From: Brian Cain
To: qemu-devel@nongnu.org
Cc: brian.cain@oss.qualcomm.com, ltaylorsimpson@gmail.com, alex@alexrp.com, Brian Cain, Pierrick Bouvier, Laurent Vivier
Subject: [PATCH v3 1/4] target/hexagon: Fix invalid duplex decoding
Date: Tue, 10 Feb 2026 05:33:51 -0800
Message-Id: <20260210133355.16093-2-brian.cain@oss.qualcomm.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20260210133355.16093-1-brian.cain@oss.qualcomm.com>
References: <20260210133355.16093-1-brian.cain@oss.qualcomm.com>
When decoding a duplex instruction, if the slot0 sub-instruction fails to decode after slot1 succeeds, QEMU was leaving the packet in a partially-decoded state. This allowed invalid duplex encodings (where one sub-instruction doesn't match any valid pattern) to be executed incorrectly.

Fix by resetting the decoder state when slot0 fails, returning an empty instruction that triggers an exception.

Add gen_exception_decode_fail() for raising exceptions when decode fails before ctx->next_PC is initialized. This keeps gen_exception_end_tb() semantics unchanged (it continues to use ctx->next_PC for the exception PC after successful decode).
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3291 Signed-off-by: Brian Cain Reviewed-by: Pierrick Bouvier Reviewed-by: Taylor Simpson --- linux-user/hexagon/cpu_loop.c | 4 ++ target/hexagon/decode.c | 13 ++++- target/hexagon/translate.c | 18 ++++++- tests/tcg/hexagon/invalid-encoding.c | 81 ++++++++++++++++++++++++++++ tests/tcg/hexagon/Makefile.target | 1 + 5 files changed, 113 insertions(+), 4 deletions(-) create mode 100644 tests/tcg/hexagon/invalid-encoding.c diff --git a/linux-user/hexagon/cpu_loop.c b/linux-user/hexagon/cpu_loop.c index 1941f4c9c1..c0e1098e3f 100644 --- a/linux-user/hexagon/cpu_loop.c +++ b/linux-user/hexagon/cpu_loop.c @@ -64,6 +64,10 @@ void cpu_loop(CPUHexagonState *env) force_sig_fault(TARGET_SIGBUS, TARGET_BUS_ADRALN, env->gpr[HEX_REG_R31]); break; + case HEX_CAUSE_INVALID_PACKET: + force_sig_fault(TARGET_SIGILL, TARGET_ILL_ILLOPC, + env->gpr[HEX_REG_PC]); + break; case EXCP_ATOMIC: cpu_exec_step_atomic(cs); break; diff --git a/target/hexagon/decode.c b/target/hexagon/decode.c index b5ece60450..69ba1ec96c 100644 --- a/target/hexagon/decode.c +++ b/target/hexagon/decode.c @@ -509,8 +509,14 @@ decode_insns(DisasContext *ctx, Insn *insn, uint32_t e= ncoding) insn->iclass =3D iclass_bits(encoding); return 2; } + /* + * Slot0 decode failed after slot1 succeeded. This is an inval= id + * duplex encoding (both sub-instructions must be valid). + */ + ctx->insn =3D --insn; } - g_assert_not_reached(); + /* Invalid duplex encoding - return 0 to signal failure */ + return 0; } } =20 @@ -674,7 +680,10 @@ int decode_packet(DisasContext *ctx, int max_words, co= nst uint32_t *words, encoding32 =3D words[words_read]; end_of_packet =3D is_packet_end(encoding32); new_insns =3D decode_insns(ctx, insn, encoding32); - g_assert(new_insns > 0); + if (new_insns =3D=3D 0) { + /* Invalid instruction encoding */ + return 0; + } /* * If we saw an extender, mark next word extended so immediate * decode works 
diff --git a/target/hexagon/translate.c b/target/hexagon/translate.c index e88e19cc1a..7fe8b35351 100644 --- a/target/hexagon/translate.c +++ b/target/hexagon/translate.c @@ -195,7 +195,21 @@ static void gen_exception_end_tb(DisasContext *ctx, in= t excp) tcg_gen_movi_tl(hex_gpr[HEX_REG_PC], ctx->next_PC); gen_exception_raw(excp); ctx->base.is_jmp =3D DISAS_NORETURN; +} =20 +/* + * Generate exception for decode failures. Unlike gen_exception_end_tb, + * this is used when decode fails before ctx->next_PC is initialized. + */ +static void gen_exception_decode_fail(DisasContext *ctx, int nwords, int e= xcp) +{ + target_ulong fail_pc =3D ctx->base.pc_next + nwords * sizeof(uint32_t); + + gen_exec_counters(ctx); + tcg_gen_movi_tl(hex_gpr[HEX_REG_PC], fail_pc); + gen_exception_raw(excp); + ctx->base.is_jmp =3D DISAS_NORETURN; + ctx->base.pc_next =3D fail_pc; } =20 static int read_packet_words(CPUHexagonState *env, DisasContext *ctx, @@ -935,7 +949,7 @@ static void decode_and_translate_packet(CPUHexagonState= *env, DisasContext *ctx) =20 nwords =3D read_packet_words(env, ctx, words); if (!nwords) { - gen_exception_end_tb(ctx, HEX_CAUSE_INVALID_PACKET); + gen_exception_decode_fail(ctx, 0, HEX_CAUSE_INVALID_PACKET); return; } =20 @@ -950,7 +964,7 @@ static void decode_and_translate_packet(CPUHexagonState= *env, DisasContext *ctx) gen_commit_packet(ctx); ctx->base.pc_next +=3D pkt.encod_pkt_size_in_bytes; } else { - gen_exception_end_tb(ctx, HEX_CAUSE_INVALID_PACKET); + gen_exception_decode_fail(ctx, nwords, HEX_CAUSE_INVALID_PACKET); } } =20 diff --git a/tests/tcg/hexagon/invalid-encoding.c b/tests/tcg/hexagon/inval= id-encoding.c new file mode 100644 index 0000000000..010a5eb741 --- /dev/null +++ b/tests/tcg/hexagon/invalid-encoding.c 
@@ -0,0 +1,81 @@ +/* + * Test that invalid instruction encodings are properly rejected. + * + * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries. + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include +#include +#include +#include +#include +#include + +static void *resume_pc; + +static void handle_sigill(int sig, siginfo_t *info, void *puc) +{ + ucontext_t *uc =3D (ucontext_t *)puc; + + if (sig !=3D SIGILL) { + _exit(EXIT_FAILURE); + } + + uc->uc_mcontext.r0 =3D SIGILL; + uc->uc_mcontext.pc =3D (unsigned long)resume_pc; +} + +/* + * Each test function: + * - Sets r0 to something other than SIGILL + * - Stores the resume address into resume_pc + * - Executes the invalid encoding + * - The handler sets r0 =3D SIGILL and resumes after the faulting packet + * - Returns the value in r0 + */ + +/* + * Invalid duplex encoding (issue #3291): + * - Word 0: 0x0fff6fff =3D immext(#0xfffbffc0), parse bits =3D 01 + * - Word 1: 0x600237b0 =3D duplex with: + * - slot0 =3D 0x17b0 (invalid S2 subinstruction encoding) + * - slot1 =3D 0x0002 (valid SA1_addi) + * - duplex iclass =3D 7 (S2 for slot0, A for slot1) + * + * Since slot0 doesn't decode to any valid S2 subinstruction, this packet + * should be rejected and raise SIGILL. + */ +static int test_invalid_duplex(void) +{ + int sig; + + asm volatile( + "r0 =3D #0\n" + "r1 =3D ##1f\n" + "memw(%1) =3D r1\n" + ".word 0x0fff6fff\n" /* immext(#0xfffbffc0), parse=3D01 */ + ".word 0x600237b0\n" /* duplex: slot0=3D0x17b0 (invalid) */ + "1:\n" + "%0 =3D r0\n" + : "=3Dr"(sig) + : "r"(&resume_pc) + : "r0", "r1", "memory"); + + return sig; +} + +int main() +{ + struct sigaction act; + + memset(&act, 0, sizeof(act)); + act.sa_sigaction =3D handle_sigill; + act.sa_flags =3D SA_SIGINFO; + assert(sigaction(SIGILL, &act, NULL) =3D=3D 0); + + assert(test_invalid_duplex() =3D=3D SIGILL); + + puts("PASS"); + return EXIT_SUCCESS; +} 
diff --git a/tests/tcg/hexagon/Makefile.target b/tests/tcg/hexagon/Makefile= .target index e5182c01d8..16669e04a8 100644 --- a/tests/tcg/hexagon/Makefile.target +++ b/tests/tcg/hexagon/Makefile.target @@ -51,6 +51,7 @@ HEX_TESTS +=3D scatter_gather HEX_TESTS +=3D hvx_misc HEX_TESTS +=3D hvx_histogram HEX_TESTS +=3D invalid-slots +HEX_TESTS +=3D invalid-encoding HEX_TESTS +=3D unaligned_pc =20 run-and-check-exception =3D $(call run-test,$2,$3 2>$2.stderr; \ --=20 2.34.1
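Review bot: in the new HEX_CAUSE_INVALID_PACKET case of linux-user/hexagon/cpu_loop.c, the si_addr passed to force_sig_fault is env->gpr[HEX_REG_PC], which the translate.c change sets to ctx->base.pc_next + nwords * sizeof(uint32_t), i.e. the address just past the rejected packet (only the read_packet_words failure path, which passes nwords = 0, reports the packet start). A SIGILL handler normally expects si_addr to identify the faulting instruction, so either pass the packet's start address here or add a comment on this case stating that the reported address is the end of the rejected packet.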
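Review bot: in the decode_insns hunk of target/hexagon/decode.c, `ctx->insn = --insn;` folds the rewind of the caller-visible pointer and the side effect on the parameter into one statement; prefer `insn--; ctx->insn = insn;` and extend the comment to say that slot1's already-filled Insn entry is deliberately abandoned because the function returns 0 and the caller discards the packet. The commit message still describes this as "returning an empty instruction", which no longer matches the hunk's "return 0 to signal failure".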
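Review bot: in the decode_packet hunk of target/hexagon/decode.c, the early `return 0` turns what was an assertion into a documented failure return, so the one-line comment "Invalid instruction encoding" should also state that pkt is left partially populated (words_read and the earlier insns have already been written) and must not be used by the caller; the only caller visible in translate.c relies solely on the 0 return, which is fine, but the contract should be written down at the function.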
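Review bot: the doc comment on gen_exception_decode_fail in target/hexagon/translate.c should explain the PC it reports: fail_pc is ctx->base.pc_next plus the words consumed, so the guest sees an exception PC past the failing packet and a signal handler that returns without editing pc resumes at the following packet; it should also say why ctx->base.pc_next is advanced to fail_pc after setting is_jmp = DISAS_NORETURN (so the translation block accounts for the rejected words). If the intent is instead to report the start of the failing packet, the nwords parameter can be dropped.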
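Review bot: the two call sites in decode_and_translate_packet now report different PCs: the read_packet_words failure passes nwords = 0 (PC of the packet start), while the decode_packet failure passes nwords (PC past the packet). If that asymmetry is deliberate, a one-line comment at the `!nwords` call site saying that no packet length is known there would make it clear to the next reader.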
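Review bot: handle_sigill in tests/tcg/hexagon/invalid-encoding.c ignores its siginfo_t argument, so the test does not verify what the cpu_loop.c hunk now reports; add a check that info->si_code == ILL_ILLOPC and store info->si_addr so main() can assert it against the expected address (the packet start or the word after it, whichever the cpu_loop.c change intends), which would also pin down the PC semantics discussed in the commit message. Minor: `int main()` should be `int main(void)`.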