17798 Commits

Author SHA1 Message Date
Stefan Hajnoczi
2c8cf1f16d Merge tag 'mips-20260707' of https://github.com/philmd/qemu into staging
MIPS and SuperH patches queue

- MIPS Octeon COP2 crypto opcodes
- Fix for SH4 FIPR/FTRV vector math opcodes

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmpNQigACgkQ4+MsLN6t
# wN5BHA//R59P7ivsi6dET3DDD6KgF5RLXRxa6uEqbFABUc0faXrSyDhBfoL4Bym5
# FTeFdNfOWgq+c5Rj9xSf51nmPCXyhxBFnXRhrGiAwyE0sLUZ5pli2uhQ81AaBpHT
# ZtSjNt2pHTr+tIShtDOpaGNFcPyg2w1xGfTUKdlIUAmm7ibjx1qMr5ZKwnMKSMEO
# 35SsFkPQaD2b8kInQeefnvs9Qgn50hQxYuY96EJzbNj4GL2pZe+LtKW1tmRDihhY
# kMu4EXeXBsew0zPZ9EtGl6CTyE9kViOsH+aG5wxwtvSfTv40lSgLPbPyVJz2cVcN
# wg+lzWs7e7+SFLCCnGJiM0PRdaD38KTpGdS7GRrRkgF/FjmpDGXIbWkaavNU2nQ9
# RZ5UAh+6J5LVdUleeBvJg/e5L2LNnpdFbc5YtdN3gAYoNezaUAapUgBKlbGqQ9x/
# MOS+XidI4uA9jtSv91IL2480vDdtDr2u9/K/lEq2ZFCAYRTHkFbnGOKpq0pzPu0l
# voev2Xx4R+PNG7VadCJPkDIDUGVIhcjEHNr1ZuCa5SIQyDdgy5Bzh5WyCtgFtTyh
# MEVyMkdUS9V94z+1A6XM7zK3r6xLdkn5RcIXhWmbgCHda2a5XlyqqgdP/ZQQzy7l
# LyZH0Ji6XShbcwUDQXvRuvuzEfD05CAzFrUjSYrYhQsUWsV5FfM=
# =WfqR
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 07 Jul 2026 20:15:04 CEST
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* tag 'mips-20260707' of https://github.com/philmd/qemu: (23 commits)
  qemu-options: Do not list -enable-kvm on MIPS binaries
  target/sh4: fixup tcg for sh4 fipr/ftrv instructions
  tests/tcg/mips: cover Octeon QMAC instructions
  target/mips: add Octeon CvmCount RDHWR support
  target/mips: decode Octeon CHORD and LLM COP2 selectors
  target/mips: decode Octeon block-cipher COP2 selectors
  target/mips: decode Octeon ZUC and SNOW3G COP2 selectors
  target/mips: decode Octeon HSH and SHA3 COP2 selectors
  target/mips: decode Octeon CRC and GFM COP2 selectors
  target/mips: decode Octeon COP2 register selectors
  target/mips: add Octeon CHORD and LLM COP2 helpers
  target/mips: add Octeon HSH COP2 helpers
  target/mips: add Octeon Camellia COP2 helpers
  target/mips: add Octeon 3DES and KASUMI COP2 helpers
  target/mips: add Octeon SMS4 COP2 helpers
  target/mips: add Octeon AES COP2 helpers
  target/mips: add Octeon SNOW3G COP2 helpers
  target/mips: add Octeon ZUC COP2 helpers
  target/mips: add Octeon SHA3 COP2 helpers
  target/mips: add Octeon GFM COP2 helpers
  ...

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2026-07-08 15:59:51 +02:00
Randy Schifflin
614a52cf54 target/sh4: fixup tcg for sh4 fipr/ftrv instructions
Fixes TCG generation for sh4 `fipr` and `ftrv` instructions.
Updates the current logic for these instructions to check the
FPSCR register appropriately (according to the sh4 cpu manual, `fipr`
and `ftrv` are only defined when the FPSCR register PR flag is 0).
Also fixes the mth/nth-vector operands by multiplying by 4 to convert
to the correct floating point register offset.

Signed-off-by: Randy Schifflin <randy.schifflin@gmail.com>
Reviewed-by: Yoshinori Sato <yoshinori.sato@nifty.com>
Message-ID: <20260629-fixup-sh4-tcg-fpu-instructions-b4-v1-2-4356b305f971@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:14:51 +02:00
James Hilliard
c2fd17ec64 target/mips: add Octeon CvmCount RDHWR support
Octeon exposes CvmCount through RDHWR register 31. Add the Octeon-only
decode path, enable the corresponding HWREna bit for linux-user, and use
an unsigned mask when checking HWREna so bit 31 is handled safely.

For user-mode emulation, return host ticks as a monotonic counter source
suitable for existing Octeon userspace code. In system mode, fall back to
the existing CP0 Count value.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-20-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:14:46 +02:00
James Hilliard
8d399e3e03 target/mips: decode Octeon CHORD and LLM COP2 selectors
Add explicit decodetree entries and translator bindings for the Octeon
CHORD and sparse LLM COP2 selectors.  CHORD and LLM use their own COP2
selector window rather than the crypto engine windows covered by the
preceding decode patches.

This completes the explicit COP2 selector coverage by adding the
remaining CHORD and LLM register and operation selectors.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Acked-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-19-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:14:46 +02:00
James Hilliard
ec931476cd target/mips: decode Octeon block-cipher COP2 selectors
Add explicit decodetree entries and translator bindings for the Octeon
AES, SMS4, 3DES, KASUMI, and Camellia COP2 operation selectors.  These
selectors consume or update engine state, so keep them as per-operation
helper calls while the simple block-cipher register moves remain direct
TCG loads and stores from the earlier register-selector patch.

This completes the block-cipher selector coverage without reintroducing a
generic runtime selector dispatch path.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-18-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:14:46 +02:00
James Hilliard
b6ed5076a3 target/mips: decode Octeon ZUC and SNOW3G COP2 selectors
Add explicit decodetree entries and translator bindings for the Octeon
ZUC and SNOW3G COP2 operation selectors.  These stream-cipher selectors
operate on the shared HSH register window state, so dispatch them through
the per-operation helpers added with the corresponding engine support.

Keep stream-cipher decode separate because these selectors share the HSH
register window with unrelated engines.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-17-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:14:46 +02:00
James Hilliard
ac28df97e5 target/mips: decode Octeon HSH and SHA3 COP2 selectors
Add explicit decodetree entries and translator bindings for the Octeon
HSH shared-window selectors and SHA3 operation selectors. Simple SHA3 DAT
register moves and XORDAT selectors use direct TCG transfers, while HSH
operation selectors and SHA3 STARTOP remain helper-backed for their
visible side effects.

Keep HSH/SHA3 decode separate from direct register transfers because the
shared hash-window aliases and side-effecting operations need their own
selector coverage.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-16-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:14:46 +02:00
James Hilliard
9679d839f8 target/mips: decode Octeon CRC and GFM COP2 selectors
Add explicit decodetree entries and translator bindings for the Octeon
CRC and GFM COP2 operation selectors. Unlike simple register moves,
these selectors update CRC or Galois-field state and therefore remain
per-operation helper calls.

Keep CRC/GFM decode next to the helpers that implement these side
effects while avoiding a monolithic selector-dispatch helper.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-15-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:14:46 +02:00
James Hilliard
e32e36298e target/mips: decode Octeon COP2 register selectors
Add explicit decodetree entries and translator bindings for Octeon
DMFC2/DMTC2 selectors that are simple COP2 register transfers.

Emit direct TCG loads and stores for register moves. Use signed 32-bit
loads for 32-bit DMFC2 readback and mask narrow writable fields such as
AESKEYLEN and CRCLEN on DMTC2.

Keep operation selectors with side effects in later functional decode
patches.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-14-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:14:46 +02:00
James Hilliard
e3c6d52fa0 target/mips: add Octeon CHORD and LLM COP2 helpers
Add the Octeon CHORD hardware register access path and the LLM 36-bit
and 64-bit read and write windows. Model both CHORD access forms,
including the RDHWR $30 path and the legacy DMFC2 alias.

Implement sparse backing storage for the two LLM sets so user-mode code
can save, restore, and probe the architectural state without allocating a
full hardware-sized backing array.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-13-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:14:46 +02:00
James Hilliard
900c423717 target/mips: add Octeon HSH COP2 helpers
Add helper support for the Octeon HSH hash selectors. This includes the
base HSH data/IV windows, MD5, SHA1, SHA256, and SHA512 transform paths,
and the shared HSH/SHA512 register-window readback and write operations.

The SHA512 path shares the wide HSH register bank with SHA3, SNOW3G, and
ZUC. Keep the aliased readback and write paths centralized so selector
decode can route register accesses through these helpers when side
effects are required.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-12-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:14:46 +02:00
James Hilliard
c75e3503c8 target/mips: add Octeon Camellia COP2 helpers
Add helper support for the Octeon Camellia ROUND, FL, and FLINV
selectors. The engine reuses the AES RESINP bank, and guest-managed key
schedules drive the Camellia F-function and FL layers through these COP2
operations.

Implement the Camellia F-function and FL layers directly from RFC 3713.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-11-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:14:46 +02:00
James Hilliard
ff155dd718 target/mips: add Octeon 3DES and KASUMI COP2 helpers
Add helper support for the Octeon 3DES and KASUMI operation selectors.
The 3DES helpers implement ECB and CBC encrypt/decrypt over the shared
3DES key, IV, and result bank. KASUMI reuses the same register bank and
adds its own encrypt selectors.

Only the operation selectors require helper code. Simple key, IV, and
result register transfers are handled by direct selector decode.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-10-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:14:46 +02:00
James Hilliard
e94d1a2fe0 target/mips: add Octeon SMS4 COP2 helpers
Add helper support for the Octeon SMS4 operation selectors. SMS4 reuses
the AES RESINP, IV, and key banks, so the helpers share the existing AES
state while implementing the SMS4 ECB/CBC encrypt and decrypt operations.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-9-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:14:46 +02:00
James Hilliard
9bf93903f7 target/mips: add Octeon AES COP2 helpers
Add helper support for the Octeon AES operation selectors. Direct
register-transfer selectors do not need helpers; the ECB/CBC encrypt and
decrypt operations consume the AES input, key, IV, and key-length state.

AESRESINP is modeled as one architectural register bank; operation
helpers consume the current AESRESINP block and write the result back to
the same bank.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-8-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:14:46 +02:00
James Hilliard
e3ba2fd89c target/mips: add Octeon SNOW3G COP2 helpers
Add helper support for the Octeon SNOW3G START and MORE selectors. The
engine state and result are represented through the architectural HSH IV
and DAT register banks that SNOW3G aliases for save and restore.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-7-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:14:46 +02:00
James Hilliard
27ab71de26 target/mips: add Octeon ZUC COP2 helpers
Add the Octeon ZUC START and MORE helper operations and model the shared
state window used by the hardware interface. This covers the keystream
and MAC engine state, including the save-and-restore view that overlaps
the HSH/SHA3 bank.

Keep the LFSR words in the architectural HSH DAT input registers and the
runtime MAC/FSM/result state in the documented HASHIV window. The third
MAC lookahead word is generated on demand instead of being kept in a
non-architectural shadow slot.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-6-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:14:38 +02:00
James Hilliard
20d1f0e842 target/mips: add Octeon SHA3 COP2 helpers
Add the Octeon SHA3 helper operations for the architectural 25-lane
Keccak state view and implement the Keccak-f[1600] permutation used by
the STARTOP selector.

The simple SHA3 DAT register moves and XORDAT selectors are decoded as
direct TCG transfers in the selector decode patch. This helper patch only
keeps the side-effecting SHA3 operation support.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-5-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:09:13 +02:00
James Hilliard
c69401bbf6 target/mips: add Octeon GFM COP2 helpers
Add helper support for the Octeon GFM carryless multiply selectors. This
models the normal and reflected multiplication paths, including the
XOR-and-multiply forms that update the result/input state used by Octeon
crypto code.

Reflected selectors operate on the architectural GFM register bank using
bit-reflected register transfers rather than a separate shadow state.
Keep the 64-bit UIA2 reduction path used by SNOW3G F9 and share that
shortcut between the normal and reflected XORMUL1 paths.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-4-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:09:13 +02:00
James Hilliard
e1ac6b2775 target/mips: add Octeon CRC COP2 helpers
Add helper support for the Octeon COP2 CRC register interface. This
covers normal and reflected CRC state handling, byte/halfword/word/
doubleword/variable-width update selectors, and the reflected IV readback
operation.

Register moves that can be represented as direct TCG loads/stores do not
need helpers. Add only the side-effecting CRC helper implementation here.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-3-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:09:13 +02:00
James Hilliard
3bbe7ae19e target/mips: add Octeon COP2 crypto helper plumbing
Add the Octeon COP2 crypto helper source file and build it with the MIPS
TCG target. This provides the common compilation unit for the COP2 engine
helpers.

The instruction dispatch itself remains fully decoded by decodetree, and
operation selectors call per-operation helpers rather than a common
selector-dispatch helper.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-2-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:09:13 +02:00
James Hilliard
304df6d35e target/mips: add Octeon COP2 crypto state
Add the common architectural state needed by Octeon's selector-driven
COP2 crypto interfaces. This includes storage for the base hash, AES,
CRC, GFM, 3DES, KASUMI, and overlapping HSH/SHA512/SHA3/SNOW3G/ZUC
selector windows.

Keep selector values and helper-local aliasing logic out of the CPU state
header so the state definition remains limited to architectural storage.
Helper code uses the same register banks instead of adding
non-architectural shadow state. Model the SHA3 view as a direct 25-lane
alias of the architectural HSH DAT/IV/SHA3_DAT24 storage.

Migrate the state in an Octeon-only subsection so non-Octeon CPU models
do not grow migration data.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260608-mips-octeon-missing-insns-v2-v16-1-daef7a0d8b04@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
2026-07-07 20:09:13 +02:00
Stefan Hajnoczi
3be363aa8b Merge tag 's390x-20260707' of https://gitlab.com/cohuck/qemu into staging
s390x updates:
- fix some errors when IPLing from PCI devices
- a number of fixes for guest->host error handling
- add ASTFLE facility 2 support (with headers update)
- regenerate s390-ccw.img

# -----BEGIN PGP SIGNATURE-----
#
# iIgEABYKADAWIQRpo7U29cv8ZSCAJsHeiLtWQd5mwQUCakz2uBIcY29odWNrQHJl
# ZGhhdC5jb20ACgkQ3oi7VkHeZsFLFQD9F0Bf7fy1yD1TMRw64iSU56FbBWzCpb9F
# irXWxz9v3mIBANO/yVamhRffubE1DPIk0FVR8gu1jxtAb/tUPnf00oIH
# =QrlD
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 07 Jul 2026 14:53:12 CEST
# gpg:                using EDDSA key 69A3B536F5CBFC65208026C1DE88BB5641DE66C1
# gpg:                issuer "cohuck@redhat.com"
# gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>" [unknown]
# gpg:                 aka "Cornelia Huck <cohuck@kernel.org>" [unknown]
# gpg:                 aka "Cornelia Huck <cornelia.huck@de.ibm.com>" [full]
# gpg:                 aka "Cornelia Huck <huckc@linux.vnet.ibm.com>" [full]
# gpg:                 aka "Cornelia Huck <cohuck@redhat.com>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0  18CE DECF 6B93 C6F0 2FAF
#      Subkey fingerprint: 69A3 B536 F5CB FC65 2080  26C1 DE88 BB56 41DE 66C1

* tag 's390x-20260707' of https://gitlab.com/cohuck/qemu:
  pc-bios/s390-ccw.img: update s390x bios
  s390x/css: limit number of CHPIDs in description
  s390x/ioinst: Require strict length and format for SEI CHSC handler
  s390x/pci: Shrink RPCIT ranges to registered window
  s390x/pci: Tighten region detection for BAR read/write
  s390x/sclp: reject invalid write event data headers
  target/s390x: Fix wrong address handling in address loops
  s390x/kvm: Add ASTFLE facility 2 for nested virtualization
  linux-headers: Update to Linux v7.2-rc1 with KVM_S390_VM_CPU_FEAT_ASTFLEIE2
  s390x: Enable boot menu for virtio pci device
  pc-bios/s390-ccw: write IPLB location for non-net virtio devices
  pc-bios/s390-ccw: Verify virtio support when booting from virtio PCI device on s390x
  pc-bios/s390-ccw: Add per-queue notification offset for multi-queue virtio configurations
  pc-bios/s390-ccw/virtio.c: Fix missing break for PCI notifications
  pc-bios/s390-ccw: Refactor byte swapping

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2026-07-07 19:18:55 +02:00
Miao Wang
e819c126a8 target/loongarch: Enable TARGET_PAGE_BITS_VARY for loongarch64 user-only
Hard coding PAGE_SIZE to 4K will prevent user-only emulation from
working on hosts with 16K page size.

Fixes: 1d832c19db ("target/loongarch: Support 4K page size")
Fixes: qemu-project/qemu#3651

Signed-off-by: Miao Wang <shankerwangmiao@gmail.com>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Message-ID: <20260630-loong64-vary-page-sz-v1-1-1d1a894674be@gmail.com>
Signed-off-by: Song Gao <gaosong@loongson.cn>
2026-07-07 08:41:28 -04:00
Tao Cui
87da979a96 target/loongarch/kvm: fix cpucfg sync error handling
In kvm_loongarch_get_cpucfg() and kvm_loongarch_put_cpucfg(), ret is
overwritten on each iteration, so only the last register's result is
returned and earlier failures are lost. On a failed read, env->cpucfg[i]
is stored from a stale or uninitialized val.

Accumulate errors with ret |=, matching kvm_loongarch_get_csr()/put_csr(),
and only update env->cpucfg[i] on a successful read. Keep the cpucfg2
negotiation check in put_cpucfg() on a separate variable so its early
return does not overwrite the accumulated result.

Signed-off-by: Tao Cui <cuitao@kylinos.cn>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Message-ID: <20260626052742.810726-5-cui.tao@linux.dev>
Signed-off-by: Song Gao <gaosong@loongson.cn>
2026-07-07 08:41:28 -04:00
Tao Cui
5f59ac6169 target/loongarch/kvm: remove redundant cpucfg failure traces
kvm_get_one_reg() and kvm_set_one_reg() already trace on failure, so the
trace_kvm_failed_get_cpucfg()/trace_kvm_failed_put_cpucfg() calls in
kvm_loongarch_get_cpucfg() and kvm_loongarch_put_cpucfg() duplicate that.
Remove the calls and the now-unused trace events.

Signed-off-by: Tao Cui <cuitao@kylinos.cn>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Message-ID: <20260626052742.810726-4-cui.tao@linux.dev>
Signed-off-by: Song Gao <gaosong@loongson.cn>
2026-07-07 08:41:28 -04:00
Tao Cui
f029c634ee target/loongarch/kvm: pass device attr by reference to kvm_vcpu_ioctl
kvm_vcpu_ioctl() is variadic and reads its argument as a pointer, but
kvm_get_stealtime(), kvm_set_stealtime() and kvm_set_pv_features() pass
the local struct kvm_device_attr by value. It currently works because of
how the calling convention passes large structs; pass &attr so the
argument is passed as intended.

Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Tao Cui <cuitao@kylinos.cn>
Message-ID: <20260626052742.810726-3-cui.tao@linux.dev>
Signed-off-by: Song Gao <gaosong@loongson.cn>
2026-07-07 08:41:28 -04:00
Tao Cui
bf7f2ee96f target/loongarch/kvm: fix uninitialized val and unchecked GET in cpucfg2 check
kvm_check_cpucfg2() discards the return value of KVM_GET_DEVICE_ATTR and
uses the local val (the host cpucfg2 mask) without checking whether the
read succeeded. val is also declared without an initializer, so on a GET
failure env->cpucfg[2] &= val reads an uninitialized value.

The &= mask is best-effort feature negotiation: if KVM_HAS_DEVICE_ATTR
succeeds, a GET failure is most likely a copy_{from,to}_user issue, not a
reason to fail the whole register sync. Check the GET return value, warn and
skip the mask on failure (the guest keeps the cpucfg2 it already has), and
initialize val to 0.

Signed-off-by: Tao Cui <cuitao@kylinos.cn>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Message-ID: <20260626052742.810726-2-cui.tao@linux.dev>
Signed-off-by: Song Gao <gaosong@loongson.cn>
2026-07-07 08:41:15 -04:00
Matthew Rosato
386268daea s390x/ioinst: Require strict length and format for SEI CHSC handler
Ensure SEI commands that are received are of the appropriate length and
format before handling.

Cc: qemu-stable@nongnu.org
Fixes: 8cba80c3a0 ("s390: Add PCI bus support")
Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Message-ID: <20260707070728.147203-5-borntraeger@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2026-07-07 12:01:59 +02:00
Stefan Hajnoczi
94826ec137 Merge tag 'accel-20260706' of https://github.com/philmd/qemu into staging
Accelerators patches queue

- Various cleanups around debugging APIs
- Correctly check singlestep flag enabled in CPUState
- Fix possible memory corruption with MSHV (CID 1660876)

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmpLsRwACgkQ4+MsLN6t
# wN7TRRAAhTnAG0VuUat9MYUCuWWSiTrNKm6m2vVcO+Zec/bBbU1+twBSBzVQ/rwm
# kGzImAWip6nYorU5BxTKePlpCy6Rm+t0evYaA5ixF0aXtmm3n6IGIMSsi5yEJxF5
# YHDXxvpD56Z1p8kRvkp4ynABiiF5gfBFqbSuI7/gxSI2tcJ2uSx8MC+HEO/X4vJc
# +Clich5n4eyN7YL7vqGrVl84cqHOwe40bXAm1OOa5S83/y2hc//SHgFqTB8BL1P7
# 9SafbFIFiqbfy4kWV86mSu3LDsSYLoIU7bgpRb9mX9WVrvfuoQeVUf7XH+fjmqIo
# s/2uHN6ha/h12jS1q0nCYu585EzXCuPRF3upSslPaoEd16sFEO6ZiODmaMIsomA2
# SlCM3jGYUUw+vkfS/+SJUF17QEHtv0R8Dp5IfseE9Tp+huYvJuwn3Qh4UwbVRg0P
# YHoRa2KiXvBPntY/GkyhCL9Y5oWC5RaRHyKxMs83tdUouOeBy2t/ftnVtDqeRn3p
# 04W+pilUEodSnzcNfAGxQhkqDeGIOveRubaeNICgmxO0Bp9dMUZIOju84hY77KEw
# hClBI87cOc1REC7YNXkoouWcr8moNSZlKAyIbTf/Ag5cAheYOSvO5UDDVVepudSl
# kER+S1iuPkeb0uVvnvk5Kh4UBCMwdfYKe9bNu/SB0ab6N3IpY4s=
# =knBq
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 06 Jul 2026 15:43:56 CEST
# gpg:                using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD  6BB2 E3E3 2C2C DEAD C0DE

* tag 'accel-20260706' of https://github.com/philmd/qemu: (32 commits)
  cpu: Only check SSTEP_ENABLE flag in cpu_single_stepping()
  cpu: Rename CPUState @singlestep_enabled -> @singlestep_flags
  cpu: Introduce cpu_single_stepping() helper
  cpu: Better name cpu_single_step() trace event
  accel/tcg: Improve docstrings around TCGCPUOps::*watchpoint* handlers
  target/ppc: Ensure TCG is used in ppc_update_daw()
  target/arm: Inline check_watchpoints() in arm_debug_check_watchpoint()
  accel: Use GdbBreakpointType enum
  gdbstub: Introduce GdbBreakpointType enumerator
  gdbstub: Reduce @type variable scope
  gdbstub/user: Directly call gdb_breakpoint_remove_all() in user mode
  accel: Remove unnecessary 'inline' qualifier in remove_all_breakpoints
  cpu: Move BREAKPOINT definitions to 'exec/breakpoint.h'
  cpu: Move cpu_breakpoint_test out of line
  accel: Remove AccelOpsClass::supports_guest_debug
  accel: Hold @can_reverse information in AccelGdbConfig
  gdbstub: Make default replay_mode value explicit in stubs
  accel: Have each implementation return their AccelGdbConfig
  gdbstub: Move supported_sstep_flags in AccelGdbConfig structure
  gdbstub: Reduce gdb_supports_guest_debug() scope
  ...

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2026-07-06 18:38:14 +02:00
Stefan Hajnoczi
d0edff8ee1 Merge tag 'pull-target-arm-20260706' of https://gitlab.com/pm215/qemu into staging
target-arm queue:
 * hw/net/fsl_etsec: validate FCB offsets in process_tx_fcb()
 * hw/arm/smmuv3-accel: Fix veventq read returning true on EAGAIN/EINTR
 * target/arm: Only evaluate SCR_EL3.PIEN if ARM_FEATURE_EL3 is present
 * hw/arm: use cortex-a9 mpcore base for CBAR on npcm7xx machines
 * docs/specs/fw_cfg: Document all architecture register layouts
 * hw/nvram/fw_cfg: Simplify functions so board models don't have
   the opportunity to create non-standard fw_cfg register layouts
 * hw/misc: use tracepoints rather than DPRINTF in imx ccm models
 * hw/arm: add support for shim loading
 * docs/system/arm: Document Zynq Buildroot boot
 * target/arm: Report correct syndrome to AArch32 EL2 for trapped
   Neon/VFP insns
 * target/arm: implement WFET to not be a NOP
 * target/arm: Emulate FEAT_SME_MOP4
 * target/arm: Emulate FEAT_FPRCVT
 * target/arm: Emulate FEAT_SSVE_FEXPA

# -----BEGIN PGP SIGNATURE-----
#
# iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmpLhTkZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3vssD/wOwsb9NZ4E7TfpK3JFl3WH
# ePkwg0dg/etzbMR+fQagij3oI0+1qFUn6qU5PJddAcP1Zwz8NouKJjfvJgnmAQoZ
# eIfoI29j1da6aOywicnKGlvjM3oEBZKxrC+ChJeF+8E0u1V0+msR9osluUa3ZNDf
# 4Zcik/h6hJxva8JMPjdds2ZJBDsVuLbNM6jBfbE3Bp7Lg7HZ48u6++YaZAFUFqHC
# gWHKs9jKAnzcL05cCLUU4LdyhJH1M3vLFnKbugn1zUlSb6L5oLrhCIIPKMcAuUjd
# 6OWOzVJEsooxf8iqvAcAFmXpZEzLal12zjYUPowCZGUzHx6kqBFfv7KoDMXKZXI9
# kYFhOsTmpWrE+VLT/ZwVExk/xdgUMlfyEy8aJzetexvaLIs7C7hWQH/FQn1h395Q
# ot79co3m6D3F11HQvSlJZthCZk0SE5A8hZQP8joPhSBJ3rM24nejINT5Lz6wbjm0
# ovMBjvBtvUiQm2KrqJ+dIFCOdabQXxnokDZSAxFUcPXd526MALyzhcR5Q5op9/OA
# 3A2KUOlkch4rdROifuRniN/UuN/oWHOkVzp7B/WOAn/KFVKFnuBwPcFvFfQjq81b
# G8RJ5jZyDmSLCf66pHT0xxC8cFhilwF56QxRH4vNPVbTvLdHgRHbJbF1f1hd1eMa
# Gy8zZGTXfo2hBz2qZmixfA==
# =NpV8
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 06 Jul 2026 12:36:41 CEST
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [full]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [full]
# gpg:                 aka "Peter Maydell <peter@archaic.org.uk>" [unknown]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20260706' of https://gitlab.com/pm215/qemu: (49 commits)
  target/arm: Define fields for NSACR
  target/arm: Report correct syndrome to AArch32 EL2 for trapped Neon/VFP insns
  target/arm: Separate syndrome functions for A32 and A64
  target/arm: Separate out Neon from VFP access checks
  target/arm: Enable FEAT_SME_MOP4 for -cpu max
  target/arm: Implement USMOP4[AS]
  target/arm: Implement UMOP4[AS] (4-way)
  target/arm: Implement UMOP4[AS] (2-way)
  target/arm: Implement SUMOP4[AS]
  target/arm: Implement SMOP4[AS] (4-way)
  target/arm: Implement SMOP4[AS] (2-way)
  target/arm: Implement FMOP4A (widening, 2-way, FP8 to FP16)
  target/arm: Implement FMOP4 (widening, 4-way fp8 to fp32)
  target/arm: Implement FMOP4 (widening, 2-way fp16 to fp32)
  target/arm: Implement BFMOP4 (widening)
  target/arm: Implement BFMOP4 (non-widening)
  target/arm: Implement FMOP4 (non-widening) for float64
  target/arm: Implement FMOP4 (non-widening) for float16
  target/arm: Implement FMOP4 (non-widening) for float32
  docs/system/arm: Document Zynq Buildroot boot
  ...

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2026-07-06 18:37:28 +02:00
Stefan Hajnoczi
48560f0d96 Merge tag 'pull-ppc-for-11.1-sf-20260706' of https://gitlab.com/harshpb/qemu into staging
PPC PR for 11.1 Soft-freeze

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEa4EM1tK+EPOIPSFCRUTplPnWj7sFAmpLZTwACgkQRUTplPnW
# j7vb/w//XmleEwlL+p+YKndc4Su+qj9c3lApEFEiFi78biATrXpFTNbOxhOpWdv4
# jaI1kWyINrTPgnXgHEKNJuhhsSjy5/HURCgkivPnnvhK95mWMi/0f1SzICmc9DCo
# hjDeQfHw5zhF6hu6QknTfcworpsdA9uVtbx0+8s0lMMDmWze2WLg6f9OXioxhseN
# vJoRaJoEo1f/vwwDFOdGngz36p0xD+eUynPTRlOymMJfW271KtNlZqouCCryI92I
# ksaYa+jorE16l608SyG1Yhf/oDSlj9BufFHmgAngvlDwPFglhoJx0kPeKIrT7QE0
# oGzwnOwXJH0lGuwQwISvgrtquD8unY9gTZvrF6NPIPtpMJSE+TGluoNdf/Sr2c3l
# xMG/+yIwHehgXa/Lh4UN3G7yALaIjVdkcSdexuo1pfFemUCwLYPDMGoaksda+SZd
# m4Xd05ZCvp2RZHRNbWheu6TxZKEHKWO8UV8U0zNgKZTz7muVURrtLpoQJFLRq9V7
# krqyeLOePZtGC15a8unAbIVJVK2vOOnoqQPbuqZ57GTVqcmmcTSIEkRDcbMTADKo
# Qv8WEqOWo9OYQvGF/BMP+ed1UiNzGXY2WnVrF40D3K/I/wT11mHbuKZY3gbFZ5At
# 1y2I59EvV/xYHdjBmDoT8smzuQwywSKZnzeKptbIVGFbuPPVFFs=
# =icWo
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 06 Jul 2026 10:20:12 CEST
# gpg:                using RSA key 6B810CD6D2BE10F3883D21424544E994F9D68FBB
# gpg: Good signature from "Harsh Prateek Bora <harsh.prateek.bora@gmail.com>" [full]
# gpg:                 aka "Harsh Prateek Bora <harshpb@linux.ibm.com>" [full]
# Primary key fingerprint: 6B81 0CD6 D2BE 10F3 883D  2142 4544 E994 F9D6 8FBB

* tag 'pull-ppc-for-11.1-sf-20260706' of https://gitlab.com/harshpb/qemu:
  MAINTAINERS: Add self as maintainer for PowerNV
  ppc/pnv: Remove Power8E and Power8NVL CPUs
  ppc/pnv: Remove Power8E and Power8NVL pnv chips
  ppc/pnv: Replace Power8E with Power11 for 'none' machine test
  tests/functional: Use default powernv machine instead of power10
  tests/qtest: Add Power11 chip & machine to qtests
  tests/qtest/pnv_spi: Test Power11 PNV_SPI
  tests/functional: Add remote interrupts test for PowerNV

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2026-07-06 18:36:52 +02:00
Stefan Hajnoczi
9040c6f5c6 Merge tag 'hppa-fixes-for-v11.1-pull-request' of https://github.com/hdeller/qemu-hppa into staging
Updates for hppa architecture for qemu v11.1

A few patches to fix TLB for HP-UX 9, and a lasi irq fix,
as well as a new SeaBIOS-hppa v25 firmware.

# -----BEGIN PGP SIGNATURE-----
#
# iHUEABYKAB0WIQS86RI+GtKfB8BJu973ErUQojoPXwUCakp8eQAKCRD3ErUQojoP
# X0S0AP9snfMLNer3zkojMLVsUNJtNUGmcRSNpmapiEN59lHRJwEAv30x2P3CnXLZ
# ObN+XV79pTNHtrBAGRYKHUtaLPddlgQ=
# =RRlH
# -----END PGP SIGNATURE-----
# gpg: Signature made Sun 05 Jul 2026 17:47:05 CEST
# gpg:                using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F
# gpg: Good signature from "Helge Deller <deller@gmx.de>" [unknown]
# gpg:                 aka "Helge Deller <deller@kernel.org>" [unknown]
# gpg:                 aka "Helge Deller <deller@debian.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4544 8228 2CD9 10DB EF3D  25F8 3E5F 3D04 A7A2 4603
#      Subkey fingerprint: BCE9 123E 1AD2 9F07 C049  BBDE F712 B510 A23A 0F5F

* tag 'hppa-fixes-for-v11.1-pull-request' of https://github.com/hdeller/qemu-hppa:
  target/hppa: Update SeaBIOS-hppa to version 25
  hw/misc/lasi: derive IRR from pending and unmasked requests
  target/hppa: Delay MMU update until TLB protection bits were set
  target/hppa: Work-around for Fast TLB insert instruction on HP-UX 9

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2026-07-06 18:36:12 +02:00
Harald Freudenberger
fbd0f95225 target/s390x: Fix wrong address handling in address loops
The loop increments addr by the element stride (+= 4) before calling
wrap_address, but then overwrites the loop addr with the wrapped
value. On the next iteration the stride is applied to the wrapped
address of the previous element, not to the original unwrapped
address. This results in every element after the first is read from a
wrong (wrapped) address.

Fixes: 9f17bfdab4 ("target/s390x: support SHA-512 extensions")
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Message-ID: <20260706094317.17032-2-freude@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2026-07-06 17:34:19 +02:00
Philippe Mathieu-Daudé
7e28b7c897 cpu: Rename CPUState @singlestep_enabled -> @singlestep_flags
CPUState::singlestep_enabled contains multiple flags since
commit 60897d369f ("Debugger single step without interrupts").
Use an unsigned type and rename the field to avoid mistakes.

Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260705215729.62196-32-philmd@oss.qualcomm.com>
2026-07-06 15:42:18 +02:00
Philippe Mathieu-Daudé
0a8bc0f251 cpu: Introduce cpu_single_stepping() helper
Access CPUState::@singlestep_enabled field with a helper.

Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260705215729.62196-31-philmd@oss.qualcomm.com>
2026-07-06 15:42:18 +02:00
Philippe Mathieu-Daudé
cbdbbfaf76 target/ppc: Ensure TCG is used in ppc_update_daw()
Per commit d5ee641cfc ("target/ppc: Implement watchpoint debug
facility for v2.07S"), only TCG is implemented:

    ISA v2.07S introduced the watchpoint facility based on the DAWR0
    and DAWRX0 SPRs. Implement this in TCG.
                     ^^^^^^^^^^^^^^^^^^^^^

Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Message-ID: <20260705215729.62196-28-philmd@oss.qualcomm.com>
2026-07-06 15:42:18 +02:00
Philippe Mathieu-Daudé
0b55b519c6 target/arm: Inline check_watchpoints() in arm_debug_check_watchpoint()
check_watchpoints() is called once, by arm_debug_check_watchpoint(),
which doesn't do more than this call. Merge both. No logical change
intended.

Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260705215729.62196-27-philmd@oss.qualcomm.com>
2026-07-06 15:42:18 +02:00
Philippe Mathieu-Daudé
0c4f68b2e3 accel: Use GdbBreakpointType enum
Include '_gdbstub_' in the AccelOpsClass handlers to emphasize
we are handling gdbstub-related requests.

Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260705215729.62196-26-philmd@oss.qualcomm.com>
2026-07-06 15:42:18 +02:00
Philippe Mathieu-Daudé
0533f08413 accel: Remove AccelOpsClass::supports_guest_debug
Now accelerators hold the 'guest debug supported' information
in their state, accessible by the common code. No need to call
a per-accelerator handler, simply check for the SSTEP_ENABLE
in AccelGdbConfig::sstep_flags.

Remove all AccelOpsClass::supports_guest_debug implementations,
inline gdb_supports_guest_debug() and remove the now unnecessary
KVMState::have_guest_debug field.

Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260705215729.62196-18-philmd@oss.qualcomm.com>
2026-07-06 15:42:18 +02:00
Philippe Mathieu-Daudé
8c60f7f38e accel: Have each implementation return their AccelGdbConfig
Hold the per-accelerator AccelGdbConfig in AccelState, set its
single @sstep_flags field in AccelClass::init_machine handlers.

Remove the AccelClass::gdbstub_supported_sstep_flags() getter
and inline the single accel_supported_gdbstub_sstep_flags() call
in gdb_init_gdbserver_state().

Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260705215729.62196-15-philmd@oss.qualcomm.com>
2026-07-06 15:42:18 +02:00
Philippe Mathieu-Daudé
67ae20cc4a accel/whpx: Implement missing AccelClass::gdbstub_supported_sstep_flags
Correct gdbstub support requires some gdbstub_supported_sstep_flags.
Apparently missed in commit d7482ffe97 ("whpx: Added support for
breakpoints and stepping"), even with the recent 19b48084f7 ("whpx:
i386: re-enable guest debug support") fixes.

Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260705215729.62196-9-philmd@oss.qualcomm.com>
2026-07-06 15:42:18 +02:00
Philippe Mathieu-Daudé
abdd572a43 accel/mshv: Replace @dirty field by generic CPUState::vcpu_dirty field
No need for accel-specific @dirty field when we have
a generic one in CPUState. (Other accelerators already
did that in commits 6f13a0ada01..36ab216b81d).

Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
Tested-by: Magnus Kulke <magnuskulke@linux.microsoft.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20260705215729.62196-6-philmd@oss.qualcomm.com>
2026-07-06 15:42:18 +02:00
Philippe Mathieu-Daudé
c1b47f48eb target/i386: Remove duplicate tlb_flush() call in cpu_post_load()
Common vCPU cpu_common_post_load() handler calls tlb_flush() since
commit 9656f324d2 ("Move interrupt_request and user_mode_only to
common cpu state..."), no need to call it twice.

Signed-off-by: Philippe Mathieu-Daudé <philmd@oss.qualcomm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Message-ID: <20260705215729.62196-3-philmd@oss.qualcomm.com>
2026-07-06 14:57:07 +02:00
Christoph Schlameuss
2d2b5c13c9 s390x/kvm: Add ASTFLE facility 2 for nested virtualization
Allow propagation of the ASTFLEIE2 feature bit.

If the host does have the ASTFLE Interpretive Execution Facility 2 the
guest can enable the ASTFLE format 2 for its guests.

Signed-off-by: Christoph Schlameuss <schlameuss@linux.ibm.com>
Reviewed-by: Nina Schoetterl-Glausch <nsg@linux.ibm.com>
Message-ID: <20260701-astfleie2-v3-2-f692dc7f4f24@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
2026-07-06 13:37:54 +02:00
Peter Maydell
3455eac92d target/arm: Define fields for NSACR
Currently we handle cp15.nsacr with raw bit numbers in the few places
we need to work with it.  We're about to add some more uses of this
field, so define its fields with the FIELD macro and use the macros
in the places that were previously using bit numbers.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260702184019.3431139-5-peter.maydell@linaro.org
2026-07-06 11:32:01 +01:00
Peter Maydell
da8179efd6 target/arm: Report correct syndrome to AArch32 EL2 for trapped Neon/VFP insns
When an AArch32 Neon or VFP insn is trapped to AArch64 EL2, bits
[19:0] of the syndrome in ESR_EL2 are RES0.  However, when it is
trapped to AArch32 EL2, the HSR syndrome information defines some
extra fields:
 [5] : TA
 [3:0] : coproc

where the TA bit is 1 for a trapped Neon insn and 0 for a trapped
VFP insn, and the coproc field is 0b1010 when TA is 0, and 0 when
TA is 1.

We attempted to address this in commit fa33eead ("target/arm: Add
coproc parameter to syn_fp_access_trap"), but got it wrong: we
thought the RES0 condition was "is v8A" rather than "is EL2 AArch32",
and we made all insns be TA=0 coproc = 0b1010 rather than only the
VFP ones.  Correct the condition we use to decide the coproc and TA
fields.  We set these fields unconditionally; later on in
arm_cpu_do_interrupt_aarch64() we will squash them to zero if we are
taking the exception to AArch64.

NB: there is some disagreement between different revisions of the
Arm ARM about the exact handling of 'coproc':
 * the v8A Arm ARM text says coproc is 0b1010 when TA is 1
 * the v8A Arm ARM pseudocode in AArch32_CheckFPAdvSIMDTrap()
   sets coproc to 0b1010 when TA is 0
 * the v7A Arm ARM text says coproc is 0b1010 when TA is 0
 * the v7A Arm ARM pseudocode sets coproc to 0b1010 when TA is 0

The v7A Arm ARM pseudocode also disagrees with the v7A text, v8A text
and v8A pseudocode in only setting TA to 1 for traps caused by
HCPTR.TASE; the others set Ta for all trapped AdvSIMD insns
(i.e. including traps caused by HCPTR.TCP10).

We assume that the v8A pseudocode is incorrect about coproc (as it is
the odd one out) and that the v7A pseudocode is incorrect about when
TA is set (again, as it is the odd one out).

Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/1153
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260702184019.3431139-4-peter.maydell@linaro.org
2026-07-06 11:32:01 +01:00
Peter Maydell
59970c372c target/arm: Separate syndrome functions for A32 and A64
Currently we have one syn_fp_access_trap() which we use for fp
traps from A64 and from VFP and Neon A32. This means that A64
has to specify arguments that are always fixed for it (coproc
and is_16bit) and A32 can't specify arguments it needs to (TA).

Split it up into syn_a64_fp_access_trap() and
syn_a32_fp_access_trap(). This is a refactor with no
behavioural change.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260702184019.3431139-3-peter.maydell@linaro.org
2026-07-06 11:32:01 +01:00
Peter Maydell
e8ffed006b target/arm: Separate out Neon from VFP access checks
Currently we use vfp_access_check() for AArch32 VFP and Neon
instructions.  This is not quite right:
 * there are optional CPACR.ASEDIS and HCPTR.TASE controls that allow
   trapping of just the Neon and not VFP instructions
 * Neon instructions are supposed to report a slightly different
   syndrome in HCR when they trap to AArch32 EL2

As a preliminary refactor so we have somewhere we can make this
distinction, separate out Neon access checks into a separate
neon_access_check(), which initially just calls vfp_access_check().

The set of insns this needs to cover are those described in section
E1.3.9 of the DDI0487M.b Arm ARM.  For us this corresponds to
everything in neon-dp.decode and neon-ls.decode and thus in
translate-neon.c, plus three insns that we handle in translate-vfp.c:
 - VDUP (general-purpose register)
 - VMOV (general-purpose register to scalar) byte and halfword
 - VMOV (scalar to general-purpose register) byte and halfword
(which are the ones in that file with ARM_FEATURE_NEON checks).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260702184019.3431139-2-peter.maydell@linaro.org
2026-07-06 11:32:01 +01:00
Richard Henderson
82d7e57204 target/arm: Enable FEAT_SME_MOP4 for -cpu max
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260702204314.79224-16-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2026-07-06 11:32:01 +01:00