Commit a824f3531a for qemu.org

commit a824f3531a44cbd19bcd9dd0ca48e5805c781e02
Author: Peter Maydell <peter.maydell@linaro.org>
Date:   Fri May 1 17:26:34 2026 +0100

    hw/i2c/microbit_i2c: Don't index off end of twi_read_sequence[]

    If the guest tries to read more bytes from our fake stub I2C device
    than we have provided, we incorrectly read one byte beyond the end of
    this array. Avoid this, and instead keep reporting the RXD register
    as containing the last byte of the "data transfer".

    Cc: qemu-stable@nongnu.org
    Fixes: 9d68bf564ec ("arm: Stub out NRF51 TWI magnetometer/accelerometer detection")
    Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3408
    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
    Message-ID: <20260501162634.4092394-1-peter.maydell@linaro.org>
    Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

diff --git a/hw/i2c/microbit_i2c.c b/hw/i2c/microbit_i2c.c
index 2291d6370e..d9689b6f1a 100644
--- a/hw/i2c/microbit_i2c.c
+++ b/hw/i2c/microbit_i2c.c
@@ -41,8 +41,13 @@ static uint64_t microbit_i2c_read(void *opaque, hwaddr addr, unsigned int size)
         data = 0x01;
         break;
     case NRF51_TWI_REG_RXD:
+        /*
+         * Return the next byte from our fake data sequence. If
+         * the guest keeps reading the register after that, keep
+         * returning the same last byte value.
+         */
         data = twi_read_sequence[s->read_idx];
-        if (s->read_idx < G_N_ELEMENTS(twi_read_sequence)) {
+        if (s->read_idx + 1 < G_N_ELEMENTS(twi_read_sequence)) {
             s->read_idx++;
         }
         break;