[PULL 00/16] Misc HW & Memory API patches for 2026-02-02

[PULL 00/16] Misc HW & Memory API patches for 2026-02-02

[Philippe Mathieu-Daudé]

The following changes since commit 587f4a1805c83a4e1d59dd43cb14e0a834843d1d:

  python: fix msys64 wheel directory specification (2026-02-02 16:46:40 +1000)

are available in the Git repository at:

  https://github.com/philmd/qemu.git tags/hw-misc-20260202

for you to fetch changes up to d8316b64dfbb4fdb706f20c3b42fd9bcf70b0cdc:

  monitor: Reduce target-specific methods (2026-02-02 22:14:51 +0100)

Ignoring this checkpatch.pl error:

  ERROR: unnecessary whitespace before a quoted newline
  #85: FILE: tests/unit/test-cutils.c:3685:
  +            "s is \n";

----------------------------------------------------------------
Misc HW & memory API patches

- Add unit test for qemu_hexdump()
- Remove legacy native endianness API uses on the Alpha target
- Remove unused memory_region_init_rom_device_nomigrate()
- Fix use-after-free in NvmeNamespace "bootindex" suffix
- Correct documentation of SCSI Rotation Rate field
- Make iotlb_to_section() work with non-CPU AddressSpaces
- Reduce few monitor target-specific methods
----------------------------------------------------------------

Akihiko Odaki (1):
  hw/nvme: Fix bootindex suffix use-after-free

Alberto Garcia (1):
  hw/ide, scsi-disk: Fix typo on the rotation_rate documentation

BALATON Zoltan (2):
  memory: Remove memory_region_init_rom_device_nomigrate()
  memory: Add internal memory_region_set_ops helper function

Jim Shu (3):
  accel/tcg: Send the CPUTLBEntryFull struct into io_prepare()
  accel/tcg: Fix iotlb_to_section() for different AddressSpace
  system/physmem: Remove the assertion of page-aligned section number

Philippe Mathieu-Daudé (8):
  target/alpha: Use explicit little-endian LD/ST API
  target/alpha: Inline translator_ldl()
  configs/targets: Forbid Alpha to use legacy native endianness APIs
  target/alpha: Replace legacy ld_phys() -> address_space_ld()
  target/i386: Include missing 'svm.h' header in 'sev.h'
  monitor: Reduce target-specific declarations
  monitor: Add hmp_cmds_for_target() helper
  monitor: Reduce target-specific methods

Vladimir Sementsov-Ogievskiy (1):
  tests/unit: add unit test for qemu_hexdump()

 docs/devel/memory.rst                         |  1 -
 configs/targets/alpha-linux-user.mak          |  2 +
 configs/targets/alpha-softmmu.mak             |  2 +
 .../memory-region-housekeeping.cocci          |  8 ---
 hw/nvme/nvme.h                                |  1 +
 include/accel/tcg/iommu.h                     | 15 -----
 include/exec/cputlb.h                         |  4 +-
 include/hw/core/cpu.h                         | 17 ++---
 include/hw/ide/ide-dev.h                      |  2 +-
 include/hw/misc/mos6522.h                     |  2 -
 include/monitor/hmp-target.h                  | 14 ----
 include/monitor/hmp.h                         | 13 ++++
 include/system/memory.h                       | 27 --------
 monitor/monitor-internal.h                    |  9 ++-
 target/i386/sev.h                             |  2 +
 accel/tcg/cputlb.c                            | 32 +++++----
 hw/i386/sgx-stub.c                            |  1 +
 hw/i386/sgx.c                                 |  1 +
 hw/nvme/ns.c                                  |  7 +-
 hw/scsi/scsi-disk.c                           |  2 +-
 monitor/hmp-cmds.c                            |  1 +
 monitor/hmp-target.c                          | 66 ++-----------------
 monitor/hmp.c                                 | 63 +++++++++++++++++-
 system/memory.c                               | 56 +++++++---------
 system/physmem.c                              | 31 ---------
 target/alpha/helper.c                         | 28 ++++----
 target/alpha/translate.c                      |  2 +-
 target/i386/cpu-apic.c                        |  1 +
 target/i386/sev-system-stub.c                 |  1 +
 target/i386/sev.c                             |  1 +
 target/m68k/monitor.c                         |  1 +
 target/riscv/monitor.c                        |  1 +
 tests/unit/test-cutils.c                      | 66 +++++++++++++++++++
 util/meson.build                              |  2 +-
 34 files changed, 239 insertions(+), 243 deletions(-)

-- 
2.52.0

[PULL 01/16] tests/unit: add unit test for qemu_hexdump()

[Philippe Mathieu-Daudé]

From: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>

Test that the fix in commit 20aa05edc2c ("util/hexdump: fix
QEMU_HEXDUMP_LINE_WIDTH logic") make sense.

To not break compilation when we build without 'block', move
hexdump.c out of "if have_block" in meson.build.

Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20260202112826.38018-1-philmd@linaro.org>
---
 tests/unit/test-cutils.c | 66 ++++++++++++++++++++++++++++++++++++++++
 util/meson.build         |  2 +-
 2 files changed, 67 insertions(+), 1 deletion(-)

diff --git a/tests/unit/test-cutils.c b/tests/unit/test-cutils.c
index 75fae29003a..1fa4113ef4d 100644
--- a/tests/unit/test-cutils.c
+++ b/tests/unit/test-cutils.c
@@ -3626,6 +3626,67 @@ static void test_si_prefix(void)
     g_assert_cmpstr(si_prefix(18), ==, "E");
 }
 
+static void test_qemu_hexdump_alignment(void)
+{
+    /*
+     * Test that ASCII part is properly aligned for incomplete lines.
+     * This test catches the bug that was fixed in previous commit
+     * "util/hexdump: fix QEMU_HEXDUMP_LINE_WIDTH logic".
+     *
+     * We use data that is not aligned to 16 bytes, so last line
+     * is incomplete.
+     */
+    static const uint8_t data[] = {
+        /* First line: 16 bytes */
+        0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x57, 0x6f,  /* "Hello Wo" */
+        0x72, 0x6c, 0x64, 0x21, 0x20, 0x54, 0x68, 0x69,  /* "rld! Thi" */
+        /* Second line: 5 bytes (incomplete) */
+        0x73, 0x20, 0x69, 0x73, 0x20                     /* "s is " */
+    };
+    char *fname = NULL;
+    int fd;
+    g_autofree char *output = NULL;
+    size_t size, bytes_read;
+    FILE *f;
+
+    fd = g_file_open_tmp("test-qemu-hexdump-alignment-XXXXXX", &fname, NULL);
+    g_assert(fd >= 0);
+    g_assert_nonnull(fname);
+    f = fdopen(fd, "w+");
+
+    g_assert_nonnull(f);
+
+    qemu_hexdump(f, "test", data, sizeof(data));
+
+    size = ftell(f);
+    fseek(f, 0, SEEK_SET);
+
+    output = g_malloc(size + 1);
+    bytes_read = 0;
+    while (bytes_read < size) {
+        size_t chunk = fread(output + bytes_read, 1, size - bytes_read, f);
+        if (chunk == 0) {
+            break;
+        }
+        bytes_read += chunk;
+    }
+    g_assert_cmpuint(bytes_read, ==, size);
+    output[size] = '\0';
+
+    fclose(f);
+    unlink(fname);
+    g_free(fname);
+
+    /* We expect proper alignment of "s is" part on the second line */
+    static const char *expected =
+        "test: 0000: 48 65 6c 6c  6f 20 57 6f  72 6c 64 21  20 54 68 69   "
+            "Hello World! Thi\n"
+        "test: 0010: 73 20 69 73  20                                      "
+            "s is \n";
+
+    g_assert_cmpstr(output, ==, expected);
+}
+
 int main(int argc, char **argv)
 {
     g_test_init(&argc, &argv, NULL);
@@ -3995,5 +4056,10 @@ int main(int argc, char **argv)
                     test_iec_binary_prefix);
     g_test_add_func("/cutils/si_prefix",
                     test_si_prefix);
+
+    /* qemu_hexdump() test */
+    g_test_add_func("/cutils/qemu_hexdump/alignment",
+                    test_qemu_hexdump_alignment);
+
     return g_test_run();
 }
diff --git a/util/meson.build b/util/meson.build
index a0cfdc30ba6..7c9445615d7 100644
--- a/util/meson.build
+++ b/util/meson.build
@@ -33,6 +33,7 @@ endif
 util_ss.add(files('defer-call.c'))
 util_ss.add(files('envlist.c', 'path.c', 'module.c'))
 util_ss.add(files('event.c'))
+util_ss.add(files('hexdump.c'))
 util_ss.add(files('host-utils.c'))
 util_ss.add(files('bitmap.c', 'bitops.c'))
 util_ss.add(files('fifo8.c'))
@@ -90,7 +91,6 @@ if have_block
   util_ss.add(files('buffer.c'))
   util_ss.add(files('bufferiszero.c'))
   util_ss.add(files('hbitmap.c'))
-  util_ss.add(files('hexdump.c'))
   util_ss.add(files('iova-tree.c'))
   util_ss.add(files('iov.c'))
   util_ss.add(files('nvdimm-utils.c'))
-- 
2.52.0

[PULL 02/16] target/alpha: Use explicit little-endian LD/ST API

[Philippe Mathieu-Daudé]

The Alpha architecture uses little endianness. Directly
use the little-endian LD/ST API.

Mechanical change running:

  $ for a in uw w l q; do \
      sed -i -e "s/ld${a}_p(/ld${a}_le_p(/" \
        $(git grep -wlE '(ld|st)u?[wlq]_p' target/alpha/);
    done

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251224160040.88612-2-philmd@linaro.org>
---
 target/alpha/helper.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/target/alpha/helper.c b/target/alpha/helper.c
index a9af52a928f..80542cb0665 100644
--- a/target/alpha/helper.c
+++ b/target/alpha/helper.c
@@ -214,17 +214,18 @@ static int get_physical_address(CPUAlphaState *env, target_ulong addr,
 
     pt = env->ptbr;
 
-    /* TODO: rather than using ldq_phys() to read the page table we should
+    /*
+     * TODO: rather than using ldq_phys_le() to read the page table we should
      * use address_space_ldq() so that we can handle the case when
      * the page table read gives a bus fault, rather than ignoring it.
-     * For the existing code the zero data that ldq_phys will return for
+     * For the existing code the zero data that ldq_phys_le will return for
      * an access to invalid memory will result in our treating the page
      * table as invalid, which may even be the right behaviour.
      */
 
     /* L1 page table read.  */
     index = (addr >> (TARGET_PAGE_BITS + 20)) & 0x3ff;
-    L1pte = ldq_phys(cs->as, pt + index*8);
+    L1pte = ldq_phys_le(cs->as, pt + index * 8);
 
     if (unlikely((L1pte & PTE_VALID) == 0)) {
         ret = MM_K_TNV;
@@ -237,7 +238,7 @@ static int get_physical_address(CPUAlphaState *env, target_ulong addr,
 
     /* L2 page table read.  */
     index = (addr >> (TARGET_PAGE_BITS + 10)) & 0x3ff;
-    L2pte = ldq_phys(cs->as, pt + index*8);
+    L2pte = ldq_phys_le(cs->as, pt + index * 8);
 
     if (unlikely((L2pte & PTE_VALID) == 0)) {
         ret = MM_K_TNV;
@@ -250,7 +251,7 @@ static int get_physical_address(CPUAlphaState *env, target_ulong addr,
 
     /* L3 page table read.  */
     index = (addr >> TARGET_PAGE_BITS) & 0x3ff;
-    L3pte = ldq_phys(cs->as, pt + index*8);
+    L3pte = ldq_phys_le(cs->as, pt + index * 8);
 
     phys = L3pte >> 32 << TARGET_PAGE_BITS;
     if (unlikely((L3pte & PTE_VALID) == 0)) {
-- 
2.52.0

[PULL 03/16] target/alpha: Inline translator_ldl()

[Philippe Mathieu-Daudé]

translator_ldl() is defined in "exec/translator.h" as:

  198 static inline uint32_t
  199 translator_ldl(CPUArchState *env, DisasContextBase *db, vaddr pc)
  200 {
  201     return translator_ldl_end(env, db, pc, MO_TE);
  202 }

Directly use the inlined form, expanding MO_TE -> MO_LE
since Alpha use little-endian order.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251224160040.88612-5-philmd@linaro.org>
---
 target/alpha/translate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/alpha/translate.c b/target/alpha/translate.c
index 3be97057465..48ac50a7cdf 100644
--- a/target/alpha/translate.c
+++ b/target/alpha/translate.c
@@ -2905,7 +2905,7 @@ static void alpha_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
     uint32_t insn = translator_ldl_end(cpu_env(cpu), &ctx->base,
-                                       ctx->base.pc_next, MO_TE);
+                                       ctx->base.pc_next, MO_LE);
 
     ctx->base.pc_next += 4;
     ctx->base.is_jmp = translate_one(ctx, insn);
-- 
2.52.0

[PULL 04/16] configs/targets: Forbid Alpha to use legacy native endianness APIs

[Philippe Mathieu-Daudé]

All Alpha-related binaries are buildable without a single use
of the legacy "native endian" API. Unset the transitional
TARGET_USE_LEGACY_NATIVE_ENDIAN_API definition to forbid
further uses of the legacy API.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251224160040.88612-6-philmd@linaro.org>
---
 configs/targets/alpha-linux-user.mak | 1 +
 configs/targets/alpha-softmmu.mak    | 1 +
 2 files changed, 2 insertions(+)

diff --git a/configs/targets/alpha-linux-user.mak b/configs/targets/alpha-linux-user.mak
index aa25766236e..ee505e16ef4 100644
--- a/configs/targets/alpha-linux-user.mak
+++ b/configs/targets/alpha-linux-user.mak
@@ -3,3 +3,4 @@ TARGET_SYSTBL_ABI=common
 TARGET_SYSTBL=syscall.tbl
 TARGET_LONG_BITS=64
 TARGET_XML_FILES= gdb-xml/alpha-core.xml
+TARGET_NOT_USING_LEGACY_NATIVE_ENDIAN_API=y
diff --git a/configs/targets/alpha-softmmu.mak b/configs/targets/alpha-softmmu.mak
index e31f059a52d..22fbbf0cb08 100644
--- a/configs/targets/alpha-softmmu.mak
+++ b/configs/targets/alpha-softmmu.mak
@@ -1,3 +1,4 @@
 TARGET_ARCH=alpha
 TARGET_LONG_BITS=64
 TARGET_XML_FILES= gdb-xml/alpha-core.xml
+TARGET_NOT_USING_LEGACY_NATIVE_ENDIAN_API=y
-- 
2.52.0

[PULL 05/16] target/alpha: Replace legacy ld_phys() -> address_space_ld()

[Philippe Mathieu-Daudé]

Prefer the address_space_ld/st API over the legacy ld_phys()
because it allow checking for bus access fault.

Since we removed the last legacy uses of the legacy ldst_phys()
API, set the TARGET_NOT_USING_LEGACY_LDST_PHYS_API variable to
hide the legacy API to alpha binaries, avoiding further API uses
to creep in.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20251224160040.88612-7-philmd@linaro.org>
---
 configs/targets/alpha-linux-user.mak |  1 +
 configs/targets/alpha-softmmu.mak    |  1 +
 target/alpha/helper.c                | 29 ++++++++++++++++------------
 3 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/configs/targets/alpha-linux-user.mak b/configs/targets/alpha-linux-user.mak
index ee505e16ef4..2f1312f0362 100644
--- a/configs/targets/alpha-linux-user.mak
+++ b/configs/targets/alpha-linux-user.mak
@@ -4,3 +4,4 @@ TARGET_SYSTBL=syscall.tbl
 TARGET_LONG_BITS=64
 TARGET_XML_FILES= gdb-xml/alpha-core.xml
 TARGET_NOT_USING_LEGACY_NATIVE_ENDIAN_API=y
+TARGET_NOT_USING_LEGACY_LDST_PHYS_API=y
diff --git a/configs/targets/alpha-softmmu.mak b/configs/targets/alpha-softmmu.mak
index 22fbbf0cb08..5c6af0eafc1 100644
--- a/configs/targets/alpha-softmmu.mak
+++ b/configs/targets/alpha-softmmu.mak
@@ -2,3 +2,4 @@ TARGET_ARCH=alpha
 TARGET_LONG_BITS=64
 TARGET_XML_FILES= gdb-xml/alpha-core.xml
 TARGET_NOT_USING_LEGACY_NATIVE_ENDIAN_API=y
+TARGET_NOT_USING_LEGACY_LDST_PHYS_API=y
diff --git a/target/alpha/helper.c b/target/alpha/helper.c
index 80542cb0665..126a53c829b 100644
--- a/target/alpha/helper.c
+++ b/target/alpha/helper.c
@@ -169,6 +169,7 @@ static int get_physical_address(CPUAlphaState *env, target_ulong addr,
                                 int prot_need, int mmu_idx,
                                 target_ulong *pphys, int *pprot)
 {
+    const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
     CPUState *cs = env_cpu(env);
     target_long saddr = addr;
     target_ulong phys = 0;
@@ -176,6 +177,7 @@ static int get_physical_address(CPUAlphaState *env, target_ulong addr,
     target_ulong pt, index;
     int prot = 0;
     int ret = MM_K_ACV;
+    MemTxResult txres;
 
     /* Handle physical accesses.  */
     if (mmu_idx == MMU_PHYS_IDX) {
@@ -214,18 +216,13 @@ static int get_physical_address(CPUAlphaState *env, target_ulong addr,
 
     pt = env->ptbr;
 
-    /*
-     * TODO: rather than using ldq_phys_le() to read the page table we should
-     * use address_space_ldq() so that we can handle the case when
-     * the page table read gives a bus fault, rather than ignoring it.
-     * For the existing code the zero data that ldq_phys_le will return for
-     * an access to invalid memory will result in our treating the page
-     * table as invalid, which may even be the right behaviour.
-     */
-
     /* L1 page table read.  */
     index = (addr >> (TARGET_PAGE_BITS + 20)) & 0x3ff;
-    L1pte = ldq_phys_le(cs->as, pt + index * 8);
+    L1pte = address_space_ldq_le(cs->as, pt + index * 8, attrs, &txres);
+    if (txres != MEMTX_OK) {
+        /* bus fault */
+        goto exit;
+    }
 
     if (unlikely((L1pte & PTE_VALID) == 0)) {
         ret = MM_K_TNV;
@@ -238,7 +235,11 @@ static int get_physical_address(CPUAlphaState *env, target_ulong addr,
 
     /* L2 page table read.  */
     index = (addr >> (TARGET_PAGE_BITS + 10)) & 0x3ff;
-    L2pte = ldq_phys_le(cs->as, pt + index * 8);
+    L2pte = address_space_ldq_le(cs->as, pt + index * 8, attrs, &txres);
+    if (txres != MEMTX_OK) {
+        /* bus fault */
+        goto exit;
+    }
 
     if (unlikely((L2pte & PTE_VALID) == 0)) {
         ret = MM_K_TNV;
@@ -251,7 +252,11 @@ static int get_physical_address(CPUAlphaState *env, target_ulong addr,
 
     /* L3 page table read.  */
     index = (addr >> TARGET_PAGE_BITS) & 0x3ff;
-    L3pte = ldq_phys_le(cs->as, pt + index * 8);
+    L3pte = address_space_ldq_le(cs->as, pt + index * 8, attrs, &txres);
+    if (txres != MEMTX_OK) {
+        /* bus fault */
+        goto exit;
+    }
 
     phys = L3pte >> 32 << TARGET_PAGE_BITS;
     if (unlikely((L3pte & PTE_VALID) == 0)) {
-- 
2.52.0

[PULL 06/16] memory: Remove memory_region_init_rom_device_nomigrate()

[Philippe Mathieu-Daudé]

From: BALATON Zoltan <balaton@eik.bme.hu>

This function is not used outside of memory_region_init_rom_device()
which is its only caller. Inline it there and remove it.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <e6f973ff3c243fe1780bf01c3e67c9e019b08fa9.1770042013.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 docs/devel/memory.rst                         |  1 -
 .../memory-region-housekeeping.cocci          |  8 ----
 include/system/memory.h                       | 27 ------------
 system/memory.c                               | 41 ++++++-------------
 4 files changed, 13 insertions(+), 64 deletions(-)

diff --git a/docs/devel/memory.rst b/docs/devel/memory.rst
index f22146e56ce..8558f70a421 100644
--- a/docs/devel/memory.rst
+++ b/docs/devel/memory.rst
@@ -114,7 +114,6 @@ the backing memory yourself, you can call the functions:
 
 - memory_region_init_ram_nomigrate()
 - memory_region_init_rom_nomigrate()
-- memory_region_init_rom_device_nomigrate()
 
 which only initialize the MemoryRegion and leave handling
 migration to the caller.
diff --git a/scripts/coccinelle/memory-region-housekeeping.cocci b/scripts/coccinelle/memory-region-housekeeping.cocci
index 29651ebde90..7f89e9712ec 100644
--- a/scripts/coccinelle/memory-region-housekeeping.cocci
+++ b/scripts/coccinelle/memory-region-housekeeping.cocci
@@ -97,14 +97,6 @@ expression NAME;
 expression SIZE;
 expression ERRP;
 @@
--memory_region_init_rom_device_nomigrate(MR, NULL, OPS, OPAQUE, NAME, SIZE, ERRP);
-+memory_region_init_rom_device(MR, NULL, OPS, OPAQUE, NAME, SIZE, ERRP);
- ...
--vmstate_register_ram_global(MR);
-
-
-// Device is owner
-@@
 typedef DeviceState;
 identifier device_fn, dev, obj;
 expression E1, E2, E3, E4, E5;
diff --git a/include/system/memory.h b/include/system/memory.h
index 8f8725ea2d5..0562af31361 100644
--- a/include/system/memory.h
+++ b/include/system/memory.h
@@ -1614,33 +1614,6 @@ bool memory_region_init_rom_nomigrate(MemoryRegion *mr,
                                       uint64_t size,
                                       Error **errp);
 
-/**
- * memory_region_init_rom_device_nomigrate:  Initialize a ROM memory region.
- *                                 Writes are handled via callbacks.
- *
- * Note that this function does not do anything to cause the data in the
- * RAM side of the memory region to be migrated; that is the responsibility
- * of the caller.
- *
- * @mr: the #MemoryRegion to be initialized.
- * @owner: the object that tracks the region's reference count
- * @ops: callbacks for write access handling (must not be NULL).
- * @opaque: passed to the read and write callbacks of the @ops structure.
- * @name: Region name, becomes part of RAMBlock name used in migration stream
- *        must be unique within any device
- * @size: size of the region.
- * @errp: pointer to Error*, to store an error if it happens.
- *
- * Return: true on success, else false setting @errp with error.
- */
-bool memory_region_init_rom_device_nomigrate(MemoryRegion *mr,
-                                             Object *owner,
-                                             const MemoryRegionOps *ops,
-                                             void *opaque,
-                                             const char *name,
-                                             uint64_t size,
-                                             Error **errp);
-
 /**
  * memory_region_init_iommu: Initialize a memory region of a custom type
  * that translates addresses
diff --git a/system/memory.c b/system/memory.c
index 4bf00d82bcf..a9032fb2cfe 100644
--- a/system/memory.c
+++ b/system/memory.c
@@ -1748,32 +1748,6 @@ bool memory_region_init_rom_nomigrate(MemoryRegion *mr,
     return true;
 }
 
-bool memory_region_init_rom_device_nomigrate(MemoryRegion *mr,
-                                             Object *owner,
-                                             const MemoryRegionOps *ops,
-                                             void *opaque,
-                                             const char *name,
-                                             uint64_t size,
-                                             Error **errp)
-{
-    Error *err = NULL;
-    assert(ops);
-    memory_region_init(mr, owner, name, size);
-    mr->ops = ops;
-    mr->opaque = opaque;
-    mr->terminates = true;
-    mr->rom_device = true;
-    mr->destructor = memory_region_destructor_ram;
-    mr->ram_block = qemu_ram_alloc(size, 0, mr, &err);
-    if (err) {
-        mr->size = int128_zero();
-        object_unparent(OBJECT(mr));
-        error_propagate(errp, err);
-        return false;
-    }
-    return true;
-}
-
 void memory_region_init_iommu(void *_iommu_mr,
                               size_t instance_size,
                               const char *mrtypename,
@@ -3802,9 +3776,20 @@ bool memory_region_init_rom_device(MemoryRegion *mr,
                                    Error **errp)
 {
     DeviceState *owner_dev;
+    Error *err = NULL;
 
-    if (!memory_region_init_rom_device_nomigrate(mr, owner, ops, opaque,
-                                                 name, size, errp)) {
+    assert(ops);
+    memory_region_init(mr, owner, name, size);
+    mr->ops = ops;
+    mr->opaque = opaque;
+    mr->terminates = true;
+    mr->rom_device = true;
+    mr->destructor = memory_region_destructor_ram;
+    mr->ram_block = qemu_ram_alloc(size, 0, mr, &err);
+    if (err) {
+        mr->size = int128_zero();
+        object_unparent(OBJECT(mr));
+        error_propagate(errp, err);
         return false;
     }
     /* This will assert if owner is neither NULL nor a DeviceState.
-- 
2.52.0

[PULL 07/16] memory: Add internal memory_region_set_ops helper function

[Philippe Mathieu-Daudé]

From: BALATON Zoltan <balaton@eik.bme.hu>

This is a common operation used at multiple places, add a helper
function for it.

Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <25045c95c083e31c6773521ecfe41900738b7bb5.1770042013.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 system/memory.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/system/memory.c b/system/memory.c
index a9032fb2cfe..c51d0798a84 100644
--- a/system/memory.c
+++ b/system/memory.c
@@ -1559,6 +1559,15 @@ MemTxResult memory_region_dispatch_write(MemoryRegion *mr,
     }
 }
 
+static void memory_region_set_ops(MemoryRegion *mr,
+                                  const MemoryRegionOps *ops,
+                                  void *opaque)
+{
+    mr->ops = ops ?: &unassigned_mem_ops;
+    mr->opaque = opaque;
+    mr->terminates = true;
+}
+
 void memory_region_init_io(MemoryRegion *mr,
                            Object *owner,
                            const MemoryRegionOps *ops,
@@ -1567,9 +1576,7 @@ void memory_region_init_io(MemoryRegion *mr,
                            uint64_t size)
 {
     memory_region_init(mr, owner, name, size);
-    mr->ops = ops ? ops : &unassigned_mem_ops;
-    mr->opaque = opaque;
-    mr->terminates = true;
+    memory_region_set_ops(mr, ops, opaque);
 }
 
 bool memory_region_init_ram_nomigrate(MemoryRegion *mr,
@@ -1710,10 +1717,8 @@ void memory_region_init_ram_device_ptr(MemoryRegion *mr,
 {
     memory_region_init(mr, owner, name, size);
     mr->ram = true;
-    mr->terminates = true;
     mr->ram_device = true;
-    mr->ops = &ram_device_mem_ops;
-    mr->opaque = mr;
+    memory_region_set_ops(mr, &ram_device_mem_ops, mr);
     mr->destructor = memory_region_destructor_ram;
 
     /* qemu_ram_alloc_from_ptr cannot fail with ptr != NULL.  */
@@ -3780,9 +3785,7 @@ bool memory_region_init_rom_device(MemoryRegion *mr,
 
     assert(ops);
     memory_region_init(mr, owner, name, size);
-    mr->ops = ops;
-    mr->opaque = opaque;
-    mr->terminates = true;
+    memory_region_set_ops(mr, ops, opaque);
     mr->rom_device = true;
     mr->destructor = memory_region_destructor_ram;
     mr->ram_block = qemu_ram_alloc(size, 0, mr, &err);
-- 
2.52.0

[PULL 08/16] hw/nvme: Fix bootindex suffix use-after-free

[Philippe Mathieu-Daudé]

From: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>

The bootindex suffix can be used as long as the property is alive.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260125-nvme-v1-5-0658c31fade9@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 hw/nvme/nvme.h | 1 +
 hw/nvme/ns.c   | 7 +++----
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/nvme/nvme.h b/hw/nvme/nvme.h
index 8f8c78c8503..d66f7dc82d5 100644
--- a/hw/nvme/nvme.h
+++ b/hw/nvme/nvme.h
@@ -239,6 +239,7 @@ typedef struct NvmeNamespace {
     DeviceState  parent_obj;
     BlockConf    blkconf;
     int32_t      bootindex;
+    char         bootindex_suffix[24];
     int64_t      size;
     int64_t      moff;
     NvmeIdNs     id_ns;
diff --git a/hw/nvme/ns.c b/hw/nvme/ns.c
index 58800b3414a..38f86a17268 100644
--- a/hw/nvme/ns.c
+++ b/hw/nvme/ns.c
@@ -944,12 +944,11 @@ static void nvme_ns_class_init(ObjectClass *oc, const void *data)
 static void nvme_ns_instance_init(Object *obj)
 {
     NvmeNamespace *ns = NVME_NS(obj);
-    char *bootindex = g_strdup_printf("/namespace@%d,0", ns->params.nsid);
+
+    sprintf(ns->bootindex_suffix, "/namespace@%" PRIu32 ",0", ns->params.nsid);
 
     device_add_bootindex_property(obj, &ns->bootindex, "bootindex",
-                                  bootindex, DEVICE(obj));
-
-    g_free(bootindex);
+                                  ns->bootindex_suffix, DEVICE(obj));
 }
 
 static const TypeInfo nvme_ns_info = {
-- 
2.52.0

[PULL 09/16] hw/ide, scsi-disk: Fix typo on the rotation_rate documentation

[Philippe Mathieu-Daudé]

From: Alberto Garcia <berto@igalia.com>

Correct values according to the Medium Rotation Rate field from the
Block Device Characteristics VPD page (B1h) of the SCSI specification.

Signed-off-by: Alberto Garcia <berto@igalia.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260128102548.224237-1-berto@igalia.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 include/hw/ide/ide-dev.h | 2 +-
 hw/scsi/scsi-disk.c      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/hw/ide/ide-dev.h b/include/hw/ide/ide-dev.h
index 617e8159c77..f5eaaf68e65 100644
--- a/include/hw/ide/ide-dev.h
+++ b/include/hw/ide/ide-dev.h
@@ -160,7 +160,7 @@ struct IDEDevice {
      * 0x0000        - rotation rate not reported
      * 0x0001        - non-rotating medium (SSD)
      * 0x0002-0x0400 - reserved
-     * 0x0401-0xffe  - rotations per minute
+     * 0x0401-0xfffe - rotations per minute
      * 0xffff        - reserved
      */
     uint16_t rotation_rate;
diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index 0f896c27f47..db7d04119e1 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -117,7 +117,7 @@ struct SCSIDiskState {
      * 0x0000        - rotation rate not reported
      * 0x0001        - non-rotating medium (SSD)
      * 0x0002-0x0400 - reserved
-     * 0x0401-0xffe  - rotations per minute
+     * 0x0401-0xfffe - rotations per minute
      * 0xffff        - reserved
      */
     uint16_t rotation_rate;
-- 
2.52.0

[PULL 10/16] accel/tcg: Send the CPUTLBEntryFull struct into io_prepare()

[Philippe Mathieu-Daudé]

From: Jim Shu <jim.shu@sifive.com>

To let io_prepare() function use the multiple members in
CPUTLBEntryFull struct, send the full struct instead of 'xlat_section'
member as the argument.

It is the preliminary patch of next commit.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Mark Burton <mburton@qti.qualcomm.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20260128152348.2095427-2-jim.shu@sifive.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 accel/tcg/cputlb.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index 6900a126827..82c9b6389dc 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -1270,14 +1270,14 @@ static inline void cpu_unaligned_access(CPUState *cpu, vaddr addr,
 }
 
 static MemoryRegionSection *
-io_prepare(hwaddr *out_offset, CPUState *cpu, hwaddr xlat,
+io_prepare(hwaddr *out_offset, CPUState *cpu, CPUTLBEntryFull *full,
            MemTxAttrs attrs, vaddr addr, uintptr_t retaddr)
 {
     MemoryRegionSection *section;
     hwaddr mr_offset;
 
-    section = iotlb_to_section(cpu, xlat, attrs);
-    mr_offset = (xlat & TARGET_PAGE_MASK) + addr;
+    section = iotlb_to_section(cpu, full->xlat_section, attrs);
+    mr_offset = (full->xlat_section & TARGET_PAGE_MASK) + addr;
     cpu->mem_io_pc = retaddr;
     if (!cpu->neg.can_do_io) {
         cpu_io_recompile(cpu, retaddr);
@@ -1981,7 +1981,7 @@ static uint64_t do_ld_mmio_beN(CPUState *cpu, CPUTLBEntryFull *full,
     tcg_debug_assert(size > 0 && size <= 8);
 
     attrs = full->attrs;
-    section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra);
+    section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra);
     mr = section->mr;
 
     BQL_LOCK_GUARD();
@@ -2002,7 +2002,7 @@ static Int128 do_ld16_mmio_beN(CPUState *cpu, CPUTLBEntryFull *full,
     tcg_debug_assert(size > 8 && size <= 16);
 
     attrs = full->attrs;
-    section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra);
+    section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra);
     mr = section->mr;
 
     BQL_LOCK_GUARD();
@@ -2499,7 +2499,7 @@ static uint64_t do_st_mmio_leN(CPUState *cpu, CPUTLBEntryFull *full,
     tcg_debug_assert(size > 0 && size <= 8);
 
     attrs = full->attrs;
-    section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra);
+    section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra);
     mr = section->mr;
 
     BQL_LOCK_GUARD();
@@ -2519,7 +2519,7 @@ static uint64_t do_st16_mmio_leN(CPUState *cpu, CPUTLBEntryFull *full,
     tcg_debug_assert(size > 8 && size <= 16);
 
     attrs = full->attrs;
-    section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra);
+    section = io_prepare(&mr_offset, cpu, full, attrs, addr, ra);
     mr = section->mr;
 
     BQL_LOCK_GUARD();
-- 
2.52.0

[PULL 11/16] accel/tcg: Fix iotlb_to_section() for different AddressSpace

[Philippe Mathieu-Daudé]

From: Jim Shu <jim.shu@sifive.com>

'CPUTLBEntryFull.xlat_section' stores section_index in last 12 bits to
find the correct section when CPU access the IO region over the IOTLB.
However, section_index is only unique inside single AddressSpace. If
address space translation is over IOMMUMemoryRegion, it could return
section from other AddressSpace. 'iotlb_to_section()' API only finds the
sections from CPU's AddressSpace so that it couldn't find section in
other AddressSpace. Thus, using 'iotlb_to_section()' API will find the
wrong section and QEMU will have wrong load/store access.

To fix this bug of iotlb_to_section(), store complete MemoryRegionSection
pointer in CPUTLBEntryFull to replace the section_index in xlat_section.
Rename 'xlat_section' to 'xlat' as we remove last 12 bits section_index
inside. Also, since we directly use section pointer in the
CPUTLBEntryFull (full->section), we can remove the unused functions:
iotlb_to_section(), memory_region_section_get_iotlb().

This bug occurs only when
(1) IOMMUMemoryRegion is in the path of CPU access.
(2) IOMMUMemoryRegion returns different target_as and the section is in
the IO region.

Common IOMMU devices don't have this issue since they are only in the
path of DMA access. Currently, the bug only occurs when ARM MPC device
(hw/misc/tz-mpc.c) returns 'blocked_io_as' to emulate blocked access
handling. Upcoming RISC-V wgChecker [1] and IOPMP [2] devices are also
affected by this bug.

[1] RISC-V WG:
https://patchew.org/QEMU/20251021155548.584543-1-jim.shu@sifive.com/
[2] RISC-V IOPMP:
https://patchew.org/QEMU/20250312093735.1517740-1-ethan84@andestech.com/

Signed-off-by: Jim Shu <jim.shu@sifive.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Mark Burton <mburton@qti.qualcomm.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20260128152348.2095427-3-jim.shu@sifive.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 include/accel/tcg/iommu.h | 15 ---------------
 include/exec/cputlb.h     |  4 ++--
 include/hw/core/cpu.h     | 17 +++++++++--------
 accel/tcg/cputlb.c        | 22 ++++++++++------------
 system/physmem.c          | 25 -------------------------
 5 files changed, 21 insertions(+), 62 deletions(-)

diff --git a/include/accel/tcg/iommu.h b/include/accel/tcg/iommu.h
index 90cfd6c0ed1..547f8ea0ef0 100644
--- a/include/accel/tcg/iommu.h
+++ b/include/accel/tcg/iommu.h
@@ -14,18 +14,6 @@
 #include "exec/hwaddr.h"
 #include "exec/memattrs.h"
 
-/**
- * iotlb_to_section:
- * @cpu: CPU performing the access
- * @index: TCG CPU IOTLB entry
- *
- * Given a TCG CPU IOTLB entry, return the MemoryRegionSection that
- * it refers to. @index will have been initially created and returned
- * by memory_region_section_get_iotlb().
- */
-MemoryRegionSection *iotlb_to_section(CPUState *cpu,
-                                      hwaddr index, MemTxAttrs attrs);
-
 MemoryRegionSection *address_space_translate_for_iotlb(CPUState *cpu,
                                                        int asidx,
                                                        hwaddr addr,
@@ -34,8 +22,5 @@ MemoryRegionSection *address_space_translate_for_iotlb(CPUState *cpu,
                                                        MemTxAttrs attrs,
                                                        int *prot);
 
-hwaddr memory_region_section_get_iotlb(CPUState *cpu,
-                                       MemoryRegionSection *section);
-
 #endif
 
diff --git a/include/exec/cputlb.h b/include/exec/cputlb.h
index 0d1d46429c9..3a9603a6965 100644
--- a/include/exec/cputlb.h
+++ b/include/exec/cputlb.h
@@ -44,8 +44,8 @@ void tlb_reset_dirty_range_all(ram_addr_t start, ram_addr_t length);
  * @full: the details of the tlb entry
  *
  * Add an entry to @cpu tlb index @mmu_idx.  All of the fields of
- * @full must be filled, except for xlat_section, and constitute
- * the complete description of the translated page.
+ * @full must be filled, except for xlat_offset & section, and
+ * constitute the complete description of the translated page.
  *
  * This is generally called by the target tlb_fill function after
  * having performed a successful page table walk to find the physical
diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
index 61da2ea4331..98678704a64 100644
--- a/include/hw/core/cpu.h
+++ b/include/hw/core/cpu.h
@@ -219,15 +219,16 @@ typedef uint32_t MMUIdxMap;
  */
 struct CPUTLBEntryFull {
     /*
-     * @xlat_section contains:
-     *  - in the lower TARGET_PAGE_BITS, a physical section number
-     *  - with the lower TARGET_PAGE_BITS masked off, an offset which
-     *    must be added to the virtual address to obtain:
-     *     + the ram_addr_t of the target RAM (if the physical section
-     *       number is PHYS_SECTION_NOTDIRTY or PHYS_SECTION_ROM)
-     *     + the offset within the target MemoryRegion (otherwise)
+     * @xlat_offset: TARGET_PAGE_BITS aligned offset which must be added to
+     * the virtual address to obtain:
+     *   + the ram_addr_t of the target RAM (if the physical section
+     *     number is PHYS_SECTION_NOTDIRTY or PHYS_SECTION_ROM)
+     *   + the offset within the target MemoryRegion (otherwise)
      */
-    hwaddr xlat_section;
+    hwaddr xlat_offset;
+
+    /* @section contains physical section. */
+    MemoryRegionSection *section;
 
     /*
      * @phys_addr contains the physical address in the address space
diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index 82c9b6389dc..76546c66515 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -1090,7 +1090,7 @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx,
         }
     } else {
         /* I/O or ROMD */
-        iotlb = memory_region_section_get_iotlb(cpu, section) + xlat;
+        iotlb = xlat;
         /*
          * Writes to romd devices must go through MMIO to enable write.
          * Reads to romd devices go through the ram_ptr found above,
@@ -1141,10 +1141,9 @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx,
     /*
      * When memory region is ram, iotlb contains a TARGET_PAGE_BITS
      * aligned ram_addr_t of the page base of the target RAM.
-     * Otherwise, iotlb contains
-     *  - a physical section number in the lower TARGET_PAGE_BITS
-     *  - the offset within section->mr of the page base (I/O, ROMD) with the
-     *    TARGET_PAGE_BITS masked off.
+     * Otherwise, iotlb contains a TARGET_PAGE_BITS aligned
+     * offset within section->mr of the page base (I/O, ROMD)
+     *
      * We subtract addr_page (which is page aligned and thus won't
      * disturb the low bits) to give an offset which can be added to the
      * (non-page-aligned) vaddr of the eventual memory access to get
@@ -1154,7 +1153,8 @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx,
      */
     desc->fulltlb[index] = *full;
     full = &desc->fulltlb[index];
-    full->xlat_section = iotlb - addr_page;
+    full->xlat_offset = iotlb - addr_page;
+    full->section = section;
     full->phys_addr = paddr_page;
 
     /* Now calculate the new entry */
@@ -1276,8 +1276,8 @@ io_prepare(hwaddr *out_offset, CPUState *cpu, CPUTLBEntryFull *full,
     MemoryRegionSection *section;
     hwaddr mr_offset;
 
-    section = iotlb_to_section(cpu, full->xlat_section, attrs);
-    mr_offset = (full->xlat_section & TARGET_PAGE_MASK) + addr;
+    section = full->section;
+    mr_offset = full->xlat_offset + addr;
     cpu->mem_io_pc = retaddr;
     if (!cpu->neg.can_do_io) {
         cpu_io_recompile(cpu, retaddr);
@@ -1336,7 +1336,7 @@ static bool victim_tlb_hit(CPUState *cpu, size_t mmu_idx, size_t index,
 static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size,
                            CPUTLBEntryFull *full, uintptr_t retaddr)
 {
-    ram_addr_t ram_addr = mem_vaddr + full->xlat_section;
+    ram_addr_t ram_addr = mem_vaddr + full->xlat_offset;
 
     trace_memory_notdirty_write_access(mem_vaddr, ram_addr, size);
 
@@ -1593,9 +1593,7 @@ bool tlb_plugin_lookup(CPUState *cpu, vaddr addr, int mmu_idx,
 
     /* We must have an iotlb entry for MMIO */
     if (tlb_addr & TLB_MMIO) {
-        MemoryRegionSection *section =
-            iotlb_to_section(cpu, full->xlat_section & ~TARGET_PAGE_MASK,
-                             full->attrs);
+        MemoryRegionSection *section = full->section;
         data->is_io = true;
         data->mr = section->mr;
     } else {
diff --git a/system/physmem.c b/system/physmem.c
index b0311f45312..d17596a77fb 100644
--- a/system/physmem.c
+++ b/system/physmem.c
@@ -747,31 +747,6 @@ translate_fail:
     return &d->map.sections[PHYS_SECTION_UNASSIGNED];
 }
 
-MemoryRegionSection *iotlb_to_section(CPUState *cpu,
-                                      hwaddr index, MemTxAttrs attrs)
-{
-    int asidx = cpu_asidx_from_attrs(cpu, attrs);
-    CPUAddressSpace *cpuas = &cpu->cpu_ases[asidx];
-    AddressSpaceDispatch *d = address_space_to_dispatch(cpuas->as);
-    int section_index = index & ~TARGET_PAGE_MASK;
-    MemoryRegionSection *ret;
-
-    assert(section_index < d->map.sections_nb);
-    ret = d->map.sections + section_index;
-    assert(ret->mr);
-    assert(ret->mr->ops);
-
-    return ret;
-}
-
-/* Called from RCU critical section */
-hwaddr memory_region_section_get_iotlb(CPUState *cpu,
-                                       MemoryRegionSection *section)
-{
-    AddressSpaceDispatch *d = flatview_to_dispatch(section->fv);
-    return section - d->map.sections;
-}
-
 #endif /* CONFIG_TCG */
 
 void cpu_address_space_init(CPUState *cpu, int asidx,
-- 
2.52.0

[PULL 12/16] system/physmem: Remove the assertion of page-aligned section number

[Philippe Mathieu-Daudé]

From: Jim Shu <jim.shu@sifive.com>

We don't need to OR the physical section number anymore since we now
directly have a pointer on the memory section.

Signed-off-by: Jim Shu <jim.shu@sifive.com>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-ID: <20260128152348.2095427-4-jim.shu@sifive.com>
[PMD: Reworded description per Pierrick's comment]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 system/physmem.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/system/physmem.c b/system/physmem.c
index d17596a77fb..2fb0c25c93b 100644
--- a/system/physmem.c
+++ b/system/physmem.c
@@ -1323,12 +1323,6 @@ static subpage_t *subpage_init(FlatView *fv, hwaddr base);
 static uint16_t phys_section_add(PhysPageMap *map,
                                  MemoryRegionSection *section)
 {
-    /* The physical section number is ORed with a page-aligned
-     * pointer to produce the iotlb entries.  Thus it should
-     * never overflow into the page-aligned value.
-     */
-    assert(map->sections_nb < TARGET_PAGE_SIZE);
-
     if (map->sections_nb == map->sections_nb_alloc) {
         map->sections_nb_alloc = MAX(map->sections_nb_alloc * 2, 16);
         map->sections = g_renew(MemoryRegionSection, map->sections,
-- 
2.52.0

[PULL 13/16] target/i386: Include missing 'svm.h' header in 'sev.h'

[Philippe Mathieu-Daudé]

"target/i386/sev.h" uses the vmcb_seg structure type, which
is defined in "target/i386/svm.h". Current builds succeed
because the files including "target/i386/sev.h" also include
"monitor/hmp-target.h", itself including "cpu.h" and finally
"target/i386/svm.h".

Include the latter, otherwise removing "cpu.h" from
"monitor/hmp-target.h" triggers:

  ../target/i386/sev.h:62:21: error: field has incomplete type 'struct vmcb_seg'
     62 |     struct vmcb_seg es;
        |                     ^

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Message-Id: <20260129164039.58472-2-philmd@linaro.org>
---
 target/i386/sev.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/target/i386/sev.h b/target/i386/sev.h
index 9db1a802f6b..4358df40e48 100644
--- a/target/i386/sev.h
+++ b/target/i386/sev.h
@@ -14,6 +14,8 @@
 #ifndef I386_SEV_H
 #define I386_SEV_H
 
+#include "target/i386/svm.h"
+
 #ifndef CONFIG_USER_ONLY
 #include CONFIG_DEVICES /* CONFIG_SEV */
 #endif
-- 
2.52.0

[PULL 14/16] monitor: Reduce target-specific declarations

[Philippe Mathieu-Daudé]

Some declarations do not depend on target-specific types,
move them out of "monitor/hmp-target.h" to "monitor/hmp.h".

Commit 409e9f7131e ("mos6522: add "info via" HMP command
for debugging") declared hmp_info_via() is declared twice.
Remove the one in "hw/misc/mos6522.h" otherwise we get:

  In file included from ../hw/misc/mos6522.c:33:
  include/monitor/hmp.h:43:6: error: redundant redeclaration of 'hmp_info_via' [-Werror=redundant-decls]
     43 | void hmp_info_via(Monitor *mon, const QDict *qdict);
        |      ^~~~~~~~~~~~
  In file included from ../hw/misc/mos6522.c:29:
  include/hw/misc/mos6522.h:175:6: note: previous declaration of 'hmp_info_via' with type 'void(Monitor *, const QDict *)'
    175 | void hmp_info_via(Monitor *mon, const QDict *qdict);
        |      ^~~~~~~~~~~~

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20260129164039.58472-3-philmd@linaro.org>
---
 include/hw/misc/mos6522.h     |  2 --
 include/monitor/hmp-target.h  | 14 --------------
 include/monitor/hmp.h         | 13 +++++++++++++
 hw/i386/sgx-stub.c            |  1 +
 hw/i386/sgx.c                 |  1 +
 monitor/hmp-cmds.c            |  1 +
 target/i386/cpu-apic.c        |  1 +
 target/i386/sev-system-stub.c |  1 +
 target/i386/sev.c             |  1 +
 target/m68k/monitor.c         |  1 +
 target/riscv/monitor.c        |  1 +
 11 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/include/hw/misc/mos6522.h b/include/hw/misc/mos6522.h
index 150e30a2c11..82838d09106 100644
--- a/include/hw/misc/mos6522.h
+++ b/include/hw/misc/mos6522.h
@@ -172,6 +172,4 @@ extern const VMStateDescription vmstate_mos6522;
 uint64_t mos6522_read(void *opaque, hwaddr addr, unsigned size);
 void mos6522_write(void *opaque, hwaddr addr, uint64_t val, unsigned size);
 
-void hmp_info_via(Monitor *mon, const QDict *qdict);
-
 #endif /* MOS6522_H */
diff --git a/include/monitor/hmp-target.h b/include/monitor/hmp-target.h
index b679aaebbff..5167d17d41d 100644
--- a/include/monitor/hmp-target.h
+++ b/include/monitor/hmp-target.h
@@ -47,18 +47,4 @@ int target_get_monitor_def(CPUState *cs, const char *name, uint64_t *pval);
 CPUArchState *mon_get_cpu_env(Monitor *mon);
 CPUState *mon_get_cpu(Monitor *mon);
 
-void hmp_info_mem(Monitor *mon, const QDict *qdict);
-void hmp_info_tlb(Monitor *mon, const QDict *qdict);
-void hmp_mce(Monitor *mon, const QDict *qdict);
-void hmp_info_local_apic(Monitor *mon, const QDict *qdict);
-void hmp_info_sev(Monitor *mon, const QDict *qdict);
-void hmp_info_sgx(Monitor *mon, const QDict *qdict);
-void hmp_info_via(Monitor *mon, const QDict *qdict);
-void hmp_memory_dump(Monitor *mon, const QDict *qdict);
-void hmp_physical_memory_dump(Monitor *mon, const QDict *qdict);
-void hmp_info_registers(Monitor *mon, const QDict *qdict);
-void hmp_gva2gpa(Monitor *mon, const QDict *qdict);
-void hmp_gpa2hva(Monitor *mon, const QDict *qdict);
-void hmp_gpa2hpa(Monitor *mon, const QDict *qdict);
-
 #endif /* MONITOR_HMP_TARGET_H */
diff --git a/include/monitor/hmp.h b/include/monitor/hmp.h
index 83721b5ffc6..e222bea60cd 100644
--- a/include/monitor/hmp.h
+++ b/include/monitor/hmp.h
@@ -180,5 +180,18 @@ void hmp_info_mtree(Monitor *mon, const QDict *qdict);
 void hmp_info_cryptodev(Monitor *mon, const QDict *qdict);
 void hmp_dumpdtb(Monitor *mon, const QDict *qdict);
 void hmp_info_firmware_log(Monitor *mon, const QDict *qdict);
+void hmp_info_mem(Monitor *mon, const QDict *qdict);
+void hmp_info_tlb(Monitor *mon, const QDict *qdict);
+void hmp_mce(Monitor *mon, const QDict *qdict);
+void hmp_info_local_apic(Monitor *mon, const QDict *qdict);
+void hmp_info_sev(Monitor *mon, const QDict *qdict);
+void hmp_info_sgx(Monitor *mon, const QDict *qdict);
+void hmp_info_via(Monitor *mon, const QDict *qdict);
+void hmp_memory_dump(Monitor *mon, const QDict *qdict);
+void hmp_physical_memory_dump(Monitor *mon, const QDict *qdict);
+void hmp_info_registers(Monitor *mon, const QDict *qdict);
+void hmp_gva2gpa(Monitor *mon, const QDict *qdict);
+void hmp_gpa2hva(Monitor *mon, const QDict *qdict);
+void hmp_gpa2hpa(Monitor *mon, const QDict *qdict);
 
 #endif
diff --git a/hw/i386/sgx-stub.c b/hw/i386/sgx-stub.c
index d295e54d239..1dd8d9afbfa 100644
--- a/hw/i386/sgx-stub.c
+++ b/hw/i386/sgx-stub.c
@@ -1,5 +1,6 @@
 #include "qemu/osdep.h"
 #include "monitor/monitor.h"
+#include "monitor/hmp.h"
 #include "monitor/hmp-target.h"
 #include "hw/i386/pc.h"
 #include "hw/i386/sgx-epc.h"
diff --git a/hw/i386/sgx.c b/hw/i386/sgx.c
index e2801546ad6..5e792e8e6e9 100644
--- a/hw/i386/sgx.c
+++ b/hw/i386/sgx.c
@@ -16,6 +16,7 @@
 #include "hw/mem/memory-device.h"
 #include "monitor/qdev.h"
 #include "monitor/monitor.h"
+#include "monitor/hmp.h"
 #include "monitor/hmp-target.h"
 #include "qapi/error.h"
 #include "qemu/error-report.h"
diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
index 5a673cddb2a..bad034937a9 100644
--- a/monitor/hmp-cmds.c
+++ b/monitor/hmp-cmds.c
@@ -21,6 +21,7 @@
 #include "gdbstub/enums.h"
 #include "monitor/hmp.h"
 #include "qemu/help_option.h"
+#include "monitor/hmp.h"
 #include "monitor/hmp-target.h"
 #include "monitor/monitor-internal.h"
 #include "qapi/error.h"
diff --git a/target/i386/cpu-apic.c b/target/i386/cpu-apic.c
index eeee62b52a2..f7ad7b51394 100644
--- a/target/i386/cpu-apic.c
+++ b/target/i386/cpu-apic.c
@@ -10,6 +10,7 @@
 #include "qobject/qdict.h"
 #include "qapi/error.h"
 #include "monitor/monitor.h"
+#include "monitor/hmp.h"
 #include "monitor/hmp-target.h"
 #include "system/hw_accel.h"
 #include "system/kvm.h"
diff --git a/target/i386/sev-system-stub.c b/target/i386/sev-system-stub.c
index 7c5c02a5657..fb84aee94d2 100644
--- a/target/i386/sev-system-stub.c
+++ b/target/i386/sev-system-stub.c
@@ -13,6 +13,7 @@
 
 #include "qemu/osdep.h"
 #include "monitor/monitor.h"
+#include "monitor/hmp.h"
 #include "monitor/hmp-target.h"
 #include "qapi/error.h"
 #include "sev.h"
diff --git a/target/i386/sev.c b/target/i386/sev.c
index 1d70f96ec1f..fef9f441c61 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -36,6 +36,7 @@
 #include "migration/blocker.h"
 #include "qom/object.h"
 #include "monitor/monitor.h"
+#include "monitor/hmp.h"
 #include "monitor/hmp-target.h"
 #include "qapi/qapi-commands-misc-i386.h"
 #include "confidential-guest.h"
diff --git a/target/m68k/monitor.c b/target/m68k/monitor.c
index 161f41853ec..6d101c75df0 100644
--- a/target/m68k/monitor.c
+++ b/target/m68k/monitor.c
@@ -7,6 +7,7 @@
 
 #include "qemu/osdep.h"
 #include "cpu.h"
+#include "monitor/hmp.h"
 #include "monitor/hmp-target.h"
 #include "monitor/monitor.h"
 
diff --git a/target/riscv/monitor.c b/target/riscv/monitor.c
index 8a77476db93..478fd392ac6 100644
--- a/target/riscv/monitor.c
+++ b/target/riscv/monitor.c
@@ -22,6 +22,7 @@
 #include "cpu.h"
 #include "cpu_bits.h"
 #include "monitor/monitor.h"
+#include "monitor/hmp.h"
 #include "monitor/hmp-target.h"
 #include "system/memory.h"
 
-- 
2.52.0

[PULL 15/16] monitor: Add hmp_cmds_for_target() helper

[Philippe Mathieu-Daudé]

HMPCommand arrays are filled with target-specific
commands, so defined in a target-specific unit.
Introduce the hmp_cmds_for_target() to allow
target-agnostic code to access the arrays.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Dr. David Alan Gilbert <dave@treblig.org>
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Message-Id: <20260129164039.58472-4-philmd@linaro.org>
---
 monitor/monitor-internal.h |  9 +++++++--
 monitor/hmp-target.c       | 13 ++++++++-----
 monitor/hmp.c              |  8 +++++---
 3 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/monitor/monitor-internal.h b/monitor/monitor-internal.h
index 7735c731083..feca111ae31 100644
--- a/monitor/monitor-internal.h
+++ b/monitor/monitor-internal.h
@@ -169,8 +169,6 @@ extern QmpCommandList qmp_commands, qmp_cap_negotiation_commands;
 extern QemuMutex monitor_lock;
 extern MonitorList mon_list;
 
-extern HMPCommand hmp_cmds[];
-
 void monitor_data_init(Monitor *mon, bool is_qmp, bool skip_flush,
                        bool use_io_thread);
 void monitor_data_destroy(Monitor *mon);
@@ -187,4 +185,11 @@ int get_monitor_def(Monitor *mon, int64_t *pval, const char *name);
 void handle_hmp_command(MonitorHMP *mon, const char *cmdline);
 int hmp_compare_cmd(const char *name, const char *list);
 
+/*
+ * hmp_cmds_for_target: Return array of HMPCommand entries
+ *
+ * If @info_command is true, return the particular 'info foo' commands array.
+ */
+HMPCommand *hmp_cmds_for_target(bool info_command);
+
 #endif
diff --git a/monitor/hmp-target.c b/monitor/hmp-target.c
index 37dfd7fd4c6..59c60d13b52 100644
--- a/monitor/hmp-target.c
+++ b/monitor/hmp-target.c
@@ -44,8 +44,6 @@
 /* Make devices configuration available for use in hmp-commands*.hx templates */
 #include CONFIG_DEVICES
 
-static HMPCommand hmp_info_cmds[];
-
 /**
  * Is @name in the '|' separated list of names @list?
  */
@@ -76,11 +74,16 @@ static HMPCommand hmp_info_cmds[] = {
 };
 
 /* hmp_cmds and hmp_info_cmds would be sorted at runtime */
-HMPCommand hmp_cmds[] = {
+static HMPCommand hmp_cmds[] = {
 #include "hmp-commands.h"
     { NULL, NULL, },
 };
 
+HMPCommand *hmp_cmds_for_target(bool info_command)
+{
+    return info_command ? hmp_info_cmds : hmp_cmds;
+}
+
 /*
  * Set @pval to the value in the register identified by @name.
  * return 0 if OK, -1 if not found
@@ -148,7 +151,7 @@ static void __attribute__((__constructor__)) sortcmdlist(void)
 void monitor_register_hmp(const char *name, bool info,
                           void (*cmd)(Monitor *mon, const QDict *qdict))
 {
-    HMPCommand *table = info ? hmp_info_cmds : hmp_cmds;
+    HMPCommand *table = hmp_cmds_for_target(info);
 
     while (table->name != NULL) {
         if (strcmp(table->name, name) == 0) {
@@ -164,7 +167,7 @@ void monitor_register_hmp(const char *name, bool info,
 void monitor_register_hmp_info_hrt(const char *name,
                                    HumanReadableText *(*handler)(Error **errp))
 {
-    HMPCommand *table = hmp_info_cmds;
+    HMPCommand *table = hmp_cmds_for_target(true);
 
     while (table->name != NULL) {
         if (strcmp(table->name, name) == 0) {
diff --git a/monitor/hmp.c b/monitor/hmp.c
index 4caafbc7146..17e5756986f 100644
--- a/monitor/hmp.c
+++ b/monitor/hmp.c
@@ -301,7 +301,7 @@ void hmp_help_cmd(Monitor *mon, const char *name)
     }
 
     /* 2. dump the contents according to parsed args */
-    help_cmd_dump(mon, hmp_cmds, args, nb_args, 0);
+    help_cmd_dump(mon, hmp_cmds_for_target(false), args, nb_args, 0);
 
     free_cmdline_args(args, nb_args);
 }
@@ -1131,7 +1131,8 @@ void handle_hmp_command(MonitorHMP *mon, const char *cmdline)
 
     trace_handle_hmp_command(mon, cmdline);
 
-    cmd = monitor_parse_command(mon, cmdline, &cmdline, hmp_cmds);
+    cmd = monitor_parse_command(mon, cmdline, &cmdline,
+                                hmp_cmds_for_target(false));
     if (!cmd) {
         return;
     }
@@ -1375,7 +1376,8 @@ static void monitor_find_completion(void *opaque,
     }
 
     /* 2. auto complete according to args */
-    monitor_find_completion_by_table(mon, hmp_cmds, args, nb_args);
+    monitor_find_completion_by_table(mon, hmp_cmds_for_target(false),
+                                     args, nb_args);
 
 cleanup:
     free_cmdline_args(args, nb_args);
-- 
2.52.0

[PULL 16/16] monitor: Reduce target-specific methods

[Philippe Mathieu-Daudé]

The following methods don't use target-specific code anymore:
- hmp_compare_cmd()
- monitor_register_hmp()
- monitor_register_hmp_info_hrt()
Move them to hmp.c which is target-agnostic, being built once.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Dr. David Alan Gilbert <dave@treblig.org>
Message-Id: <20260129164039.58472-5-philmd@linaro.org>
---
 monitor/hmp-target.c | 57 --------------------------------------------
 monitor/hmp.c        | 55 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 57 deletions(-)

diff --git a/monitor/hmp-target.c b/monitor/hmp-target.c
index 59c60d13b52..420969bd6eb 100644
--- a/monitor/hmp-target.c
+++ b/monitor/hmp-target.c
@@ -33,8 +33,6 @@
 #include "qapi/qapi-commands-control.h"
 #include "qapi/qapi-commands-misc.h"
 #include "qapi/qapi-commands-machine.h"
-#include "qapi/error.h"
-#include "qemu/cutils.h"
 
 #if defined(TARGET_S390X)
 #include "hw/s390x/storage-keys.h"
@@ -44,29 +42,6 @@
 /* Make devices configuration available for use in hmp-commands*.hx templates */
 #include CONFIG_DEVICES
 
-/**
- * Is @name in the '|' separated list of names @list?
- */
-int hmp_compare_cmd(const char *name, const char *list)
-{
-    const char *p, *pstart;
-    int len;
-    len = strlen(name);
-    p = list;
-    for (;;) {
-        pstart = p;
-        p = qemu_strchrnul(p, '|');
-        if ((p - pstart) == len && !memcmp(pstart, name, len)) {
-            return 1;
-        }
-        if (*p == '\0') {
-            break;
-        }
-        p++;
-    }
-    return 0;
-}
-
 /* Please update hmp-commands.hx when adding or changing commands */
 static HMPCommand hmp_info_cmds[] = {
 #include "hmp-commands-info.h"
@@ -147,35 +122,3 @@ static void __attribute__((__constructor__)) sortcmdlist(void)
           sizeof(*hmp_info_cmds),
           compare_mon_cmd);
 }
-
-void monitor_register_hmp(const char *name, bool info,
-                          void (*cmd)(Monitor *mon, const QDict *qdict))
-{
-    HMPCommand *table = hmp_cmds_for_target(info);
-
-    while (table->name != NULL) {
-        if (strcmp(table->name, name) == 0) {
-            g_assert(table->cmd == NULL && table->cmd_info_hrt == NULL);
-            table->cmd = cmd;
-            return;
-        }
-        table++;
-    }
-    g_assert_not_reached();
-}
-
-void monitor_register_hmp_info_hrt(const char *name,
-                                   HumanReadableText *(*handler)(Error **errp))
-{
-    HMPCommand *table = hmp_cmds_for_target(true);
-
-    while (table->name != NULL) {
-        if (strcmp(table->name, name) == 0) {
-            g_assert(table->cmd == NULL && table->cmd_info_hrt == NULL);
-            table->cmd_info_hrt = handler;
-            return;
-        }
-        table++;
-    }
-    g_assert_not_reached();
-}
diff --git a/monitor/hmp.c b/monitor/hmp.c
index 17e5756986f..0a5bbf82197 100644
--- a/monitor/hmp.c
+++ b/monitor/hmp.c
@@ -1497,3 +1497,58 @@ void monitor_init_hmp(Chardev *chr, bool use_readline, Error **errp)
                              monitor_event, NULL, &mon->common, NULL, true);
     monitor_list_append(&mon->common);
 }
+
+/**
+ * Is @name in the '|' separated list of names @list?
+ */
+int hmp_compare_cmd(const char *name, const char *list)
+{
+    const char *p, *pstart;
+    int len;
+    len = strlen(name);
+    p = list;
+    for (;;) {
+        pstart = p;
+        p = qemu_strchrnul(p, '|');
+        if ((p - pstart) == len && !memcmp(pstart, name, len)) {
+            return 1;
+        }
+        if (*p == '\0') {
+            break;
+        }
+        p++;
+    }
+    return 0;
+}
+
+void monitor_register_hmp(const char *name, bool info,
+                          void (*cmd)(Monitor *mon, const QDict *qdict))
+{
+    HMPCommand *table = hmp_cmds_for_target(info);
+
+    while (table->name != NULL) {
+        if (strcmp(table->name, name) == 0) {
+            g_assert(table->cmd == NULL && table->cmd_info_hrt == NULL);
+            table->cmd = cmd;
+            return;
+        }
+        table++;
+    }
+    g_assert_not_reached();
+}
+
+void monitor_register_hmp_info_hrt(const char *name,
+                                   HumanReadableText *(*handler)(Error **errp))
+{
+    HMPCommand *table = hmp_cmds_for_target(true);
+
+    while (table->name != NULL) {
+        if (strcmp(table->name, name) == 0) {
+            g_assert(table->cmd == NULL && table->cmd_info_hrt == NULL);
+            table->cmd_info_hrt = handler;
+            return;
+        }
+        table++;
+    }
+    g_assert_not_reached();
+}
-- 
2.52.0

Re: [PULL 00/16] Misc HW & Memory API patches for 2026-02-02

[BALATON Zoltan]

[-- Attachment #1: Type: text/plain, Size: 4543 bytes --]

On Mon, 2 Feb 2026, Philippe Mathieu-Daudé wrote:
> The following changes since commit 587f4a1805c83a4e1d59dd43cb14e0a834843d1d:
>
>  python: fix msys64 wheel directory specification (2026-02-02 16:46:40 +1000)
>
> are available in the Git repository at:
>
>  https://github.com/philmd/qemu.git tags/hw-misc-20260202
>
> for you to fetch changes up to d8316b64dfbb4fdb706f20c3b42fd9bcf70b0cdc:
>
>  monitor: Reduce target-specific methods (2026-02-02 22:14:51 +0100)
>
> Ignoring this checkpatch.pl error:
>
>  ERROR: unnecessary whitespace before a quoted newline
>  #85: FILE: tests/unit/test-cutils.c:3685:
>  +            "s is \n";
>
> ----------------------------------------------------------------
> Misc HW & memory API patches
>
> - Add unit test for qemu_hexdump()
> - Remove legacy native endianness API uses on the Alpha target
> - Remove unused memory_region_init_rom_device_nomigrate()
> - Fix use-after-free in NvmeNamespace "bootindex" suffix
> - Correct documentation of SCSI Rotation Rate field
> - Make iotlb_to_section() work with non-CPU AddressSpaces
> - Reduce few monitor target-specific methods
> ----------------------------------------------------------------
>
> Akihiko Odaki (1):
>  hw/nvme: Fix bootindex suffix use-after-free
>
> Alberto Garcia (1):
>  hw/ide, scsi-disk: Fix typo on the rotation_rate documentation
>
> BALATON Zoltan (2):
>  memory: Remove memory_region_init_rom_device_nomigrate()
>  memory: Add internal memory_region_set_ops helper function

Thanks. You could have also picked up (rtl8139: Remove ineffective 
parameter) and meanwhile Mark gave R-b to (hw/display/{cg3,tcx}: Do not 
use memory_region_init_rom_nomigrate()) so that could also be merged.

Regards,
BALATON Zoltan

> Jim Shu (3):
>  accel/tcg: Send the CPUTLBEntryFull struct into io_prepare()
>  accel/tcg: Fix iotlb_to_section() for different AddressSpace
>  system/physmem: Remove the assertion of page-aligned section number
>
> Philippe Mathieu-Daudé (8):
>  target/alpha: Use explicit little-endian LD/ST API
>  target/alpha: Inline translator_ldl()
>  configs/targets: Forbid Alpha to use legacy native endianness APIs
>  target/alpha: Replace legacy ld_phys() -> address_space_ld()
>  target/i386: Include missing 'svm.h' header in 'sev.h'
>  monitor: Reduce target-specific declarations
>  monitor: Add hmp_cmds_for_target() helper
>  monitor: Reduce target-specific methods
>
> Vladimir Sementsov-Ogievskiy (1):
>  tests/unit: add unit test for qemu_hexdump()
>
> docs/devel/memory.rst                         |  1 -
> configs/targets/alpha-linux-user.mak          |  2 +
> configs/targets/alpha-softmmu.mak             |  2 +
> .../memory-region-housekeeping.cocci          |  8 ---
> hw/nvme/nvme.h                                |  1 +
> include/accel/tcg/iommu.h                     | 15 -----
> include/exec/cputlb.h                         |  4 +-
> include/hw/core/cpu.h                         | 17 ++---
> include/hw/ide/ide-dev.h                      |  2 +-
> include/hw/misc/mos6522.h                     |  2 -
> include/monitor/hmp-target.h                  | 14 ----
> include/monitor/hmp.h                         | 13 ++++
> include/system/memory.h                       | 27 --------
> monitor/monitor-internal.h                    |  9 ++-
> target/i386/sev.h                             |  2 +
> accel/tcg/cputlb.c                            | 32 +++++----
> hw/i386/sgx-stub.c                            |  1 +
> hw/i386/sgx.c                                 |  1 +
> hw/nvme/ns.c                                  |  7 +-
> hw/scsi/scsi-disk.c                           |  2 +-
> monitor/hmp-cmds.c                            |  1 +
> monitor/hmp-target.c                          | 66 ++-----------------
> monitor/hmp.c                                 | 63 +++++++++++++++++-
> system/memory.c                               | 56 +++++++---------
> system/physmem.c                              | 31 ---------
> target/alpha/helper.c                         | 28 ++++----
> target/alpha/translate.c                      |  2 +-
> target/i386/cpu-apic.c                        |  1 +
> target/i386/sev-system-stub.c                 |  1 +
> target/i386/sev.c                             |  1 +
> target/m68k/monitor.c                         |  1 +
> target/riscv/monitor.c                        |  1 +
> tests/unit/test-cutils.c                      | 66 +++++++++++++++++++
> util/meson.build                              |  2 +-
> 34 files changed, 239 insertions(+), 243 deletions(-)
>
>

Re: [PULL 00/16] Misc HW & Memory API patches for 2026-02-02

[Richard Henderson]

On 2/3/26 07:20, Philippe Mathieu-Daudé wrote:
> The following changes since commit 587f4a1805c83a4e1d59dd43cb14e0a834843d1d:
> 
>    python: fix msys64 wheel directory specification (2026-02-02 16:46:40 +1000)
> 
> are available in the Git repository at:
> 
>    https://github.com/philmd/qemu.git tags/hw-misc-20260202
> 
> for you to fetch changes up to d8316b64dfbb4fdb706f20c3b42fd9bcf70b0cdc:
> 
>    monitor: Reduce target-specific methods (2026-02-02 22:14:51 +0100)
> 
> Ignoring this checkpatch.pl error:
> 
>    ERROR: unnecessary whitespace before a quoted newline
>    #85: FILE: tests/unit/test-cutils.c:3685:
>    +            "s is \n";
> 
> ----------------------------------------------------------------
> Misc HW & memory API patches
> 
> - Add unit test for qemu_hexdump()
> - Remove legacy native endianness API uses on the Alpha target
> - Remove unused memory_region_init_rom_device_nomigrate()
> - Fix use-after-free in NvmeNamespace "bootindex" suffix
> - Correct documentation of SCSI Rotation Rate field
> - Make iotlb_to_section() work with non-CPU AddressSpaces
> - Reduce few monitor target-specific methods

Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/11.0 as appropriate.

r~

Re: [PULL 02/16] target/alpha: Use explicit little-endian LD/ST API

[Dr. David Alan Gilbert]

* Philippe Mathieu-Daudé (philmd@linaro.org) wrote:
> The Alpha architecture uses little endianness. Directly

Wasn't there one, odd case of the T3E running it big-endian?
(I have no idea how that worked in practice).

Dave

> use the little-endian LD/ST API.
> 
> Mechanical change running:
> 
>   $ for a in uw w l q; do \
>       sed -i -e "s/ld${a}_p(/ld${a}_le_p(/" \
>         $(git grep -wlE '(ld|st)u?[wlq]_p' target/alpha/);
>     done
> 
> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
> Message-Id: <20251224160040.88612-2-philmd@linaro.org>
> ---
>  target/alpha/helper.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/target/alpha/helper.c b/target/alpha/helper.c
> index a9af52a928f..80542cb0665 100644
> --- a/target/alpha/helper.c
> +++ b/target/alpha/helper.c
> @@ -214,17 +214,18 @@ static int get_physical_address(CPUAlphaState *env, target_ulong addr,
>  
>      pt = env->ptbr;
>  
> -    /* TODO: rather than using ldq_phys() to read the page table we should
> +    /*
> +     * TODO: rather than using ldq_phys_le() to read the page table we should
>       * use address_space_ldq() so that we can handle the case when
>       * the page table read gives a bus fault, rather than ignoring it.
> -     * For the existing code the zero data that ldq_phys will return for
> +     * For the existing code the zero data that ldq_phys_le will return for
>       * an access to invalid memory will result in our treating the page
>       * table as invalid, which may even be the right behaviour.
>       */
>  
>      /* L1 page table read.  */
>      index = (addr >> (TARGET_PAGE_BITS + 20)) & 0x3ff;
> -    L1pte = ldq_phys(cs->as, pt + index*8);
> +    L1pte = ldq_phys_le(cs->as, pt + index * 8);
>  
>      if (unlikely((L1pte & PTE_VALID) == 0)) {
>          ret = MM_K_TNV;
> @@ -237,7 +238,7 @@ static int get_physical_address(CPUAlphaState *env, target_ulong addr,
>  
>      /* L2 page table read.  */
>      index = (addr >> (TARGET_PAGE_BITS + 10)) & 0x3ff;
> -    L2pte = ldq_phys(cs->as, pt + index*8);
> +    L2pte = ldq_phys_le(cs->as, pt + index * 8);
>  
>      if (unlikely((L2pte & PTE_VALID) == 0)) {
>          ret = MM_K_TNV;
> @@ -250,7 +251,7 @@ static int get_physical_address(CPUAlphaState *env, target_ulong addr,
>  
>      /* L3 page table read.  */
>      index = (addr >> TARGET_PAGE_BITS) & 0x3ff;
> -    L3pte = ldq_phys(cs->as, pt + index*8);
> +    L3pte = ldq_phys_le(cs->as, pt + index * 8);
>  
>      phys = L3pte >> 32 << TARGET_PAGE_BITS;
>      if (unlikely((L3pte & PTE_VALID) == 0)) {
> -- 
> 2.52.0
> 
> 
-- 
 -----Open up your eyes, open up your mind, open up your code -------   
/ Dr. David Alan Gilbert    |       Running GNU/Linux       | Happy  \ 
\        dave @ treblig.org |                               | In Hex /
 \ _________________________|_____ http://www.treblig.org   |_______/

Re: [PULL 02/16] target/alpha: Use explicit little-endian LD/ST API

[Philippe Mathieu-Daudé]

On 1/3/26 15:51, Dr. David Alan Gilbert wrote:
> * Philippe Mathieu-Daudé (philmd@linaro.org) wrote:
>> The Alpha architecture uses little endianness. Directly
> 
> Wasn't there one, odd case of the T3E running it big-endian?
> (I have no idea how that worked in practice).

Richard said it was not necessary to mention it in the code:
https://lore.kernel.org/qemu-devel/20260106155755.53646-7-philmd@linaro.org/
https://lore.kernel.org/qemu-devel/75b13774-93f3-45db-bc1a-5b8687fcb3b9@linaro.org/

I could have mentioned it here in the commit description
for clarity but didn't think about it...

> 
> Dave
> 
>> use the little-endian LD/ST API.
>>
>> Mechanical change running:
>>
>>    $ for a in uw w l q; do \
>>        sed -i -e "s/ld${a}_p(/ld${a}_le_p(/" \
>>          $(git grep -wlE '(ld|st)u?[wlq]_p' target/alpha/);
>>      done
>>
>> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
>> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
>> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
>> Message-Id: <20251224160040.88612-2-philmd@linaro.org>
>> ---
>>   target/alpha/helper.c | 11 ++++++-----
>>   1 file changed, 6 insertions(+), 5 deletions(-)
>>
>> diff --git a/target/alpha/helper.c b/target/alpha/helper.c
>> index a9af52a928f..80542cb0665 100644
>> --- a/target/alpha/helper.c
>> +++ b/target/alpha/helper.c
>> @@ -214,17 +214,18 @@ static int get_physical_address(CPUAlphaState *env, target_ulong addr,
>>   
>>       pt = env->ptbr;
>>   
>> -    /* TODO: rather than using ldq_phys() to read the page table we should
>> +    /*
>> +     * TODO: rather than using ldq_phys_le() to read the page table we should
>>        * use address_space_ldq() so that we can handle the case when
>>        * the page table read gives a bus fault, rather than ignoring it.
>> -     * For the existing code the zero data that ldq_phys will return for
>> +     * For the existing code the zero data that ldq_phys_le will return for
>>        * an access to invalid memory will result in our treating the page
>>        * table as invalid, which may even be the right behaviour.
>>        */
>>   
>>       /* L1 page table read.  */
>>       index = (addr >> (TARGET_PAGE_BITS + 20)) & 0x3ff;
>> -    L1pte = ldq_phys(cs->as, pt + index*8);
>> +    L1pte = ldq_phys_le(cs->as, pt + index * 8);
>>   
>>       if (unlikely((L1pte & PTE_VALID) == 0)) {
>>           ret = MM_K_TNV;
>> @@ -237,7 +238,7 @@ static int get_physical_address(CPUAlphaState *env, target_ulong addr,
>>   
>>       /* L2 page table read.  */
>>       index = (addr >> (TARGET_PAGE_BITS + 10)) & 0x3ff;
>> -    L2pte = ldq_phys(cs->as, pt + index*8);
>> +    L2pte = ldq_phys_le(cs->as, pt + index * 8);
>>   
>>       if (unlikely((L2pte & PTE_VALID) == 0)) {
>>           ret = MM_K_TNV;
>> @@ -250,7 +251,7 @@ static int get_physical_address(CPUAlphaState *env, target_ulong addr,
>>   
>>       /* L3 page table read.  */
>>       index = (addr >> TARGET_PAGE_BITS) & 0x3ff;
>> -    L3pte = ldq_phys(cs->as, pt + index*8);
>> +    L3pte = ldq_phys_le(cs->as, pt + index * 8);
>>   
>>       phys = L3pte >> 32 << TARGET_PAGE_BITS;
>>       if (unlikely((L3pte & PTE_VALID) == 0)) {
>> -- 
>> 2.52.0
>>
>>

Re: [PULL 02/16] target/alpha: Use explicit little-endian LD/ST API

[Dr. David Alan Gilbert]

* Philippe Mathieu-Daudé (philmd@linaro.org) wrote:
> On 1/3/26 15:51, Dr. David Alan Gilbert wrote:
> > * Philippe Mathieu-Daudé (philmd@linaro.org) wrote:
> > > The Alpha architecture uses little endianness. Directly
> > 
> > Wasn't there one, odd case of the T3E running it big-endian?
> > (I have no idea how that worked in practice).
> 
> Richard said it was not necessary to mention it in the code:
> https://lore.kernel.org/qemu-devel/20260106155755.53646-7-philmd@linaro.org/
> https://lore.kernel.org/qemu-devel/75b13774-93f3-45db-bc1a-5b8687fcb3b9@linaro.org/
> 
> I could have mentioned it here in the commit description
> for clarity but didn't think about it...

Ah right, didn't spot that review.

Thanks for the reply,

Dave

> > 
> > Dave
> > 
> > > use the little-endian LD/ST API.
> > > 
> > > Mechanical change running:
> > > 
> > >    $ for a in uw w l q; do \
> > >        sed -i -e "s/ld${a}_p(/ld${a}_le_p(/" \
> > >          $(git grep -wlE '(ld|st)u?[wlq]_p' target/alpha/);
> > >      done
> > > 
> > > Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> > > Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
> > > Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
> > > Message-Id: <20251224160040.88612-2-philmd@linaro.org>
> > > ---
> > >   target/alpha/helper.c | 11 ++++++-----
> > >   1 file changed, 6 insertions(+), 5 deletions(-)
> > > 
> > > diff --git a/target/alpha/helper.c b/target/alpha/helper.c
> > > index a9af52a928f..80542cb0665 100644
> > > --- a/target/alpha/helper.c
> > > +++ b/target/alpha/helper.c
> > > @@ -214,17 +214,18 @@ static int get_physical_address(CPUAlphaState *env, target_ulong addr,
> > >       pt = env->ptbr;
> > > -    /* TODO: rather than using ldq_phys() to read the page table we should
> > > +    /*
> > > +     * TODO: rather than using ldq_phys_le() to read the page table we should
> > >        * use address_space_ldq() so that we can handle the case when
> > >        * the page table read gives a bus fault, rather than ignoring it.
> > > -     * For the existing code the zero data that ldq_phys will return for
> > > +     * For the existing code the zero data that ldq_phys_le will return for
> > >        * an access to invalid memory will result in our treating the page
> > >        * table as invalid, which may even be the right behaviour.
> > >        */
> > >       /* L1 page table read.  */
> > >       index = (addr >> (TARGET_PAGE_BITS + 20)) & 0x3ff;
> > > -    L1pte = ldq_phys(cs->as, pt + index*8);
> > > +    L1pte = ldq_phys_le(cs->as, pt + index * 8);
> > >       if (unlikely((L1pte & PTE_VALID) == 0)) {
> > >           ret = MM_K_TNV;
> > > @@ -237,7 +238,7 @@ static int get_physical_address(CPUAlphaState *env, target_ulong addr,
> > >       /* L2 page table read.  */
> > >       index = (addr >> (TARGET_PAGE_BITS + 10)) & 0x3ff;
> > > -    L2pte = ldq_phys(cs->as, pt + index*8);
> > > +    L2pte = ldq_phys_le(cs->as, pt + index * 8);
> > >       if (unlikely((L2pte & PTE_VALID) == 0)) {
> > >           ret = MM_K_TNV;
> > > @@ -250,7 +251,7 @@ static int get_physical_address(CPUAlphaState *env, target_ulong addr,
> > >       /* L3 page table read.  */
> > >       index = (addr >> TARGET_PAGE_BITS) & 0x3ff;
> > > -    L3pte = ldq_phys(cs->as, pt + index*8);
> > > +    L3pte = ldq_phys_le(cs->as, pt + index * 8);
> > >       phys = L3pte >> 32 << TARGET_PAGE_BITS;
> > >       if (unlikely((L3pte & PTE_VALID) == 0)) {
> > > -- 
> > > 2.52.0
> > > 
> > > 
> 
-- 
 -----Open up your eyes, open up your mind, open up your code -------   
/ Dr. David Alan Gilbert    |       Running GNU/Linux       | Happy  \ 
\        dave @ treblig.org |                               | In Hex /
 \ _________________________|_____ http://www.treblig.org   |_______/