HPPA patches for qemu-v11
A few late fixes for the HPPA architecture for QEMU v11:
- graphics support was broken for 64-bit machines. This series adds
support for VGA graphics for Linux guests
- the various memory ranges were not correctly implemented
- TOC/NMI was not working on 64-bit machines
- minor 64-bit HP-UX boot fixes (but HP-UX 64-bit still crashes)
# -----BEGIN PGP SIGNATURE-----
#
# iHUEABYKAB0WIQS86RI+GtKfB8BJu973ErUQojoPXwUCacwXxAAKCRD3ErUQojoP
# X7NxAQCBszDUKsNX5KiB+cxW1AfT1Gyzo4q9T0NNULO5v2Fn7gD/YVzgtZ6F+crK
# 1eG1R0aVekPmx+NClsCLvy/dX1YmTww=
# =L+6i
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue Mar 31 19:51:48 2026 BST
# gpg: using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F
# gpg: Good signature from "Helge Deller <deller@gmx.de>" [unknown]
# gpg: aka "Helge Deller <deller@kernel.org>" [unknown]
# gpg: aka "Helge Deller <deller@debian.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4544 8228 2CD9 10DB EF3D 25F8 3E5F 3D04 A7A2 4603
# Subkey fingerprint: BCE9 123E 1AD2 9F07 C049 BBDE F712 B510 A23A 0F5F
* tag 'hppa-more-v11-fixes-pull-request' of https://github.com/hdeller/qemu-hppa:
target/hppa: Update SeaBIOS-hppa to version 24
hw/hppa: Implement memory ranges
target/hppa: Fix TOC handler for 64-bit CPUs
hw/pci-host/astro: Add GMMIO mapping
hw/pci-host/astro: Fix LMMIO DIRECT mappings
hw/pci-host/astro: Implement LMMIO registers
hw/pci-host/astro: Fix initial addresses in IOC
hw/pci-host/astro: Make astro address arrays accessible for other users
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
When the TOC handler is triggered, e.g. by using the "NMI" command
in the QEMU monitor, make sure to call the full 64-bit TOC handler
address in SeaBIOS-hppa firmware.
This fixes the TOC handler on 64-bit CPUs (and 64-bit SeaBIOS).
Signed-off-by: Helge Deller <deller@gmx.de>
In x86_cpu_get_supported_feature_word() we figure out the supported
features differently for each accelerator. The default case is
"set all feature bits"; however this triggers a warning because
it enables two features which conflict with each other:
$ ./build/x86/qemu-system-x86_64 -cpu max -accel qtest -S
qemu-system-x86_64: warning: this feature conflicts with APX: CPUID[eax=07h,ecx=00h].EBX.mpx [bit 14]
qemu-system-x86_64: warning: this feature conflicts with MPX: CPUID[eax=07h,ecx=01h].EDX.apxf [bit 21]
Treat qtest like TCG here, to avoid the complaint.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Message-ID: <20260330151437.1787008-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Fix a minor error in the grammar of the warning messages
produced if both MPX and APX are enabled:
$ ./build/x86/qemu-system-x86_64 -cpu max -accel qtest -S
qemu-system-x86_64: warning: this feature conflicts with APX: CPUID[eax=07h,ecx=00h].EBX.mpx [bit 14]
qemu-system-x86_64: warning: this feature conflicts with MPX: CPUID[eax=07h,ecx=01h].EDX.apxf [bit 21]
Fixes: 91bc4d8107 ("i386/cpu: Add APX EGPRs into xsave area")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260330151309.1786787-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
The MIPS R4K CP0 timer (env->timer) is not included in vmstate_mips_cpu,
so after loadvm the QEMUTimer has no scheduled expiry. This causes
qemu_poll_ns() to block indefinitely and the guest to freeze until an
external I/O event (e.g. a keypress) wakes the main loop.
Fix by adding an optional vmstate subsection for the timer, following
the same pattern used by ARM (gt_timer), RISC-V (env.stimer), SPARC
(qtimer), and OpenRISC (timer).
The .needed callback returns false when env->timer is NULL (KVM mode),
keeping the subsection optional for backwards compatibility with
existing snapshots.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1987
Signed-off-by: Trieu Huynh <vikingtc4@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260329113732.482619-1-vikingtc4@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
As per the pseudo code from DDI0487 M.a.a (on J1-16021) AArch64.S1Walk():
// Check descriptor AF bit
elsif (descriptor<10> == '0' && walkparams.ha == '0' &&
(!accdesc.acctype IN {AccessType_DC, AccessType_IC} ||
boolean IMPLEMENTATION_DEFINED "Generate access flag fault on IC/DC operations")) then
fault.statuscode = Fault_AccessFlag;
an access flag fault should be generated for AccessType_AT, if the AF bit
is 0 and !param.ha.
Besides, we should continue to not raise the access flag fault for
in_debug = true, which is what we've been doing previously (before commit
efebeec13d) for LPAE and is what the intention of the debugger access
codepath is.
Cc: qemu-stable@nongnu.org
Fixes: efebeec13d ("target/arm: Skip AF and DB updates for AccessType_AT")
Signed-off-by: Zenghui Yu <zenghui.yu@linux.dev>
Message-id: 20260324160321.96347-1-zenghui.yu@linux.dev
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
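The AF check from the pseudocode quoted above, written out as a small C model so the three cases the message distinguishes (AccessType_AT, the IC/DC IMPLEMENTATION_DEFINED choice, and the in_debug short-circuit) can be exercised side by side. This is an added example, not QEMU code: the function names, the `access_type` enum and the descriptor value are constructed for the illustration, and `s1walk_af_fault_before_fix` models only the behaviour the commit message attributes to efebeec13d, not that commit's actual code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Subset of AccessType values relevant to the AF check (constructed). */
typedef enum { ACC_NORMAL, ACC_AT, ACC_DC, ACC_IC } access_type;

enum { FAULT_NONE = 0, FAULT_ACCESS_FLAG = 1 };

/* descriptor<10> in the pseudocode is the Access Flag. */
#define DESC_AF (UINT64_C(1) << 10)

/*
 * AF check as the DDI0487 pseudocode states it, plus the in_debug
 * short-circuit described in the message. Hypothetical signature; the
 * real walk lives in target/arm and looks different.
 */
int s1walk_af_fault(uint64_t descriptor, bool ha, access_type acc,
                    bool in_debug, bool impdef_af_on_cache_maint)
{
    if (in_debug) {
        return FAULT_NONE;      /* debugger accesses never raise AF faults */
    }
    if ((descriptor & DESC_AF) == 0 && !ha) {
        bool cache_maint = (acc == ACC_DC || acc == ACC_IC);
        if (!cache_maint || impdef_af_on_cache_maint) {
            return FAULT_ACCESS_FLAG;
        }
    }
    return FAULT_NONE;
}

/* Behaviour the message attributes to the broken commit: AT skipped the fault. */
int s1walk_af_fault_before_fix(uint64_t descriptor, bool ha, access_type acc,
                               bool in_debug, bool impdef_af_on_cache_maint)
{
    if (acc == ACC_AT) {
        return FAULT_NONE;
    }
    return s1walk_af_fault(descriptor, ha, acc, in_debug, impdef_af_on_cache_maint);
}

int main(void)
{
    uint64_t desc = UINT64_C(0x40000341);   /* constructed: valid page descriptor, AF clear */
    printf("AT access, AF=0, HA=0: fixed=%d before_fix=%d\n",
           s1walk_af_fault(desc, false, ACC_AT, false, false),
           s1walk_af_fault_before_fix(desc, false, ACC_AT, false, false));
    return 0;
}
```

With HA=0 and AF clear, an AT access faults in the fixed model and does not in the before-fix model, while a debugger access (in_debug) never faults in either.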
Windows Server 2022 and later support
WHvCapabilityCodeProcessorPerfmonFeatures and
WHvPartitionPropertyCodeSyntheticProcessorFeaturesBanks.
Windows 10 supports neither of those.
As the QEMU executable doesn't have a manifest, OS version
queries do not return the actual Windows version but 6.2.9200
which corresponds to Windows 8. Windows Server 2022 and Windows
11 still use the 10.0 number, with the distinction being the build
number.
As such, use the absence of perf monitoring feature query as
a cutoff to detect if a legacy OS is present.
Signed-off-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Link: https://lore.kernel.org/r/20260324151323.74473-2-mohamed@unpredictable.fr
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
The version is never set on 2.5+ machine types, so qemu_hw_version() and
qemu_set_hw_version() are not needed anymore.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This is mostly harmless right now because the "if" is never
hit, but the code as written makes no sense.
Reported-by: Stefan Weil <sw@weilnetz.de>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Commit a811c5dafb ("target/arm: Implement get_S2prot_indirect")
changed get_phys_addr_twostage() to combine stage 1 and stage 2
permissions using the new s2prot field:
result->f.prot = s1_prot & result->s2prot;
The LPAE stage 2 path sets result->s2prot explicitly, but the PMSA
stage 2 path (get_phys_addr_pmsav8) only sets result->f.prot, leaving
s2prot at zero. This causes the combined permission to be zero,
resulting in addr_read being set to -1 in the TLB entry and triggering
an assertion in atomic_mmu_lookup() when the guest executes an atomic
instruction on a two-stage PMSA platform (e.g. Cortex-R52 with EL2).
Set s2prot from f.prot after the PMSA stage 2 lookup, consistent with
what the LPAE path does.
Cc: qemu-stable@nongnu.org
Fixes: a811c5dafb ("target/arm: Implement get_S2prot_indirect")
Signed-off-by: Jose Martins <josemartins90@gmail.com>
[PMM: refer to the right commit in the commit message]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260321231916.2852653-1-josemartins90@gmail.com
Reviewed-by: Gustavo Romero <gustavo.romero@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
hyperv_is_synic_enabled() is a global flag that returns true after the
first CPU initializes SynIC. With -smp N, all subsequent CPUs skip
hyperv_x86_synic_add(), leaving them without a synic object. This causes
get_synic() to return NULL, making hyperv_sint_route_new() fail and
triggering an assertion crash in hyperv_testdev.
Fix by introducing hyperv_is_synic_present() which checks per-CPU
whether a synic object is already attached instead of using the global
flag.
Fixes: c4cf32fc63 ("kvm/hyperv: add synic feature to CPU only if its not enabled")
Reported-by: Xudong Hao <xudong.hao@intel.com>
Co-authored-by: Ani Sinha <anisinha@redhat.com>
Signed-off-by: Sourav Poddar <souravpoddar93042@gmail.com>
Tested-by: Xudong Hao <xudong.hao@intel.com>
Message-ID: <20260320154752.204725-1-anisinha@redhat.com>
[PMD: Reworded subject]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Add a new call hyperv_enable_synic() that can be called whether or not
CONFIG_HYPERV is enabled. This way generic code in i386/kvm.c can call this
function to enable synic for hyperv. For non-hyperv cases, the stub will
be a no-op.
Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Ani Sinha <anisinha@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Tested-by: Michael Tokarev <mjt@tls.msk.ru>
Message-ID: <20260319122137.142178-3-anisinha@redhat.com>
Tested-by: Xudong Hao <xudong.hao@intel.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Unconditionally enable some more enlightenments for whpx. In
particular, linux uses AccessVpRegs without checking availability and
panics if it's not there, so it's important to expose it.
We also had a duplicate line where we set AccessHypercallRegs = 1
twice; remove the duplicate.
Microsoft’s VMM exposes SyncContext on arm64 and FastHypercallOutput
regardless of architecture unconditionally, so add those two to match
that configuration.
Signed-off-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Message-id: 20260314221529.47841-4-mohamed@unpredictable.fr
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Replace TCG_COND_EQ/NE comparisons against 0 with TCG_COND_TSTEQ/TSTNE
comparisons against 1 for all predicate-conditional branches. This tests
bit 0 of the predicate register directly, eliminating redundant andi
operations that previously extracted the LSB before the comparison.
For predicate-conditional jumps (jumpt, jumpf, jumptnew, etc.) and
jump-register variants (jumprt, jumprf, etc.), pass the raw predicate
value directly instead of going through fLSBOLD/fLSBNEW extraction.
For callers that produce a 0/1 result via setcond (compare-and-jump,
jumprz, etc.), the TSTEQ/TSTNE test on bit 0 is equivalent to the
previous EQ/NE test against 0.
Reviewed-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
J2_jumptnew and J2_jumptnewpt passed the raw predicate value to
gen_cond_jump(), checking if the full 8-bit value was non-zero.
Refer to PRM Section 6.1.2 "predicate-consuming instructions examine
only the least-significant bit".
This inconsistency caused if (p0.new) jumps and if (p0.new) loads
within the same packet to disagree when the predicate had values
other than the ones generated by predicate-generating instructions
(e.g. 0x80 or 0xAA where bit 0 is clear but the value is
non-zero): the jump would be taken while the loads were skipped.
Fix by routing both macros through fGEN_TCG_cond_jumpt(fLSBNEW(PuN)),
matching the pattern used by every other predicated jump.
Discovered-by: Alexey Karyakin <akaryaki@qti.qualcomm.com>
Reviewed-by: Taylor Simpson <ltaylorsimpson@gmail.com>
Signed-off-by: Brian Cain <brian.cain@oss.qualcomm.com>
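A small C model of the predicate semantics discussed in the two Hexagon commits above: the TSTNE-against-1 test of the first commit is the same as extracting the LSB, and the second commit's bug is that the jump looked at the whole byte. The model runs a packet containing a predicated jump and a predicated load for every 8-bit predicate value and counts the cases where the two disagree. This is an added example, not translator code from target/hexagon; `exec_packet` and the other helpers are hypothetical names constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* PRM 6.1.2: predicate-consuming instructions examine only the LSB. */
static inline bool pred_lsb(uint8_t p)
{
    return (p & 1) != 0;
}

/* What TCG_COND_TSTNE(p, 1) computes: bit 0 tested with no separate andi. */
bool tstne_bit0(uint8_t p)
{
    return (p & 1) != 0;
}

/* The pre-fix J2_jumptnew path as the message describes it: whole byte != 0. */
bool jump_taken_whole_byte(uint8_t p)
{
    return p != 0;
}

typedef struct {
    bool jump_taken;
    bool load_done;
} packet_result;

/* One packet { if (p0.new) jump ; if (p0.new) r1 = memb(r2) } (hypothetical model). */
packet_result exec_packet(uint8_t p0_new, bool jump_uses_lsb)
{
    packet_result r;
    r.jump_taken = jump_uses_lsb ? pred_lsb(p0_new) : jump_taken_whole_byte(p0_new);
    r.load_done = pred_lsb(p0_new);     /* predicated loads always used fLSBNEW */
    return r;
}

bool packet_consistent(uint8_t p0_new, bool jump_uses_lsb)
{
    packet_result r = exec_packet(p0_new, jump_uses_lsb);
    return r.jump_taken == r.load_done;
}

/* Number of 8-bit predicate values on which jump and load disagree. */
int count_disagreements(bool jump_uses_lsb)
{
    int n = 0;
    for (int p = 0; p < 256; p++) {
        if (!packet_consistent((uint8_t)p, jump_uses_lsb)) {
            n++;
        }
    }
    return n;
}

/* For setcond outputs (only 0 or 1) the bit-0 test and the != 0 test agree. */
bool setcond_tests_agree(void)
{
    for (uint8_t v = 0; v <= 1; v++) {
        if (tstne_bit0(v) != (v != 0)) {
            return false;
        }
    }
    return true;
}

int main(void)
{
    printf("p0.new=0x80: consistent before fix=%d, after fix=%d\n",
           packet_consistent(0x80, false), packet_consistent(0x80, true));
    printf("disagreeing predicate values before fix: %d\n", count_disagreements(false));
    return 0;
}
```

Before the fix, every non-zero even byte (127 of the 256 values, 0x80 and 0xAA among them) takes the jump while the load in the same packet is skipped; after routing the jump through the LSB the count drops to zero.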
HPPA fixes for v11
Some late fixes for QEMU-v11
Various fixes in SeaBIOS-hppa and qemu code, most importantly
this fixes boot of the C3700, which broke while we added
support for CPUs with 40 and 44 bits physical address space.
# -----BEGIN PGP SIGNATURE-----
#
# iHUEABYKAB0WIQS86RI+GtKfB8BJu973ErUQojoPXwUCabxmmwAKCRD3ErUQojoP
# X5z0AP4h0hBe/jDlQ8VLs0LtdG4bBnyPSVl+4rahw10mmgkvZwD7B/wimiCUBOJZ
# Jj9nKpNWtgZRXwRIM4XOl/a6pYcbCw8=
# =MzWS
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu Mar 19 21:11:55 2026 GMT
# gpg: using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F
# gpg: Good signature from "Helge Deller <deller@gmx.de>" [unknown]
# gpg: aka "Helge Deller <deller@kernel.org>" [unknown]
# gpg: aka "Helge Deller <deller@debian.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4544 8228 2CD9 10DB EF3D 25F8 3E5F 3D04 A7A2 4603
# Subkey fingerprint: BCE9 123E 1AD2 9F07 C049 BBDE F712 B510 A23A 0F5F
* tag 'hppa-fixes-for-v11-pull-request' of https://github.com/hdeller/qemu-hppa:
target/hppa: Update SeaBIOS-hppa to version 23
hw/hppa: Fix crash of 64-bit HP-UX 11 while flushing caches
hw/pci-host/astro: Use proper region names
target/hppa: Always map 64-bit firmware at 0xfffffff0f0000000
hw/hppa: Adjust physical addresses of Astro and Elroy
hw/hppa: Fix description of the HP A400-44 server
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Commit 17288e38be ("optimize the memory probing for vector
fault-only-first loads") introduced an optimization that moved from
per-element probing to a fast-path broad probe. Unfortunately it
introduced the following bugs in cross-page handling:
- Wrong condition for second page probing: checked "env->vl > elems"
instead of "env->vl > elems + env->vstart", failing to account for
the vstart offset.
- Incorrect second page address calculation: used
"addr + (elems << log2_esz)" instead of "addr + page_split".
For segment loads (nf > 1), this would probe the wrong address, not
at the page boundary.
- Wrong second page probe size: used "elems * msize" (the first page
size) instead of calculating the remaining size as
"(env->vl - env->vstart) * msize - page_split". This would probe
too little memory and could miss faults.
This commit fixes these bugs by leveraging the probe_pages helper
which automatically handles cross-page memory accesses correctly.
Fixes: 17288e38be ("optimize the memory probing for vector fault-only-first loads.")
Signed-off-by: Max Chou <max.chou@sifive.com>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318013805.1920377-3-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
When probe_pages probes a memory region that spans two pages, it calls
probe_access_flags twice - once for each page. However, the flags from
the second page probe were overwriting the flags from the first page
instead of being merged together.
Signed-off-by: Max Chou <max.chou@sifive.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260318013805.1920377-2-max.chou@sifive.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
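The two RISC-V commits above both concern probing a vector access that straddles a page boundary: the first lists three mistakes in how the second-page probe was placed and sized, the second notes that flags from the second page overwrote those of the first. The C model below reproduces both, computing the probe plan the fixed code and the buggy code would produce for the same vector access and merging per-page flags the right and the wrong way. This is an added example, not QEMU's vector helpers: the page table, flag values, `ff_plan_fixed`/`ff_plan_buggy` and `probe_pages` here are constructed stand-ins with hypothetical names, and the buggy variant only mirrors what the commit messages describe.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_BITS 12
#define PAGE_SIZE (UINT64_C(1) << PAGE_BITS)

/* Probe result flags: constructed stand-ins, not QEMU's TLB_* bits. */
enum { PF_NONE = 0, PF_WATCHPOINT = 1, PF_MMIO = 2 };

/* Constructed page attributes: page 0 has a watchpoint, page 1 is MMIO. */
static unsigned probe_one_page(uint64_t addr)   /* stand-in for probe_access_flags() */
{
    switch (addr >> PAGE_BITS) {
    case 0:  return PF_WATCHPOINT;
    case 1:  return PF_MMIO;
    default: return PF_NONE;
    }
}

/* Bytes from addr up to the end of its page (the "page_split" of the message). */
static size_t bytes_to_page_end(uint64_t addr)
{
    return (size_t)(PAGE_SIZE - (addr & (PAGE_SIZE - 1)));
}

/* probe_pages model: merge=true ORs both pages' flags (fixed), merge=false overwrites (buggy). */
unsigned probe_pages(uint64_t addr, size_t len, bool merge)
{
    unsigned flags = probe_one_page(addr);
    size_t split = bytes_to_page_end(addr);
    if (len > split) {
        unsigned second = probe_one_page(addr + split);
        flags = merge ? (flags | second) : second;
    }
    return flags;
}

typedef struct {
    int nregions;
    uint64_t addr0, addr1;
    size_t size0, size1;
} ff_plan;

/* Fixed plan for elements [vstart, vl) whose first element lives at addr; msize = nf << log2_esz. */
ff_plan ff_plan_fixed(uint64_t addr, uint32_t vstart, uint32_t vl, unsigned log2_esz, unsigned nf)
{
    ff_plan p = { 0 };
    size_t msize = (size_t)nf << log2_esz;
    size_t total = (size_t)(vl - vstart) * msize;
    size_t page_split = bytes_to_page_end(addr);

    p.nregions = 1;
    p.addr0 = addr;
    p.size0 = total < page_split ? total : page_split;
    if (total > page_split) {               /* i.e. vl > elems + vstart */
        p.nregions = 2;
        p.addr1 = addr + page_split;        /* second probe starts at the page boundary */
        p.size1 = total - page_split;       /* (vl - vstart) * msize - page_split */
    }
    return p;
}

/* The three bugs listed in the message, reproduced together. */
ff_plan ff_plan_buggy(uint64_t addr, uint32_t vstart, uint32_t vl, unsigned log2_esz, unsigned nf)
{
    ff_plan p = { 0 };
    size_t msize = (size_t)nf << log2_esz;
    size_t page_split = bytes_to_page_end(addr);
    uint32_t fit = (uint32_t)(page_split / msize);
    uint32_t elems = fit < vl - vstart ? fit : vl - vstart;   /* elements in the first page */

    p.nregions = 1;
    p.addr0 = addr;
    p.size0 = (size_t)elems * msize;
    if (vl > elems) {                                       /* forgets vstart */
        p.nregions = 2;
        p.addr1 = addr + ((uint64_t)elems << log2_esz);     /* wrong when nf > 1 */
        p.size1 = (size_t)elems * msize;                    /* first-page size, not the rest */
    }
    return p;
}

int main(void)
{
    ff_plan f = ff_plan_fixed(0xFF0, 0, 8, 2, 2), b = ff_plan_buggy(0xFF0, 0, 8, 2, 2);
    printf("fixed: 2nd probe at 0x%llx size %zu; buggy: 0x%llx size %zu\n",
           (unsigned long long)f.addr1, f.size1, (unsigned long long)b.addr1, b.size1);
    printf("flags merged=%u overwritten=%u\n",
           probe_pages(0xFF0, 64, true), probe_pages(0xFF0, 64, false));
    return 0;
}
```

For a segment load (nf = 2, 4-byte elements, eight elements starting 16 bytes before a page boundary) the fixed plan probes 48 bytes at 0x1000, while the buggy plan probes 16 bytes at 0xFF8, still inside the first page; with vstart = 7 only one element remains, yet the buggy condition still issues a second probe. The merged probe reports both the watchpoint and the MMIO flag, the overwriting one loses the watchpoint.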
I checked on physical A500, C3700 and C8000 machines and all load their
64-bit PDC (Firmware) at 0xfffffff0f0000000, independent of whether the CPU uses
40 or 44 physical address bits.
For QEMU we will do the same and load the 64-bit SeaBIOS-hppa at the
same address for our emulated machines.
Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Anton Johansson <anjo@rev.ng>
The check that xcc->model is not NULL occurs after it is dereferenced
inside x86_cpu_get_versioned_cache_info(), so something like
`-cpu host,legacy-cache=off` leads to a segfault rather than an error.
This patch fixes that.
Fixes: cca0a000d0 ("target/i386: allow versioned CPUs to specify new cache_info")
Signed-off-by: Sergei Heifetz <heifetz@yandex-team.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
[Mjt: simplify the following condition too]
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
When introspecting the Loongson-3A4000 CPUs from the command line, QEMU
currently crashes:
$ ./qemu-system-mips64el -device Loongson-3A4000-mips64-cpu,help
qemu-system-mips64el: ../../devel/qemu/system/physmem.c:1401:
register_multipage: Assertion `num_pages' failed.
Aborted (core dumped)
Move the initialization of the memory regions to the realize function
to fix this problem.
Reported-by: Markus Armbruster <armbru@redhat.com>
Message-ID: <87y0jxzdrk.fsf@pond.sub.org>
Tested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260311211629.118608-1-thuth@redhat.com>
When introspecting the xtensa CPUs from the command line, QEMU currently
crashes:
$ ./qemu-system-xtensa -device dc233c-xtensa-cpu,help
qemu-system-xtensa: ../../devel/qemu/system/physmem.c:1401:
register_multipage: Assertion `num_pages' failed.
Aborted (core dumped)
Move the initialization of the memory regions to the realize function
to fix this problem.
Reported-by: Markus Armbruster <armbru@redhat.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20260311202503.107026-1-thuth@redhat.com>