Commit fa2cf74883 for qemu.org

commit fa2cf7488379d9b14041a7bcd76867c9bdad2b5e
Author: Inochi Amaoto <inochiama@gmail.com>
Date:   Mon Jun 22 19:34:01 2026 +0800

    target/riscv: Check PMP before updating PTE

    According to the RISC-V spec, the PTE update is a supervisor write
    operations, and it should also follow the CPU PMP configuration like
    the PTE read.

    Cc: qemu-stable@nongnu.org
    Signed-off-by: Inochi Amaoto <inochiama@gmail.com>
    Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
    Message-ID: <20260622113402.563196-1-inochiama@gmail.com>
    Signed-off-by: Alistair Francis <alistair.francis@wdc.com>

diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 59edcdd370..2db07f5dfb 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -1655,10 +1655,18 @@ static int get_physical_address(CPURISCVState *env, hwaddr *physical,

     /* Page table updates need to be atomic with MTTCG enabled */
     if (updated_pte != pte && !is_debug) {
+        int pmp_prot, pmp_ret;
+
         if (!adue) {
             return TRANSLATE_FAIL;
         }

+        pmp_ret = get_physical_address_pmp(env, &pmp_prot, pte_addr,
+                                           sxlen_bytes, MMU_DATA_STORE, PRV_S);
+        if (pmp_ret != TRANSLATE_SUCCESS) {
+            return TRANSLATE_PMP_FAIL;
+        }
+
         /*
          * - if accessed or dirty bits need updating, and the PTE is
          *   in RAM, then we do so atomically with a compare and swap.