This series adds emulation of the FlexCAN CAN controller, version 2,
found in NXP i.MX6 series SoCs. The controller is integrated into
fsl-imx6 and the Sabrelite ARM board.

The chip has two FlexCAN controllers, but the Linux Sabrelite
device tree enables only one by default. Linux kernel with both
controllers enabled has been tested to work properly (using a custom
device tree).
See docs/system/devices/can.rst for an example of QEMU command line
invocation.

More information about the implementation can be found in my bachelor
thesis [1].

Changes from v3:
- corrected attribution for definitions borrowed from the Linux kernel
- rebased onto latest master
- Link to v3: https://lore.kernel.org/qemu-devel/cover.1777571962.git.matyas.bobek@gmail.com/

Changes from v2 to v3:
- moved variable declarations to the top-of-the-block
- cleanup
- removed redundant license boilerplate
- rebased onto latest master
- Link to v2: https://lore.kernel.org/qemu-devel/cover.1773866323.git.matyas.bobek@gmail.com/

Changes from v1 to v2:
- removed DPRINTF (turned into traces or guest errors)
- removed gotos and unnecessary continues
- register memory region shortened to actual length w/o padding
- make flexcan_* fns private
- used DEVICE(s)->canonical_path instead of allocating new strings
- changed DEVICE_NATIVE_ENDIAN to DEVICE_LITTLE_ENDIAN
- removed ugly USE macro
- used enums instead of define sequences in flexcan.c
- fixed FlexCAN KConfig conf (fixes build on non-arm-softmmu)
- fixed style and other issues from Bernhard's review
- better wording in docs
- rebased onto latest master
- Link to v1: https://lore.kernel.org/qemu-devel/cover.1765826753.git.matyas.bobek@gmail.com

Thanks Bernhard Beschow for the review and his patience.
I borrowed some fixes from his flexcan branch at [2].

[1] http://dspace.cvut.cz/bitstream/handle/10467/122654/F3-BP-2025-Bobek-Matyas-BP_Bobek_FlexCAN_final_4.pdf
[2] https://github.com/shentok/qemu/tree/flexcan

Matyáš Bobek (7):
  hw/arm/sabrelite: Open code DEFINE_MACHINE_ARM
  hw/arm/sabrelite: Introduce class SabreliteMachineState
  hw/misc/imx6_ccm: Add PLL3 and CAN clock
  hw/net/can/flexcan: NXP FlexCAN core emulation
  hw/arm: Plug FlexCAN into FSL_IMX6 and Sabrelite
  tests: Add qtests for FlexCAN
  docs/arm/sabrelite: Mention FlexCAN support

 MAINTAINERS                   |    9 +
 docs/system/arm/sabrelite.rst |    1 +
 docs/system/devices/can.rst   |   24 +
 hw/arm/Kconfig                |    1 +
 hw/arm/fsl-imx6.c             |   29 +
 hw/arm/sabrelite.c            |   68 +-
 hw/misc/imx6_ccm.c            |   24 +
 hw/misc/trace-events          |    2 +
 hw/net/Kconfig                |    5 +
 hw/net/can/flexcan.c          | 1395 +++++++++++++++++++++++++++++++++
 hw/net/can/flexcan_regs.h     |  196 +++++
 hw/net/can/meson.build        |    1 +
 hw/net/can/trace-events       |   18 +
 include/hw/arm/fsl-imx6.h     |    6 +
 include/hw/misc/imx6_ccm.h    |    4 +
 include/hw/misc/imx_ccm.h     |    1 +
 include/hw/net/flexcan.h      |  144 ++++
 tests/qtest/flexcan-test.c    |  421 ++++++++++
 tests/qtest/meson.build       |    1 +
 19 files changed, 2340 insertions(+), 10 deletions(-)
 create mode 100644 hw/net/can/flexcan.c
 create mode 100644 hw/net/can/flexcan_regs.h
 create mode 100644 include/hw/net/flexcan.h
 create mode 100644 tests/qtest/flexcan-test.c

-- 
2.54.0

On Thu, 28 May 2026 at 18:17, Matyáš Bobek <matyas.bobek@gmail.com> wrote:
>
> This series adds emulation of the FlexCAN CAN controller, version 2,
> found in NXP i.MX6 series SoCs. The controller is integrated into
> fsl-imx6 and the Sabrelite ARM board.
>
> The chip has two FlexCAN controllers, but the Linux Sabrelite
> device tree enables only one by default. Linux kernel with both
> controllers enabled has been tested to work properly (using a custom
> device tree).
> See docs/system/devices/can.rst for an example of QEMU command line
> invocation.

If I run "make check" under a build with the clang sanitizers
enabled, the test fails with an array out of bounds access:

test:         qtest+qtest-arm - qemu:qtest-arm/flexcan-test
start time:   08:46:34
duration:     3.22s
result:       killed by signal 6 SIGABRT
command:      QTEST_QEMU_STORAGE_DAEMON_BINARY=./storage-daemon/qemu-storage-daemon
QTEST_QEMU_VNC_BINARY=./tools/qemu-vnc/qemu-vnc MESON_TEST_ITERATION=1
MSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1
QTEST_QEMU_BINARY=./qemu-system-arm RUST_BACKTRACE=1
PYTHON=/home/pm215/qemu/build/arm-clang/pyvenv/bin/python3
MALLOC_PERTURB_=136
UBSAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1:print_stacktrace=1
G_TEST_DBUS_DAEMON=/home/pm215/qemu/tests/dbus-daemon.sh
QTEST_QEMU_IMG=./qemu-img
ASAN_OPTIONS=halt_on_error=1:abort_on_error=1:print_summary=1
/home/pm215/qemu/build/arm-clang/tests/qtest/flexcan-test --tap -k
----------------------------------- stdout -----------------------------------
TAP version 13
# random seed: R02S02bc6ca307d8afe2f7478a86cd8f0c6a
1..5
# Start of arm tests
# Start of net tests
# Start of flexcan tests
# starting QEMU: exec ./qemu-system-arm -qtest
unix:/tmp/qtest-3845367.sock -qtest-log /dev/null -chardev
socket,path=/tmp/qtest-3845367.qmp,id=char0 -mon
chardev=char0,mode=control -display none -audio none -run-with
exit-with-parent=on -nographic -M sabrelite -object can-bus,id=qcan0
-machine canbus0=qcan0 -machine canbus1=qcan0  -accel qtest
ok 1 /arm/net/flexcan/linux_probe
# starting QEMU: exec ./qemu-system-arm -qtest
unix:/tmp/qtest-3845367.sock -qtest-log /dev/null -chardev
socket,path=/tmp/qtest-3845367.qmp,id=char0 -mon
chardev=char0,mode=control -display none -audio none -run-with
exit-with-parent=on -nographic -M sabrelite -object can-bus,id=qcan0
-machine canbus0=qcan0 -machine canbus1=qcan0  -accel qtest
ok 2 /arm/net/flexcan/freeze_disable_interaction
# starting QEMU: exec ./qemu-system-arm -qtest
unix:/tmp/qtest-3845367.sock -qtest-log /dev/null -chardev
socket,path=/tmp/qtest-3845367.qmp,id=char0 -mon
chardev=char0,mode=control -display none -audio none -run-with
exit-with-parent=on -nographic -M sabrelite -object can-bus,id=qcan0
-machine canbus0=qcan0 -machine canbus1=qcan0  -accel qtest
----------------------------------- stderr -----------------------------------
../../hw/net/can/flexcan.c:305:24: runtime error: index 80 out of
bounds for type 'FlexcanRegsMessageBuffer[64]' (aka 'struct
FlexcanRegsMessageBuffer[64]')
    #0 0x5b5c6378e3c9 in flexcan_get_last_enabled_mailbox
/home/pm215/qemu/build/arm-clang/../../hw/net/can/flexcan.c:305:24
    #1 0x5b5c6378a9a1 in flexcan_mb_write
/home/pm215/qemu/build/arm-clang/../../hw/net/can/flexcan.c:700:30
    #2 0x5b5c6378a9a1 in flexcan_mem_write
/home/pm215/qemu/build/arm-clang/../../hw/net/can/flexcan.c:1232:17
    #3 0x5b5c63c6de46 in memory_region_write_accessor
/home/pm215/qemu/build/arm-clang/../../system/memory.c:492:5
    #4 0x5b5c63c6d3cd in access_with_adjusted_size
/home/pm215/qemu/build/arm-clang/../../system/memory.c:568:18
    #5 0x5b5c63c6ce92 in memory_region_dispatch_write
/home/pm215/qemu/build/arm-clang/../../system/memory.c
    #6 0x5b5c63ca7008 in flatview_write_continue_step
/home/pm215/qemu/build/arm-clang/../../system/physmem.c:3263:18
    #7 0x5b5c63c9e5b6 in flatview_write_continue
/home/pm215/qemu/build/arm-clang/../../system/physmem.c:3293:19
    #8 0x5b5c63c9e5b6 in flatview_write
/home/pm215/qemu/build/arm-clang/../../system/physmem.c:3324:12
    #9 0x5b5c63c9e4a8 in address_space_write
/home/pm215/qemu/build/arm-clang/../../system/physmem.c:3444:18
    #10 0x5b5c63caf690 in qtest_process_command
/home/pm215/qemu/build/arm-clang/../../system/qtest.c
    #11 0x5b5c63cacb8d in qtest_process_inbuf
/home/pm215/qemu/build/arm-clang/../../system/qtest.c:778:9
    #12 0x5b5c646888b7 in tcp_chr_read
/home/pm215/qemu/build/arm-clang/../../chardev/char-socket.c:511:13
    #13 0x7d3004bd245d
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5d45d) (BuildId:
116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
    #14 0x7d3004bd26cf in g_main_context_dispatch
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5d6cf) (BuildId:
116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
    #15 0x5b5c64866a4b in glib_pollfds_poll
/home/pm215/qemu/build/arm-clang/../../util/main-loop.c:290:9
    #16 0x5b5c64866a4b in os_host_main_loop_wait
/home/pm215/qemu/build/arm-clang/../../util/main-loop.c:313:5
    #17 0x5b5c64866a4b in main_loop_wait
/home/pm215/qemu/build/arm-clang/../../util/main-loop.c:592:11
    #18 0x5b5c63cb5cd6 in qemu_main_loop
/home/pm215/qemu/build/arm-clang/../../system/runstate.c:950:9
    #19 0x5b5c647026bb in qemu_default_main
/home/pm215/qemu/build/arm-clang/../../system/main.c:50:14
    #20 0x5b5c64702693 in main
/home/pm215/qemu/build/arm-clang/../../system/main.c:93:9
    #21 0x7d300282a1c9 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #23 0x5b5c63077684 in _start
(/home/pm215/qemu/build/arm-clang/qemu-system-arm+0x1546684) (BuildId:
46de6576c6cf821195d15a70a05dd4e75e97f22d)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
../../hw/net/can/flexcan.c:305:24
Broken pipe
../../tests/qtest/libqtest.c:210: kill_qemu() detected QEMU death from
signal 6 (Aborted) (core dumped)



You can do a sanitizer enabled build by running configure with options like:

'--cc=clang' '--cxx=clang++' '--enable-ubsan'

and then run 'make check' as normal.


You can also do a build with the address sanitizer enabled
as well, but it's a little bit more involved:

'../../configure' '--cc=clang' '--cxx=clang++' '--enable-ubsan'
'--enable-asan'
'--target-list=arm-softmmu,arm-linux-user,aarch64-softmmu,aarch64-linux-user'

For an asan build, you will need to set ASAN_OPTIONS and LSAN_OPTIONSwhen
running make check, like this:

TIMEOUT_MULTIPLIER=3 ASAN_OPTIONS="fast_unwind_on_malloc=0"
LSAN_OPTIONS="suppressions=$PWD/scripts/lsan_suppressions.txt" make -C
build/arm-san/ -j15 check

(Current head-of-git has a leak in the tpm-tis device which is
fixed by this patch:
https://patchew.org/QEMU/20260528093123.55403-1-mbawa@redhat.com/
That should get upstream shortly, but if you don't have it yet
you'll also see leak reports about that.)

thanks
-- PMM