Commit 13c2fc34f1 for qemu.org
commit 13c2fc34f18491c7b74451cc64e91139bc5db272
Author: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Date: Sat Jun 27 16:46:40 2026 -0300
hw/riscv/riscv-iommu: check DC.TC reserved bits
We are not checking for reserved TC bits being set during device context
validation.
Fixes: 0c54acb8243d ("hw/riscv: add RISC-V IOMMU base emulation")
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3548
Signed-off-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20260627194640.4130073-1-daniel.barboza@oss.qualcomm.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
diff --git a/hw/riscv/riscv-iommu-bits.h b/hw/riscv/riscv-iommu-bits.h
index a938fd3eb4..f9b6f35170 100644
--- a/hw/riscv/riscv-iommu-bits.h
+++ b/hw/riscv/riscv-iommu-bits.h
@@ -308,6 +308,9 @@ struct riscv_iommu_dc {
#define RISCV_IOMMU_DC_IOHGATP_GSCID GENMASK_ULL(59, 44)
#define RISCV_IOMMU_DC_IOHGATP_MODE RISCV_IOMMU_ATP_MODE_FIELD
+#define RISCV_IOMMU_DC_TC_RESERVED (GENMASK_ULL(23, 12) \
+ | GENMASK_ULL(63, 32))
+
enum riscv_iommu_dc_iohgatp_modes {
RISCV_IOMMU_DC_IOHGATP_MODE_BARE = 0,
RISCV_IOMMU_DC_IOHGATP_MODE_SV32X4 = 8,
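Review bot: The new `RISCV_IOMMU_DC_TC_RESERVED` define carries no comment explaining why bits 31:24 are left out of the mask, so a later reader could take the gap for an oversight and widen it. If the omission is deliberate (as far as I recall, the IOMMU specification sets that range aside for custom use, which should be confirmed against the spec text), say so next to the define, for example `/* DC.TC reserved bits: 23:12 and 63:32. Bits 31:24 are not reserved (custom use) and are deliberately not checked. */`. A comment like this also makes clear that the mask must shrink whenever a new TC flag is defined in the 23:12 range.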
diff --git a/hw/riscv/riscv-iommu.c b/hw/riscv/riscv-iommu.c
index c9687e01a8..c2c470b5df 100644
--- a/hw/riscv/riscv-iommu.c
+++ b/hw/riscv/riscv-iommu.c
@@ -752,6 +752,10 @@ static bool riscv_iommu_validate_device_ctx(RISCVIOMMUState *s,
uint32_t fsc_mode, msi_mode;
uint64_t gatp;
+ if (ctx->tc & RISCV_IOMMU_DC_TC_RESERVED) {
+ return false;
+ }
+
if (!(s->cap & RISCV_IOMMU_CAP_ATS) &&
(ctx->tc & RISCV_IOMMU_DC_TC_EN_ATS ||
ctx->tc & RISCV_IOMMU_DC_TC_EN_PRI ||
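Review bot: The added guard at the top of `riscv_iommu_validate_device_ctx()` rejects reserved bits in `ctx->tc` only, while the device context is read from guest-written memory and its other fields are presumably subject to the same reserved-bits rule. The function body continues outside this hunk, so I cannot tell whether those fields are already covered. If they are not, the same pattern should be applied to them here, ahead of the capability-dependent checks, so that no field is interpreted before its reserved bits are known to be zero. A one-line comment above the new test would record the intent, for example `/* DC comes from guest memory: reject reserved TC bits before any TC flag is interpreted */`. A qtest that sets one bit in 23:12 and one in 63:32 and expects the context to be refused would keep the mask from regressing.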