Title versal/efuse: valid MMIO write aborts on a bad owner cast Version commit: 2339d0a1 tag: v10.2.0-690-g2339d0a1cf version: v10.2.0-690-g2339d0a1cf-dirty Device and source file hw/nvram/xlnx-versal-efuse-ctrl.c (`xlnx-versal-efuse-ctrl`) After starting the board, `info mtree -f` shows the accessed register in `0xf1240000-0xf1240103` (`xlnx-versal-efuse`), so the access at `0xf1240004` is in-range. Description of problem This is the same ownership-pattern bug as the ZynqMP eFuse issue, just in a different device. `efuse_ctrl_reg_write()` recovers the device object from `reg_array->mem.owner`, but `register_init_block32()` created the backing `MemoryRegion` with `OBJECT(r_array)` as the owner. So the first valid MMIO write does not reach the register semantics at all. It aborts during the QOM cast. Key code: ```c /* hw/nvram/xlnx-versal-efuse-ctrl.c */ static void efuse_ctrl_reg_write(void *opaque, hwaddr addr, uint64_t data, unsigned size) { RegisterInfoArray *reg_array = opaque; Object *dev; dev = reg_array->mem.owner; assert(dev); s = XLNX_VERSAL_EFUSE_CTRL(dev); ... } /* hw/core/register.c */ r->opaque = owner; memory_region_init_io(&r_array->mem, OBJECT(r_array), ops, r_array, device_prefix, memory_size); ``` Root cause analysis Input source: legal guest MMIO write to the Versal eFuse control register space. Missing validation: the write path reconstructs the device from `reg_array->mem.owner`, which is not the device object. Bug class: invalid object cast / host abort. Impact: a single register write kills QEMU before any device logic runs. Steps to Reproduce Configuration ```bash ./configure --target-list=aarch64-softmmu --enable-debug --disable-strip make -j"$(nproc)" ``` Reproducer (qtest) With the runtime layout confirmed first, this is the qtest sequence I used: ```bash cat <<'EOF' | ./qemu-system-aarch64 -audio none -display none -machine accel=qtest -M amd-versal-virt -nographic -monitor none -serial none -nodefaults -qtest stdio writel 0xf1240004 0x00000000 EOF ``` Observed output (excerpt) ```text [I 0.000001] OPENED [R +0.222801] writel 0xf1240004 0x00000000 /home/ubuntu/qemu_bug/qemu-2339d0a1cfac6ecc667e6e062a593865c1541c35/include/hw/nvram/xlnx-versal-efuse.h:35:XLNX_VERSAL_EFUSE_CTRL: Object 0x5fb3f1071800 is not an instance of type xlnx-versal-efuse [local] exit code: -6 ``` Note I also checked a read from the same register block. The read returns normally; the write crashes immediately.