[PULL 0/2] loongarch-to-apply queue

[PULL 0/2] loongarch-to-apply queue

[Song Gao]

The following changes since commit efcd0ec14b0fe9ee0ee70277763b2d538d19238d:

  Merge tag 'misc-fixes-20230330' of https://github.com/philmd/qemu into staging (2023-03-30 14:22:29 +0100)

are available in the Git repository at:

  https://gitlab.com/gaosong/qemu.git tags/pull-loongarch-20230404

for you to fetch changes up to ec28dd6c6fc1366504003c25828953cac49e2da7:

  target/loongarch: Enables plugins to get instruction codes (2023-04-04 19:33:23 +0800)

----------------------------------------------------------------
pull-loongarch-20230404

----------------------------------------------------------------
Tianrui Zhao (1):
      hw/loongarch/virt: Fix virt_to_phys_addr function

tanhongze (1):
      target/loongarch: Enables plugins to get instruction codes

 hw/loongarch/virt.c          | 2 +-
 target/loongarch/translate.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Re: [PULL 0/2] loongarch-to-apply queue

[Peter Maydell]

On Tue, 4 Apr 2023 at 12:38, Song Gao <gaosong@loongson.cn> wrote:
>
> The following changes since commit efcd0ec14b0fe9ee0ee70277763b2d538d19238d:
>
>   Merge tag 'misc-fixes-20230330' of https://github.com/philmd/qemu into staging (2023-03-30 14:22:29 +0100)
>
> are available in the Git repository at:
>
>   https://gitlab.com/gaosong/qemu.git tags/pull-loongarch-20230404
>
> for you to fetch changes up to ec28dd6c6fc1366504003c25828953cac49e2da7:
>
>   target/loongarch: Enables plugins to get instruction codes (2023-04-04 19:33:23 +0800)
>
> ----------------------------------------------------------------
> pull-loongarch-20230404
>


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/8.0
for any user-visible changes.

-- PMM

[PULL 0/2] loongarch-to-apply queue

[Song Gao]

The following changes since commit a3cb6d5004ff638aefe686ecd540718a793bd1b1:

  Merge tag 'pull-tcg-20230525' of https://gitlab.com/rth7680/qemu into staging (2023-05-25 11:11:52 -0700)

are available in the Git repository at:

  https://gitlab.com/gaosong/qemu.git tags/pull-loongarch-20230526

for you to fetch changes up to 65bfaaae6ac79ebc623acc0ce28cc3bd4fe8b5e5:

  target/loongarch: Fix the vinsgr2vr/vpickve2gr instructions cause system coredump (2023-05-26 17:21:16 +0800)

----------------------------------------------------------------
pull-loongarch-20230526

----------------------------------------------------------------
Song Gao (2):
      target/loongarch: Fix LD/ST{LE/GT} instructions get wrong CSR_ERA and CSR_BADV
      target/loongarch: Fix the vinsgr2vr/vpickve2gr instructions cause system coredump

 target/loongarch/cpu.c                      |  2 +-
 target/loongarch/insn_trans/trans_lsx.c.inc | 39 +++++++++++++++++++----------
 target/loongarch/op_helper.c                |  6 +++--
 3 files changed, 31 insertions(+), 16 deletions(-)

Re: [PULL 0/2] loongarch-to-apply queue

[Richard Henderson]

On 5/26/23 02:27, Song Gao wrote:
> The following changes since commit a3cb6d5004ff638aefe686ecd540718a793bd1b1:
> 
>    Merge tag 'pull-tcg-20230525' ofhttps://gitlab.com/rth7680/qemu  into staging (2023-05-25 11:11:52 -0700)
> 
> are available in the Git repository at:
> 
>    https://gitlab.com/gaosong/qemu.git  tags/pull-loongarch-20230526
> 
> for you to fetch changes up to 65bfaaae6ac79ebc623acc0ce28cc3bd4fe8b5e5:
> 
>    target/loongarch: Fix the vinsgr2vr/vpickve2gr instructions cause system coredump (2023-05-26 17:21:16 +0800)
> 
> ----------------------------------------------------------------
> pull-loongarch-20230526

Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/8.1 as appropriate.


r~

[PULL 0/2] loongarch-to-apply queue

[Song Gao]

The following changes since commit 2f3913f4b2ad74baeb5a6f1d36efbd9ecdf1057d:

  Merge tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu into staging (2023-10-05 09:01:01 -0400)

are available in the Git repository at:

  https://gitlab.com/gaosong/qemu.git tags/pull-loongarch-20231008

for you to fetch changes up to e1fc0cf1fb65c5f049bef4661d0e3278e51e2560:

  target/loongarch: Add preldx instruction (2023-10-08 15:02:15 +0800)

----------------------------------------------------------------
pull-loongarch-20231008

----------------------------------------------------------------
Jiajie Chen (1):
      target/loongarch: fix ASXE flag conflict

Song Gao (1):
      target/loongarch: Add preldx instruction

 target/loongarch/cpu.h                         | 4 ++--
 target/loongarch/disas.c                       | 7 +++++++
 target/loongarch/insn_trans/trans_memory.c.inc | 5 +++++
 target/loongarch/insns.decode                  | 3 +++
 4 files changed, 17 insertions(+), 2 deletions(-)

[PULL 0/2] loongarch-to-apply queue

[Song Gao]

The following changes since commit 191710c221f65b1542f6ea7fa4d30dde6e134fd7:

  Merge tag 'pull-request-2023-12-20' of https://gitlab.com/thuth/qemu into staging (2023-12-20 09:40:16 -0500)

are available in the Git repository at:

  https://gitlab.com/gaosong/qemu.git tags/pull-loongarch-20231221

for you to fetch changes up to be45144bee708d3b84c3c474a4d4aeb7e5c4733a:

  target/loongarch: Add timer information dump support (2023-12-21 16:07:47 +0800)

----------------------------------------------------------------
pull-loongarch-20231221

----------------------------------------------------------------
Bibo Mao (2):
      hw/loongarch/virt: Align high memory base address with super page size
      target/loongarch: Add timer information dump support

 include/hw/loongarch/virt.h | 2 +-
 target/loongarch/cpu.c      | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

Re: [PULL 0/2] loongarch-to-apply queue

[Stefan Hajnoczi]

[-- Attachment #1: Type: text/plain, Size: 115 bytes --]

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/9.0 for any user-visible changes.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

[PULL 0/2] loongarch-to-apply queue

[Song Gao]

The following changes since commit d328fef93ae757a0dd65ed786a4086e27952eef3:

  Merge tag 'pull-20231230' of https://gitlab.com/rth7680/qemu into staging (2024-01-04 10:23:34 +0000)

are available in the Git repository at:

  https://gitlab.com/gaosong/qemu.git tags/pull-loongarch-20240105

for you to fetch changes up to 0cd8b379081fa71c23836052feb65da4685f8ec7:

  target/loongarch: move translate modules to tcg/ (2024-01-05 09:31:05 +0800)

----------------------------------------------------------------
pull-loongarch-20240105

----------------------------------------------------------------
Song Gao (2):
      target/loongarch/meson: move gdbstub.c to loongarch.ss
      target/loongarch: move translate modules to tcg/

 target/loongarch/meson.build                          | 15 +--------------
 target/loongarch/{ => tcg}/constant_timer.c           |  0
 target/loongarch/{ => tcg}/csr_helper.c               |  0
 target/loongarch/{ => tcg}/fpu_helper.c               |  0
 .../loongarch/{ => tcg}/insn_trans/trans_arith.c.inc  |  0
 .../loongarch/{ => tcg}/insn_trans/trans_atomic.c.inc |  0
 target/loongarch/{ => tcg}/insn_trans/trans_bit.c.inc |  0
 .../loongarch/{ => tcg}/insn_trans/trans_branch.c.inc |  0
 .../loongarch/{ => tcg}/insn_trans/trans_extra.c.inc  |  0
 .../loongarch/{ => tcg}/insn_trans/trans_farith.c.inc |  0
 .../loongarch/{ => tcg}/insn_trans/trans_fcmp.c.inc   |  0
 .../loongarch/{ => tcg}/insn_trans/trans_fcnv.c.inc   |  0
 .../{ => tcg}/insn_trans/trans_fmemory.c.inc          |  0
 .../loongarch/{ => tcg}/insn_trans/trans_fmov.c.inc   |  0
 .../loongarch/{ => tcg}/insn_trans/trans_memory.c.inc |  0
 .../{ => tcg}/insn_trans/trans_privileged.c.inc       |  0
 .../loongarch/{ => tcg}/insn_trans/trans_shift.c.inc  |  0
 target/loongarch/{ => tcg}/insn_trans/trans_vec.c.inc |  0
 target/loongarch/{ => tcg}/iocsr_helper.c             |  0
 target/loongarch/tcg/meson.build                      | 19 +++++++++++++++++++
 target/loongarch/{ => tcg}/op_helper.c                |  0
 target/loongarch/{ => tcg}/tlb_helper.c               |  0
 target/loongarch/{ => tcg}/translate.c                |  0
 target/loongarch/{ => tcg}/vec_helper.c               |  0
 24 files changed, 20 insertions(+), 14 deletions(-)
 rename target/loongarch/{ => tcg}/constant_timer.c (100%)
 rename target/loongarch/{ => tcg}/csr_helper.c (100%)
 rename target/loongarch/{ => tcg}/fpu_helper.c (100%)
 rename target/loongarch/{ => tcg}/insn_trans/trans_arith.c.inc (100%)
 rename target/loongarch/{ => tcg}/insn_trans/trans_atomic.c.inc (100%)
 rename target/loongarch/{ => tcg}/insn_trans/trans_bit.c.inc (100%)
 rename target/loongarch/{ => tcg}/insn_trans/trans_branch.c.inc (100%)
 rename target/loongarch/{ => tcg}/insn_trans/trans_extra.c.inc (100%)
 rename target/loongarch/{ => tcg}/insn_trans/trans_farith.c.inc (100%)
 rename target/loongarch/{ => tcg}/insn_trans/trans_fcmp.c.inc (100%)
 rename target/loongarch/{ => tcg}/insn_trans/trans_fcnv.c.inc (100%)
 rename target/loongarch/{ => tcg}/insn_trans/trans_fmemory.c.inc (100%)
 rename target/loongarch/{ => tcg}/insn_trans/trans_fmov.c.inc (100%)
 rename target/loongarch/{ => tcg}/insn_trans/trans_memory.c.inc (100%)
 rename target/loongarch/{ => tcg}/insn_trans/trans_privileged.c.inc (100%)
 rename target/loongarch/{ => tcg}/insn_trans/trans_shift.c.inc (100%)
 rename target/loongarch/{ => tcg}/insn_trans/trans_vec.c.inc (100%)
 rename target/loongarch/{ => tcg}/iocsr_helper.c (100%)
 create mode 100644 target/loongarch/tcg/meson.build
 rename target/loongarch/{ => tcg}/op_helper.c (100%)
 rename target/loongarch/{ => tcg}/tlb_helper.c (100%)
 rename target/loongarch/{ => tcg}/translate.c (100%)
 rename target/loongarch/{ => tcg}/vec_helper.c (100%)

Re: [PULL 0/2] loongarch-to-apply queue

[Peter Maydell]

On Fri, 5 Jan 2024 at 01:30, Song Gao <gaosong@loongson.cn> wrote:
>
> The following changes since commit d328fef93ae757a0dd65ed786a4086e27952eef3:
>
>   Merge tag 'pull-20231230' of https://gitlab.com/rth7680/qemu into staging (2024-01-04 10:23:34 +0000)
>
> are available in the Git repository at:
>
>   https://gitlab.com/gaosong/qemu.git tags/pull-loongarch-20240105
>
> for you to fetch changes up to 0cd8b379081fa71c23836052feb65da4685f8ec7:
>
>   target/loongarch: move translate modules to tcg/ (2024-01-05 09:31:05 +0800)
>
> ----------------------------------------------------------------
> pull-loongarch-20240105
>
> ----------------------------------------------------------------
> Song Gao (2):
>       target/loongarch/meson: move gdbstub.c to loongarch.ss
>       target/loongarch: move translate modules to tcg/

Hi; this fails to build, with

../target/loongarch/tcg/meson.build:1:3: ERROR: Unknown variable "config_all".

(eg https://gitlab.com/qemu-project/qemu/-/jobs/5868662017)

I think your pullreq has unfortunately got a conflict with the
meson cleanup patches that I just applied from Paolo.

Could you have a look at this and respin the pullreq, please?

thanks
-- PMM

Re: [PULL 0/2] loongarch-to-apply queue

[gaosong]

在 2024/1/5 下午9:34, Peter Maydell 写道:
> On Fri, 5 Jan 2024 at 01:30, Song Gao <gaosong@loongson.cn> wrote:
>> The following changes since commit d328fef93ae757a0dd65ed786a4086e27952eef3:
>>
>>    Merge tag 'pull-20231230' of https://gitlab.com/rth7680/qemu into staging (2024-01-04 10:23:34 +0000)
>>
>> are available in the Git repository at:
>>
>>    https://gitlab.com/gaosong/qemu.git tags/pull-loongarch-20240105
>>
>> for you to fetch changes up to 0cd8b379081fa71c23836052feb65da4685f8ec7:
>>
>>    target/loongarch: move translate modules to tcg/ (2024-01-05 09:31:05 +0800)
>>
>> ----------------------------------------------------------------
>> pull-loongarch-20240105
>>
>> ----------------------------------------------------------------
>> Song Gao (2):
>>        target/loongarch/meson: move gdbstub.c to loongarch.ss
>>        target/loongarch: move translate modules to tcg/
> Hi; this fails to build, with
>
> ../target/loongarch/tcg/meson.build:1:3: ERROR: Unknown variable "config_all".
>
> (eg https://gitlab.com/qemu-project/qemu/-/jobs/5868662017)
>
> I think your pullreq has unfortunately got a conflict with the
> meson cleanup patches that I just applied from Paolo.
>
> Could you have a look at this and respin the pullreq, please?
Sure, I will.

Thanks.
Song Gao.

[PULL 0/2] loongarch-to-apply queue

[Song Gao]

The following changes since commit 4a4efae44f19528589204581e9e2fab69c5d39aa:

  Merge tag 'pull-hex-20240121' of https://github.com/quic/qemu into staging (2024-01-23 13:40:45 +0000)

are available in the Git repository at:

  https://gitlab.com/gaosong/qemu.git tags/pull-loongarch-20240125

for you to fetch changes up to fc70099621fe7002d30fc1509456d1ae57264aa6:

  target/loongarch/kvm: Enable LSX/LASX extension (2024-01-25 15:25:31 +0800)

----------------------------------------------------------------
pull-loongarch-20240125

----------------------------------------------------------------
Bibo Mao (1):
      target/loongarch: Set cpuid CSR register only once with kvm mode

Song Gao (1):
      target/loongarch/kvm: Enable LSX/LASX extension

 linux-headers/asm-loongarch/kvm.h |  1 +
 target/loongarch/kvm/kvm.c        | 54 +++++++++++++++++++++++++++++++--------
 2 files changed, 45 insertions(+), 10 deletions(-)

[PULL 0/2] loongarch-to-apply queue

[Song Gao]

The following changes since commit 4a4efae44f19528589204581e9e2fab69c5d39aa:

  Merge tag 'pull-hex-20240121' of https://github.com/quic/qemu into staging (2024-01-23 13:40:45 +0000)

are available in the Git repository at:

  https://gitlab.com/gaosong/qemu.git tags/pull-loongarch-20240125

for you to fetch changes up to fc70099621fe7002d30fc1509456d1ae57264aa6:

  target/loongarch/kvm: Enable LSX/LASX extension (2024-01-25 15:25:31 +0800)

----------------------------------------------------------------
pull-loongarch-20240125

----------------------------------------------------------------
Bibo Mao (1):
      target/loongarch: Set cpuid CSR register only once with kvm mode

Song Gao (1):
      target/loongarch/kvm: Enable LSX/LASX extension

 linux-headers/asm-loongarch/kvm.h |  1 +
 target/loongarch/kvm/kvm.c        | 54 +++++++++++++++++++++++++++++++--------
 2 files changed, 45 insertions(+), 10 deletions(-)

[PULL 0/2] loongarch-to-apply queue

[Song Gao]

The following changes since commit 4a4efae44f19528589204581e9e2fab69c5d39aa:

  Merge tag 'pull-hex-20240121' of https://github.com/quic/qemu into staging (2024-01-23 13:40:45 +0000)

are available in the Git repository at:

  https://gitlab.com/gaosong/qemu.git tags/pull-loongarch-20240125

for you to fetch changes up to fc70099621fe7002d30fc1509456d1ae57264aa6:

  target/loongarch/kvm: Enable LSX/LASX extension (2024-01-25 15:25:31 +0800)

----------------------------------------------------------------
pull-loongarch-20240125

----------------------------------------------------------------
Bibo Mao (1):
      target/loongarch: Set cpuid CSR register only once with kvm mode

Song Gao (1):
      target/loongarch/kvm: Enable LSX/LASX extension

 linux-headers/asm-loongarch/kvm.h |  1 +
 target/loongarch/kvm/kvm.c        | 54 +++++++++++++++++++++++++++++++--------
 2 files changed, 45 insertions(+), 10 deletions(-)

Re: [PULL 0/2] loongarch-to-apply queue

[Peter Maydell]

On Thu, 25 Jan 2024 at 07:31, Song Gao <gaosong@loongson.cn> wrote:
>
> The following changes since commit 4a4efae44f19528589204581e9e2fab69c5d39aa:
>
>   Merge tag 'pull-hex-20240121' of https://github.com/quic/qemu into staging (2024-01-23 13:40:45 +0000)
>
> are available in the Git repository at:
>
>   https://gitlab.com/gaosong/qemu.git tags/pull-loongarch-20240125
>
> for you to fetch changes up to fc70099621fe7002d30fc1509456d1ae57264aa6:
>
>   target/loongarch/kvm: Enable LSX/LASX extension (2024-01-25 15:25:31 +0800)
>
> ----------------------------------------------------------------
> pull-loongarch-20240125
>
> ----------------------------------------------------------------


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/9.0
for any user-visible changes.

-- PMM

[PULL 0/2] loongarch-to-apply queue

[Song Gao]

The following changes since commit 4e06566dbd1b1251c2788af26a30bd148d4eb6c1:

  Merge tag 'pull-riscv-to-apply-20250730-2' of https://github.com/alistair23/qemu into staging (2025-07-30 09:59:30 -0400)

are available in the Git repository at:

  https://github.com/gaosong715/qemu.git tags/pull-loongarch-20250731

for you to fetch changes up to 31995cc4087123a13e9345153e0c39ffb44b9277:

  hw/intc/loongarch_ipi: Fix start fail with smp cpu < smp maxcpus on KVM (2025-07-31 16:57:01 +0800)

----------------------------------------------------------------
pull-loongarch-2025-0731-for-10.1

----------------------------------------------------------------
Bibo Mao (1):
      target/loongarch: Fix valid virtual address checking

Song Gao (1):
      hw/intc/loongarch_ipi: Fix start fail with smp cpu < smp maxcpus on KVM

 hw/intc/loongarch_ipi_kvm.c   | 27 ++++++++++++++++-----------
 target/loongarch/cpu_helper.c |  4 ++--
 2 files changed, 18 insertions(+), 13 deletions(-)

Re: [PULL 0/2] loongarch-to-apply queue

[Stefan Hajnoczi]

[-- Attachment #1: Type: text/plain, Size: 116 bytes --]

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/10.1 for any user-visible changes.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

[PULL 0/2] loongarch-to-apply queue

[Song Gao]

The following changes since commit ca18b336e12c8433177a3cd639c5bf757952adaa:

  Merge tag 'pull-lu-20250828' of https://gitlab.com/rth7680/qemu into staging (2025-08-28 09:24:36 +1000)

are available in the Git repository at:

  https://github.com/gaosong715/qemu.git tags/pull-loongarch-20250828

for you to fetch changes up to 86bca40402316891b8b9a920c2e3bf8cf37ba9a4:

  hw/intc/loongarch_pch_pic: Fix ubsan warning and endianness issue (2025-08-28 20:06:27 +0800)

----------------------------------------------------------------
pull-loongarch-20250828

----------------------------------------------------------------
Thomas Huth (1):
      hw/intc/loongarch_pch_pic: Fix ubsan warning and endianness issue

WANG Rui (1):
      target/loongarch: Guard 64-bit-only insn translation with TRANS64 macro

 hw/intc/loongarch_pch_pic.c                        | 15 ++++-----
 target/loongarch/tcg/insn_trans/trans_atomic.c.inc | 36 +++++++++++-----------
 target/loongarch/tcg/insn_trans/trans_extra.c.inc  |  8 +++--
 target/loongarch/tcg/insn_trans/trans_farith.c.inc |  8 ++---
 target/loongarch/tcg/insn_trans/trans_fcnv.c.inc   |  4 +--
 .../loongarch/tcg/insn_trans/trans_fmemory.c.inc   | 16 +++++-----
 .../tcg/insn_trans/trans_privileged.c.inc          |  4 +--
 target/loongarch/tcg/insn_trans/trans_shift.c.inc  |  4 +--
 target/loongarch/translate.h                       |  4 +++
 9 files changed, 54 insertions(+), 45 deletions(-)

Re: [PULL 0/2] loongarch-to-apply queue

[Richard Henderson]

On 8/28/25 22:02, Song Gao wrote:
> The following changes since commit ca18b336e12c8433177a3cd639c5bf757952adaa:
> 
>    Merge tag 'pull-lu-20250828' of https://gitlab.com/rth7680/qemu into staging (2025-08-28 09:24:36 +1000)
> 
> are available in the Git repository at:
> 
>    https://github.com/gaosong715/qemu.git tags/pull-loongarch-20250828
> 
> for you to fetch changes up to 86bca40402316891b8b9a920c2e3bf8cf37ba9a4:
> 
>    hw/intc/loongarch_pch_pic: Fix ubsan warning and endianness issue (2025-08-28 20:06:27 +0800)
> 
> ----------------------------------------------------------------
> pull-loongarch-20250828


Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/10.2 as appropriate.

r~

[PULL 0/2] loongarch-to-apply queue

[Song Gao]

The following changes since commit 31ee190665dd50054c39cef5ad740680aabda382:

  Merge tag 'hw-misc-20260309' of https://github.com/philmd/qemu into staging (2026-03-09 17:19:26 +0000)

are available in the Git repository at:

  https://github.com/gaosong715/qemu.git tags/pull-loongarch-20260310

for you to fetch changes up to db2325f79481fab87211e5a287580d753f582cb8:

  target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch (2026-03-10 19:50:01 +0800)

----------------------------------------------------------------
loongarch bug fix

----------------------------------------------------------------
rail5 (2):
      target/loongarch: Preserve PTE permission bits in LDPTE
      target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch

 target/loongarch/cpu.c            | 11 +++++++++++
 target/loongarch/cpu.h            |  1 +
 target/loongarch/tcg/tcg_cpu.c    |  2 +-
 target/loongarch/tcg/tlb_helper.c | 24 +++++++++++++++++++++---
 4 files changed, 34 insertions(+), 4 deletions(-)

[PULL 1/2] target/loongarch: Preserve PTE permission bits in LDPTE

[Song Gao]

From: rail5 <andrew@rail5.org>

The LDPTE helper loads a page table entry (or huge page entry) from guest
memory and currently applies the PALEN mask to the whole 64-bit value.

That mask is intended to constrain the physical address bits, but masking
the full entry also clears upper permission bits in the PTE, including NX
(bit 62). As a result, LoongArch TCG can incorrectly allow instruction
fetches from NX mappings when translation is driven through software
page-walk.

Fix this by masking only the PPN/address field with PALEN while preserving
permission bits, and by clearing any non-architectural (software) bits
using a hardware PTE mask. LDDIR is unchanged since it returns the base
address of the next page table level.

Reported at: https://gitlab.com/qemu-project/qemu/-/issues/3319

Fixes: 56599a705f2 ("target/loongarch: Introduce loongarch_palen_mask()")
Cc: qemu-stable@nongnu.org
Signed-off-by: rail5 (Andrew S. Rightenburg) <andrew@rail5.org>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
---
 target/loongarch/cpu.c            | 11 +++++++++++
 target/loongarch/cpu.h            |  1 +
 target/loongarch/tcg/tlb_helper.c | 24 +++++++++++++++++++++---
 3 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/target/loongarch/cpu.c b/target/loongarch/cpu.c
index 8e8b10505d..e22568c84a 100644
--- a/target/loongarch/cpu.c
+++ b/target/loongarch/cpu.c
@@ -596,6 +596,17 @@ static void loongarch_cpu_reset_hold(Object *obj, ResetType type)
 
 #ifdef CONFIG_TCG
     env->fcsr0_mask = FCSR0_M1 | FCSR0_M2 | FCSR0_M3;
+
+    if (is_la64(env)) {
+        env->hw_pte_mask = MAKE_64BIT_MASK(0, 9) |
+                           R_TLBENTRY_64_PPN_MASK |
+                           R_TLBENTRY_64_NR_MASK |
+                           R_TLBENTRY_64_NX_MASK |
+                           R_TLBENTRY_64_RPLV_MASK;
+    } else {
+        env->hw_pte_mask = MAKE_64BIT_MASK(0, 9) |
+                           R_TLBENTRY_32_PPN_MASK;
+    }
 #endif
     env->fcsr0 = 0x0;
 
diff --git a/target/loongarch/cpu.h b/target/loongarch/cpu.h
index d2dfdc8520..4d333806ed 100644
--- a/target/loongarch/cpu.h
+++ b/target/loongarch/cpu.h
@@ -406,6 +406,7 @@ typedef struct CPUArchState {
     uint64_t llval;
     uint64_t llval_high; /* For 128-bit atomic SC.Q */
     uint64_t llbit_scq; /* Potential LL.D+LD.D+SC.Q sequence in effect */
+    uint64_t hw_pte_mask; /* Mask of architecturally-defined (hardware) PTE bits. */
 #endif
 #ifndef CONFIG_USER_ONLY
 #ifdef CONFIG_TCG
diff --git a/target/loongarch/tcg/tlb_helper.c b/target/loongarch/tcg/tlb_helper.c
index c1dc77a8f8..c0fd8527fe 100644
--- a/target/loongarch/tcg/tlb_helper.c
+++ b/target/loongarch/tcg/tlb_helper.c
@@ -686,6 +686,21 @@ bool loongarch_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
     cpu_loop_exit_restore(cs, retaddr);
 }
 
+static inline uint64_t loongarch_sanitize_hw_pte(CPULoongArchState *env,
+                                                 uint64_t pte)
+{
+    uint64_t palen_mask = loongarch_palen_mask(env);
+    uint64_t ppn_mask = is_la64(env) ? R_TLBENTRY_64_PPN_MASK : R_TLBENTRY_32_PPN_MASK;
+
+    /*
+     * Keep only architecturally-defined PTE bits. Guests may use some
+     * otherwise-unused bits for software purposes.
+     */
+    pte &= env->hw_pte_mask;
+
+    return (pte & ~ppn_mask) | ((pte & ppn_mask) & palen_mask);
+}
+
 target_ulong helper_lddir(CPULoongArchState *env, target_ulong base,
                           uint32_t level, uint32_t mem_idx)
 {
@@ -729,6 +744,7 @@ void helper_ldpte(CPULoongArchState *env, target_ulong base, target_ulong odd,
 {
     CPUState *cs = env_cpu(env);
     hwaddr phys, tmp0, ptindex, ptoffset0, ptoffset1;
+    uint64_t pte_raw;
     uint64_t badv;
     uint64_t ptbase = FIELD_EX64(env->CSR_PWCL, CSR_PWCL, PTBASE);
     uint64_t ptwidth = FIELD_EX64(env->CSR_PWCL, CSR_PWCL, PTWIDTH);
@@ -744,7 +760,6 @@ void helper_ldpte(CPULoongArchState *env, target_ulong base, target_ulong odd,
      * and the other is the huge page entry,
      * whose bit 6 should be 1.
      */
-    base = base & palen_mask;
     if (FIELD_EX64(base, TLBENTRY, HUGE)) {
         /*
          * Gets the huge page level and Gets huge page size.
@@ -768,7 +783,7 @@ void helper_ldpte(CPULoongArchState *env, target_ulong base, target_ulong odd,
          * when loaded into the tlb,
          * so the tlb page size needs to be divided by 2.
          */
-        tmp0 = base;
+        tmp0 = loongarch_sanitize_hw_pte(env, base);
         if (odd) {
             tmp0 += MAKE_64BIT_MASK(ps, 1);
         }
@@ -780,12 +795,15 @@ void helper_ldpte(CPULoongArchState *env, target_ulong base, target_ulong odd,
     } else {
         badv = env->CSR_TLBRBADV;
 
+        base = base & palen_mask;
+
         ptindex = (badv >> ptbase) & ((1 << ptwidth) - 1);
         ptindex = ptindex & ~0x1;   /* clear bit 0 */
         ptoffset0 = ptindex << 3;
         ptoffset1 = (ptindex + 1) << 3;
         phys = base | (odd ? ptoffset1 : ptoffset0);
-        tmp0 = ldq_le_phys(cs->as, phys) & palen_mask;
+        pte_raw = ldq_le_phys(cs->as, phys);
+        tmp0 = loongarch_sanitize_hw_pte(env, pte_raw);
         ps = ptbase;
     }
 
-- 
2.52.0

[PULL 2/2] target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch

[Song Gao]

From: rail5 <andrew@rail5.org>

loongarch_cpu_do_interrupt() updates CSR_BADI by fetching the faulting
instruction with cpu_ldl_code_mmu().

For a PNX exception (instruction fetch prohibited by NX), fetching the
instruction at env->pc will fault with PNX again. This can lead to an
infinite exception loop.

Treat PNX like other instruction-fetch exceptions (PIF/ADEF) and do not
update CSR_BADI for it.

Fixes: 410dfbf620a ("target/loongarch: Move TCG specified functions to tcg_cpu.c")
Cc: qemu-stable@nongnu.org
Signed-off-by: rail5 (Andrew S. Rightenburg) <andrew@rail5.org>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
---
 target/loongarch/tcg/tcg_cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/loongarch/tcg/tcg_cpu.c b/target/loongarch/tcg/tcg_cpu.c
index af92277669..31d3db6e8e 100644
--- a/target/loongarch/tcg/tcg_cpu.c
+++ b/target/loongarch/tcg/tcg_cpu.c
@@ -109,6 +109,7 @@ static void loongarch_cpu_do_interrupt(CPUState *cs)
         }
         QEMU_FALLTHROUGH;
     case EXCCODE_PIF:
+    case EXCCODE_PNX:
     case EXCCODE_ADEF:
         cause = cs->exception_index;
         update_badinstr = 0;
@@ -129,7 +130,6 @@ static void loongarch_cpu_do_interrupt(CPUState *cs)
     case EXCCODE_PIS:
     case EXCCODE_PME:
     case EXCCODE_PNR:
-    case EXCCODE_PNX:
     case EXCCODE_PPI:
         cause = cs->exception_index;
         break;
-- 
2.52.0

Re: [PULL 0/2] loongarch-to-apply queue

[Peter Maydell]

On Tue, 10 Mar 2026 at 12:10, Song Gao <gaosong@loongson.cn> wrote:
>
> The following changes since commit 31ee190665dd50054c39cef5ad740680aabda382:
>
>   Merge tag 'hw-misc-20260309' of https://github.com/philmd/qemu into staging (2026-03-09 17:19:26 +0000)
>
> are available in the Git repository at:
>
>   https://github.com/gaosong715/qemu.git tags/pull-loongarch-20260310
>
> for you to fetch changes up to db2325f79481fab87211e5a287580d753f582cb8:
>
>   target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch (2026-03-10 19:50:01 +0800)
>
> ----------------------------------------------------------------
> loongarch bug fix
>
> ----------------------------------------------------------------
> rail5 (2):
>       target/loongarch: Preserve PTE permission bits in LDPTE
>       target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch




Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/11.0
for any user-visible changes.

-- PMM

Re: [PULL 1/2] target/loongarch: Preserve PTE permission bits in LDPTE

[Michael Tokarev]

On 10.03.2026 14:44, Song Gao wrote:
> From: rail5 <andrew@rail5.org>
> 
> The LDPTE helper loads a page table entry (or huge page entry) from guest
> memory and currently applies the PALEN mask to the whole 64-bit value.
> 
> That mask is intended to constrain the physical address bits, but masking
> the full entry also clears upper permission bits in the PTE, including NX
> (bit 62). As a result, LoongArch TCG can incorrectly allow instruction
> fetches from NX mappings when translation is driven through software
> page-walk.
> 
> Fix this by masking only the PPN/address field with PALEN while preserving
> permission bits, and by clearing any non-architectural (software) bits
> using a hardware PTE mask. LDDIR is unchanged since it returns the base
> address of the next page table level.
> 
> Reported at: https://gitlab.com/qemu-project/qemu/-/issues/3319
> 
> Fixes: 56599a705f2 ("target/loongarch: Introduce loongarch_palen_mask()")
> Cc: qemu-stable@nongnu.org

As far as I can see, 56599a705f2 is past 10.2.0 release, so is not
present in any released version of qemu.  This commit also hasn't
been back-ported to any stable series.

So I'm not picking up this one, despite it is marked as for qemu-stable.
Please let me know if I should pick it up regardless.

Thanks,

/mjt

Re: [PULL 1/2] target/loongarch: Preserve PTE permission bits in LDPTE

[Andrew S. Rightenburg via qemu development]

On Tue, 2026-03-10 at 19:04 +0300, Michael Tokarev wrote:
> 
> As far as I can see, 56599a705f2 is past 10.2.0 release, so is not
> present in any released version of qemu.  This commit also hasn't
> been back-ported to any stable series.
> 
> So I'm not picking up this one, despite it is marked as for qemu-stable.
> Please let me know if I should pick it up regardless.
> 
> Thanks,
> 
> /mjt

Hi Michael,

The commit in question changed how the masking is applied, but the bug itself
existed before it. I've reproduced the issue in 10.0.7 and 10.2.0. I believe the
patch is still relevant for stable

Sorry if the 'Fixes:' tag was misdirected. This is my first contribution and I'm
unfamiliar with the workflow. I used 'git blame' to find the line, but that line
was just a refactor, not the origin of the bug. If it would help I'd be happy to
try to re-base the patch on the current release version instead of the current
state of master

Thanks again

-- 
Regards,
Andrew S. Rightenburg

Re: [PULL 1/2] target/loongarch: Preserve PTE permission bits in LDPTE

[Michael Tokarev]

On 11.03.2026 05:29, Andrew S. Rightenburg wrote:

> The commit in question changed how the masking is applied, but the bug itself
> existed before it. I've reproduced the issue in 10.0.7 and 10.2.0. I believe the
> patch is still relevant for stable

Aha.  So this new change (Preserve PTE bits) has to be backported.

Please take a look at https://gitlab.com/mjt0k/qemu/-/commits/staging-10.2
-- hopefully my back-port makes sense.

The same's for staging-10.1 and staging-10.0 (10.0 needed additional
small tweak).

> Sorry if the 'Fixes:' tag was misdirected. This is my first contribution and I'm
> unfamiliar with the workflow. I used 'git blame' to find the line, but that line
> was just a refactor, not the origin of the bug. If it would help I'd be happy to
> try to re-base the patch on the current release version instead of the current
> state of master

Yeah the Fixes tag is obviously misleading.  What's the actual commit
which introduced the issue, if it's easy to find? :)

Thank you!

/mjt

Re: [PULL 1/2] target/loongarch: Preserve PTE permission bits in LDPTE

[Andrew S. Rightenburg via qemu development]

On Wed, 2026-03-11 at 13:30 +0300, Michael Tokarev wrote:
> Please take a look at https://gitlab.com/mjt0k/qemu/-/commits/staging-10.2
> -- hopefully my back-port makes sense.
> 
> The same's for staging-10.1 and staging-10.0 (10.0 needed additional
> small tweak).
> 

It makes sense to me, but 10.1 and 10.0 still have the recursive PNX bug. I've
included backported patches for those two down below

> 
> Yeah the Fixes tag is obviously misleading.  What's the actual commit
> which introduced the issue, if it's easy to find? :)

It looks like the "mask the whole PTE" bug was introduced in d2cba6f7ce
("target/loongarch: Add other core instructions support") when LDPTE was added
initially

Likewise I screwed up the 'Fixes:' tag for the other part of the patch as well.
The recursive PNX exception bug was actually introduced in f757a2cd69
("target/loongarch: Add LoongArch interrupt and exception handle")

Sorry about that. In any future patches I'll make sure to be more careful about
identifying the origin.

Thanks for having been so patient with me


---8<--- PATCH for staging-10.1 ---8<---
From caca7e3b52c369722eae921365613319596d9c81 Mon Sep 17 00:00:00 2001
From: "Andrew S. Rightenburg" <andrew@rail5.org>
Date: Fri, 13 Mar 2026 09:48:19 +0800
Subject: [PATCH] target/loongarch: Avoid recursive PNX exception on CSR_BADI
 fetch

loongarch_cpu_do_interrupt() updates CSR_BADI by fetching the faulting
instruction.

For a PNX exception (instruction fetch prohibited by NX), fetching the
instruction at env->pc will fault with PNX again. This can lead to an
infinite exception loop.

Treat PNX like other instruction-fetch exceptions (PIF/ADEF) and do not
update CSR_BADI for it.

Backport of commit 67638dba.

Signed-off-by: Andrew S. Rightenburg <andrew@rail5.org>
---
 target/loongarch/cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/loongarch/cpu.c b/target/loongarch/cpu.c
index 266b0b97d0..b62d720258 100644
--- a/target/loongarch/cpu.c
+++ b/target/loongarch/cpu.c
@@ -198,6 +198,7 @@ static void loongarch_cpu_do_interrupt(CPUState *cs)
         }
         QEMU_FALLTHROUGH;
     case EXCCODE_PIF:
+    case EXCCODE_PNX:
     case EXCCODE_ADEF:
         cause = cs->exception_index;
         update_badinstr = 0;
@@ -218,7 +219,6 @@ static void loongarch_cpu_do_interrupt(CPUState *cs)
     case EXCCODE_PIS:
     case EXCCODE_PME:
     case EXCCODE_PNR:
-    case EXCCODE_PNX:
     case EXCCODE_PPI:
         cause = cs->exception_index;
         break;
-- 
2.47.3


---8<--- end PATCH for staging-10.1 ---8<---


---8<--- PATCH for staging-10.0 ---8<---
From f2f1305d88d58743574d1da71f0fef4a60b65122 Mon Sep 17 00:00:00 2001
From: "Andrew S. Rightenburg" <andrew@rail5.org>
Date: Fri, 13 Mar 2026 09:48:19 +0800
Subject: [PATCH] target/loongarch: Avoid recursive PNX exception on CSR_BADI
 fetch

loongarch_cpu_do_interrupt() updates CSR_BADI by fetching the faulting
instruction.

For a PNX exception (instruction fetch prohibited by NX), fetching the
instruction at env->pc will fault with PNX again. This can lead to an
infinite exception loop.

Treat PNX like other instruction-fetch exceptions (PIF/ADEF) and do not
update CSR_BADI for it.

Backport of commit 67638dba.

Signed-off-by: Andrew S. Rightenburg <andrew@rail5.org>
---
 target/loongarch/cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/loongarch/cpu.c b/target/loongarch/cpu.c
index 84b86da308..a5f6b7cdc5 100644
--- a/target/loongarch/cpu.c
+++ b/target/loongarch/cpu.c
@@ -197,6 +197,7 @@ static void loongarch_cpu_do_interrupt(CPUState *cs)
         }
         QEMU_FALLTHROUGH;
     case EXCCODE_PIF:
+    case EXCCODE_PNX:
     case EXCCODE_ADEF:
         cause = cs->exception_index;
         update_badinstr = 0;
@@ -217,7 +218,6 @@ static void loongarch_cpu_do_interrupt(CPUState *cs)
     case EXCCODE_PIS:
     case EXCCODE_PME:
     case EXCCODE_PNR:
-    case EXCCODE_PNX:
     case EXCCODE_PPI:
         cause = cs->exception_index;
         break;
-- 
2.47.3


---8<--- end PATCH for staging-10.0 ---8<---

-- 
Regards,
Andrew S. Rightenburg

Re: [PULL 1/2] target/loongarch: Preserve PTE permission bits in LDPTE

[Michael Tokarev]

On 13.03.2026 05:04, Andrew S. Rightenburg wrote:
> On Wed, 2026-03-11 at 13:30 +0300, Michael Tokarev wrote:
>> Please take a look at https://gitlab.com/mjt0k/qemu/-/commits/staging-10.2
>> -- hopefully my back-port makes sense.
>>
>> The same's for staging-10.1 and staging-10.0 (10.0 needed additional
>> small tweak).
>>
> 
> It makes sense to me, but 10.1 and 10.0 still have the recursive PNX bug. I've
> included backported patches for those two down below

Aha.  I wondered about that one for a moment too, but didn't look close
enough, being distracte dby the PTE permission bits change :)

>> Yeah the Fixes tag is obviously misleading.  What's the actual commit
>> which introduced the issue, if it's easy to find? :)
> 
> It looks like the "mask the whole PTE" bug was introduced in d2cba6f7ce
> ("target/loongarch: Add other core instructions support") when LDPTE was added
> initially
> 
> Likewise I screwed up the 'Fixes:' tag for the other part of the patch as well.
> The recursive PNX exception bug was actually introduced in f757a2cd69
> ("target/loongarch: Add LoongArch interrupt and exception handle")

Aha.  This makes perfect sense!

> Sorry about that. In any future patches I'll make sure to be more careful about
> identifying the origin.

> Thanks for having been so patient with me

That's entirely okay, Andrew!  Thank *you* very much for taking care of
finding and fixing the bugs, and for thinking about qemu-stable in the
first place - the most important things here.  The rest isn't really
that relevant.  Yes, it'd be nice to have all the proper tags, good
wording in comments etc yadda, - but that all is just cosmetics.
Another very good thing is that we managed to sort it out - you managed,
I'm just a follower here.

As for the backports you did - it isn't necessary for simple changes
like this one.  This is just moving single line from one group of
"case" statements to another, in a particular function.  I've had
plenty of such cases already which I had to apply across various
renames, splits, merges etc, - sure I found 410dfbf620 "Move TCG
specified functions to tcg_cpu.c" (I guess it should've been
"specific" not "specified", but ok), -- especially since you already
mentioned it in the Fixes: tag - and found where this function were
located previously.  Also, when I apply patches to stable branches,
I should keep track of what's applied; and I prefer the commit
messages to be exactly the same as in master - unless the patch
differs significantly..  All that to say - I cherry-picked this
patch (db2325f79 "Avoid recursive PNX exception..") to 10.0 & 10.1
directly, - without using backports you provided, it was easier
this way to keep all the info in place.  So your work providing
the backports wasn't used - which is unfortunate..

Anyway, thank you very much for cooperation, this is excellent!
Such attention from the maintainer is a good driver to continue
maintaining the stable branches!

I re-arranged the patches to include proper Fixes tags in stable
branches, and added the second one.  You can see how it looks like
in the end at https://gitlab.com/mjt0k/qemu - in respective branches.

/mjt