes: df4252b2ec ("target/riscv/vector_helpers: do early exit when
vstart >= vl")
Signed-off-by: Chao Liu <lc00631@tecorigin.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Message-ID: <f575979874e323a9e0da7796aa391c7d87e56f88.1741573286.git.lc00631@tecorigin.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
|
|
Coverity found the following issue:
>>> CID 1593156: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "0x10 << depth" with type
"int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then
used in a context that expects an expression of type "uint64_t" (64
bits, unsigned).
4299 depth = 16 << depth;
Fix it by forcing the expression to be 64 bits wide by using '16ULL'.
Resolves: Coverity CID 1593156
Fixes: c48bd18eae ("target/riscv: Add support for Control Transfer Records extension CSRs.")
Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20250307124602.1905754-1-dbarboza@ventanamicro.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
|
|
Commit f06bfe3dc38c ("target/riscv: implement zicfiss instructions") adds
`ssamoswap` instruction. `ssamoswap` takes the code-point from existing
reserved encoding (and not a zimop like other shadow stack instructions).
If shadow stack is not enabled (via xenvcfg.SSE) and effective priv is
less than M then `ssamoswap` must result in an illegal instruction
exception. However if effective priv is M, then `ssamoswap` results in
store/AMO access fault. See Section "22.2.3. Shadow Stack Memory
Protection" of priv spec.
Fixes: f06bfe3dc38c ("target/riscv: implement zicfiss instructions")
Reported-by: Ved Shanbhogue <ved@rivosinc.com>
Signed-off-by: Deepak Gupta <debug@rivosinc.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20250306064636.452396-2-debug@rivosinc.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
|
|
Commit:8205bc1 ("target/riscv: introduce ssp and enabling controls for
zicfiss") introduced CSR_SSP but it mis-interpreted the spec on access
to CSR_SSP in M-mode. Gated to CSR_SSP is not gated via `xSSE`. But
rather rules clearly specified in section "22.2.1. Shadow Stack Pointer
(ssp) CSR access contr" in the priv spec.
Fixes: 8205bc127a83 ("target/riscv: introduce ssp and enabling controls
for zicfiss". Thanks to Adam Zabrocki for bringing this to attention.
Reported-by: Adam Zabrocki <azabrocki@nvidia.com>
Signed-off-by: Deepak Gupta <debug@rivosinc.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20250306064636.452396-1-debug@rivosinc.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
|
|
Fault-only-first loads in the RISC-V vector extension need to update
the vl with the element index that causes an exception.
In order to ensure this the emulation of this instruction used to probe the
memory covered by the load operation with a loop that iterated over each element
so that when a flag was raised it was possible to set the vl to the
corresponding element index.
This loop was executed every time whether an exception happened or not.
This commit removes the per element memory probing from the main execution path
and adds a broad memory probing first. If this probing raises any flag that is
not a watchpoint flag (that per standard is allowed by this instruction) we
proceed with the per element probing to find the index of the element causing
the exception and set vl to such index.
Signed-off-by: Paolo Savini <paolo.savini@embecosm.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Message-ID: <20250221155320.59159-2-paolo.savini@embecosm.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
|
|
In StreamingMode, fp_access_checked is handled already.
We cannot fall through to fp_access_check lest we fall
foul of the double-check assertion.
Cc: qemu-stable@nongnu.org
Fixes: 285b1d5fcef ("target/arm: Handle SME in sve_access_check")
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20250307190415.982049-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: move declaration of 'ret' to top of block]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
The check for fp_excp_el in assert_fp_access_checked is
incorrect. For SME, with StreamingMode enabled, the access
is really against the streaming mode vectors, and access
to the normal fp registers is allowed to be disabled.
C.f. sme_enabled_check.
Convert sve_access_checked to match, even though we don't
currently check the exception state.
Cc: qemu-stable@nongnu.org
Fixes: 3d74825f4d6 ("target/arm: Add SME enablement checks")
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20250307190415.982049-2-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
|
In the Arm ARM, rule R_TYTWB states that returning to AArch32
is an illegal exception return if:
* AArch32 is not supported at any exception level
* the target EL is configured for AArch64 via SCR_EL3.RW
or HCR_EL2.RW or via CPU state at reset
We check the second of these, but not the first (which can only be
relevant for the case of a return to EL0, because if AArch32 is not
supported at one of the higher ELs then the RW bits will have an
effective value of 1 and the the "configured for AArch64" condition
will hold also).
Add the missing condition. Although this is technically a bug
(because we have one AArch64-only CPU: a64fx) it isn't worth
backporting to stable because no sensible guest code will
deliberately try to return to a nonexistent execution state
to check that it gets an illegal exception return.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
|
|
We already call env_archcpu() multiple times within the
exception_return helper function, and we're about to want to
add another use of the ARMCPU pointer. Add a local variable
cpu so we can call env_archcpu() just once.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
|
|
When EL1 doesn't support AArch32, the HCR_EL2.RW bit is supposed to
be RAO/WI. Enforce the RAO/WI behaviour.
Note that we handle "reset value should honour RES1 bits" in the same
way that SCR_EL3 does, via a reset function.
We do already have some CPU types which don't implement AArch32
above EL0, so this is technically a bug; it doesn't seem worth
backporting to stable because no sensible guest code will be
deliberately attempting to set the RW bit to a value corresponding
to an unimplemented execution state and then checking that we
did the right thing.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
|
|
The definition of SCR_EL3.RW says that its effective value is 1 if:
- EL2 is implemented and does not support AArch32, and SCR_EL3.NS is 1
- the effective value of SCR_EL3.{EEL2,NS} is {1,0} (i.e. we are
Secure and Secure EL2 is disabled)
We implement the second of these in arm_el_is_aa64(), but forgot the
first.
Provide a new function arm_scr_rw_eff() to return the effective
value of SCR_EL3.RW, and use it in arm_el_is_aa64() and the other
places that currently look directly at the bit value.
(scr_write() enforces that the RW bit is RAO/WI if neither EL1 nor
EL2 have AArch32 support, but if EL1 does but EL2 does not then the
bit must still be writeable.)
This will mean that if code at EL3 attempts to perform an exception
return to AArch32 EL2 when EL2 is AArch64-only we will correctly
handle this as an illegal exception return: it will be caught by the
"return to an EL which is configured for a different register width"
check in HELPER(exception_return).
We do already have some CPU types which don't implement AArch32
above EL0, so this is technically a bug; it doesn't seem worth
backporting to stable because no sensible guest code will be
deliberately attempting to set the RW bit to a value corresponding
to an unimplemented execution state and then checking that we
did the right thing.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
|
|
The functions arm_current_el() and arm_el_is_aa64() are used only in
target/arm and in hw/intc/arm_gicv3_cpuif.c. They're functions that
query internal state of the CPU. Move them out of cpu.h and into
internals.h.
This means we need to include internals.h in arm_gicv3_cpuif.c, but
this is justifiable because that file is implementing the GICv3 CPU
interface, which really is part of the CPU proper; we just ended up
implementing it in code in hw/intc/ for historical reasons.
The motivation for this move is that we'd like to change
arm_el_is_aa64() to add a condition that uses cpu_isar_feature();
but we don't want to include cpu-features.h in cpu.h.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
|
|
The arm_cpu_data_is_big_endian() and related functions are now used
only in target/arm; they can be moved to internals.h.
The motivation here is that we would like to move arm_current_el()
to internals.h.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
|
|
We would like to move arm_el_is_aa64() to internals.h; however, it is
used by access_secure_reg(). Make that function not be inline, so
that it can stay in cpu.h.
access_secure_reg() is used only in two places:
* in hflags.c
* in the user-mode arm emulators, to decide whether to store
the TLS value in the secure or non-secure banked field
The second of these is not on a super-hot path that would care about
the inlining (and incidentally will always use the NS banked field
because our user-mode CPUs never set ARM_FEATURE_EL3); put the
definition of access_secure_reg() in hflags.c, near its only use
inside target/arm.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
|
|
The A32_BANKED_REG_{GET,SET} macros are only used inside target/arm;
move their definitions to cpregs.h. There's no need to have them
defined in all the code that includes cpu.h.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
|
|
Misc HW patches
- Set correct values for MPC8569E's eSDHC (Zoltan)
- Emulate Ricoh RS5C372 RTC device (Bernhard)
- Array overflow fixes in SMSC91C111 netdev (Peter)
- Fix typo in Xen HVM (Philippe)
- Move graphic height/width/depth globals to their own file (Philippe)
- Introduce qemu_arch_available() helper (Philippe)
- Check fw_cfg's ACPI availability at runtime (Philippe)
- Remove virtio-mem dependency on CONFIG_DEVICES (Philippe)
- Sort HyperV SYNDBG API definitions (Pierrick)
- Remove need for SDHCI_VENDOR_FSL definition (Philippe)
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmfRXiMACgkQ4+MsLN6t
# wN5zFhAAzSW/hZneD8hycKtr9nBlvZSD72cEt+b656OCbTyyucUi1sG4rMPMvHeW
# h6HP6xt2SfQxXbec6Y0pWxWUkBOQzk72s0zpttOED3oEspkrId2D+VSsSH1E+QLh
# WoG7/hVgz0bDHexWYIDdGufO4no/icwewAKmC5Kp2HbaNxIIHyWlK1+RO69/lCLN
# s3qkNesMsQyEWN28ogEMRqyCIG3oJVP76U4TVcdxIiE51WI8sP8/7V2um0AXN68m
# IV3INrfVJjGDp501elrUbD3qsYopRdxoMAvwiVojrLXin6xtS+SQjEe/hcNxzM70
# 0IQPp9WWwLjNkeFlAJF4wpwGJttFNHj+5gtH7/YRrP75jt9kAxPXkFw/OFfpVd30
# NYbeFlWDhRL1QPBs+WPBZTrfD7fRmpfMJRLF3/w61+WvnVrshlyDaoCWbR+L329F
# uOQFsBdAD7m/lkZ0mHtskS2vkZx7Itn1av4gql7T7/6cE1R7ItKy1HY9UUCtY6Gp
# 7V6XrsAE3khg2HY8IcJ73+sPLQn/GxqZFE7PqmAhgcl6RZEFQv8PNrEgFxCEYyuK
# KJjx0hRMLoigp0CEclLfOqz2d3knsI8SJbgD4iTYQc02E69lx8a4XS4N8JXoLEdh
# 3i/ndwKEFmzwNuqbU0nYsSJDiAO9ejra8O2BXZS/a4pkxC2jtdw=
# =VVr6
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 12 Mar 2025 18:12:51 HKT
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE
* tag 'hw-misc-20250312' of https://github.com/philmd/qemu:
hw/sd/sdhci: Remove need for SDHCI_VENDOR_IMX definition
hw/hyperv/hyperv-proto: Move SYNDBG definitions from target/i386
hw/virtio/virtio-mem: Remove CONFIG_DEVICES include
hw/i386/fw_cfg: Check ACPI availability with acpi_builtin()
hw/acpi: Introduce acpi_builtin() helper
system: Replace arch_type global by qemu_arch_available() helper
system: Extract target-specific globals to their own compilation unit
hw/xen/hvm: Fix Aarch64 typo
hw/net/smc91c111: Don't allow data register access to overrun buffer
hw/net/smc91c111: Use MAX_PACKET_SIZE instead of magic numbers
hw/net/smc91c111: Sanitize packet length on tx
hw/net/smc91c111: Sanitize packet numbers
hw/rtc: Add Ricoh RS5C372 RTC emulation
hw/sd/sdhci: Set reset value of interrupt registers
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Allows SYNDBG definitions to be available for common compilation units.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20250307215623.524987-5-pierrick.bouvier@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
|
|
A translation that encounters a process table entry that is zero is
something that Linux does to cause certain kernel NULL pointer
dereferences to fault. It is not itself a programming error, so avoid
the guest error log.
Message-ID: <20241219034035.1826173-5-npiggin@gmail.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
|
|
From the Freescale PowerPC Architecture Primer:
Alternate time base APU. This APU, implemented on the e500v2, defines
a 64-bit time base counter that differs from the PowerPC defined time
base in that it is not writable and counts at a different, and
typically much higher, frequency. The alternate time base always
counts up, wrapping when the 64-bit count overflows.
This implementation of ATB uses the same frequency as the TB. The
existing spr_read_atbu/l functions are unused without this patch
to wire them into the SPR.
RTEMS uses this SPR on the e6500, though this hasn't been tested.
Message-ID: <20241219034035.1826173-6-npiggin@gmail.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
|
|
As per the PAPR, bit 0 of byte 64 in pa-features property
indicates availability of 2nd DAWR registers. i.e. If this bit is set, 2nd
DAWR is present, otherwise not. Use KVM_CAP_PPC_DAWR1 capability to find
whether kvm supports 2nd DAWR or not. If it's supported, allow user to set
the pa-feature bit in guest DT using cap-dawr1 machine capability.
Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
Signed-off-by: Shivaprasad G Bhat <sbhat@linux.ibm.com>
Message-ID: <173708681866.1678.11128625982438367069.stgit@linux.ibm.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
|
|
Extend the existing watchpoint facility from TCG DAWR0 emulation
to DAWR1 on POWER10.
Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Signed-off-by: Shivaprasad G Bhat <sbhat@linux.ibm.com>
Message-ID: <173708680684.1678.13237334676438770057.stgit@linux.ibm.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
|
|
Move helper_attn(), helper_scv() and helper_pminsn() to
tcg-excp_helper.c.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Message-ID: <20250127102620.39159-15-philmd@linaro.org>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
|
|
In order to move TCG specific code dependent on powerpc_excp()
in the next commit, expose its prototype in "internal.h".
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Message-ID: <20250127102620.39159-14-philmd@linaro.org>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
|
|
Fix style in do_rfi() before moving the code around.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Message-ID: <20250127102620.39159-13-philmd@linaro.org>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
|
|
Move helpers common to system/user emulation to tcg-excp_helper.c.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Message-ID: <20250127102620.39159-12-philmd@linaro.org>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
|
|
Move exception helpers to tcg-excp_helper.c so they are
only built when TCG is selected. Preprocessor guards
are added for some helpers unused when CONFIG_USER_ONLY.
[npiggin: mention USER_ONLY change]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250127102620.39159-10-philmd@linaro.org>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
|
|
Introduced in commit db789c6cd33 ("ppc: Provide basic
raise_exception_* functions"), raise_exception_ra() has
never been used. Remove as dead code.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Message-ID: <20250127102620.39159-9-philmd@linaro.org>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
|
