From 8dcfb54090330c877ad5a05be5e555714eeb870c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Tue, 24 Sep 2024 20:34:09 +0200 Subject: [PATCH 01/23] hw/arm/armv7m: Expose and access System Control Space as little endian MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We only build ARM system emulators using little endianness, so the MO_TE definition always expands to MO_LE, and DEVICE_TARGET_ENDIAN to DEVICE_LITTLE_ENDIAN. Replace the definitions by their expanded value, making it closer to the Armv7-M Architecture Reference Manual (ARM DDI 0403E) description: The System Control Space (SCS, address range 0xE000E000 to 0xE000EFFF) is a memory-mapped 4KB address space that provides 32-bit registers for configuration, status reporting and control. All accesses to the SCS are little endian. Fixes: d5d680cacc ("memory: Access MemoryRegion with endianness") Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Peter Maydell Reviewed-by: Richard Henderson Message-Id: <20250312104821.1012-1-philmd@linaro.org> --- hw/arm/armv7m.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/hw/arm/armv7m.c b/hw/arm/armv7m.c index 98a6984611..64009174b9 100644 --- a/hw/arm/armv7m.c +++ b/hw/arm/armv7m.c @@ -140,7 +140,7 @@ static MemTxResult v7m_sysreg_ns_write(void *opaque, hwaddr addr, /* S accesses to the alias act like NS accesses to the real region */ attrs.secure = 0; return memory_region_dispatch_write(mr, addr, value, - size_memop(size) | MO_TE, attrs); + size_memop(size) | MO_LE, attrs); } else { /* NS attrs are RAZ/WI for privileged, and BusFault for user */ if (attrs.user) { 
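Review bot: The hard-coded MO_LE in v7m_sysreg_ns_write now encodes an architectural requirement (all SCS accesses are little endian) rather than a build-configuration shortcut, but nothing in the code records that, and the same applies to the MO_LE and DEVICE_LITTLE_ENDIAN changes in v7m_sysreg_ns_read, v7m_systick_write, v7m_systick_read and the two MemoryRegionOps tables in the following hunks. A one-line comment above each ops table, `/* All accesses to the SCS are little endian (ARM DDI 0403E). */`, would stop a future cleanup from restoring MO_TE or DEVICE_NATIVE_ENDIAN. The body of v7m_sysreg_ns_write continues outside the hunk.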
@@ -160,7 +160,7 @@ static MemTxResult v7m_sysreg_ns_read(void *opaque, hwaddr addr, /* S accesses to the alias act like NS accesses to the real region */ attrs.secure = 0; return memory_region_dispatch_read(mr, addr, data, - size_memop(size) | MO_TE, attrs); + size_memop(size) | MO_LE, attrs); } else { /* NS attrs are RAZ/WI for privileged, and BusFault for user */ if (attrs.user) { @@ -174,7 +174,7 @@ static MemTxResult v7m_sysreg_ns_read(void *opaque, hwaddr addr, static const MemoryRegionOps v7m_sysreg_ns_ops = { .read_with_attrs = v7m_sysreg_ns_read, .write_with_attrs = v7m_sysreg_ns_write, - .endianness = DEVICE_NATIVE_ENDIAN, + .endianness = DEVICE_LITTLE_ENDIAN, }; static MemTxResult v7m_systick_write(void *opaque, hwaddr addr, @@ -187,7 +187,7 @@ static MemTxResult v7m_systick_write(void *opaque, hwaddr addr, /* Direct the access to the correct systick */ mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->systick[attrs.secure]), 0); return memory_region_dispatch_write(mr, addr, value, - size_memop(size) | MO_TE, attrs); + size_memop(size) | MO_LE, attrs); } static MemTxResult v7m_systick_read(void *opaque, hwaddr addr, @@ -199,14 +199,14 @@ static MemTxResult v7m_systick_read(void *opaque, hwaddr addr, /* Direct the access to the correct systick */ mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->systick[attrs.secure]), 0); - return memory_region_dispatch_read(mr, addr, data, size_memop(size) | MO_TE, - attrs); + return memory_region_dispatch_read(mr, addr, data, + size_memop(size) | MO_LE, attrs); } static const MemoryRegionOps v7m_systick_ops = { .read_with_attrs = v7m_systick_read, .write_with_attrs = v7m_systick_write, - .endianness = DEVICE_NATIVE_ENDIAN, + .endianness = DEVICE_LITTLE_ENDIAN, }; /* From 02e521462405d9fd84b49787f6d8ae9b93d9b13c Mon Sep 17 00:00:00 2001 
From: Bernhard Beschow Date: Tue, 18 Mar 2025 21:57:07 +0100 Subject: [PATCH 02/23] hw/arm/imx8mp-evk: Fix reference count of SoC object MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit TYPE_FSL_IMX8MP is created using object_new(), so must be realized with qdev_realize_and_unref() to keep the reference counting intact. Fixes: a4eefc69b237 "hw/arm: Add i.MX 8M Plus EVK board" Signed-off-by: Bernhard Beschow Reviewed-by: Peter Maydell Message-ID: <20250318205709.28862-2-shentey@gmail.com> Signed-off-by: Philippe Mathieu-Daudé --- hw/arm/imx8mp-evk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/arm/imx8mp-evk.c b/hw/arm/imx8mp-evk.c index e1a7892fd7..e1a21e52f9 100644 --- a/hw/arm/imx8mp-evk.c +++ b/hw/arm/imx8mp-evk.c @@ -37,7 +37,7 @@ static void imx8mp_evk_init(MachineState *machine) s = FSL_IMX8MP(object_new(TYPE_FSL_IMX8MP)); object_property_add_child(OBJECT(machine), "soc", OBJECT(s)); object_property_set_uint(OBJECT(s), "fec1-phy-num", 1, &error_fatal); - qdev_realize(DEVICE(s), NULL, &error_fatal); + qdev_realize_and_unref(DEVICE(s), NULL, &error_fatal); memory_region_add_subregion(get_system_memory(), FSL_IMX8MP_RAM_START, machine->ram); From 26c1c41e8ca2d510a3bdb888d9341a07ab13b20c Mon Sep 17 00:00:00 2001 
From: Bernhard Beschow Date: Tue, 18 Mar 2025 21:57:08 +0100 Subject: [PATCH 03/23] hw/arm/fsl-imx8mp: Derive struct FslImx8mpState from TYPE_SYS_BUS_DEVICE MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Deriving from TYPE_SYS_BUS_DEVICE fixes the SoC object to be reset upon machine reset. It also makes the SoC implementation not user-creatable which can trigger the following crash: $ ./qemu-system-aarch64 -M virt -device fsl-imx8mp ** ERROR:../../devel/qemu/tcg/tcg.c:1006:tcg_register_thread: assertion failed: (n < tcg_max_ctxs) Bail out! ERROR:../../devel/qemu/tcg/tcg.c:1006:tcg_register_thread: assertion failed: (n < tcg_max_ctxs) Aborted (core dumped) Fixes: a4eefc69b237 "hw/arm: Add i.MX 8M Plus EVK board" Reported-by: Thomas Huth Suggested-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Peter Maydell Signed-off-by: Bernhard Beschow Message-ID: <20250318205709.28862-3-shentey@gmail.com> Signed-off-by: Philippe Mathieu-Daudé --- hw/arm/fsl-imx8mp.c | 2 +- hw/arm/imx8mp-evk.c | 2 +- include/hw/arm/fsl-imx8mp.h | 3 ++- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/hw/arm/fsl-imx8mp.c b/hw/arm/fsl-imx8mp.c index c3f6da6322..82edf61082 100644 --- a/hw/arm/fsl-imx8mp.c +++ b/hw/arm/fsl-imx8mp.c @@ -702,7 +702,7 @@ static void fsl_imx8mp_class_init(ObjectClass *oc, void *data) static const TypeInfo fsl_imx8mp_types[] = { { .name = TYPE_FSL_IMX8MP, - .parent = TYPE_DEVICE, + .parent = TYPE_SYS_BUS_DEVICE, .instance_size = sizeof(FslImx8mpState), .instance_init = fsl_imx8mp_init, .class_init = fsl_imx8mp_class_init, diff --git a/hw/arm/imx8mp-evk.c b/hw/arm/imx8mp-evk.c index e1a21e52f9..f17d5db466 100644 --- a/hw/arm/imx8mp-evk.c +++ b/hw/arm/imx8mp-evk.c 
@@ -37,7 +37,7 @@ static void imx8mp_evk_init(MachineState *machine) s = FSL_IMX8MP(object_new(TYPE_FSL_IMX8MP)); object_property_add_child(OBJECT(machine), "soc", OBJECT(s)); object_property_set_uint(OBJECT(s), "fec1-phy-num", 1, &error_fatal); - qdev_realize_and_unref(DEVICE(s), NULL, &error_fatal); + sysbus_realize_and_unref(SYS_BUS_DEVICE(s), &error_fatal); memory_region_add_subregion(get_system_memory(), FSL_IMX8MP_RAM_START, machine->ram); diff --git a/include/hw/arm/fsl-imx8mp.h b/include/hw/arm/fsl-imx8mp.h index bc97fc416e..22fdc0d67c 100644 --- a/include/hw/arm/fsl-imx8mp.h +++ b/include/hw/arm/fsl-imx8mp.h @@ -26,6 +26,7 @@ #include "hw/timer/imx_gpt.h" #include "hw/usb/hcd-dwc3.h" #include "hw/watchdog/wdt_imx2.h" +#include "hw/sysbus.h" #include "qom/object.h" #include "qemu/units.h" @@ -49,7 +50,7 @@ enum FslImx8mpConfiguration { }; struct FslImx8mpState { - DeviceState parent_obj; + SysBusDevice parent_obj; ARMCPU cpu[FSL_IMX8MP_NUM_CPUS]; GICv3State gic; From f32d678252134779d1f129d80435e827877136f5 Mon Sep 17 00:00:00 2001 From: Bernhard Beschow Date: Tue, 18 Mar 2025 21:57:09 +0100 Subject: [PATCH 04/23] hw/arm/fsl-imx8mp: Remove unused define MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The SoC has three SPI controllers, not four. Remove the extra define of an SPI IRQ. Fixes: 06908a84f036 "hw/arm/fsl-imx8mp: Add SPI controllers" Reviewed-by: Peter Maydell Signed-off-by: Bernhard Beschow Message-ID: <20250318205709.28862-4-shentey@gmail.com> Signed-off-by: Philippe Mathieu-Daudé --- include/hw/arm/fsl-imx8mp.h | 1 - 1 file changed, 1 deletion(-) diff --git a/include/hw/arm/fsl-imx8mp.h b/include/hw/arm/fsl-imx8mp.h index 22fdc0d67c..d016f7d337 100644 --- a/include/hw/arm/fsl-imx8mp.h +++ b/include/hw/arm/fsl-imx8mp.h 
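Review bot: The new `#include "hw/sysbus.h"` in include/hw/arm/fsl-imx8mp.h is inserted after "hw/watchdog/wdt_imx2.h", while the visible hw/ includes are kept in alphabetical order; placing it before "hw/timer/imx_gpt.h" keeps the list sorted (the start of the include list is outside the hunk, so the exact slot is inferred). The `SysBusDevice parent_obj;` change and the switch to `sysbus_realize_and_unref(SYS_BUS_DEVICE(s), &error_fatal);` in imx8mp-evk.c are consistent with the new parent type.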
@@ -238,7 +238,6 @@ enum FslImx8mpIrqs { FSL_IMX8MP_ECSPI1_IRQ = 31, FSL_IMX8MP_ECSPI2_IRQ = 32, FSL_IMX8MP_ECSPI3_IRQ = 33, - FSL_IMX8MP_ECSPI4_IRQ = 34, FSL_IMX8MP_I2C1_IRQ = 35, FSL_IMX8MP_I2C2_IRQ = 36, From 581ca58246c1906701680292dfa04af1d129308d Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Fri, 21 Mar 2025 13:32:31 -0700 Subject: [PATCH 05/23] hw/core/cpu: Use size_t for memory_rw_debug len argument MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Match the prototype of cpu_memory_rw_debug(). Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Message-Id: <20250325224403.4011975-4-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé --- include/hw/core/cpu.h | 2 +- target/sparc/cpu.h | 2 +- target/sparc/mmu_helper.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h index 5d11d26556..abd8764e83 100644 --- a/include/hw/core/cpu.h +++ b/include/hw/core/cpu.h @@ -154,7 +154,7 @@ struct CPUClass { int (*mmu_index)(CPUState *cpu, bool ifetch); int (*memory_rw_debug)(CPUState *cpu, vaddr addr, - uint8_t *buf, int len, bool is_write); + uint8_t *buf, size_t len, bool is_write); void (*dump_state)(CPUState *cpu, FILE *, int flags); void (*query_cpu_fast)(CPUState *cpu, CpuInfoFast *value); int64_t (*get_arch_id)(CPUState *cpu); diff --git a/target/sparc/cpu.h b/target/sparc/cpu.h index 462bcb6c0e..68f8c21e7c 100644 --- a/target/sparc/cpu.h +++ b/target/sparc/cpu.h @@ -604,7 +604,7 @@ void dump_mmu(CPUSPARCState *env); #if !defined(TARGET_SPARC64) && !defined(CONFIG_USER_ONLY) int sparc_cpu_memory_rw_debug(CPUState *cpu, vaddr addr, - uint8_t *buf, int len, bool is_write); + uint8_t *buf, size_t len, bool is_write); #endif /* translate.c */ diff --git a/target/sparc/mmu_helper.c b/target/sparc/mmu_helper.c index 7548d01777..3821cd91ec 100644 --- a/target/sparc/mmu_helper.c 
+++ b/target/sparc/mmu_helper.c @@ -389,7 +389,7 @@ void dump_mmu(CPUSPARCState *env) * that the sparc ABI is followed. */ int sparc_cpu_memory_rw_debug(CPUState *cs, vaddr address, - uint8_t *buf, int len, bool is_write) + uint8_t *buf, size_t len, bool is_write) { CPUSPARCState *env = cpu_env(cs); target_ulong addr = address; From 82bdce7b9453df2ede67d2b7f01b6e9e4491f408 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Tue, 25 Mar 2025 23:20:15 +0100 Subject: [PATCH 06/23] hw/block/m25p80: Categorize and add description MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Thomas Huth Message-Id: <20250325224310.8785-3-philmd@linaro.org> --- hw/block/m25p80.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c index b84c6afb32..0887c103e4 100644 --- a/hw/block/m25p80.c +++ b/hw/block/m25p80.c @@ -1870,7 +1870,9 @@ static void m25p80_class_init(ObjectClass *klass, void *data) dc->vmsd = &vmstate_m25p80; device_class_set_props(dc, m25p80_properties); device_class_set_legacy_reset(dc, m25p80_reset); + set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); mc->pi = data; + dc->desc = "Serial Flash"; } static const TypeInfo m25p80_info = { From 43b815eae1bd7ef11a5985e1f52fe65ea698f75d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Tue, 25 Mar 2025 23:20:22 +0100 Subject: [PATCH 07/23] hw/display/dm163: Add description MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Thomas Huth Message-Id: <20250325224310.8785-4-philmd@linaro.org> --- hw/display/dm163.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/display/dm163.c b/hw/display/dm163.c index 75a91f62bd..f6f0ec0c63 100644 --- a/hw/display/dm163.c +++ b/hw/display/dm163.c 
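Review bot: sparc_cpu_memory_rw_debug now takes `size_t len`, but only its signature is in the hunk; the body (outside the hunk) should be checked for places that compared or decremented the old `int len` against signed values, since `len > 0` loops keep working but any `len < 0` test or `len - n` arithmetic with signed operands changes meaning under unsigned arithmetic. The matching callback change in include/hw/core/cpu.h means every other assignment to memory_rw_debug must use `size_t` as well or the function-pointer types will mismatch; only the sparc implementation is touched here, so presumably it is the only implementer.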
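Review bot: In m25p80_class_init the two additions are split around `mc->pi = data;`, so the DeviceClass setup is interleaved with the M25P80Class field; keeping `set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);` and `dc->desc = "Serial Flash";` together next to the other `dc->` assignments reads more naturally. `"Serial Flash"` is also rather generic for a model that covers many parts; something like `"SPI serial flash (m25p80 family)"` would tell a user more, though that is a matter of taste.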
@@ -330,7 +330,7 @@ static void dm163_class_init(ObjectClass *klass, void *data) DeviceClass *dc = DEVICE_CLASS(klass); ResettableClass *rc = RESETTABLE_CLASS(klass); - dc->desc = "DM163"; + dc->desc = "DM163 8x3-channel constant current LED driver"; dc->vmsd = &vmstate_dm163; dc->realize = dm163_realize; rc->phases.hold = dm163_reset_hold; From c0a1dabd0b5ea8da520957c23ebdb243d955991d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Tue, 25 Mar 2025 23:36:52 +0100 Subject: [PATCH 08/23] hw/dma/i82374: Categorize and add description MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Thomas Huth Message-Id: <20250325224310.8785-5-philmd@linaro.org> --- hw/dma/i82374.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/dma/i82374.c b/hw/dma/i82374.c index 9652d47adc..0bf69ef399 100644 --- a/hw/dma/i82374.c +++ b/hw/dma/i82374.c @@ -150,6 +150,8 @@ static void i82374_class_init(ObjectClass *klass, void *data) dc->realize = i82374_realize; dc->vmsd = &vmstate_i82374; device_class_set_props(dc, i82374_properties); + dc->desc = "Intel 82374 DMA controller"; + set_bit(DEVICE_CATEGORY_MISC, dc->categories); } static const TypeInfo i82374_info = { From facfc943cb943ae05997a22642334558751c2bdb Mon Sep 17 00:00:00 2001 From: Thomas Huth Date: Tue, 21 Jan 2025 11:36:55 +0100 Subject: [PATCH 09/23] hw/mips: Mark the "mipssim" machine as deprecated MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We are not aware of anybody still using this machine, support for it has been withdrawn from the Linux kernel (i.e. there also won't be any future development anymore), and we are not aware of any binaries online that could be used for regression testing to avoid that the machine bitrots ... thus let's mark it as deprecated now. 
Signed-off-by: Thomas Huth Acked-by: Philippe Mathieu-Daudé Message-ID: <20250121103655.1285596-1-thuth@redhat.com> Signed-off-by: Philippe Mathieu-Daudé --- docs/about/deprecated.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst index e2b4f077d4..76291fdfd6 100644 --- a/docs/about/deprecated.rst +++ b/docs/about/deprecated.rst @@ -292,6 +292,19 @@ Big-Endian variants of MicroBlaze ``petalogix-ml605`` and ``xlnx-zynqmp-pmu`` ma Both ``petalogix-ml605`` and ``xlnx-zynqmp-pmu`` were added for little endian CPUs. Big endian support is not tested. +Mips ``mipssim`` machine (since 10.0) +''''''''''''''''''''''''''''''''''''' + +Linux dropped support for this virtual machine type in kernel v3.7, and +there does not seem to be anybody around who is still using this board +in QEMU: Most former MIPS-related people are working on other architectures +in their everyday job nowadays, and we are also not aware of anybody still +using old binaries with this board (i.e. there is also no binary available +online to check that this board did not completely bitrot yet). It is +recommended to use another MIPS machine for future MIPS code development +instead. + + Backend options --------------- From 2542d5cf471a38c4ceb9717708178938b96ded47 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Fri, 21 Mar 2025 23:12:48 +0100 Subject: [PATCH 10/23] hw/rtc/goldfish: keep time offset when resetting MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently resetting the leads to resynchronizing the Goldfish RTC with the system clock of the host. In real hardware an RTC reset would not change the wall time. Other RTCs like pl031 do not show this behavior. Move the synchronization of the RTC with the system clock to the instance realization. Cc: qemu-stable@nongnu.org Reported-by: Frederik Du Toit Lotter Fixes: 9a5b40b8427 ("hw: rtc: Add Goldfish RTC device") 
Signed-off-by: Heinrich Schuchardt Reviewed-by: Philippe Mathieu-Daudé Message-ID: <20250321221248.17764-1-heinrich.schuchardt@canonical.com> Signed-off-by: Philippe Mathieu-Daudé --- hw/rtc/goldfish_rtc.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/hw/rtc/goldfish_rtc.c b/hw/rtc/goldfish_rtc.c index 0f1b53e0e4..d83cc26481 100644 --- a/hw/rtc/goldfish_rtc.c +++ b/hw/rtc/goldfish_rtc.c @@ -239,15 +239,8 @@ static const VMStateDescription goldfish_rtc_vmstate = { static void goldfish_rtc_reset(DeviceState *dev) { GoldfishRTCState *s = GOLDFISH_RTC(dev); - struct tm tm; timer_del(s->timer); - - qemu_get_timedate(&tm, 0); - s->tick_offset = mktimegm(&tm); - s->tick_offset *= NANOSECONDS_PER_SECOND; - s->tick_offset -= qemu_clock_get_ns(rtc_clock); - s->tick_offset_vmstate = 0; s->alarm_next = 0; s->alarm_running = 0; s->irq_pending = 0; @@ -258,6 +251,7 @@ static void goldfish_rtc_realize(DeviceState *d, Error **errp) { SysBusDevice *dev = SYS_BUS_DEVICE(d); GoldfishRTCState *s = GOLDFISH_RTC(d); + struct tm tm; memory_region_init_io(&s->iomem, OBJECT(s), &goldfish_rtc_ops[s->big_endian], s, @@ -267,6 +261,11 @@ static void goldfish_rtc_realize(DeviceState *d, Error **errp) sysbus_init_irq(dev, &s->irq); s->timer = timer_new_ns(rtc_clock, goldfish_rtc_interrupt, s); + + qemu_get_timedate(&tm, 0); + s->tick_offset = mktimegm(&tm); + s->tick_offset *= NANOSECONDS_PER_SECOND; + s->tick_offset -= qemu_clock_get_ns(rtc_clock); } static const Property goldfish_rtc_properties[] = { From 490aaae935b6461cfe30660e819317521b255321 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Tue, 25 Mar 2025 23:21:17 +0100 Subject: [PATCH 11/23] hw/misc/pll: Do not expose as user-creatable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit All these devices are part of SoC components and can not be created manually. 
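Review bot: goldfish_rtc_realize now performs the one-time host-clock synchronisation at its end, but the code does not say why it lives here and not in reset, so a future reader may move it back; suggest a comment above `qemu_get_timedate(&tm, 0);` such as `/* Sync with the host clock once at realize; a reset must not change the guest wall time. */`. Since tick_offset is no longer rewritten on reset while `s->tick_offset_vmstate = 0;` still is, a time written by the guest now survives a reset, which is the behaviour the commit message asks for. It would be worth confirming that the vmstate pre/post-load handlers (outside the hunk) still derive tick_offset_vmstate from tick_offset correctly now that realize, not reset, establishes the initial value.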
Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Thomas Huth Message-Id: <20250325224310.8785-9-philmd@linaro.org> --- hw/misc/bcm2835_cprman.c | 8 ++++++++ hw/misc/npcm_clk.c | 6 ++++++ hw/misc/stm32l4x5_rcc.c | 4 ++++ 3 files changed, 18 insertions(+) diff --git a/hw/misc/bcm2835_cprman.c b/hw/misc/bcm2835_cprman.c index aa14cd931f..0c4d4b7de5 100644 --- a/hw/misc/bcm2835_cprman.c +++ b/hw/misc/bcm2835_cprman.c @@ -137,6 +137,8 @@ static void pll_class_init(ObjectClass *klass, void *data) device_class_set_legacy_reset(dc, pll_reset); dc->vmsd = &pll_vmstate; + /* Reason: Part of BCM2835CprmanState component */ + dc->user_creatable = false; } static const TypeInfo cprman_pll_info = { @@ -241,6 +243,8 @@ static void pll_channel_class_init(ObjectClass *klass, void *data) device_class_set_legacy_reset(dc, pll_channel_reset); dc->vmsd = &pll_channel_vmstate; + /* Reason: Part of BCM2835CprmanState component */ + dc->user_creatable = false; } static const TypeInfo cprman_pll_channel_info = { @@ -362,6 +366,8 @@ static void clock_mux_class_init(ObjectClass *klass, void *data) device_class_set_legacy_reset(dc, clock_mux_reset); dc->vmsd = &clock_mux_vmstate; + /* Reason: Part of BCM2835CprmanState component */ + dc->user_creatable = false; } static const TypeInfo cprman_clock_mux_info = { @@ -416,6 +422,8 @@ static void dsi0hsck_mux_class_init(ObjectClass *klass, void *data) DeviceClass *dc = DEVICE_CLASS(klass); dc->vmsd = &dsi0hsck_mux_vmstate; + /* Reason: Part of BCM2835CprmanState component */ + dc->user_creatable = false; } static const TypeInfo cprman_dsi0hsck_mux_info = { diff --git a/hw/misc/npcm_clk.c b/hw/misc/npcm_clk.c index 0e85974cf9..b6a893ffb2 100644 --- a/hw/misc/npcm_clk.c +++ b/hw/misc/npcm_clk.c 
@@ -1108,6 +1108,8 @@ static void npcm7xx_clk_pll_class_init(ObjectClass *klass, void *data) dc->desc = "NPCM7xx Clock PLL Module"; dc->vmsd = &vmstate_npcm7xx_clk_pll; + /* Reason: Part of NPCMCLKState component */ + dc->user_creatable = false; } static void npcm7xx_clk_sel_class_init(ObjectClass *klass, void *data) @@ -1116,6 +1118,8 @@ static void npcm7xx_clk_sel_class_init(ObjectClass *klass, void *data) dc->desc = "NPCM7xx Clock SEL Module"; dc->vmsd = &vmstate_npcm7xx_clk_sel; + /* Reason: Part of NPCMCLKState component */ + dc->user_creatable = false; } static void npcm7xx_clk_divider_class_init(ObjectClass *klass, void *data) @@ -1124,6 +1128,8 @@ static void npcm7xx_clk_divider_class_init(ObjectClass *klass, void *data) dc->desc = "NPCM7xx Clock Divider Module"; dc->vmsd = &vmstate_npcm7xx_clk_divider; + /* Reason: Part of NPCMCLKState component */ + dc->user_creatable = false; } static void npcm_clk_class_init(ObjectClass *klass, void *data) diff --git a/hw/misc/stm32l4x5_rcc.c b/hw/misc/stm32l4x5_rcc.c index fd8466dff3..158b743cae 100644 --- a/hw/misc/stm32l4x5_rcc.c +++ b/hw/misc/stm32l4x5_rcc.c @@ -150,6 +150,8 @@ static void clock_mux_class_init(ObjectClass *klass, void *data) rc->phases.hold = clock_mux_reset_hold; rc->phases.exit = clock_mux_reset_exit; dc->vmsd = &clock_mux_vmstate; + /* Reason: Part of Stm32l4x5RccState component */ + dc->user_creatable = false; } static void clock_mux_set_enable(RccClockMuxState *mux, bool enabled) @@ -302,6 +304,8 @@ static void pll_class_init(ObjectClass *klass, void *data) rc->phases.hold = pll_reset_hold; rc->phases.exit = pll_reset_exit; dc->vmsd = &pll_vmstate; + /* Reason: Part of Stm32l4x5RccState component */ + dc->user_creatable = false; } static void pll_set_vco_multiplier(RccPllState *pll, uint32_t vco_multiplier) From b2e72fadc8119aa1ad3de9528d991be4d348cca5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Tue, 25 Mar 2025 23:21:28 +0100 Subject: [PATCH 12/23] hw/nvram/xlnx-efuse: Do not expose as user-creatable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This device is part of SoC components thus can not be created manually. Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Thomas Huth Message-Id: <20250325224310.8785-10-philmd@linaro.org> --- hw/nvram/xlnx-efuse.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/nvram/xlnx-efuse.c b/hw/nvram/xlnx-efuse.c index 29e7dd539e..176e88fcd1 100644 --- a/hw/nvram/xlnx-efuse.c +++ b/hw/nvram/xlnx-efuse.c @@ -280,6 +280,8 @@ static void efuse_class_init(ObjectClass *klass, void *data) dc->realize = efuse_realize; device_class_set_props(dc, efuse_properties); + /* Reason: Part of Xilinx SoC */ + dc->user_creatable = false; } static const TypeInfo efuse_info = { From 48ca224250444150f21cbded5745a0e36703b5e7 Mon Sep 17 00:00:00 2001 
From: Zheng Huang Date: Fri, 28 Mar 2025 11:21:49 +0800 Subject: [PATCH 13/23] hw/scsi/lsi53c895a: fix memory leak in lsi_scsi_realize() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Address a memory leak bug in the usages of timer_del(). The issue arises from the incorrect use of the ambiguous timer API timer_del(), which does not free the timer object. The LeakSanitizer report this issue during fuzzing. The correct API timer_free() freed the timer object instead. ================================================================= ==2586273==ERROR: LeakSanitizer: detected memory leaks Direct leak of 48 byte(s) in 1 object(s) allocated from: #0 0x55f2afd89879 in calloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:75:3 #1 0x7f443b93ac50 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ec50) #2 0x55f2b053962e in timer_new include/qemu/timer.h:542:12 #3 0x55f2b0514771 in timer_new_us include/qemu/timer.h:582:12 #4 0x55f2b0514288 in lsi_scsi_realize hw/scsi/lsi53c895a.c:2350:24 #5 0x55f2b0452d26 in pci_qdev_realize hw/pci/pci.c:2174:9 Signed-off-by: Zheng Huang Reviewed-by: Philippe Mathieu-Daudé Message-ID: <73cd69f9-ff9b-4cd4-b8aa-265f9d6067b9@gmail.com> Signed-off-by: Philippe Mathieu-Daudé --- hw/scsi/lsi53c895a.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c index d85e384ad6..6689ebba25 100644 --- a/hw/scsi/lsi53c895a.c +++ b/hw/scsi/lsi53c895a.c @@ -2372,7 +2372,7 @@ static void lsi_scsi_exit(PCIDevice *dev) LSIState *s = LSI53C895A(dev); address_space_destroy(&s->pci_io_as); - timer_del(s->scripts_timer); + timer_free(s->scripts_timer); } static void lsi_class_init(ObjectClass *klass, void *data) From 1c2d03bb0889b7a9a677d53126fb035190683af4 Mon Sep 17 00:00:00 2001 
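Review bot: After `timer_free(s->scripts_timer);` in lsi_scsi_exit the pointer is left dangling for as long as the LSIState object is still reachable before finalization; adding `s->scripts_timer = NULL;` right after the free is a cheap guard against a late timer_del/timer_free on the freed object. timer_free() also deletes the timer, so the previous timer_del() behaviour is fully covered by the replacement.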
From: Zheng Huang Date: Fri, 28 Mar 2025 17:49:35 +0800 Subject: [PATCH 14/23] hw/sd/sdhci: free irq on exit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix a memory leak bug in sdhci_pci_realize() due to s->irq not being freed in sdhci_pci_exit(). Signed-off-by: Zheng Huang Reviewed-by: Philippe Mathieu-Daudé Message-ID: <09ddf42b-a6db-42d5-954b-148d09d8d6cc@gmail.com> [PMD: Moved qemu_free_irq() call before sdhci_common_unrealize()] Signed-off-by: Philippe Mathieu-Daudé --- hw/sd/sdhci-pci.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/sd/sdhci-pci.c b/hw/sd/sdhci-pci.c index 5268c0dee5..bca149e811 100644 --- a/hw/sd/sdhci-pci.c +++ b/hw/sd/sdhci-pci.c @@ -18,6 +18,7 @@ #include "qemu/osdep.h" #include "qapi/error.h" #include "qemu/module.h" +#include "hw/irq.h" #include "hw/qdev-properties.h" #include "hw/sd/sdhci.h" #include "sdhci-internal.h" @@ -48,6 +49,7 @@ static void sdhci_pci_exit(PCIDevice *dev) { SDHCIState *s = PCI_SDHCI(dev); + qemu_free_irq(s->irq); sdhci_common_unrealize(s); sdhci_uninitfn(s); } From 70fe5ae121ce3013ac3a29809ed86c3837ad43ee Mon Sep 17 00:00:00 2001 
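Review bot: In sdhci_pci_exit the IRQ is freed before sdhci_common_unrealize() and sdhci_uninitfn(), so for the rest of the teardown `s->irq` points at freed memory; nothing on this straight-line path should raise the line, but if either helper (outside the hunk) can still call qemu_set_irq, or tears down timers whose callbacks do, freeing the IRQ last would be the safer order. If the current order is deliberate because it mirrors the reverse of realize (IRQ allocated last), a one-line comment saying so would document it. The same ordering question applies to the ufs_exit hunk later in this series, where `qemu_free_irq(u->irq);` precedes the qemu_bh_delete() calls.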
From: Chung-Yi Chen Date: Fri, 28 Mar 2025 20:37:25 +0800 Subject: [PATCH 15/23] hw/char/bcm2835_aux: Fix incorrect interrupt ID when RX disabled MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix a misconfiguration issue in the read implementation of the AUX_MU_IIR_REG register. This issue can lead to a transmit interrupt being incorrectly interpreted as a receive interrupt when the receive interrupt is disabled and the receive FIFO holds valid bytes. The AUX_MU_IIR_REG register (interrupt ID bits [2:1]) indicates the status of mini UART interrupts: - 00: No interrupts - 01: Transmit FIFO is empty - 10: Receive FIFO is not empty - 11: When the transmit interrupt is enabled and the receive interrupt is disabled, the original code incorrectly sets the interrupt ID bits. Specifically: 1. Transmit FIFO empty, receive FIFO empty - Expected 0b01, returned 0b01 (correct) 2. Transmit FIFO empty, receive FIFO not empty - Expected 0b01, returned 0b10 (incorrect) In the second case, the code sets the interrupt ID to 0b10 (receive FIFO is not empty) even if the receive interrupt is disabled. To fix this, the patch adds additional condition for setting the interrupt ID bits to also check if the receive interrupt is enabled. Reference: BCM2835 ARM Peripherals, page 13. Available on https://datasheets.raspberrypi.com/bcm2835/bcm2835-peripherals.pdf Fixes: 97398d900ca ("bcm2835_aux: add emulation of BCM2835 AUX (aka UART1) block") Signed-off-by: Chung-Yi Chen Reviewed-by: Philippe Mathieu-Daudé Message-ID: <20250328123725.94176-1-yeechen0207@gmail.com> Signed-off-by: Philippe Mathieu-Daudé --- hw/char/bcm2835_aux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/char/bcm2835_aux.c b/hw/char/bcm2835_aux.c index c6e7eccf7d..9b073fc330 100644 --- a/hw/char/bcm2835_aux.c +++ b/hw/char/bcm2835_aux.c 
@@ -98,7 +98,7 @@ static uint64_t bcm2835_aux_read(void *opaque, hwaddr offset, unsigned size) * interrupts are active, besides that this cannot occur. At * present, we choose to prioritise the rx interrupt, since * the tx fifo is always empty. */ - if (s->read_count != 0) { + if ((s->iir & RX_INT) && s->read_count != 0) { res |= 0x4; } else { res |= 0x2; From c458f9474d6574505ce9144ab1a90b951e69c1bd Mon Sep 17 00:00:00 2001 From: Zheng Huang Date: Sat, 29 Mar 2025 19:47:19 +0800 Subject: [PATCH 16/23] hw/ufs: free irq on exit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix a memory leak bug in ufs_init_pci() due to u->irq not being freed in ufs_exit(). Signed-off-by: Zheng Huang Reviewed-by: Philippe Mathieu-Daudé Message-ID: <43ceb427-87aa-44ee-9007-dbaecc499bba@gmail.com> Signed-off-by: Philippe Mathieu-Daudé --- hw/ufs/ufs.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c index 857de6e9c2..ee13edacd8 100644 --- a/hw/ufs/ufs.c +++ b/hw/ufs/ufs.c @@ -25,6 +25,7 @@ #include "qapi/error.h" #include "migration/vmstate.h" #include "scsi/constants.h" +#include "hw/irq.h" #include "trace.h" #include "ufs.h" @@ -1808,6 +1809,8 @@ static void ufs_exit(PCIDevice *pci_dev) { UfsHc *u = UFS(pci_dev); + qemu_free_irq(u->irq); + qemu_bh_delete(u->doorbell_bh); qemu_bh_delete(u->complete_bh); From 04e99f9eb7920b0f0fcce65686c3bedf5e32a1f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Mon, 31 Mar 2025 16:46:13 +0200 Subject: [PATCH 17/23] hw/pci-host/designware: Fix ATU_UPPER_TARGET register access MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix copy/paste error writing to the ATU_UPPER_TARGET register, we want to update the upper 32 bits. Cc: qemu-stable@nongnu.org Reported-by: Joey Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2861 Fixes: d64e5eabc4c ("pci: Add support for Designware IP block") 
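Review bot: The comment immediately above the changed condition ("we choose to prioritise the rx interrupt, since the tx fifo is always empty") no longer describes the new test, which prioritises rx only when `RX_INT` is set in `s->iir`; extend it along the lines of `* we prioritise the rx interrupt when it is enabled and the rx fifo is non-empty, otherwise we report tx-empty.` Note that the `else` branch still reports the tx-empty ID (`0x2`) when neither interrupt is enabled, which matches the old behaviour but is worth stating there because the commit message only covers the rx case. The hunk does not show where `s->iir` is written, so this assumes it mirrors the AUX_MU_IER_REG enable bits, as the `RX_INT` name suggests. bcm2835_aux_read begins before this hunk.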
Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Gustavo Romero Message-Id: <20250331152041.74533-2-philmd@linaro.org> --- hw/pci-host/designware.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c index c07740bfaa..5598d18f47 100644 --- a/hw/pci-host/designware.c +++ b/hw/pci-host/designware.c @@ -371,7 +371,7 @@ static void designware_pcie_root_config_write(PCIDevice *d, uint32_t address, case DESIGNWARE_PCIE_ATU_UPPER_TARGET: viewport->target &= 0x00000000FFFFFFFFULL; - viewport->target |= val; + viewport->target |= (uint64_t)val << 32; break; case DESIGNWARE_PCIE_ATU_LIMIT: From fb5bc76cae61b7c65e71ccf1c6027bf878f5b7dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Fri, 21 Mar 2025 11:24:35 +0100 Subject: [PATCH 18/23] target/hppa: Remove duplicated CPU_RESOLVING_TYPE definition MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The CPU_RESOLVING_TYPE definition was added in commit 0dacec874fa ("cpu: add CPU_RESOLVING_TYPE macro"), but then added again in commit d3ae32d4d20. Remove the duplication. Fixes: d3ae32d4d20 ("target/hppa: Implement cpu_list") Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Richard Henderson Message-Id: <20250321184200.4329-1-philmd@linaro.org> --- target/hppa/cpu.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/target/hppa/cpu.h b/target/hppa/cpu.h index 7be4a1d380..8b36642b59 100644 --- a/target/hppa/cpu.h +++ b/target/hppa/cpu.h @@ -391,6 +391,4 @@ void hppa_cpu_alarm_timer(void *); #endif G_NORETURN void hppa_dynamic_excp(CPUHPPAState *env, int excp, uintptr_t ra); -#define CPU_RESOLVING_TYPE TYPE_HPPA_CPU - #endif /* HPPA_CPU_H */ From 070a500cc0da70c1b4c62a6c95e41f0a1b19dc0b Mon Sep 17 00:00:00 2001 
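Review bot: The corrected `viewport->target |= (uint64_t)val << 32;` hand-rolls what `deposit64()` from qemu/bitops.h expresses in one step and symmetrically with the lower-half case that presumably precedes this one outside the hunk: `viewport->target = deposit64(viewport->target, 32, 32, val);` replaces both the mask-and-clear and the or-assign. That form keeps the field position and width visible at the call site, which is exactly what the original copy/paste slip lost. designware_pcie_root_config_write starts and ends outside this hunk.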
From: Richard Henderson Date: Sat, 22 Mar 2025 18:43:36 -0700 Subject: [PATCH 19/23] target/avr: Fix buffer read in avr_print_insn MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Do not unconditionally attempt to read 4 bytes, as there may only be 2 bytes remaining in the translator cache. Cc: qemu-stable@nongnu.org Reviewed-by: Pierrick Bouvier Signed-off-by: Richard Henderson Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20250325224403.4011975-2-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé --- target/avr/disas.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/target/avr/disas.c b/target/avr/disas.c index b7689e8d7c..d341030174 100644 --- a/target/avr/disas.c +++ b/target/avr/disas.c @@ -68,28 +68,35 @@ static bool decode_insn(DisasContext *ctx, uint16_t insn); int avr_print_insn(bfd_vma addr, disassemble_info *info) { - DisasContext ctx; + DisasContext ctx = { info }; DisasContext *pctx = &ctx; bfd_byte buffer[4]; uint16_t insn; int status; - ctx.info = info; - - status = info->read_memory_func(addr, buffer, 4, info); + status = info->read_memory_func(addr, buffer, 2, info); if (status != 0) { info->memory_error_func(status, addr, info); return -1; } insn = bfd_getl16(buffer); - ctx.next_word = bfd_getl16(buffer + 2); - ctx.next_word_used = false; + + status = info->read_memory_func(addr + 2, buffer + 2, 2, info); + if (status == 0) { + ctx.next_word = bfd_getl16(buffer + 2); + } if (!decode_insn(&ctx, insn)) { output(".db", "0x%02x, 0x%02x", buffer[0], buffer[1]); } - return ctx.next_word_used ? 4 : 2; + if (!ctx.next_word_used) { + return 2; + } else if (status == 0) { + return 4; + } + info->memory_error_func(status, addr + 2, info); + return -1; } From 8001d22b0c67b2fbf8f2cb7b2f44bd7b46b360c1 Mon Sep 17 00:00:00 2001 
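Review bot: `DisasContext ctx = { info };` relies on `info` being the first member of DisasContext (the struct definition is outside this hunk); a designated initializer `DisasContext ctx = { .info = info };` keeps the implicit zeroing of `next_word` and `next_word_used` that the removed explicit assignment provided and does not silently break if the members are ever reordered. The second `read_memory_func` call is the only read whose failure is tolerated, so it deserves a why-comment such as `/* The second word is optional: a 2-byte insn may be the last thing in the translator cache. */`. Note that when that read fails, `decode_insn` still sees `next_word == 0` and may print a 4-byte instruction before the memory error is reported; the return path handles it, but the comment should say so. avr_print_insn is complete within the hunk.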
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Tue, 25 Mar 2025 13:10:33 +0100 Subject: [PATCH 20/23] target/sparc: Log unimplemented ASI load/store accesses MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When the cache-controller feature is not implemented, log potential ASI access as unimplemented. Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Clément Chigot Message-Id: <20250325123927.74939-4-philmd@linaro.org> --- target/sparc/ldst_helper.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/target/sparc/ldst_helper.c b/target/sparc/ldst_helper.c index b559afc9a9..45882e25db 100644 --- a/target/sparc/ldst_helper.c +++ b/target/sparc/ldst_helper.c @@ -600,6 +600,9 @@ uint64_t helper_ld_asi(CPUSPARCState *env, target_ulong addr, case 0x0C: /* Leon3 Date Cache config */ if (env->def.features & CPU_FEATURE_CACHE_CTRL) { ret = leon3_cache_control_ld(env, addr, size); + } else { + qemu_log_mask(LOG_UNIMP, "0x" TARGET_FMT_lx ": unimplemented" + " address, size: %d\n", addr, size); } break; case 0x01c00a00: /* MXCC control register */ @@ -816,6 +819,9 @@ void helper_st_asi(CPUSPARCState *env, target_ulong addr, uint64_t val, case 0x0C: /* Leon3 Date Cache config */ if (env->def.features & CPU_FEATURE_CACHE_CTRL) { leon3_cache_control_st(env, addr, val, size); + } else { + qemu_log_mask(LOG_UNIMP, "0x" TARGET_FMT_lx ": unimplemented" + " address, size: %d\n", addr, size); } break; From fca2817fdcb00e65020c2dcfcb0b23b2a20ea3c4 Mon Sep 17 00:00:00 2001 
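Review bot: Both new `qemu_log_mask(LOG_UNIMP, ...)` calls — this one in helper_ld_asi and the matching one in the helper_st_asi hunk — emit identical text, so a log reader cannot tell an unimplemented load from an unimplemented store, nor which ASI was hit. Prefixing the message with the helper and the ASI number (the `asi` argument, if it is in scope as the signature suggests) makes the log actionable, e.g. `"ld_asi(%#x): 0x" TARGET_FMT_lx ": unimplemented address, size: %d\n", asi, addr, size`. The pre-existing `Leon3 Date Cache config` comment on the context line presumably means `Data Cache`. Both enclosing functions start and end outside their hunks.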
From: Richard Henderson Date: Fri, 28 Mar 2025 12:55:24 -0500 Subject: [PATCH 21/23] target/mips: Revert TARGET_PAGE_BITS_VARY MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Revert ee3863b9d41 and a08d60bc6c2b. The logic behind changing the system page size because of what the Loongson kernel "prefers" is flawed. In the Loongson-2E manual, section 5.5, it is clear that the cpu supports a 4k page size (along with many others). Similarly for the Loongson-3 series CPUs, the 4k page size is mentioned in the section 7.7 (PageMask Register). Therefore we must continue to support a 4k page size. Signed-off-by: Richard Henderson Reviewed-by: Philippe Mathieu-Daudé Message-ID: <20250328175526.368121-2-richard.henderson@linaro.org> [PMD: Mention Loongson-3 series CPUs] Signed-off-by: Philippe Mathieu-Daudé --- hw/mips/fuloong2e.c | 1 - hw/mips/loongson3_virt.c | 1 - target/mips/cpu-param.h | 5 ----- target/mips/tcg/system/cp0_helper.c | 7 +------ target/mips/tcg/system/tlb_helper.c | 2 +- 5 files changed, 2 insertions(+), 14 deletions(-) diff --git a/hw/mips/fuloong2e.c b/hw/mips/fuloong2e.c index 646044e274..2a8507b8b0 100644 --- a/hw/mips/fuloong2e.c +++ b/hw/mips/fuloong2e.c @@ -334,7 +334,6 @@ static void mips_fuloong2e_machine_init(MachineClass *mc) mc->default_cpu_type = MIPS_CPU_TYPE_NAME("Loongson-2E"); mc->default_ram_size = 256 * MiB; mc->default_ram_id = "fuloong2e.ram"; - mc->minimum_page_bits = 14; machine_add_audiodev_property(mc); } diff --git a/hw/mips/loongson3_virt.c b/hw/mips/loongson3_virt.c index db1cc51314..1da20dccec 100644 --- a/hw/mips/loongson3_virt.c +++ b/hw/mips/loongson3_virt.c @@ -677,7 +677,6 @@ static void loongson3v_machine_class_init(ObjectClass *oc, void *data) mc->max_cpus = LOONGSON_MAX_VCPUS; mc->default_ram_id = "loongson3.highram"; mc->default_ram_size = 1600 * MiB; - mc->minimum_page_bits = 14; mc->default_nic = "virtio-net-pci"; } 
diff --git a/target/mips/cpu-param.h b/target/mips/cpu-param.h
index 11b3ac0ac6..8fcb1b4f5f 100644
--- a/target/mips/cpu-param.h
+++ b/target/mips/cpu-param.h
@@ -18,12 +18,7 @@
 # define TARGET_VIRT_ADDR_SPACE_BITS 32
 #endif
 #endif
-#ifdef CONFIG_USER_ONLY
 #define TARGET_PAGE_BITS 12
-#else
-#define TARGET_PAGE_BITS_VARY
-#define TARGET_PAGE_BITS_MIN 12
-#endif
 
 #define TCG_GUEST_DEFAULT_MO (0)
 
diff --git a/target/mips/tcg/system/cp0_helper.c b/target/mips/tcg/system/cp0_helper.c
index 01a07a169f..8c2114c58a 100644
--- a/target/mips/tcg/system/cp0_helper.c
+++ b/target/mips/tcg/system/cp0_helper.c
@@ -877,18 +877,13 @@ void update_pagemask(CPUMIPSState *env, target_ulong arg1, int32_t *pagemask)
     if ((mask >> maskbits) != 0) {
         goto invalid;
     }
-    /* We don't support VTLB entry smaller than target page */
-    if ((maskbits + TARGET_PAGE_BITS_MIN) < TARGET_PAGE_BITS) {
-        goto invalid;
-    }
     env->CP0_PageMask = mask << CP0PM_MASK;
 
     return;
 
 invalid:
     /* When invalid, set to default target page size. */
-    mask = (~TARGET_PAGE_MASK >> TARGET_PAGE_BITS_MIN);
-    env->CP0_PageMask = mask << CP0PM_MASK;
+    env->CP0_PageMask = 0;
 }
 
 void helper_mtc0_pagemask(CPUMIPSState *env, target_ulong arg1)
diff --git a/target/mips/tcg/system/tlb_helper.c b/target/mips/tcg/system/tlb_helper.c
index ca4d6b27bc..123639fa18 100644
--- a/target/mips/tcg/system/tlb_helper.c
+++ b/target/mips/tcg/system/tlb_helper.c
@@ -875,7 +875,7 @@ refill:
             break;
         }
     }
-    pw_pagemask = m >> TARGET_PAGE_BITS_MIN;
+    pw_pagemask = m >> TARGET_PAGE_BITS;
     update_pagemask(env, pw_pagemask << CP0PM_MASK, &pw_pagemask);
     pw_entryhi = (address & ~0x1fff) | (env->CP0_EntryHi & 0xFF);
     {
From d89b9899babcc01d7ee75f2917da861dc2afbc27 Mon Sep 17 00:00:00 2001
From: Richard Henderson Date: Fri, 28 Mar 2025 12:55:25 -0500 Subject: [PATCH 22/23] target/mips: Require even maskbits in update_pagemask MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The number of bits set in PageMask must be even. Fixes: d40b55bc1b86 ("target/mips: Fix PageMask with variable page size") Signed-off-by: Richard Henderson Reviewed-by: Philippe Mathieu-Daudé Message-ID: <20250328175526.368121-3-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé Cc: qemu-stable@nongnu.org --- target/mips/tcg/system/cp0_helper.c | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/target/mips/tcg/system/cp0_helper.c b/target/mips/tcg/system/cp0_helper.c index 8c2114c58a..5db8166d45 100644 --- a/target/mips/tcg/system/cp0_helper.c +++ b/target/mips/tcg/system/cp0_helper.c @@ -866,24 +866,17 @@ void helper_mtc0_memorymapid(CPUMIPSState *env, target_ulong arg1) void update_pagemask(CPUMIPSState *env, target_ulong arg1, int32_t *pagemask) { - uint32_t mask; - int maskbits; - /* Don't care MASKX as we don't support 1KB page */ - mask = extract32((uint32_t)arg1, CP0PM_MASK, 16); - maskbits = cto32(mask); + uint32_t mask = extract32((uint32_t)arg1, CP0PM_MASK, 16); + int maskbits = cto32(mask); - /* Ensure no more set bit after first zero */ - if ((mask >> maskbits) != 0) { - goto invalid; + /* Ensure no more set bit after first zero, and maskbits even. */ + if ((mask >> maskbits) == 0 && maskbits % 2 == 0) { + env->CP0_PageMask = mask << CP0PM_MASK; + } else { + /* When invalid, set to default target page size. */ + env->CP0_PageMask = 0; } - env->CP0_PageMask = mask << CP0PM_MASK; - - return; - -invalid: - /* When invalid, set to default target page size. */ - env->CP0_PageMask = 0; } void helper_mtc0_pagemask(CPUMIPSState *env, target_ulong arg1) From 256ba7715b109c080c0c77a3923df9e69736ba17 Mon Sep 17 00:00:00 2001 
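Review bot: The evenness test deserves a why-comment, because `maskbits % 2 == 0` reads like an arbitrary constraint: the CP0 PageMask Mask field encodes page sizes that grow by a factor of four per step (4K, 16K, 64K, ...), so a valid run of set bits is always a whole number of bit pairs. Suggested wording for the comment above the `if`: `/* Ensure no more set bit after first zero, and that maskbits is even: each PageMask step quadruples the page size, so mask bits come in pairs. */`. Separately, the `pagemask` out-parameter is still never written in this version of the function; the following commit in this series addresses that, so no change is requested here. update_pagemask is complete within the hunk.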
From: Richard Henderson Date: Fri, 28 Mar 2025 12:55:26 -0500 Subject: [PATCH 23/23] target/mips: Simplify and fix update_pagemask MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When update_pagemask was split from helper_mtc0_pagemask, we failed to actually write to the new parameter but continue to write to env->CP0_PageMask. Thus the use within page_table_walk_refill modifies cpu state and not the local variable as expected. Simplify by renaming to compute_pagemask and returning the value directly. No need for either env or pointer return. Fixes: 074cfcb4dae ("target/mips: Implement hardware page table walker for MIPS32") Signed-off-by: Richard Henderson Reviewed-by: Philippe Mathieu-Daudé Message-ID: <20250328175526.368121-4-richard.henderson@linaro.org> Signed-off-by: Philippe Mathieu-Daudé Cc: qemu-stable@nongnu.org --- target/mips/tcg/system/cp0_helper.c | 10 +++++----- target/mips/tcg/system/tlb_helper.c | 2 +- target/mips/tcg/tcg-internal.h | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/target/mips/tcg/system/cp0_helper.c b/target/mips/tcg/system/cp0_helper.c index 5db8166d45..78e422b0ca 100644 --- a/target/mips/tcg/system/cp0_helper.c +++ b/target/mips/tcg/system/cp0_helper.c 
@@ -864,24 +864,24 @@ void helper_mtc0_memorymapid(CPUMIPSState *env, target_ulong arg1)
     }
 }
 
-void update_pagemask(CPUMIPSState *env, target_ulong arg1, int32_t *pagemask)
+uint32_t compute_pagemask(uint32_t val)
 {
     /* Don't care MASKX as we don't support 1KB page */
-    uint32_t mask = extract32((uint32_t)arg1, CP0PM_MASK, 16);
+    uint32_t mask = extract32(val, CP0PM_MASK, 16);
     int maskbits = cto32(mask);
 
     /* Ensure no more set bit after first zero, and maskbits even. */
     if ((mask >> maskbits) == 0 && maskbits % 2 == 0) {
-        env->CP0_PageMask = mask << CP0PM_MASK;
+        return mask << CP0PM_MASK;
     } else {
         /* When invalid, set to default target page size. */
-        env->CP0_PageMask = 0;
+        return 0;
     }
 }
 
 void helper_mtc0_pagemask(CPUMIPSState *env, target_ulong arg1)
 {
-    update_pagemask(env, arg1, &env->CP0_PageMask);
+    env->CP0_PageMask = compute_pagemask(arg1);
 }
 
 void helper_mtc0_pagegrain(CPUMIPSState *env, target_ulong arg1)
diff --git a/target/mips/tcg/system/tlb_helper.c b/target/mips/tcg/system/tlb_helper.c
index 123639fa18..df80301a41 100644
--- a/target/mips/tcg/system/tlb_helper.c
+++ b/target/mips/tcg/system/tlb_helper.c
@@ -876,7 +876,7 @@ refill:
         }
     }
     pw_pagemask = m >> TARGET_PAGE_BITS;
-    update_pagemask(env, pw_pagemask << CP0PM_MASK, &pw_pagemask);
+    pw_pagemask = compute_pagemask(pw_pagemask << CP0PM_MASK);
     pw_entryhi = (address & ~0x1fff) | (env->CP0_EntryHi & 0xFF);
     {
         target_ulong tmp_entryhi = env->CP0_EntryHi;
diff --git a/target/mips/tcg/tcg-internal.h b/target/mips/tcg/tcg-internal.h
index 74fc1309a7..950e6afc3f 100644
--- a/target/mips/tcg/tcg-internal.h
+++ b/target/mips/tcg/tcg-internal.h
@@ -47,7 +47,7 @@ bool mips_cpu_exec_interrupt(CPUState *cpu, int int_req);
 
 void mmu_init(CPUMIPSState *env, const mips_def_t *def);
 
-void update_pagemask(CPUMIPSState *env, target_ulong arg1, int32_t *pagemask);
+uint32_t compute_pagemask(uint32_t val);
 
 void r4k_invalidate_tlb(CPUMIPSState *env, int idx, int use_extra);
 uint32_t cpu_mips_get_random(CPUMIPSState *env);
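Review bot: `compute_pagemask(arg1)` in helper_mtc0_pagemask now narrows `target_ulong` to `uint32_t` implicitly at the call site, where the old body carried an explicit `(uint32_t)arg1`; the truncation is intended (only the low 32 bits hold PageMask), so keeping it visible with `env->CP0_PageMask = compute_pagemask((uint32_t)arg1);` documents that and stays quiet under stricter conversion warnings. In the tlb_helper hunk, `pw_pagemask` presumably keeps the `int32_t` type implied by the old `int32_t *pagemask` out-parameter while `compute_pagemask` returns `uint32_t`; the largest result, `0xFFFF << CP0PM_MASK`, should fit if CP0PM_MASK is 13, but a comment or a `uint32_t` local would make that explicit. page_table_walk_refill starts and ends outside its hunk.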
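Review bot: The new prototype `uint32_t compute_pagemask(uint32_t val);` in tcg-internal.h carries no comment, so the contract — extract the Mask field and return it shifted back into place, or 0 (the default 4K page) when the field is malformed — is only discoverable from the definition in cp0_helper.c; a short header comment on the declaration would make the tlb_helper call self-explanatory, e.g. `/* Validate a CP0.PageMask register value: returns the canonical Mask field, or 0 (4K pages) if the field is malformed. */`. The parameter name `val` is also generic next to the descriptive names around it; `pagemask` would read better in both the declaration and the definition.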