Commit 3cee183ff9 for qemu.org

commit 3cee183ff9a1a644fcc027ce2751276a5525b123
Author: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Date:   Fri Jun 26 19:05:29 2026 -0300

    hw/riscv/riscv-iommu.c: fix MSI MRIF interrupt-pending offset

    We're doing a wrong shift when calculating the offset for the
    interrupt-pending bits, off by one right shift order.

    This went undercover for awhile because the calculation works for
    interrupt entities 1 to 63.  The math goes wrong when using interrupt
    entities 64 or greater.

    Instead of fixing the issue and running we're also adding some notes
    on where this calc comes from.

    Fixes: 0c54acb8243d ("hw/riscv: add RISC-V IOMMU base emulation")
    Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3561
    Signed-off-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
    Acked-by: Alistair Francis <alistair.francis@wdc.com>
    Message-ID: <20260626220529.3800372-1-daniel.barboza@oss.qualcomm.com>
    Signed-off-by: Alistair Francis <alistair.francis@wdc.com>

diff --git a/hw/riscv/riscv-iommu.c b/hw/riscv/riscv-iommu.c
index c65e273dbb..01f5634f04 100644
--- a/hw/riscv/riscv-iommu.c
+++ b/hw/riscv/riscv-iommu.c
@@ -686,7 +686,26 @@ static MemTxResult riscv_iommu_msi_write(RISCVIOMMUState *s,

     /* MRIF pending bit address */
     addr = get_field(pte[0], RISCV_IOMMU_MSI_PTE_MRIF_ADDR) << 9;
-    addr = addr | ((data & 0x7c0) >> 3);
+    /*
+     * AIA spec section "Format of a memory-resident interrupt file":
+     * address offset 0x000 contains interrupt-pending bits for
+     * identities 1-63, offfset 0x010 for identities 64-127, and
+     * so it goes up to 0x1F0 for identities 1984-2047.
+     *
+     * Hence each batch of identities advances offset by 16 (0x010)
+     * for every interrupt-pending bits.  This means that doing
+     * (data & 0x7c0) will filter out the first 6 bits, then
+     * a >> 2 will turn the result in the 0x10 steps we need.
+     *
+     * E.g:
+     *
+     * - (1-63 & 0x7c0) = 0, 0 >> 2 = 0, offset 0x000
+     * - (64-127 & 0x7c0) = 64, 64 >> 2 = 16, offset 0x010
+     * - (128-191 & 0x7c0) = 128, 128 >> 2 = 32, offset 0x020
+     *
+     * and so on.
+     */
+    addr = addr | ((data & 0x7c0) >> 2);

     trace_riscv_iommu_msi(s->parent_obj.id, PCI_BUS_NUM(ctx->devid),
                           PCI_SLOT(ctx->devid), PCI_FUNC(ctx->devid),