Dev news

Commit d107b74807 for qemu.org

commit d107b748072cea3f86089a4a7b2e83f1a62745f2
Author: Alistair Francis <alistair.francis@wdc.com>
Date:   Thu Apr 16 09:37:37 2026 +1000

    target/riscv: Generate access fault if sc comparison fails

    The RISC-V spec states:

    "For the purposes of memory protection, a failed SC.W may be treated
    like a store."

    So if the comparison in sc.w fails we should still check for alignment
    and do a probe access to check permissions.

    Cc: qemu-stable@nongnu.org
    Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3323
    Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3136
    Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
    Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
    Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
    Message-ID: <20260415233740.3027321-2-alistair.francis@wdc.com>
    Signed-off-by: Alistair Francis <alistair.francis@wdc.com>

diff --git a/target/riscv/helper.h b/target/riscv/helper.h
index 54d2331966..36cdacfb0e 100644
--- a/target/riscv/helper.h
+++ b/target/riscv/helper.h
@@ -1351,3 +1351,6 @@ DEF_HELPER_4(vsm4r_vs, void, ptr, ptr, env, i32)
 #ifndef CONFIG_USER_ONLY
 DEF_HELPER_1(ssamoswap_disabled, void, env)
 #endif
+
+/* Zalrsc SC write probe */
+DEF_HELPER_FLAGS_3(sc_probe_write, TCG_CALL_NO_WG, void, env, tl, tl)
diff --git a/target/riscv/insn_trans/trans_rva.c.inc b/target/riscv/insn_trans/trans_rva.c.inc
index a7a3278d24..62c0fe673d 100644
--- a/target/riscv/insn_trans/trans_rva.c.inc
+++ b/target/riscv/insn_trans/trans_rva.c.inc
@@ -90,6 +90,12 @@ static bool gen_sc(DisasContext *ctx, arg_atomic *a, MemOp mop)
      */
     TCGBar bar_strl = (ctx->ztso || a->rl) ? TCG_BAR_STRL : 0;
     tcg_gen_mb(TCG_MO_ALL + a->aq * TCG_BAR_LDAQ + bar_strl);
+    /*
+     * "For the purposes of memory protection, a failed SC.W may be treated
+     * like a store." so let's check the write access permissions
+     */
+    gen_helper_sc_probe_write(tcg_env, src1,
+                              tcg_constant_tl(memop_size(mop)));
     gen_set_gpr(ctx, a->rd, tcg_constant_tl(1));

     gen_set_label(l2);
diff --git a/target/riscv/op_helper.c b/target/riscv/op_helper.c
index dde40a5549..81873014cb 100644
--- a/target/riscv/op_helper.c
+++ b/target/riscv/op_helper.c
@@ -267,6 +267,20 @@ void helper_cbo_inval(CPURISCVState *env, target_ulong address)
     /* We don't emulate the cache-hierarchy, so we're done. */
 }

+void helper_sc_probe_write(CPURISCVState *env, target_ulong addr,
+                           target_ulong size)
+{
+    uintptr_t ra = GETPC();
+    int mmu_idx = riscv_env_mmu_index(env, false);
+
+    if (addr & (size - 1)) {
+        env->badaddr = addr;
+        riscv_raise_exception(env, RISCV_EXCP_STORE_AMO_ADDR_MIS, ra);
+    }
+
+    probe_write(env, addr, size, mmu_idx, ra);
+}
+
 #ifndef CONFIG_USER_ONLY

 target_ulong helper_sret(CPURISCVState *env)