Branch: refs/heads/staging
Home: https://github.com/qemu/qemu
Commit: 11dac41f2e830bcd7ba74969dc50f5740e3ce7e7
https://github.com/qemu/qemu/commit/11dac41f2e830bcd7ba74969dc50f5740e3ce7e7
Author: Laurent Vivier <[email protected]>
Date: 2026-01-12 (Mon, 12 Jan 2026)
Changed paths:
M target/m68k/op_helper.c
Log Message:
-----------
m68k: fix CAS2 writeback when Dc1==Dc2
According to the Programmer's Reference Manual, if Dc1 and Dc2 specify the
same data register and the comparison fails, memory operand 1 is stored
in the data register.
The current helpers wrote Dc1 then Dc2, leaving operand 2 in the shared
register.
Swap the writeback order for cas2w/cas2l so memory operand 1 wins.
Signed-off-by: Laurent Vivier <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Message-ID: <[email protected]>
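An added example, not QEMU's code, that models the CAS2 writeback rule the commit describes so the effect of the store order is visible: when Dc1 and Dc2 name the same register and the compare fails, storing Dc1 last leaves memory operand 1 in the register. The `M68kModel` layout, the `cas2l` helper and the sample values are constructed for illustration.

```c
/* Added example (not QEMU code): model of CAS2.L writeback semantics.
 * Register file and memory layout are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>

typedef struct {
    uint32_t d[8];    /* data registers D0..D7 */
    uint32_t mem[2];  /* the two memory operands (Rn1) and (Rn2) */
} M68kModel;

/* CAS2.L: if Dc1 == (Rn1) and Dc2 == (Rn2), write Du1/Du2 to memory and
 * return true. Otherwise load the memory operands into Dc1/Dc2 and return
 * false. 'operand1_last' selects the store order on the failure path:
 * the fixed helper stores Dc2 first and Dc1 last, so that when both name
 * the same register, memory operand 1 wins, as the manual requires. */
static bool cas2l(M68kModel *m, int dc1, int dc2, int du1, int du2,
                  bool operand1_last)
{
    uint32_t op1 = m->mem[0], op2 = m->mem[1];

    if (m->d[dc1] == op1 && m->d[dc2] == op2) {
        m->mem[0] = m->d[du1];
        m->mem[1] = m->d[du2];
        return true;
    }
    if (operand1_last) {   /* fixed order: Dc2, then Dc1 */
        m->d[dc2] = op2;
        m->d[dc1] = op1;
    } else {               /* old order: Dc1, then Dc2 */
        m->d[dc1] = op1;
        m->d[dc2] = op2;
    }
    return false;
}

/* Failure case with Dc1 == Dc2 == D0: D0 matches neither operand, so the
 * compare fails and D0 receives whichever operand was stored last. */
uint32_t cas2l_shared_register_result(bool operand1_last)
{
    M68kModel m = {
        .d = { [0] = 0x11111111u, [1] = 0xAAAAAAAAu, [2] = 0xBBBBBBBBu },
        .mem = { 0x12345678u, 0x9ABCDEF0u },   /* operand 1, operand 2 */
    };
    cas2l(&m, 0, 0, 1, 2, operand1_last);
    return m.d[0];
}
```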
Commit: c8f7fdd1228269387d1821df2b43ce5df0412423
https://github.com/qemu/qemu/commit/c8f7fdd1228269387d1821df2b43ce5df0412423
Author: Laurent Vivier <[email protected]>
Date: 2026-01-12 (Mon, 12 Jan 2026)
Changed paths:
M target/m68k/cpu.c
M target/m68k/cpu.h
M target/m68k/translate.c
Log Message:
-----------
m68k: link.l is only available with 68020+
Base 68000 only supports word size.
Signed-off-by: Laurent Vivier <[email protected]>
Reviewed-by: Richard Henderson <[email protected]>
Reviewed-by: William Hooper <[email protected]>
Message-ID: <[email protected]>
Commit: cad529260a8503b79d76589f1427ee592e31a801
https://github.com/qemu/qemu/commit/cad529260a8503b79d76589f1427ee592e31a801
Author: William Hooper <[email protected]>
Date: 2026-01-12 (Mon, 12 Jan 2026)
Changed paths:
M target/m68k/helper.h
M target/m68k/op_helper.c
M target/m68k/translate.c
M tests/tcg/m68k/trap.c
Log Message:
-----------
target/m68k: Improve CHK and CHK2; implement CMP2
Some CHK2 (Check Register Against Bounds) instructions, such as opcode
02FA, cause spurious illegal instruction exceptions, despite being valid
on Motorola MC68020 and later processors and used in existing software.
With this patch, QEMU:
- Translates CHK2 and CMP2 (Compare Register Against Bounds)
instructions [1] having any valid size or effective address. CHK2 and
CMP2 use the same opcodes but differ in bit 11 of the extension word.
(BITREV or BYTEREV instructions for ColdFire family processors [2],
which use similar opcodes, are not captured, however.)
- Implements CMP2, which "is identical to CHK2 except that it sets
condition codes rather than taking an exception" [1].
- Populates the correct "logical address of the instruction following
the instruction that caused the trap" [3] in the exception stack frame
for CHK and CHK2 exceptions, according to the number of words in the
instruction, including extension words, rather than default lengths.
An existing test for CHK2 is enabled, and tests are added for CHK, CHK2,
and CMP2.
References:
[1] Motorola M68000 Family Programmer's Reference Manual (M68000PM/AD),
Rev. 1, 1992, pages 4-72 to 4-73 and 4-82 to 4-83.
[2] Freescale Semiconductor, ColdFire Family Programmer's Reference Manual
(CFPRM), Rev. 3, 2005, pages 4-19 and 4-26.
[3] Motorola M68040 User's Manual (M68040UM/AD), 1993, page 8-8.
Signed-off-by: William Hooper <[email protected]>
Reviewed-by: Laurent Vivier <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Laurent Vivier <[email protected]>
Commit: fe12f7c8a88c097134c9a885270154a52582f887
https://github.com/qemu/qemu/commit/fe12f7c8a88c097134c9a885270154a52582f887
Author: Paolo Bonzini <[email protected]>
Date: 2026-01-13 (Tue, 13 Jan 2026)
Changed paths:
M target/i386/tcg/cc_helper.c
M target/i386/tcg/emit.c.inc
Log Message:
-----------
target/i386/tcg: do not leave non-arithmetic flags in CC_SRC after PUSHF
The value that is pushed by PUSHF is the full EFLAGS, while CC_OP_EFLAGS
only wants arithmetic flags in CC_SRC. To avoid this, follow what other
helpers do and set CC_SRC/CC_OP directly in helper_read_eflags. This
is basically free and fixes an issue booting Windows 3.11.
Reported-by: Mark Cave-Ayland <[email protected]>
Fixes: e661e2d7a37 ("target/i386/tcg: update cc_op after PUSHF", 2025-12-27)
Signed-off-by: Paolo Bonzini <[email protected]>
Commit: df5c2ef7cd3ee3817c86b952e380dd56f563a6a1
https://github.com/qemu/qemu/commit/df5c2ef7cd3ee3817c86b952e380dd56f563a6a1
Author: Paolo Bonzini <[email protected]>
Date: 2026-01-13 (Tue, 13 Jan 2026)
Changed paths:
M target/i386/tcg/translate.c
Log Message:
-----------
target/i386/tcg: remove dead code
Remove dead code; it arose when I noticed that, because 0x3? opcodes do
have a pop, case 0x32 works just fine as fcomp (even though 0x?2 is fcom):
there is no need to hack the op to 0x03.
Reported by Coverity as CID 1643922.
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
Commit: 73dd6e4a36dd8d85548292f382a4d479e2810371
https://github.com/qemu/qemu/commit/73dd6e4a36dd8d85548292f382a4d479e2810371
Author: Paolo Bonzini <[email protected]>
Date: 2026-01-13 (Tue, 13 Jan 2026)
Changed paths:
M target/i386/tcg/decode-new.c.inc
M target/i386/tcg/decode-new.h
Log Message:
-----------
target/i386/tcg: do not mark all SSE instructions as unaligned
If the vex_special field was not initialized, it was considered to be
X86_VEX_SSEUnaligned (whose value was zero). Add a new value to
fix that.
Cc: [email protected]
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
Commit: 5e3572ef2e94608568b1a73eab9d382b250936eb
https://github.com/qemu/qemu/commit/5e3572ef2e94608568b1a73eab9d382b250936eb
Author: Paolo Bonzini <[email protected]>
Date: 2026-01-13 (Tue, 13 Jan 2026)
Changed paths:
M target/i386/ops_sse.h
M target/i386/tcg/emit.c.inc
M target/i386/tcg/ops_sse_header.h.inc
Log Message:
-----------
target/i386/tcg: mask addresses for VSIB
VSIB can have either 32-bit or 64-bit addresses; pass a constant mask to
the helper and apply it before the load.
Cc: [email protected]
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
Commit: ed88bdcfbdcf9d411607cd690f93f915feff6a5b
https://github.com/qemu/qemu/commit/ed88bdcfbdcf9d411607cd690f93f915feff6a5b
Author: Paolo Bonzini <[email protected]>
Date: 2026-01-13 (Tue, 13 Jan 2026)
Changed paths:
M target/i386/tcg/decode-new.c.inc
Log Message:
-----------
target/i386/tcg: allow VEX in 16-bit protected mode
VEX is only forbidden in real and vm86 mode; 16-bit protected mode supports
it for some unfathomable reason.
Cc: [email protected]
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
Commit: c7504ba2a560fd884557f6e5142f03b491aad0c7
https://github.com/qemu/qemu/commit/c7504ba2a560fd884557f6e5142f03b491aad0c7
Author: Vulnerability Report <[email protected]>
Date: 2026-01-13 (Tue, 13 Jan 2026)
Changed paths:
M hw/i386/kvm/xen_evtchn.c
Log Message:
-----------
hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq()
Reject pirq == s->nr_pirqs in xen_physdev_map_pirq().
Fixes: aa98ee38a5 ("hw/xen: Implement emulated PIRQ hypercall support")
Fixes: CVE-2026-0665
Reported-by: DARKNAVY (@DarkNavyOrg) <[email protected]>
Reviewed-by: David Woodhouse <[email protected]>
Signed-off-by: Vulnerability Report <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
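An added example, not QEMU's code, showing the off-by-one the commit fixes in the abstract: a guest-supplied PIRQ number indexes a table of `nr_pirqs` entries, so `pirq == nr_pirqs` is one past the end and must be rejected along with everything above it. The `PirqState` layout, the function names and the pre-fix shape of the check are assumptions for illustration.

```c
/* Added example (not QEMU code): guest-controlled index validation.
 * Table layout and names are constructed; the "buggy" check is the
 * assumed pre-fix shape that admits pirq == nr_pirqs. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

#define NR_PIRQS 8

typedef struct {
    uint16_t nr_pirqs;
    uint32_t gsi[NR_PIRQS];   /* nr_pirqs entries, valid indices 0..nr_pirqs-1 */
} PirqState;

/* Assumed pre-fix check: admits the one-past-the-end index.
 * Only reports the decision; it deliberately performs no table access. */
static bool pirq_accepted_buggy(const PirqState *s, uint32_t pirq)
{
    return pirq <= s->nr_pirqs;
}

/* Fixed check: any pirq >= nr_pirqs is out of range. */
static bool pirq_accepted_fixed(const PirqState *s, uint32_t pirq)
{
    return pirq < s->nr_pirqs;
}

/* Map a PIRQ to a GSI, validating the index before the table write.
 * Returns 0 on success or -EINVAL for an out-of-range request. */
int map_pirq(PirqState *s, uint32_t pirq, uint32_t gsi)
{
    if (!pirq_accepted_fixed(s, pirq)) {
        return -EINVAL;
    }
    s->gsi[pirq] = gsi;
    return 0;
}

/* Constructed state for demonstration. */
PirqState demo_state = { .nr_pirqs = NR_PIRQS };
```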
Commit: a24f045228271391b5c5064ebf049e1f50b6d712
https://github.com/qemu/qemu/commit/a24f045228271391b5c5064ebf049e1f50b6d712
Author: Zhao Liu <[email protected]>
Date: 2026-01-13 (Tue, 13 Jan 2026)
Changed paths:
M rust/Cargo.lock
Log Message:
-----------
rust: Update Cargo.lock
`cargo +nightly build` updates the Cargo.lock file.
Reported-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Zhao Liu <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Bonzini <[email protected]>
Commit: 9ac1aa8b79c7d88926731971f6e608ba6e023f70
https://github.com/qemu/qemu/commit/9ac1aa8b79c7d88926731971f6e608ba6e023f70
Author: Richard Henderson <[email protected]>
Date: 2026-01-15 (Thu, 15 Jan 2026)
Changed paths:
M target/m68k/cpu.c
M target/m68k/cpu.h
M target/m68k/helper.h
M target/m68k/op_helper.c
M target/m68k/translate.c
M tests/tcg/m68k/trap.c
Log Message:
-----------
Merge tag 'm68k-for-11.0-pull-request' of https://github.com/vivier/qemu-m68k
into staging
Pull request for M68K emulation (20250113)
# gpg: Signature made Tue 13 Jan 2026 09:02:40 PM AEDT
# gpg: using RSA key CD2F75DDC8E3A4DC2E4F5173F30C38BD3F2FBE3C
# gpg: issuer "[email protected]"
# gpg: Good signature from "Laurent Vivier <[email protected]>" [unknown]
# gpg: aka "Laurent Vivier <[email protected]>" [unknown]
# gpg: aka "Laurent Vivier (Red Hat) <[email protected]>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F 5173 F30C 38BD 3F2F BE3C
* tag 'm68k-for-11.0-pull-request' of https://github.com/vivier/qemu-m68k:
target/m68k: Improve CHK and CHK2; implement CMP2
m68k: link.l is only available with 68020+
m68k: fix CAS2 writeback when Dc1==Dc2
Signed-off-by: Richard Henderson <[email protected]>
Commit: 4cfa1ce0365f56832f46ed8a82d8bd954d16be11
https://github.com/qemu/qemu/commit/4cfa1ce0365f56832f46ed8a82d8bd954d16be11
Author: Richard Henderson <[email protected]>
Date: 2026-01-15 (Thu, 15 Jan 2026)
Changed paths:
M hw/i386/kvm/xen_evtchn.c
M rust/Cargo.lock
M target/i386/ops_sse.h
M target/i386/tcg/cc_helper.c
M target/i386/tcg/decode-new.c.inc
M target/i386/tcg/decode-new.h
M target/i386/tcg/emit.c.inc
M target/i386/tcg/ops_sse_header.h.inc
M target/i386/tcg/translate.c
Log Message:
-----------
Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging
* target/i386/tcg fixes
* hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq()
# gpg: Signature made Tue 13 Jan 2026 08:54:42 PM AEDT
# gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg: issuer "[email protected]"
# gpg: Good signature from "Paolo Bonzini <[email protected]>" [unknown]
# gpg: aka "Paolo Bonzini <[email protected]>" [unknown]
# gpg: WARNING: The key's User ID is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* tag 'for-upstream' of https://gitlab.com/bonzini/qemu:
rust: Update Cargo.lock
hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq()
target/i386/tcg: allow VEX in 16-bit protected mode
target/i386/tcg: mask addresses for VSIB
target/i386/tcg: do not mark all SSE instructions as unaligned
target/i386/tcg: remove dead code
target/i386/tcg: do not leave non-arithmetic flags in CC_SRC after PUSHF
Signed-off-by: Richard Henderson <[email protected]>
Compare: https://github.com/qemu/qemu/compare/d03c3e522eb0...4cfa1ce0365f