public inbox for qemu-devel@nongnu.org
* [PULL 0/2] loongarch-to-apply queue
@ 2026-03-10 11:44 Song Gao
  2026-03-10 11:44 ` [PULL 1/2] target/loongarch: Preserve PTE permission bits in LDPTE Song Gao
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Song Gao @ 2026-03-10 11:44 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable

The following changes since commit 31ee190665dd50054c39cef5ad740680aabda382:

  Merge tag 'hw-misc-20260309' of https://github.com/philmd/qemu into staging (2026-03-09 17:19:26 +0000)

are available in the Git repository at:

  https://github.com/gaosong715/qemu.git tags/pull-loongarch-20260310

for you to fetch changes up to db2325f79481fab87211e5a287580d753f582cb8:

  target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch (2026-03-10 19:50:01 +0800)

----------------------------------------------------------------
loongarch bug fix

----------------------------------------------------------------
rail5 (2):
      target/loongarch: Preserve PTE permission bits in LDPTE
      target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch

 target/loongarch/cpu.c            | 11 +++++++++++
 target/loongarch/cpu.h            |  1 +
 target/loongarch/tcg/tcg_cpu.c    |  2 +-
 target/loongarch/tcg/tlb_helper.c | 24 +++++++++++++++++++++---
 4 files changed, 34 insertions(+), 4 deletions(-)




* [PULL 1/2] target/loongarch: Preserve PTE permission bits in LDPTE
  2026-03-10 11:44 [PULL 0/2] loongarch-to-apply queue Song Gao
@ 2026-03-10 11:44 ` Song Gao
  2026-03-10 16:04   ` Michael Tokarev
  2026-03-10 11:44 ` [PULL 2/2] target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch Song Gao
  2026-03-10 14:51 ` [PULL 0/2] loongarch-to-apply queue Peter Maydell
  2 siblings, 1 reply; 9+ messages in thread
From: Song Gao @ 2026-03-10 11:44 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, rail5, Bibo Mao

From: rail5 <andrew@rail5.org>

The LDPTE helper loads a page table entry (or huge page entry) from guest
memory and currently applies the PALEN mask to the whole 64-bit value.

That mask is intended to constrain the physical address bits, but masking
the full entry also clears upper permission bits in the PTE, including NX
(bit 62). As a result, LoongArch TCG can incorrectly allow instruction
fetches from NX mappings when translation is driven through software
page-walk.

Fix this by masking only the PPN/address field with PALEN while preserving
permission bits, and by clearing any non-architectural (software) bits
using a hardware PTE mask. LDDIR is unchanged since it returns the base
address of the next page table level.

Reported at: https://gitlab.com/qemu-project/qemu/-/issues/3319

Fixes: 56599a705f2 ("target/loongarch: Introduce loongarch_palen_mask()")
Cc: qemu-stable@nongnu.org
Signed-off-by: rail5 (Andrew S. Rightenburg) <andrew@rail5.org>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
---
 target/loongarch/cpu.c            | 11 +++++++++++
 target/loongarch/cpu.h            |  1 +
 target/loongarch/tcg/tlb_helper.c | 24 +++++++++++++++++++++---
 3 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/target/loongarch/cpu.c b/target/loongarch/cpu.c
index 8e8b10505d..e22568c84a 100644
--- a/target/loongarch/cpu.c
+++ b/target/loongarch/cpu.c
@@ -596,6 +596,17 @@ static void loongarch_cpu_reset_hold(Object *obj, ResetType type)
 
 #ifdef CONFIG_TCG
     env->fcsr0_mask = FCSR0_M1 | FCSR0_M2 | FCSR0_M3;
+
+    if (is_la64(env)) {
+        env->hw_pte_mask = MAKE_64BIT_MASK(0, 9) |
+                           R_TLBENTRY_64_PPN_MASK |
+                           R_TLBENTRY_64_NR_MASK |
+                           R_TLBENTRY_64_NX_MASK |
+                           R_TLBENTRY_64_RPLV_MASK;
+    } else {
+        env->hw_pte_mask = MAKE_64BIT_MASK(0, 9) |
+                           R_TLBENTRY_32_PPN_MASK;
+    }
 #endif
     env->fcsr0 = 0x0;
 
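Review bot: the `MAKE_64BIT_MASK(0, 9)` term appears in both branches of the `is_la64(env)` test with nothing to say which low PTE flag bits it is meant to cover. A named constant, or a one-line comment listing those bits and noting that the 32-bit mask deliberately carries no NR/NX/RPLV, would let a reader check `hw_pte_mask` against the architecture manual. Since the value depends only on `is_la64(env)`, a word on why it is assigned in loongarch_cpu_reset_hold() under CONFIG_TCG would also help.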
diff --git a/target/loongarch/cpu.h b/target/loongarch/cpu.h
index d2dfdc8520..4d333806ed 100644
--- a/target/loongarch/cpu.h
+++ b/target/loongarch/cpu.h
@@ -406,6 +406,7 @@ typedef struct CPUArchState {
     uint64_t llval;
     uint64_t llval_high; /* For 128-bit atomic SC.Q */
     uint64_t llbit_scq; /* Potential LL.D+LD.D+SC.Q sequence in effect */
+    uint64_t hw_pte_mask; /* Mask of architecturally-defined (hardware) PTE bits. */
 #endif
 #ifndef CONFIG_USER_ONLY
 #ifdef CONFIG_TCG
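Review bot: the added `hw_pte_mask` declaration with its trailing comment runs to about 85 columns, past the 80-column limit that checkpatch warns about. Moving the comment onto its own line above the field keeps the line short and leaves room to say that the mask is derived from the CPU model at reset and is not guest-visible state.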
diff --git a/target/loongarch/tcg/tlb_helper.c b/target/loongarch/tcg/tlb_helper.c
index c1dc77a8f8..c0fd8527fe 100644
--- a/target/loongarch/tcg/tlb_helper.c
+++ b/target/loongarch/tcg/tlb_helper.c
@@ -686,6 +686,21 @@ bool loongarch_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
     cpu_loop_exit_restore(cs, retaddr);
 }
 
+static inline uint64_t loongarch_sanitize_hw_pte(CPULoongArchState *env,
+                                                 uint64_t pte)
+{
+    uint64_t palen_mask = loongarch_palen_mask(env);
+    uint64_t ppn_mask = is_la64(env) ? R_TLBENTRY_64_PPN_MASK : R_TLBENTRY_32_PPN_MASK;
+
+    /*
+     * Keep only architecturally-defined PTE bits. Guests may use some
+     * otherwise-unused bits for software purposes.
+     */
+    pte &= env->hw_pte_mask;
+
+    return (pte & ~ppn_mask) | ((pte & ppn_mask) & palen_mask);
+}
+
 target_ulong helper_lddir(CPULoongArchState *env, target_ulong base,
                           uint32_t level, uint32_t mem_idx)
 {
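Review bot: the return expression of loongarch_sanitize_hw_pte() carries the actual fix but is not covered by the comment, which only describes the `pte &= env->hw_pte_mask` step. A second sentence saying that PALEN is applied to the PPN field alone, so that NR/NX/RPLV above it survive, would document the invariant this helper exists to protect. The `ppn_mask` initialiser line is also over 80 columns and could be split after the `?`.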
@@ -729,6 +744,7 @@ void helper_ldpte(CPULoongArchState *env, target_ulong base, target_ulong odd,
 {
     CPUState *cs = env_cpu(env);
     hwaddr phys, tmp0, ptindex, ptoffset0, ptoffset1;
+    uint64_t pte_raw;
     uint64_t badv;
     uint64_t ptbase = FIELD_EX64(env->CSR_PWCL, CSR_PWCL, PTBASE);
     uint64_t ptwidth = FIELD_EX64(env->CSR_PWCL, CSR_PWCL, PTWIDTH);
@@ -744,7 +760,6 @@ void helper_ldpte(CPULoongArchState *env, target_ulong base, target_ulong odd,
      * and the other is the huge page entry,
      * whose bit 6 should be 1.
      */
-    base = base & palen_mask;
     if (FIELD_EX64(base, TLBENTRY, HUGE)) {
         /*
          * Gets the huge page level and Gets huge page size.
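Review bot: with `base = base & palen_mask;` removed here, the `FIELD_EX64(base, TLBENTRY, HUGE)` test and everything in the huge-page branch up to the later `loongarch_sanitize_hw_pte(env, base)` call now see the raw register value. The HUGE test itself is on a low bit and is unaffected, but the commit message should state that nothing else in that branch relied on the masked value, since that code is outside the context shown.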
@@ -768,7 +783,7 @@ void helper_ldpte(CPULoongArchState *env, target_ulong base, target_ulong odd,
          * when loaded into the tlb,
          * so the tlb page size needs to be divided by 2.
          */
-        tmp0 = base;
+        tmp0 = loongarch_sanitize_hw_pte(env, base);
         if (odd) {
             tmp0 += MAKE_64BIT_MASK(ps, 1);
         }
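Review bot: `tmp0 += MAKE_64BIT_MASK(ps, 1)` for the odd page runs after `loongarch_sanitize_hw_pte(env, base)`, so a carry out of that addition is no longer constrained by either mask. The order is the same as before the patch, so this is not a regression, but the entry comes from the guest: either note the alignment assumption that rules out a carry, or apply the sanitising step after the addition.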
@@ -780,12 +795,15 @@ void helper_ldpte(CPULoongArchState *env, target_ulong base, target_ulong odd,
     } else {
         badv = env->CSR_TLBRBADV;
 
+        base = base & palen_mask;
+
         ptindex = (badv >> ptbase) & ((1 << ptwidth) - 1);
         ptindex = ptindex & ~0x1;   /* clear bit 0 */
         ptoffset0 = ptindex << 3;
         ptoffset1 = (ptindex + 1) << 3;
         phys = base | (odd ? ptoffset1 : ptoffset0);
-        tmp0 = ldq_le_phys(cs->as, phys) & palen_mask;
+        pte_raw = ldq_le_phys(cs->as, phys);
+        tmp0 = loongarch_sanitize_hw_pte(env, pte_raw);
         ps = ptbase;
     }
 
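Review bot: `pte_raw` is assigned from `ldq_le_phys(cs->as, phys)` and consumed on the next line only, yet it is declared at function scope in the earlier hunk. Passing the load result straight to loongarch_sanitize_hw_pte(), or declaring the temporary inside this `else` block, would keep the raw guest value from being picked up by later code in helper_ldpte() that should only ever see the sanitised `tmp0`.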
-- 
2.52.0
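
The masking difference described in the commit message above, as an added example that is not part of the patch or of QEMU's code. Only NX at bit 62 comes from the thread; the other field positions, the form of the PALEN mask, the PALEN values and the sample entry are assumptions constructed for this model.

```c
#include <stdint.h>
#include <stdio.h>

/* Contiguous mask of `len` bits starting at bit `shift` (1 <= len <= 64). */
#define MASK64(shift, len) ((~0ULL >> (64 - (len))) << (shift))

/*
 * Model of a 64-bit PTE. NX at bit 62 is stated in the commit message;
 * the other field positions are assumptions made for this example.
 */
#define PTE_FLAGS   MASK64(0, 9)     /* low hardware flag bits */
#define PTE_PPN     MASK64(12, 36)   /* assumed PPN field: bits 12..47 */
#define PTE_NR      (1ULL << 61)     /* assumed position */
#define PTE_NX      (1ULL << 62)
#define PTE_RPLV    (1ULL << 63)     /* assumed position */
#define HW_PTE_MASK (PTE_FLAGS | PTE_PPN | PTE_NR | PTE_NX | PTE_RPLV)

#define SW_BIT      (1ULL << 10)     /* constructed: a software-defined bit */

/* Assumed form of the PALEN mask: the low `palen` bits. */
static uint64_t palen_mask(unsigned palen)
{
    return MASK64(0, palen);
}

/* Behaviour before the fix: PALEN mask applied to the whole entry. */
static uint64_t ldpte_mask_whole(uint64_t pte, unsigned palen)
{
    return pte & palen_mask(palen);
}

/*
 * Behaviour after the fix: drop non-hardware bits, then apply PALEN to
 * the PPN field only so the permission bits above it are preserved.
 */
static uint64_t ldpte_sanitize(uint64_t pte, unsigned palen)
{
    pte &= HW_PTE_MASK;
    return (pte & ~PTE_PPN) | ((pte & PTE_PPN) & palen_mask(palen));
}

/* Simplified check: an instruction fetch is refused only when NX is set. */
static int fetch_allowed(uint64_t entry)
{
    return (entry & PTE_NX) == 0;
}

/* Constructed sample: valid no-execute page with a software bit set. */
static uint64_t sample_nx_pte(void)
{
    return PTE_NX | SW_BIT | (0x12345ULL << 12) | 0x1ULL;
}

int main(void)
{
    uint64_t pte = sample_nx_pte();
    uint64_t before = ldpte_mask_whole(pte, 48);
    uint64_t after = ldpte_sanitize(pte, 48);

    printf("raw    %016llx\n", (unsigned long long)pte);
    printf("before %016llx fetch_allowed=%d\n",
           (unsigned long long)before, fetch_allowed(before));
    printf("after  %016llx fetch_allowed=%d\n",
           (unsigned long long)after, fetch_allowed(after));
    return 0;
}
```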




* [PULL 2/2] target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch
  2026-03-10 11:44 [PULL 0/2] loongarch-to-apply queue Song Gao
  2026-03-10 11:44 ` [PULL 1/2] target/loongarch: Preserve PTE permission bits in LDPTE Song Gao
@ 2026-03-10 11:44 ` Song Gao
  2026-03-10 14:51 ` [PULL 0/2] loongarch-to-apply queue Peter Maydell
  2 siblings, 0 replies; 9+ messages in thread
From: Song Gao @ 2026-03-10 11:44 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-stable, rail5, Bibo Mao

From: rail5 <andrew@rail5.org>

loongarch_cpu_do_interrupt() updates CSR_BADI by fetching the faulting
instruction with cpu_ldl_code_mmu().

For a PNX exception (instruction fetch prohibited by NX), fetching the
instruction at env->pc will fault with PNX again. This can lead to an
infinite exception loop.

Treat PNX like other instruction-fetch exceptions (PIF/ADEF) and do not
update CSR_BADI for it.

Fixes: 410dfbf620a ("target/loongarch: Move TCG specified functions to tcg_cpu.c")
Cc: qemu-stable@nongnu.org
Signed-off-by: rail5 (Andrew S. Rightenburg) <andrew@rail5.org>
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
---
 target/loongarch/tcg/tcg_cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/loongarch/tcg/tcg_cpu.c b/target/loongarch/tcg/tcg_cpu.c
index af92277669..31d3db6e8e 100644
--- a/target/loongarch/tcg/tcg_cpu.c
+++ b/target/loongarch/tcg/tcg_cpu.c
@@ -109,6 +109,7 @@ static void loongarch_cpu_do_interrupt(CPUState *cs)
         }
         QEMU_FALLTHROUGH;
     case EXCCODE_PIF:
+    case EXCCODE_PNX:
     case EXCCODE_ADEF:
         cause = cs->exception_index;
         update_badinstr = 0;
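Review bot: `case EXCCODE_PNX:` now shares the `update_badinstr = 0` path with PIF and ADEF, but nothing at this group says why these codes skip the CSR_BADI update. A short comment above `case EXCCODE_PIF:` stating that these are instruction-fetch faults, so the instruction at env->pc cannot be read back, would keep a later fetch-type exception code from being placed in the lower group again.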
@@ -129,7 +130,6 @@ static void loongarch_cpu_do_interrupt(CPUState *cs)
     case EXCCODE_PIS:
     case EXCCODE_PME:
     case EXCCODE_PNR:
-    case EXCCODE_PNX:
     case EXCCODE_PPI:
         cause = cs->exception_index;
         break;
-- 
2.52.0




* Re: [PULL 0/2] loongarch-to-apply queue
  2026-03-10 11:44 [PULL 0/2] loongarch-to-apply queue Song Gao
  2026-03-10 11:44 ` [PULL 1/2] target/loongarch: Preserve PTE permission bits in LDPTE Song Gao
  2026-03-10 11:44 ` [PULL 2/2] target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch Song Gao
@ 2026-03-10 14:51 ` Peter Maydell
  2 siblings, 0 replies; 9+ messages in thread
From: Peter Maydell @ 2026-03-10 14:51 UTC (permalink / raw)
  To: Song Gao; +Cc: qemu-devel, qemu-stable

On Tue, 10 Mar 2026 at 12:10, Song Gao <gaosong@loongson.cn> wrote:
>
> The following changes since commit 31ee190665dd50054c39cef5ad740680aabda382:
>
>   Merge tag 'hw-misc-20260309' of https://github.com/philmd/qemu into staging (2026-03-09 17:19:26 +0000)
>
> are available in the Git repository at:
>
>   https://github.com/gaosong715/qemu.git tags/pull-loongarch-20260310
>
> for you to fetch changes up to db2325f79481fab87211e5a287580d753f582cb8:
>
>   target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch (2026-03-10 19:50:01 +0800)
>
> ----------------------------------------------------------------
> loongarch bug fix
>
> ----------------------------------------------------------------
> rail5 (2):
>       target/loongarch: Preserve PTE permission bits in LDPTE
>       target/loongarch: Avoid recursive PNX exception on CSR_BADI fetch




Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/11.0
for any user-visible changes.

-- PMM



* Re: [PULL 1/2] target/loongarch: Preserve PTE permission bits in LDPTE
  2026-03-10 11:44 ` [PULL 1/2] target/loongarch: Preserve PTE permission bits in LDPTE Song Gao
@ 2026-03-10 16:04   ` Michael Tokarev
  2026-03-11  2:29     ` Andrew S. Rightenburg via qemu development
  0 siblings, 1 reply; 9+ messages in thread
From: Michael Tokarev @ 2026-03-10 16:04 UTC (permalink / raw)
  To: Song Gao, qemu-devel; +Cc: qemu-stable, rail5, Bibo Mao

On 10.03.2026 14:44, Song Gao wrote:
> From: rail5 <andrew@rail5.org>
> 
> The LDPTE helper loads a page table entry (or huge page entry) from guest
> memory and currently applies the PALEN mask to the whole 64-bit value.
> 
> That mask is intended to constrain the physical address bits, but masking
> the full entry also clears upper permission bits in the PTE, including NX
> (bit 62). As a result, LoongArch TCG can incorrectly allow instruction
> fetches from NX mappings when translation is driven through software
> page-walk.
> 
> Fix this by masking only the PPN/address field with PALEN while preserving
> permission bits, and by clearing any non-architectural (software) bits
> using a hardware PTE mask. LDDIR is unchanged since it returns the base
> address of the next page table level.
> 
> Reported at: https://gitlab.com/qemu-project/qemu/-/issues/3319
> 
> Fixes: 56599a705f2 ("target/loongarch: Introduce loongarch_palen_mask()")
> Cc: qemu-stable@nongnu.org

As far as I can see, 56599a705f2 is past 10.2.0 release, so is not
present in any released version of qemu.  This commit also hasn't
been back-ported to any stable series.

So I'm not picking up this one, despite it being marked as for qemu-stable.
Please let me know if I should pick it up regardless.

Thanks,

/mjt



* Re: [PULL 1/2] target/loongarch: Preserve PTE permission bits in LDPTE
  2026-03-10 16:04   ` Michael Tokarev
@ 2026-03-11  2:29     ` Andrew S. Rightenburg via qemu development
  2026-03-11 10:30       ` Michael Tokarev
  0 siblings, 1 reply; 9+ messages in thread
From: Andrew S. Rightenburg via qemu development @ 2026-03-11  2:29 UTC (permalink / raw)
  To: Michael Tokarev, Song Gao, qemu-devel; +Cc: qemu-stable, Bibo Mao

On Tue, 2026-03-10 at 19:04 +0300, Michael Tokarev wrote:
> 
> As far as I can see, 56599a705f2 is past 10.2.0 release, so is not
> present in any released version of qemu.  This commit also hasn't
> been back-ported to any stable series.
> 
> So I'm not picking up this one, despite it being marked as for qemu-stable.
> Please let me know if I should pick it up regardless.
> 
> Thanks,
> 
> /mjt

Hi Michael,

The commit in question changed how the masking is applied, but the bug itself
existed before it. I've reproduced the issue in 10.0.7 and 10.2.0. I believe the
patch is still relevant for stable

Sorry if the 'Fixes:' tag was misdirected. This is my first contribution and I'm
unfamiliar with the workflow. I used 'git blame' to find the line, but that line
was just a refactor, not the origin of the bug. If it would help I'd be happy to
try to re-base the patch on the current release version instead of the current
state of master

Thanks again

-- 
Regards,
Andrew S. Rightenburg



* Re: [PULL 1/2] target/loongarch: Preserve PTE permission bits in LDPTE
  2026-03-11  2:29     ` Andrew S. Rightenburg via qemu development
@ 2026-03-11 10:30       ` Michael Tokarev
  2026-03-13  2:04         ` Andrew S. Rightenburg via qemu development
  0 siblings, 1 reply; 9+ messages in thread
From: Michael Tokarev @ 2026-03-11 10:30 UTC (permalink / raw)
  To: andrew, Song Gao, qemu-devel; +Cc: qemu-stable, Bibo Mao

On 11.03.2026 05:29, Andrew S. Rightenburg wrote:

> The commit in question changed how the masking is applied, but the bug itself
> existed before it. I've reproduced the issue in 10.0.7 and 10.2.0. I believe the
> patch is still relevant for stable

Aha.  So this new change (Preserve PTE bits) has to be backported.

Please take a look at https://gitlab.com/mjt0k/qemu/-/commits/staging-10.2
-- hopefully my back-port makes sense.

The same's for staging-10.1 and staging-10.0 (10.0 needed additional
small tweak).

> Sorry if the 'Fixes:' tag was misdirected. This is my first contribution and I'm
> unfamiliar with the workflow. I used 'git blame' to find the line, but that line
> was just a refactor, not the origin of the bug. If it would help I'd be happy to
> try to re-base the patch on the current release version instead of the current
> state of master

Yeah the Fixes tag is obviously misleading.  What's the actual commit
which introduced the issue, if it's easy to find? :)

Thank you!

/mjt



* Re: [PULL 1/2] target/loongarch: Preserve PTE permission bits in LDPTE
  2026-03-11 10:30       ` Michael Tokarev
@ 2026-03-13  2:04         ` Andrew S. Rightenburg via qemu development
  2026-03-13  7:32           ` Michael Tokarev
  0 siblings, 1 reply; 9+ messages in thread
From: Andrew S. Rightenburg via qemu development @ 2026-03-13  2:04 UTC (permalink / raw)
  To: Michael Tokarev, Song Gao, qemu-devel; +Cc: qemu-stable, Bibo Mao

On Wed, 2026-03-11 at 13:30 +0300, Michael Tokarev wrote:
> Please take a look at https://gitlab.com/mjt0k/qemu/-/commits/staging-10.2
> -- hopefully my back-port makes sense.
> 
> The same's for staging-10.1 and staging-10.0 (10.0 needed additional
> small tweak).
> 

It makes sense to me, but 10.1 and 10.0 still have the recursive PNX bug. I've
included backported patches for those two down below

> 
> Yeah the Fixes tag is obviously misleading.  What's the actual commit
> which introduced the issue, if it's easy to find? :)

It looks like the "mask the whole PTE" bug was introduced in d2cba6f7ce
("target/loongarch: Add other core instructions support") when LDPTE was added
initially

Likewise I screwed up the 'Fixes:' tag for the other part of the patch as well.
The recursive PNX exception bug was actually introduced in f757a2cd69
("target/loongarch: Add LoongArch interrupt and exception handle")

Sorry about that. In any future patches I'll make sure to be more careful about
identifying the origin.

Thanks for having been so patient with me


---8<--- PATCH for staging-10.1 ---8<---
From caca7e3b52c369722eae921365613319596d9c81 Mon Sep 17 00:00:00 2001
From: "Andrew S. Rightenburg" <andrew@rail5.org>
Date: Fri, 13 Mar 2026 09:48:19 +0800
Subject: [PATCH] target/loongarch: Avoid recursive PNX exception on CSR_BADI
 fetch

loongarch_cpu_do_interrupt() updates CSR_BADI by fetching the faulting
instruction.

For a PNX exception (instruction fetch prohibited by NX), fetching the
instruction at env->pc will fault with PNX again. This can lead to an
infinite exception loop.

Treat PNX like other instruction-fetch exceptions (PIF/ADEF) and do not
update CSR_BADI for it.

Backport of commit 67638dba.

Signed-off-by: Andrew S. Rightenburg <andrew@rail5.org>
---
 target/loongarch/cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/loongarch/cpu.c b/target/loongarch/cpu.c
index 266b0b97d0..b62d720258 100644
--- a/target/loongarch/cpu.c
+++ b/target/loongarch/cpu.c
@@ -198,6 +198,7 @@ static void loongarch_cpu_do_interrupt(CPUState *cs)
         }
         QEMU_FALLTHROUGH;
     case EXCCODE_PIF:
+    case EXCCODE_PNX:
     case EXCCODE_ADEF:
         cause = cs->exception_index;
         update_badinstr = 0;
@@ -218,7 +219,6 @@ static void loongarch_cpu_do_interrupt(CPUState *cs)
     case EXCCODE_PIS:
     case EXCCODE_PME:
     case EXCCODE_PNR:
-    case EXCCODE_PNX:
     case EXCCODE_PPI:
         cause = cs->exception_index;
         break;
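Review bot: the two hunks match the upstream change, but the message's "Backport of commit 67638dba." does not match the id the pull request in this thread gives for this change, db2325f79481fab87211e5a287580d753f582cb8. Referencing the commit as it landed in master, in the usual "(cherry picked from commit ...)" form, lets the stable maintainer track what has been applied; the same applies to the staging-10.0 copy of this patch.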
-- 
2.47.3


---8<--- end PATCH for staging-10.1 ---8<---


---8<--- PATCH for staging-10.0 ---8<---
From f2f1305d88d58743574d1da71f0fef4a60b65122 Mon Sep 17 00:00:00 2001
From: "Andrew S. Rightenburg" <andrew@rail5.org>
Date: Fri, 13 Mar 2026 09:48:19 +0800
Subject: [PATCH] target/loongarch: Avoid recursive PNX exception on CSR_BADI
 fetch

loongarch_cpu_do_interrupt() updates CSR_BADI by fetching the faulting
instruction.

For a PNX exception (instruction fetch prohibited by NX), fetching the
instruction at env->pc will fault with PNX again. This can lead to an
infinite exception loop.

Treat PNX like other instruction-fetch exceptions (PIF/ADEF) and do not
update CSR_BADI for it.

Backport of commit 67638dba.

Signed-off-by: Andrew S. Rightenburg <andrew@rail5.org>
---
 target/loongarch/cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/loongarch/cpu.c b/target/loongarch/cpu.c
index 84b86da308..a5f6b7cdc5 100644
--- a/target/loongarch/cpu.c
+++ b/target/loongarch/cpu.c
@@ -197,6 +197,7 @@ static void loongarch_cpu_do_interrupt(CPUState *cs)
         }
         QEMU_FALLTHROUGH;
     case EXCCODE_PIF:
+    case EXCCODE_PNX:
     case EXCCODE_ADEF:
         cause = cs->exception_index;
         update_badinstr = 0;
@@ -217,7 +218,6 @@ static void loongarch_cpu_do_interrupt(CPUState *cs)
     case EXCCODE_PIS:
     case EXCCODE_PME:
     case EXCCODE_PNR:
-    case EXCCODE_PNX:
     case EXCCODE_PPI:
         cause = cs->exception_index;
         break;
-- 
2.47.3


---8<--- end PATCH for staging-10.0 ---8<---

-- 
Regards,
Andrew S. Rightenburg



* Re: [PULL 1/2] target/loongarch: Preserve PTE permission bits in LDPTE
  2026-03-13  2:04         ` Andrew S. Rightenburg via qemu development
@ 2026-03-13  7:32           ` Michael Tokarev
  0 siblings, 0 replies; 9+ messages in thread
From: Michael Tokarev @ 2026-03-13  7:32 UTC (permalink / raw)
  To: andrew, Song Gao, qemu-devel; +Cc: qemu-stable, Bibo Mao

On 13.03.2026 05:04, Andrew S. Rightenburg wrote:
> On Wed, 2026-03-11 at 13:30 +0300, Michael Tokarev wrote:
>> Please take a look at https://gitlab.com/mjt0k/qemu/-/commits/staging-10.2
>> -- hopefully my back-port makes sense.
>>
>> The same's for staging-10.1 and staging-10.0 (10.0 needed additional
>> small tweak).
>>
> 
> It makes sense to me, but 10.1 and 10.0 still have the recursive PNX bug. I've
> included backported patches for those two down below

Aha.  I wondered about that one for a moment too, but didn't look close
enough, being distracted by the PTE permission bits change :)

>> Yeah the Fixes tag is obviously misleading.  What's the actual commit
>> which introduced the issue, if it's easy to find? :)
> 
> It looks like the "mask the whole PTE" bug was introduced in d2cba6f7ce
> ("target/loongarch: Add other core instructions support") when LDPTE was added
> initially
> 
> Likewise I screwed up the 'Fixes:' tag for the other part of the patch as well.
> The recursive PNX exception bug was actually introduced in f757a2cd69
> ("target/loongarch: Add LoongArch interrupt and exception handle")

Aha.  This makes perfect sense!

> Sorry about that. In any future patches I'll make sure to be more careful about
> identifying the origin.

> Thanks for having been so patient with me

That's entirely okay, Andrew!  Thank *you* very much for taking care of
finding and fixing the bugs, and for thinking about qemu-stable in the
first place - the most important things here.  The rest isn't really
that relevant.  Yes, it'd be nice to have all the proper tags, good
wording in comments etc yadda, - but that all is just cosmetics.
Another very good thing is that we managed to sort it out - you managed,
I'm just a follower here.

As for the backports you did - it isn't necessary for simple changes
like this one.  This is just moving single line from one group of
"case" statements to another, in a particular function.  I've had
plenty of such cases already which I had to apply across various
renames, splits, merges etc, - sure I found 410dfbf620 "Move TCG
specified functions to tcg_cpu.c" (I guess it should've been
"specific" not "specified", but ok), -- especially since you already
mentioned it in the Fixes: tag - and found where this function was
located previously.  Also, when I apply patches to stable branches,
I should keep track of what's applied; and I prefer the commit
messages to be exactly the same as in master - unless the patch
differs significantly..  All that to say - I cherry-picked this
patch (db2325f79 "Avoid recursive PNX exception..") to 10.0 & 10.1
directly, - without using backports you provided, it was easier
this way to keep all the info in place.  So your work providing
the backports wasn't used - which is unfortunate..

Anyway, thank you very much for cooperation, this is excellent!
Such attention from the maintainer is a good driver to continue
maintaining the stable branches!

I re-arranged the patches to include proper Fixes tags in stable
branches, and added the second one.  You can see what it looks like
in the end at https://gitlab.com/mjt0k/qemu - in respective branches.

/mjt


