Commit graph

38719 commits

Author SHA1 Message Date
Joel Stanley
20ab88a906 hw/misc/aspeed_scu: Correct minimum access size for AST2500 / AST2600
Guest code was performing a byte load to the SCU MMIO region, leading
to the guest code crashing (it should be using proper accessors, but
that is not Qemu's bug). Hardware and the documentation[1] both agree
that byte loads are okay, so change all of the aspeed SCU devices to
accept a minimum access size of 1.

[1] See the 'ARM Address Space Mapping' table in the ASPEED docs. This
is section 6.1 in the ast2400 and ast2700, and 7.1 in the ast2500 and
ast2600 datasheets.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2636
Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Troy Lee <leetroy@gmail.com>
Message-ID: <20241118021820.4928-1-joel@jms.id.au>
[PMD: Rebased, only including SCU changes]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Link: https://lore.kernel.org/qemu-devel/20250331230444.88295-3-philmd@linaro.org
Signed-off-by: Cédric Le Goater <clg@redhat.com>
2025-04-01 11:29:25 +02:00
Philippe Mathieu-Daudé
f0095c8ad9 hw/misc/aspeed_scu: Set MemoryRegionOps::impl::access_size to 32-bit
All MemoryRegionOps::read/write() handlers switch over a 32-bit
aligned value, because converted using TO_REG(), which is defined
as:

  #define TO_REG(offset) ((offset) >> 2)

So all implementations are 32-bit.
Set min/max access_size accordingly.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Link: https://lore.kernel.org/qemu-devel/20250331230444.88295-2-philmd@linaro.org
Signed-off-by: Cédric Le Goater <clg@redhat.com>
2025-04-01 11:29:25 +02:00
Richard Henderson
fca2817fdc target/mips: Revert TARGET_PAGE_BITS_VARY
Revert ee3863b9d4 and a08d60bc6c.  The logic behind changing
the system page size because of what the Loongson kernel "prefers"
is flawed.

In the Loongson-2E manual, section 5.5, it is clear that the cpu
supports a 4k page size (along with many others).  Similarly for
the Loongson-3 series CPUs, the 4k page size is mentioned in the
section 7.7 (PageMask Register).  Therefore we must continue to
support a 4k page size.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250328175526.368121-2-richard.henderson@linaro.org>
[PMD: Mention Loongson-3 series CPUs]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2025-03-31 21:32:43 +02:00
Philippe Mathieu-Daudé
04e99f9eb7 hw/pci-host/designware: Fix ATU_UPPER_TARGET register access
Fix copy/paste error writing to the ATU_UPPER_TARGET
register, we want to update the upper 32 bits.

Cc: qemu-stable@nongnu.org
Reported-by: Joey <jeundery@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2861
Fixes: d64e5eabc4 ("pci: Add support for Designware IP block")
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Gustavo Romero <gustavo.romero@linaro.org>
Message-Id: <20250331152041.74533-2-philmd@linaro.org>
2025-03-31 21:32:43 +02:00
Zheng Huang
c458f9474d hw/ufs: free irq on exit
Fix a memory leak bug in ufs_init_pci() due to u->irq
not being freed in ufs_exit().

Signed-off-by: Zheng Huang <hz1624917200@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <43ceb427-87aa-44ee-9007-dbaecc499bba@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2025-03-31 21:32:43 +02:00
Chung-Yi Chen
70fe5ae121 hw/char/bcm2835_aux: Fix incorrect interrupt ID when RX disabled
Fix a misconfiguration issue in the read implementation of the
AUX_MU_IIR_REG register. This issue can lead to a transmit interrupt
being incorrectly interpreted as a receive interrupt when the receive
interrupt is disabled and the receive FIFO holds valid bytes.

The AUX_MU_IIR_REG register (interrupt ID bits [2:1]) indicates the
status of mini UART interrupts:

    - 00: No interrupts
    - 01: Transmit FIFO is empty
    - 10: Receive FIFO is not empty
    - 11: <Not possible>

When the transmit interrupt is enabled and the receive interrupt is
disabled, the original code incorrectly sets the interrupt ID bits.
Specifically:

    1. Transmit FIFO empty, receive FIFO empty
        - Expected 0b01, returned 0b01 (correct)
    2. Transmit FIFO empty, receive FIFO not empty
        - Expected 0b01, returned 0b10 (incorrect)

In the second case, the code sets the interrupt ID to 0b10 (receive FIFO
is not empty) even if the receive interrupt is disabled.

To fix this, the patch adds an additional condition for setting the
interrupt ID bits to also check if the receive interrupt is enabled.

Reference: BCM2835 ARM Peripherals, page 13. Available on
https://datasheets.raspberrypi.com/bcm2835/bcm2835-peripherals.pdf

Fixes: 97398d900c ("bcm2835_aux: add emulation of BCM2835 AUX (aka  UART1) block")
Signed-off-by: Chung-Yi Chen <yeechen0207@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250328123725.94176-1-yeechen0207@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2025-03-31 21:32:43 +02:00
Zheng Huang
1c2d03bb08 hw/sd/sdhci: free irq on exit
Fix a memory leak bug in sdhci_pci_realize() due to s->irq
not being freed in sdhci_pci_exit().

Signed-off-by: Zheng Huang <hz1624917200@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <09ddf42b-a6db-42d5-954b-148d09d8d6cc@gmail.com>
[PMD: Moved qemu_free_irq() call before sdhci_common_unrealize()]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2025-03-31 21:32:43 +02:00
Zheng Huang
48ca224250 hw/scsi/lsi53c895a: fix memory leak in lsi_scsi_realize()
Address a memory leak bug in the usages of timer_del().

The issue arises from the incorrect use of the ambiguous timer API
timer_del(), which does not free the timer object. The LeakSanitizer
reports this issue during fuzzing. The correct API timer_free() freed
the timer object instead.

=================================================================
==2586273==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x55f2afd89879 in calloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:75:3
    #1 0x7f443b93ac50 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ec50)
    #2 0x55f2b053962e in timer_new include/qemu/timer.h:542:12
    #3 0x55f2b0514771 in timer_new_us include/qemu/timer.h:582:12
    #4 0x55f2b0514288 in lsi_scsi_realize hw/scsi/lsi53c895a.c:2350:24
    #5 0x55f2b0452d26 in pci_qdev_realize hw/pci/pci.c:2174:9

Signed-off-by: Zheng Huang <hz1624917200@outlook.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <73cd69f9-ff9b-4cd4-b8aa-265f9d6067b9@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2025-03-31 21:32:43 +02:00
Philippe Mathieu-Daudé
b2e72fadc8 hw/nvram/xlnx-efuse: Do not expose as user-creatable
This device is part of SoC components thus can not
be created manually.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20250325224310.8785-10-philmd@linaro.org>
2025-03-31 21:32:43 +02:00
Philippe Mathieu-Daudé
490aaae935 hw/misc/pll: Do not expose as user-creatable
All these devices are part of SoC components and can not
be created manually.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20250325224310.8785-9-philmd@linaro.org>
2025-03-31 21:32:43 +02:00
Heinrich Schuchardt
2542d5cf47 hw/rtc/goldfish: keep time offset when resetting
Currently resetting the leads to resynchronizing the Goldfish RTC
with the system clock of the host. In real hardware an RTC reset
would not change the wall time. Other RTCs like pl031 do not show
this behavior.

Move the synchronization of the RTC with the system clock to the
instance realization.

Cc: qemu-stable@nongnu.org
Reported-by: Frederik Du Toit Lotter <fred.lotter@canonical.com>
Fixes: 9a5b40b842 ("hw: rtc: Add Goldfish RTC device")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250321221248.17764-1-heinrich.schuchardt@canonical.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2025-03-31 21:32:43 +02:00
Philippe Mathieu-Daudé
c0a1dabd0b hw/dma/i82374: Categorize and add description
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20250325224310.8785-5-philmd@linaro.org>
2025-03-31 16:34:01 +02:00
Philippe Mathieu-Daudé
43b815eae1 hw/display/dm163: Add description
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20250325224310.8785-4-philmd@linaro.org>
2025-03-31 16:33:53 +02:00
Philippe Mathieu-Daudé
82bdce7b94 hw/block/m25p80: Categorize and add description
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20250325224310.8785-3-philmd@linaro.org>
2025-03-31 16:33:23 +02:00
Bernhard Beschow
26c1c41e8c hw/arm/fsl-imx8mp: Derive struct FslImx8mpState from TYPE_SYS_BUS_DEVICE
Deriving from TYPE_SYS_BUS_DEVICE fixes the SoC object to be reset upon machine
reset. It also makes the SoC implementation not user-creatable which can trigger
the following crash:

  $ ./qemu-system-aarch64  -M virt -device fsl-imx8mp
  **
  ERROR:../../devel/qemu/tcg/tcg.c:1006:tcg_register_thread: assertion failed:
  (n < tcg_max_ctxs)
  Bail out! ERROR:../../devel/qemu/tcg/tcg.c:1006:tcg_register_thread:
  assertion failed: (n < tcg_max_ctxs)
  Aborted (core dumped)

Fixes: a4eefc69b2 "hw/arm: Add i.MX 8M Plus EVK board"
Reported-by: Thomas Huth <thuth@redhat.com>
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bernhard Beschow <shentey@gmail.com>
Message-ID: <20250318205709.28862-3-shentey@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2025-03-31 16:25:59 +02:00
Bernhard Beschow
02e5214624 hw/arm/imx8mp-evk: Fix reference count of SoC object
TYPE_FSL_IMX8MP is created using object_new(), so must be realized with
qdev_realize_and_unref() to keep the reference counting intact.

Fixes: a4eefc69b2 "hw/arm: Add i.MX 8M Plus EVK board"
Signed-off-by: Bernhard Beschow <shentey@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-ID: <20250318205709.28862-2-shentey@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2025-03-31 16:25:59 +02:00
Philippe Mathieu-Daudé
8dcfb54090 hw/arm/armv7m: Expose and access System Control Space as little endian
We only build ARM system emulators using little
endianness, so the MO_TE definition always expands to
MO_LE, and DEVICE_TARGET_ENDIAN to DEVICE_LITTLE_ENDIAN.

Replace the definitions by their expanded value, making
it closer to the Armv7-M Architecture Reference Manual
(ARM DDI 0403E) description:

  The System Control Space (SCS, address range 0xE000E000 to
  0xE000EFFF) is a memory-mapped 4KB address space that provides
  32-bit registers for configuration, status reporting and control.
  All accesses to the SCS are little endian.

Fixes: d5d680cacc ("memory: Access MemoryRegion with endianness")
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20250312104821.1012-1-philmd@linaro.org>
2025-03-31 16:25:59 +02:00
Stefan Hajnoczi
170825d14d aspeed queue:
* Fix AST2700 SoC model

Merge tag 'pull-aspeed-20250323' of https://github.com/legoater/qemu into staging

aspeed queue:

* Fix AST2700 SoC model

# gpg: Signature made Sun 23 Mar 2025 13:44:13 EDT
# gpg:                using RSA key A0F66548F04895EBFE6B0B6051A343C7CFFBECA1
# gpg: Good signature from "Cédric Le Goater <clg@redhat.com>" [full]
# gpg:                 aka "Cédric Le Goater <clg@kaod.org>" [full]
# Primary key fingerprint: A0F6 6548 F048 95EB FE6B  0B60 51A3 43C7 CFFB ECA1

* tag 'pull-aspeed-20250323' of https://github.com/legoater/qemu:
  hw/misc/aspeed_hace: Fix buffer overflow in has_padding function
  hw/intc/aspeed: Fix IRQ handler mask check
  aspeed: Fix maximum number of spi controller

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2025-03-24 13:26:23 -04:00
Jamin Lin
78877b2e06 hw/misc/aspeed_hace: Fix buffer overflow in has_padding function
The maximum padding size is either 64 or 128 bytes and should always be smaller
than "req_len". If "padding_size" exceeds "req_len", then
"req_len - padding_size" underflows due to "uint32_t" data type, leading to a
large incorrect value (e.g., `0xFFXXXXXX`). This causes an out-of-bounds memory
access, potentially leading to a buffer overflow.

Added a check to ensure "padding_size" does not exceed "req_len" before
computing "pad_offset". This prevents "req_len - padding_size" from underflowing
and avoids accessing invalid memory.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Fixes: 5cd7d8564a ("aspeed/hace: Support AST2600 HACE ")
Link: https://lore.kernel.org/qemu-devel/20250321092623.2097234-3-jamin_lin@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
2025-03-23 18:42:16 +01:00
Steven Lee
7b8cbe5162 hw/intc/aspeed: Fix IRQ handler mask check
Updated the IRQ handler mask check to AND with select variable.
This ensures that the interrupt service routine is correctly triggered
for the interrupts within the same irq group.

For example, both `eth0` and the debug UART are handled in `GICINT132`.
Without this fix, the debug console may hang if the `eth0` ISR is not
handled.

Signed-off-by: Steven Lee <steven_lee@aspeedtech.com>
Change-Id: Ic3609eb72218dfd68be6057d78b8953b18828709
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Fixes: d831c5fd86 ("aspeed/intc: Add AST2700 support")
Link: https://lore.kernel.org/qemu-devel/20250320092543.4040672-2-steven_lee@aspeedtech.com
Signed-off-by: Cédric Le Goater <clg@redhat.com>
2025-03-23 18:42:16 +01:00
Stefan Hajnoczi
71119ed365 * exec/cpu-all: remove BSWAP_NEEDED
* pl011: pad C PL011State struct to same size as Rust struct
 * rust: hpet: fix type of "timers" property
 * rust: hpet: fix functional tests (and really everything that uses it)
 * rust: Kconfig: Factor out whether devices are Rust or C
 * rust: vmstate: Fixes and tests

Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* exec/cpu-all: remove BSWAP_NEEDED
* pl011: pad C PL011State struct to same size as Rust struct
* rust: hpet: fix type of "timers" property
* rust: hpet: fix functional tests (and really everything that uses it)
* rust: Kconfig: Factor out whether devices are Rust or C
* rust: vmstate: Fixes and tests

# gpg: Signature made Fri 21 Mar 2025 14:34:51 EDT
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* tag 'for-upstream' of https://gitlab.com/bonzini/qemu: (24 commits)
  rust: hpet: fix decoding of timer registers
  rust/vmstate: Include complete crate path of VMStateFlags in vmstate_clock
  rust/vmstate: Add unit test for vmstate_validate
  rust/vmstate: Add unit test for pointer case
  rust/vmstate: Add unit test for vmstate_{of|struct} macro
  rust/vmstate: Add unit test for vmstate_of macro
  rust/vmstate: Support vmstate_validate
  rust/vmstate: Re-implement VMState trait for timer binding
  rust/vmstate: Relax array check when build varray in vmstate_struct
  rust/vmstate: Fix unnecessary VMState bound of with_varray_flag()
  rust/vmstate: Fix "cannot infer type" error in vmstate_struct
  rust/vmstate: Fix type check for varray in vmstate_struct
  rust/vmstate: Fix size field of VMStateField with VMS_ARRAY_OF_POINTER flag
  rust/vmstate: Fix num field when varray flags are set
  rust/vmstate: Fix num_offset in vmstate macros
  rust/vmstate: Remove unnecessary unsafe
  exec/cpu-all: remove BSWAP_NEEDED
  load_aout: replace bswap_needed with big_endian
  rust: pl011: Check size of state struct at compile time
  hw/char/pl011: Pad PL011State struct to same size as Rust impl
  ...

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2025-03-23 11:04:40 -04:00
Stefan Hajnoczi
cea9dfbc48 Error reporting patches for 2025-03-21

Merge tag 'pull-error-2025-03-21' of https://repo.or.cz/qemu/armbru into staging

Error reporting patches for 2025-03-21

# gpg: Signature made Fri 21 Mar 2025 10:36:25 EDT
# gpg:                using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653
# gpg:                issuer "armbru@redhat.com"
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" [full]
# gpg:                 aka "Markus Armbruster <armbru@pond.sub.org>" [full]
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867  4E5F 3870 B400 EB91 8653

* tag 'pull-error-2025-03-21' of https://repo.or.cz/qemu/armbru:
  target/loongarch: Clean up virt_cpu_irq_init() error handling
  target/loongarch: Remove unnecessary temporary variable assignment
  hw/loongarch/virt: Eliminate error_propagate()
  target/loongarch: Fix error handling of KVM feature checks
  hw/xen: Downgrade a xen_bus_realize() non-error to warning
  hw/xen: Fix xen_bus_realize() error handling
  error: Strip trailing '\n' from an error string argument
  cryptodev: Fix error handling in cryptodev_lkcf_execute_task()

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2025-03-23 11:04:27 -04:00
Stefan Hajnoczi
c1fc2dd789 hw/uefi-vars: bug fixes
hw/uefi-vars: support riscv and loongarch
 docs: update firmware.json spec

Merge tag 'uefi-20250321-pull-request' of https://gitlab.com/kraxel/qemu into staging

hw/uefi-vars: bug fixes
hw/uefi-vars: support riscv and loongarch
docs: update firmware.json spec

# gpg: Signature made Fri 21 Mar 2025 08:35:41 EDT
# gpg:                using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* tag 'uefi-20250321-pull-request' of https://gitlab.com/kraxel/qemu:
  docs/firmware: add feature flag for host uefi variable store
  hw/uefi-vars-sysbus: allow for loongarch virt
  hw/uefi-vars-sysbus: allow for riscv virt
  hw/uefi: fix error handling in uefi_vars_json_load
  hw/uefi: fix error handling in uefi_vars_json_save
  hw/uefi: flush variable store to disk in post load

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2025-03-23 11:04:09 -04:00
Stefan Hajnoczi
3907add7a6 * Fix a KVM SMP guest hang. This is not completely trivial, but just
small enough to merge it. If this causes any more problems, we can
   revert it and the timebase patch which exposed the underlying issue
   for release.
 * Fix a bunch of Coverity issues reported introduced in ppc, mostly in
   powernv code.
 * Fix a NetBSD boot bug on mac99 caused by VSX/VMX decodetree rewrite.
 * Fix the default CPU selection for older spapr machines.

Merge tag 'pull-ppc-for-10.0-2-20250321' of https://gitlab.com/npiggin/qemu into staging

* Fix a KVM SMP guest hang. This is not completely trivial, but just
  small enough to merge it. If this causes any more problems, we can
  revert it and the timebase patch which exposed the underlying issue
  for release.
* Fix a bunch of Coverity issues reported introduced in ppc, mostly in
  powernv code.
* Fix a NetBSD boot bug on mac99 caused by VSX/VMX decodetree rewrite.
* Fix the default CPU selection for older spapr machines.

# gpg: Signature made Fri 21 Mar 2025 02:22:51 EDT
# gpg:                using RSA key 4E437DDA56616F4329B0A79567B30276A8621CAE
# gpg: Good signature from "Nicholas Piggin <npiggin@gmail.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4E43 7DDA 5661 6F43 29B0  A795 67B3 0276 A862 1CAE

* tag 'pull-ppc-for-10.0-2-20250321' of https://gitlab.com/npiggin/qemu:
  target/ppc: Fix e200 duplicate SPRs
  target/ppc: Fix facility interrupt checks for VSX
  ppc/spapr: fix default cpu for pre-9.0 machines.
  ppc/amigaone: Constify default_env
  ppc/amigaone: Check blk_pwrite return value
  ppc/pnv: Fix system symbols in HOMER structure definitions
  ppc/pnv: Move the PNOR LPC address into struct PnvPnor
  ppc/spapr: Fix possible pa_features memory overflow
  ppc/xive2: Fix logical / bitwise comparison typo
  pnv/xive: Fix possible undefined shift error in group size calculation
  ppc/xive: Fix typo in crowd block level calculation
  ppc/spapr: Fix RTAS stopped state

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2025-03-23 11:03:34 -04:00
Paolo Bonzini
134ab17fff load_aout: replace bswap_needed with big_endian
Targets know whether they are big-endian more than they know if
the endianness is different from the host: the former is mostly
a constant, at least in machine creation code, while the latter
has to be computed with TARGET_BIG_ENDIAN != HOST_BIG_ENDIAN or
something like that.

load_aout, however, takes a "bswap_needed" argument.  Replace
it with a "big_endian" argument; even though all users are
big-endian, it is cheap enough to keep the optional swapping
functionality even for little-endian boards.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2025-03-21 12:51:16 +01:00
Gerd Hoffmann
e1092f765d hw/uefi-vars-sysbus: allow for loongarch virt
Allow the device being added to loongarch virt VMs.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20250319141159.1461621-6-kraxel@redhat.com>
2025-03-21 12:01:12 +01:00
Gerd Hoffmann
5807508fad hw/uefi-vars-sysbus: allow for riscv virt
Allow the device being added to riscv virt VMs.

Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20250319141159.1461621-5-kraxel@redhat.com>
2025-03-21 12:00:38 +01:00
Gerd Hoffmann
761d0b5fb7 hw/uefi: fix error handling in uefi_vars_json_load
Catch lseek errors.  Return on read errors.

Fixes: CID 1593154
Fixes: CID 1593157
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20250319141159.1461621-4-kraxel@redhat.com>
2025-03-21 12:00:38 +01:00
Gerd Hoffmann
ae24cf139b hw/uefi: fix error handling in uefi_vars_json_save
Catch lseek errors.  Return on errors.
Use autoptr for the GString to simplify cleanup.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20250319141159.1461621-3-kraxel@redhat.com>
2025-03-21 12:00:38 +01:00
Gerd Hoffmann
560429fd74 hw/uefi: flush variable store to disk in post load
Make live migration more robust.  Commit 4c0cfc72b3 ("pflash_cfi01:
write flash contents to bdrv on incoming migration") elaborates in
detail on the motivation.

Cc: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20250319141159.1461621-2-kraxel@redhat.com>
2025-03-21 12:00:38 +01:00
Harsh Prateek Bora
1490d0bcdf ppc/spapr: fix default cpu for pre-9.0 machines.
When POWER10 CPU was made as default, we missed keeping POWER9 as
default for older pseries releases (pre-9.0) at that time.
This caused breakage in default cpu evaluation for older pseries
machines and hence this fix.

Fixes: 51113013f3 ("ppc/spapr: change pseries machine default to POWER10 CPU")
Cc: qemu-stable@nongnu.org
Signed-off-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250313094705.2361997-1-harshpb@linux.ibm.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2025-03-21 13:54:34 +10:00
BALATON Zoltan
667413f5bf ppc/amigaone: Constify default_env
The variable holding default env is not supposed to be written.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250314200145.08E0F4E6067@zero.eik.bme.hu>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2025-03-21 13:54:34 +10:00
BALATON Zoltan
0cb6498b4c ppc/amigaone: Check blk_pwrite return value
Coverity reported that return value of blk_pwrite() maybe should not
be ignored. We can't do much if this happens other than report an
error but let's do that to silence this report.

Resolves: Coverity CID 1593725
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
Message-ID: <20250314200140.2DBE74E6069@zero.eik.bme.hu>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2025-03-21 13:54:32 +10:00
Stefan Hajnoczi
527dede083 * Fix linking problem when CONFIG_VIRTIO_PCI is not set for s390x
* Update functional tests parts of the documentation
* Some minor fixes for functional tests

Merge tag 'pull-request-2025-03-19' of https://gitlab.com/thuth/qemu into staging

* Fix linking problem when CONFIG_VIRTIO_PCI is not set for s390x
* Update functional tests parts of the documentation
* Some minor fixes for functional tests

# gpg: Signature made Wed 19 Mar 2025 09:14:15 EDT
# gpg:                using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg:                issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* tag 'pull-request-2025-03-19' of https://gitlab.com/thuth/qemu:
  tests/functional/test_migration: Use "ncat" instead of "nc" in the exec test
  tests/functional/test_x86_64_kvm_xen: Remove avocado tags
  docs/devel/testing/functional: Add a section about logging
  docs/system/arm: Use "functional tests" instead of "integration tests"
  docs/system: Use the meson binary from the pyvenv
  tests/functional: remove all class level fields
  tests/functional/test_arm_orangepi: rename test class to 'OrangePiMachine'
  hw/virtio: Also include md stubs in case CONFIG_VIRTIO_PCI is not set

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2025-03-20 08:41:25 -04:00
Paolo Bonzini
7bda68e8e2 qdev, rust/hpet: fix type of HPET "timers" property
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2025-03-20 12:14:45 +01:00
Nicholas Piggin
d8b1c3eaed ppc/pnv: Fix system symbols in HOMER structure definitions
These definitions were taken from skiboot firmware. I naively thought it
would be nicer to keep the code similar by using the preprocessor, but
it was pointed out that system headers might still use those symbols and
cause something unexpected. Also just nicer to keep the QEMU tree clean.

Cc: "Philippe Mathieu-Daudé" <philmd@linaro.org>
Cc: "Stefan Hajnoczi" <stefanha@gmail.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Fixes: 70bc5c2498 ("ppc/pnv: Make HOMER memory a RAM region")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2025-03-20 19:58:11 +10:00
Nicholas Piggin
ce5a32d180 ppc/pnv: Move the PNOR LPC address into struct PnvPnor
Rather than use the hardcoded define throughout the tree for the
PNOR LPC address, keep it within the PnvPnor object.

This should solve a dead code issue in the BMC HIOMAP checks where
Coverity (correctly) reported that the sanity checks are dead code.
We would like to keep the sanity checks without turning them into a
compile time assert in case we would like to make them configurable
in future.

Fixes: 4c84a0a4a6 ("ppc/pnv: Add a PNOR address and size sanity checks")
Resolves: Coverity CID 1593723
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2025-03-20 19:58:10 +10:00
Nicholas Piggin
965797d19a ppc/spapr: Fix possible pa_features memory overflow
Coverity reports a possible memory overflow in spapr_dt_pa_features().
This should not be a true bug since DAWR1 cap is only true for
CPU_POWERPC_LOGICAL_3_10. Add an assertion to ensure any bug there is
caught.

Resolves: Coverity CID 1593722
Fixes: 5f361ea187 ("ppc: spapr: Enable 2nd DAWR on Power10 pSeries machine")
Reviewed-By: Shivaprasad G Bhat <sbhat@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2025-03-20 19:57:44 +10:00
Nicholas Piggin
e0b9357337 ppc/xive2: Fix logical / bitwise comparison typo
The comparison as written is always false (perhaps confusingly, because
the functions/macros are not really booleans but return 0 or the tested
bit value). Change to use logical-and.

Resolves: Coverity CID 1593721
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2025-03-20 19:57:43 +10:00
Nicholas Piggin
344921309d pnv/xive: Fix possible undefined shift error in group size calculation
Coverity discovered a potential shift overflow in group size calculation
in the case of a guest error. Add checks and logs to ensure issues are
caught.

Make the group and crowd error checking code more similar to one another
while here.

Resolves: Coverity CID 1593724
Fixes: 9cb7f6ebed ("ppc/xive2: Support group-matching when looking for target")
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2025-03-20 19:55:13 +10:00
Nicholas Piggin
033a5649b4 ppc/xive: Fix typo in crowd block level calculation
I introduced this bug when "tidying" the original patch, not Frederic.
Paper bag for me.

Fixes: 9cb7f6ebed ("ppc/xive2: Support group-matching when looking for target")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2025-03-20 19:55:11 +10:00
Peter Maydell
d1368344bc rust: Kconfig: Factor out whether HPET is Rust or C
Currently we require everywhere that wants to know if there
is an HPET device to check for "CONFIG_HPET || CONFIG_X_HPET_RUST".
Factor out whether the HPET device is Rust or C into a separate
Kconfig stanza, so that CONFIG_HPET means "there is an HPET",
and whether this has pulled in CONFIG_X_HPET_RUST or CONFIG_HPET_C
is something the rest of QEMU can ignore.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Link: https://lore.kernel.org/r/20250319193110.1565578-3-peter.maydell@linaro.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2025-03-20 09:23:24 +01:00
Peter Maydell
f88c9cd804 rust: Kconfig: Factor out whether PL011 is Rust or C
Currently every board that uses the PL011 duplicates the logic that
selects the Rust implementation if Rust was enabled and the C
implementation if it was not.  Factor this out into a separate
Kconfig stanza, so that boards can go back to simply doing "select
PL011" and get whichever implementation is correct for the build.

This fixes a compilation failure if CONFIG_VMAPPLE is enabled
in a Rust build, because hw/vmapple/Kconfig didn't have the
"pick the Rust PL011 if Rust is enabled" logic in it.

Fixes: 59f4d65584 ("hw/vmapple/vmapple: Add vmapple machine type")
Reported-by: Tanish Desai <tanishdesai37@gmail.com>
Analyzed-by: Tanish Desai <tanishdesai37@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Link: https://lore.kernel.org/r/20250319193110.1565578-2-peter.maydell@linaro.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2025-03-20 09:23:18 +01:00
Bibo Mao
a725bc970e target/loongarch: Clean up virt_cpu_irq_init() error handling
The Error ** argument must be NULL, &error_abort, &error_fatal, or a
pointer to a variable containing NULL. Passing an argument of the
latter kind twice without clearing it in between is wrong: if the
first call sets an error, it no longer points to NULL for the second
call.

virt_cpu_irq_init() is wrong that way: it passes &err to
hotplug_handler_plug() twice.  If both calls failed, this could trip
error_setv()'s assertion.  Moreover, if just one fails, the Error
object leaks. Fortunately, these calls can't actually fail.

Messed up in commit 50ebc3fc47 (hw/intc/loongarch_ipi: Notify ipi
object when cpu is plugged) and commit 087a23a87c
(hw/intc/loongarch_extioi: Use cpu plug notification).

Clean this up by passing &error_abort instead.

Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Acked-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20250320032158.1762751-7-maobibo@loongson.cn>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
2025-03-20 07:58:19 +01:00
Bibo Mao
0973b505fa hw/loongarch/virt: Eliminate error_propagate()
When there is an error, it is put into a local variable and then
propagated to somewhere else. Instead the error can be set right
away, error propagation can be removed.

Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Message-ID: <20250320032158.1762751-5-maobibo@loongson.cn>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
2025-03-20 07:58:19 +01:00
Nicholas Piggin
fb802acdc8 ppc/spapr: Fix RTAS stopped state
This change takes the CPUPPCState 'quiesced' field added for powernv
hardware CPU core controls (used to stop and start cores), and extends
it to spapr to model the "RTAS stopped" state. This prevents the
schedulers attempting to run stopped CPUs unexpectedly, which can cause
hangs and possibly other unexpected behaviour.

The detail of the problematic situation is this:

A KVM spapr guest boots with all secondary CPUs defined to be in the
"RTAS stopped" state. In this state, the CPU is only responsive to the
start-cpu RTAS call. This behaviour is modeled in QEMU with the
start_powered_off feature, which sets ->halted on secondary CPUs at
boot. ->halted=true looks like an idle / sleep / power-save state which
typically is responsive to asynchronous interrupts, but spapr clears
wake-on-interrupt bits in the LPCR SPR. This more-or-less works.

Commit e8291ec16d ("target/ppc: fix timebase register reset state")
recently caused the decrementer to expire sooner at boot, causing a
decrementer exception on secondary CPUs in RTAS stopped state. This
was not a problem on TCG, but KVM limits how a guest can modify LPCR, in
particular it prevents the clearing of wake-on-interrupt bits, and so in
the course of CPU register synchronisation, the LPCR as set by spapr to
model the RTAS stopped state is overwritten with KVM's LPCR value, and
that then causes QEMU's interrupt code to notice the expired decrementer
exception, turn that into an interrupt, and set CPU_INTERRUPT_HARD.

That causes the CPU to be kicked, and the KVM vCPU thread to loop
calling kvm_cpu_exec(). kvm_cpu_exec() calls
kvm_arch_process_async_events(), which on ppc just returns ->halted.
This is still true, so it returns immediately with EXCP_HLT, and the
vCPU never goes to sleep because qemu_wait_io_event() sees
CPU_INTERRUPT_HARD is set. All this while the vCPU holds the bql.  This
causes the boot CPU to eventually lock up when it needs the bql.

So make 'quiesced' represent the "RTAS stopped" state, and have it
explicitly not respond to exceptions (interrupt conditions) rather than
rely on machine register state to model that state. This matches the
powernv quiesced state very well because it essentially turns off the
CPU core via a side-band control unit.

There are still issues with QEMU's and KVM's idea of LPCR diverging, and that
is quite ugly and fragile and should be fixed. spapr should synchronize
its LPCR properly with KVM, and not try to use values that KVM does not
support.

Reported-by: Misbah Anjum N <misanjum@linux.ibm.com>
Tested-by: Misbah Anjum N <misanjum@linux.ibm.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2025-03-20 14:48:17 +10:00
Markus Armbruster
6121c55db9 hw/xen: Downgrade a xen_bus_realize() non-error to warning
xen_bus_realize() reports a failure to set up a watch as error, but it
doesn't treat it as one: it simply continues.  Report a warning
instead.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20250314143500.2449658-3-armbru@redhat.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
2025-03-19 09:36:29 +01:00
Markus Armbruster
de7b18083b hw/xen: Fix xen_bus_realize() error handling
The Error ** argument must be NULL, &error_abort, &error_fatal, or a
pointer to a variable containing NULL.  Passing an argument of the
latter kind twice without clearing it in between is wrong: if the
first call sets an error, it no longer points to NULL for the second
call.

xen_bus_realize() is wrong that way: it passes &local_err to
xs_node_watch() in a loop.  If this fails in more than one iteration,
it can trip error_setv()'s assertion.

Fix by clearing @local_err.

Fixes: c4583c8c39 (xen-bus: reduce scope of backend watch)
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <20250314143500.2449658-2-armbru@redhat.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
2025-03-19 09:36:15 +01:00
Thomas Huth
c1a6bff276 hw/virtio: Also include md stubs in case CONFIG_VIRTIO_PCI is not set
For the s390x target, it's possible to build the QEMU binary without
CONFIG_VIRTIO_PCI and only have the virtio-mem device via the ccw
transport. In that case, QEMU currently fails to link correctly:

 /usr/bin/ld: libqemu-s390x-softmmu.a.p/hw_s390x_s390-virtio-ccw.c.o: in function `s390_machine_device_pre_plug':
 ../hw/s390x/s390-virtio-ccw.c:579:(.text+0x1e96): undefined reference to `virtio_md_pci_pre_plug'
 /usr/bin/ld: libqemu-s390x-softmmu.a.p/hw_s390x_s390-virtio-ccw.c.o: in function `s390_machine_device_plug':
 ../hw/s390x/s390-virtio-ccw.c:608:(.text+0x21a4): undefined reference to `virtio_md_pci_plug'
 /usr/bin/ld: libqemu-s390x-softmmu.a.p/hw_s390x_s390-virtio-ccw.c.o: in function `s390_machine_device_unplug_request':
 ../hw/s390x/s390-virtio-ccw.c:622:(.text+0x2334): undefined reference to `virtio_md_pci_unplug_request'
 /usr/bin/ld: libqemu-s390x-softmmu.a.p/hw_s390x_s390-virtio-ccw.c.o: in function `s390_machine_device_unplug':
 ../hw/s390x/s390-virtio-ccw.c:633:(.text+0x2436): undefined reference to `virtio_md_pci_unplug'
 clang: error: linker command failed with exit code 1 (use -v to see invocation)

We also need to include the stubs when CONFIG_VIRTIO_PCI is missing.

Fixes: aa910c20ec ("s390x: virtio-mem support")
Message-ID: <20250313063522.1348288-1-thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2025-03-19 07:41:32 +01:00
Jason Chien
3ea8fb521d hw/riscv/riscv-iommu: Fix process directory table walk
The PPN field in a non-leaf PDT entry is positioned differently from that
in a leaf PDT entry. The original implementation incorrectly used the leaf
entry's PPN mask to extract the PPN from a non-leaf entry, leading to an
erroneous page table walk.

This commit introduces new macros to properly define the fields for
non-leaf PDT entries and corrects the page table walk.

Signed-off-by: Jason Chien <jason.chien@sifive.com>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Message-ID: <20250301173751.9446-1-jason.chien@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
2025-03-19 16:35:58 +10:00