aboutsummaryrefslogtreecommitdiff
path: root/hw/intc
AgeCommit message (Collapse)Author
2021-06-15hw/intc/armv7m_nvic: Remove stale commentPeter Maydell
In commit da6d674e509f0939b we split the NVIC code out from the GIC. This allowed us to specify the NVIC's default value for the num-irq property (64) in the usual way in its property list, and we deleted the previous hack where we updated the value in the state struct in the instance init function. Remove a stale comment about that hack which we forgot to delete at that time. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20210614161243.14211-1-peter.maydell@linaro.org
2021-06-15hw/intc/arm_gicv3_cpuif: Tolerate spurious EOIR writesJean-Philippe Brucker
Commit 382c7160d1cd ("hw/intc/arm_gicv3_cpuif: Fix EOIR write access check logic") added an assert_not_reached() if the guest writes the EOIR register while no interrupt is active. It turns out some software does this: EDK2, in GicV3ExitBootServicesEvent(), unconditionally write EOIR for all interrupts that it manages. This now causes QEMU to abort when running UEFI on a VM with GICv3. Although it is UNPREDICTABLE behavior and EDK2 does need fixing, the punishment seems a little harsh, especially since icc_eoir_write() already tolerates writes of nonexistent interrupt numbers. Display a guest error and tolerate spurious EOIR writes. Fixes: 382c7160d1cd ("hw/intc/arm_gicv3_cpuif: Fix EOIR write access check logic") Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Tested-by: Alex Bennée <alex.bennee@linaro.org> Message-id: 20210604130352.1887560-1-jean-philippe@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-06-05misc: Correct relative include pathPhilippe Mathieu-Daudé
Headers should be included from the 'include/' directory, not from the root directory. Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Bin Meng <bmeng.cn@gmail.com> Message-Id: <20210516205034.694788-1-f4bug@amsat.org> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2021-06-02docs: fix references to docs/devel/tracing.rstStefano Garzarella
Commit e50caf4a5c ("tracing: convert documentation to rST") converted docs/devel/tracing.txt to docs/devel/tracing.rst. We still have several references to the old file, so let's fix them with the following command: sed -i s/tracing.txt/tracing.rst/ $(git grep -l docs/devel/tracing.txt) Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20210517151702.109066-2-sgarzare@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2021-05-25hw/intc/arm_gicv3_cpuif: Fix EOIR write access check logicPeter Maydell
In icc_eoir_write() we assume that we can identify the group of the IRQ being completed based purely on which register is being written to and the current CPU state, and that "CPU state matches group indicated by register" is the only necessary access check. This isn't correct: if the CPU is not in Secure state then EOIR1 will only complete Group 1 NS IRQs, but if the CPU is in EL3 it can complete both Group 1 S and Group 1 NS IRQs. (The pseudocode ICC_EOIR1_EL1 makes this clear.) We were also missing the logic to prevent EOIR0 writes completing G0 IRQs when they should not. Rearrange the logic to first identify the group of the current highest priority interrupt and then look at whether we should complete it or ignore the access based on which register was accessed and the state of the CPU. The resulting behavioural change is: * EL3 can now complete G1NS interrupts * G0 interrupt completion is now ignored if the GIC and the CPU have the security extension enabled and the CPU is not secure Reported-by: Chan Kim <ckim@etri.re.kr> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20210510150016.24910-1-peter.maydell@linaro.org
2021-05-13Merge remote-tracking branch 'remotes/armbru/tags/pull-misc-2021-05-12' into ↵Peter Maydell
staging Miscellaneous patches for 2021-05-12 # gpg: Signature made Wed 12 May 2021 17:22:15 BST # gpg: using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653 # gpg: issuer "armbru@redhat.com" # gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" [full] # gpg: aka "Markus Armbruster <armbru@pond.sub.org>" [full] # Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653 * remotes/armbru/tags/pull-misc-2021-05-12: Drop the deprecated unicore32 target Drop the deprecated lm32 target block: Drop the sheepdog block driver Remove the deprecated moxie target monitor/qmp: fix race on CHR_EVENT_CLOSED without OOB Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-05-12Drop the deprecated unicore32 targetMarkus Armbruster
Target unicore32 was deprecated in commit 8e4ff4a8d2b, v5.2.0. See there for rationale. Cc: Guan Xuetao <gxt@mprc.pku.edu.cn> Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20210503084034.3804963-3-armbru@redhat.com> Acked-by: Thomas Huth <thuth@redhat.com>
2021-05-12Drop the deprecated lm32 targetMarkus Armbruster
Target lm32 was deprecated in commit d8498005122, v5.2.0. See there for rationale. Some of its code lives on in device models derived from milkymist ones: hw/char/digic-uart.c and hw/display/bcm2835_fb.c. Cc: Michael Walle <michael@walle.cc> Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20210503084034.3804963-2-armbru@redhat.com> Acked-by: Michael Walle <michael@walle.cc> [Trivial conflicts resolved, reST markup fixed]
2021-05-11hw/opentitan: Update the interrupt layoutAlistair Francis
Update the OpenTitan interrupt layout to match the latest OpenTitan bitstreams. This involves changing the Ibex PLIC memory layout and the UART interrupts. Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Bin Meng <bmeng.cn@gmail.com> Message-id: e92b696f1809c9fa4410da2e9f23c414db5a6960.1617202791.git.alistair.francis@wdc.com
2021-05-05Merge remote-tracking branch 'remotes/dg-gitlab/tags/ppc-for-6.1-20210504' ↵Peter Maydell
into staging ppc patch queue 2021-05-04 Here's the first ppc pull request for qemu-6.1. It has a wide variety of stuff accumulated during the 6.0 freeze. Highlights are: * Multi-phase reset cleanups for PAPR * Preliminary cleanups towards allowing !CONFIG_TCG for the ppc target * Cleanup of AIL logic and extension to POWER10 * Further improvements to handling of hot unplug failures on PAPR * Allow much larger numbers of CPU on pseries * Support for the H_SCM_HEALTH hypercall * Add support for the Pegasos II board * Substantial cleanup to hflag handling * Assorted minor fixes and cleanups # gpg: Signature made Tue 04 May 2021 06:52:39 BST # gpg: using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392 # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" [full] # gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>" [full] # gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" [full] # gpg: aka "David Gibson (kernel.org) <dwg@kernel.org>" [unknown] # Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392 * remotes/dg-gitlab/tags/ppc-for-6.1-20210504: (46 commits) hw/ppc/pnv_psi: Use device_cold_reset() instead of device_legacy_reset() hw/ppc/spapr_vio: Reset TCE table object with device_cold_reset() hw/intc/spapr_xive: Use device_cold_reset() instead of device_legacy_reset() target/ppc: removed VSCR from SPR registration target/ppc: Reduce the size of ppc_spr_t target/ppc: Clean up _spr_register et al target/ppc: Add POWER10 exception model target/ppc: rework AIL logic in interrupt delivery target/ppc: move opcode table logic to translate.c target/ppc: code motion from translate_init.c.inc to gdbstub.c spapr_drc.c: handle hotunplug errors in drc_unisolate_logical() spapr.h: increase FDT_MAX_SIZE spapr.c: do not use MachineClass::max_cpus to limit CPUs ppc: Rename current DAWR macros and variables target/ppc: POWER10 supports scv target/ppc: Fix POWER9 radix guest HV interrupt AIL behaviour docs/system: ppc: Add documentation for ppce500 machine roms/u-boot: Bump ppce500 u-boot to v2021.04 to fix broken pci support roms/Makefile: Update ppce500 u-boot build directory name ppc/spapr: Add support for implement support for H_SCM_HEALTH ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-05-04hw/intc/spapr_xive: Use device_cold_reset() instead of device_legacy_reset()Peter Maydell
The h_int_reset() function resets the XIVE interrupt controller via device_legacy_reset(). We know that the interrupt controller does not have a qbus of its own, so the new device_cold_reset() function (which resets both the device and its child buses) is equivalent here to device_legacy_reset() and we can just switch to the new API. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20210503151849.8766-2-peter.maydell@linaro.org> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-05-02Do not include exec/address-spaces.h if it's not really necessaryThomas Huth
Stop including exec/address-spaces.h in files that don't need it. Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <20210416171314.2074665-5-thuth@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2021-05-02Do not include cpu.h if it's not really necessaryThomas Huth
Stop including cpu.h in files that don't need it. Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <20210416171314.2074665-4-thuth@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2021-05-02Do not include hw/boards.h if it's not really necessaryThomas Huth
Stop including hw/boards.h in files that don't need it. Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <20210416171314.2074665-3-thuth@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2021-05-02Do not include sysemu/sysemu.h if it's not really necessaryThomas Huth
Stop including sysemu/sysemu.h in files that don't need it. Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <20210416171314.2074665-2-thuth@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2021-05-02hw: Do not include qemu/log.h if it is not necessaryThomas Huth
Many files include qemu/log.h without needing it. Remove the superfluous include statements. Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-Id: <20210328054833.2351597-1-thuth@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2021-05-02hw: Do not include hw/sysbus.h if it is not necessaryThomas Huth
Many files include hw/sysbus.h without needing it. Remove the superfluous include statements. Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20210327082804.2259480-1-thuth@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2021-03-19Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into ↵Peter Maydell
staging * fixes for i386 TCG paging * fixes for Hyper-V enlightenments * avoid uninitialized variable warning # gpg: Signature made Fri 19 Mar 2021 14:38:12 GMT # gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83 # gpg: issuer "pbonzini@redhat.com" # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full] # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full] # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini-gitlab/tags/for-upstream: tests/qtest: cleanup the testcase for bug 1878642 hw/intc/i8259: Refactor pic_read_irq() to avoid uninitialized variable i386: Make migration fail when Hyper-V reenlightenment was enabled but 'user_tsc_khz' is unset i386: Fix 'hypercall_hypercall' typo target/i386: svm: do not discard high 32 bits of EXITINFO1 target/i386: fail if toggling LA57 in 64-bit mode target/i386: allow modifying TCG phys-addr-bits qom: use qemu_printf to print help for user-creatable objects Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-03-19hw: Replace anti-social QOM type namesMarkus Armbruster
Several QOM type names contain ',': ARM,bitband-memory etraxfs,pic etraxfs,serial etraxfs,timer fsl,imx25 fsl,imx31 fsl,imx6 fsl,imx6ul fsl,imx7 grlib,ahbpnp grlib,apbpnp grlib,apbuart grlib,gptimer grlib,irqmp qemu,register SUNW,bpp SUNW,CS4231 SUNW,DBRI SUNW,DBRI.prom SUNW,fdtwo SUNW,sx SUNW,tcx xilinx,zynq_slcr xlnx,zynqmp xlnx,zynqmp-pmu-soc xlnx,zynq-xadc These are all device types. They can't be plugged with -device / device_add, except for xlnx,zynqmp-pmu-soc, and I doubt that one actually works. They *can* be used with -device / device_add to request help. Usability is poor, though: you have to double the comma, like this: $ qemu-system-x86_64 -device SUNW,,fdtwo,help Trap for the unwary. The fact that this was broken in device-introspect-test for more than six years until commit e27bd49876 fixed it demonstrates that "the unwary" includes seasoned developers. One QOM type name contains ' ': "ICH9 SMB". Because having to remember just one way to quote would be too easy. Rename the "SUNW,FOO types to "sun-FOO". Summarily replace ',' and ' ' by '-' in the other type names. Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20210304140229.575481-2-armbru@redhat.com> Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Acked-by: Paolo Bonzini <pbonzini@redhat.com>
2021-03-19hw/intc/i8259: Refactor pic_read_irq() to avoid uninitialized variablePhilippe Mathieu-Daudé
Some compiler versions are smart enough to detect a potentially uninitialized variable, but are not smart enough to detect that this cannot happen due to the code flow: ../hw/intc/i8259.c: In function ‘pic_read_irq’: ../hw/intc/i8259.c:203:13: error: ‘irq2’ may be used uninitialized in this function [-Werror=maybe-uninitialized] 203 | irq = irq2 + 8; | ~~~~^~~~~~~~~~ Restrict irq2 variable use to the inner statement. Fixes: 78ef2b6989f ("i8259: Reorder intack in pic_read_irq") Reported-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20210318163059.3686596-1-philmd@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-03-15m68k: add an interrupt controllerLaurent Vivier
A (generic) copy of the GLUE device we already have for q800 to use with the m68k-virt machine. The q800 one would disappear in the future as q800 uses actually the djMEMC controller. Signed-off-by: Laurent Vivier <laurent@vivier.eu> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20210312214145.2936082-4-laurent@vivier.eu>
2021-03-15hw/intc: add goldfish-picLaurent Vivier
Implement the goldfish pic device as defined in https://android.googlesource.com/platform/external/qemu/+/master/docs/GOLDFISH-VIRTUAL-HARDWARE.TXT Signed-off-by: Laurent Vivier <laurent@vivier.eu> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20210312214145.2936082-3-laurent@vivier.eu>
2021-03-09sysemu: Let VMChangeStateHandler take boolean 'running' argumentPhilippe Mathieu-Daudé
The 'running' argument from VMChangeStateHandler does not require other value than 0 / 1. Make it a plain boolean. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Acked-by: David Gibson <david@gibson.dropbear.id.au> Message-Id: <20210111152020.1422021-3-philmd@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2021-03-09hw/lm32/Kconfig: Rename CONFIG_LM32 -> CONFIG_LM32_DEVICESPhilippe Mathieu-Daudé
We want to be able to use the 'LM32' config for architecture specific features. As CONFIG_LM32 is only used to select peripherals, rename it CONFIG_LM32_DEVICES. Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20210221225626.2589247-3-f4bug@amsat.org> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2021-03-08Merge remote-tracking branch 'remotes/philmd-gitlab/tags/renesas-20210306' ↵Peter Maydell
into staging Renesas patches queue - MMU prototype cleanups - Clarify licenses - Fine-grained Kconfig entries for SH-4 devices # gpg: Signature made Sat 06 Mar 2021 15:30:46 GMT # gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE # gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full] # Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE * remotes/philmd-gitlab/tags/renesas-20210306: hw/sh4/sh7750_regs: Replace link to license by its full content hw/sh4: Remove now unused CONFIG_SH4 from Kconfig hw/pci-host: Introduce SH_PCI Kconfig entry hw/block: Introduce TC58128 eeprom Kconfig entry hw/timer: Introduce SH_TIMER Kconfig entry hw/char: Introduce SH_SCI Kconfig entry hw/intc: Introduce SH_INTC Kconfig entry hw/sh4: Add missing Kconfig dependency on SH7750 for the R2D board hw/sh4: Add missing license target/sh4: Remove unused definitions target/sh4: Let get_physical_address() use MMUAccessType access_type target/sh4: Remove unused 'int access_type' argument target/sh4: Replace magic value by MMUAccessType definitions target/sh4: Fix code style for checkpatch.pl Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-03-06hw/intc: Introduce SH_INTC Kconfig entryPhilippe Mathieu-Daudé
We want to be able to use the 'SH4' config for architecture specific features. Add more fine-grained selection by adding a CONFIG_SH_INTC selector for the SH4 interrupt controller. Suggested-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Acked-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <20210222141514.2646278-4-f4bug@amsat.org>
2021-03-06KVM: x86: deprecate -M kernel-irqchip=off except for -M isapcPaolo Bonzini
The userspace local APIC is basically untested and does not support many features such as TSC deadline timer, x2APIC or PV spinlocks. On the other hand, the PIT and IOAPIC are okay as they are not tied to the processor and are tested with -M kernel-irqchip=split. Therefore, deprecate the local APIC and, with it, limit -M kernel-irqchip=off to the ISA PC machine type, which does not have a local APIC at all. Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-02-21hw/intc/loongson_liointc: Fix per core ISR handlingJiaxun Yang
Per core ISR is a set of 32-bit registers spaced by 8 bytes. This patch fixed calculation of it's size and also added check of alignment at reading & writing. Fixes: Coverity CID 1438965 and CID 1438967 Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com> Reviewed-by: Huacai Chen <chenhuacai@kernel.org> Message-Id: <20210112012527.28927-1-jiaxun.yang@flygoat.com> [PMD: Added Coverity CID] Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2021-02-10ppc/xive: Add firmware bit when dumping the ENDsCédric Le Goater
ENDs allocated by OPAL for the HW thread VPs are tagged as owned by FW. Dump the state in 'info pic'. Signed-off-by: Cédric Le Goater <clg@kaod.org> Message-Id: <20210126171059.307867-3-clg@kaod.org> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-02-10ppc/pnv: Add trace events for PCI event notificationCédric Le Goater
On POWER9 systems, PHB controllers signal the XIVE interrupt controller of a source interrupt notification using a store on a MMIO region. Add traces for such events. Signed-off-by: Cédric Le Goater <clg@kaod.org> Message-Id: <20210126171059.307867-2-clg@kaod.org> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-02-02hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR registerPhilippe Mathieu-Daudé
Per the ARM Generic Interrupt Controller Architecture specification (document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit, not 10: - 4.3 Distributor register descriptions - 4.3.15 Software Generated Interrupt Register, GICD_SG - Table 4-21 GICD_SGIR bit assignments The Interrupt ID of the SGI to forward to the specified CPU interfaces. The value of this field is the Interrupt ID, in the range 0-15, for example a value of 0b0011 specifies Interrupt ID 3. Correct the irq mask to fix an undefined behavior (which eventually lead to a heap-buffer-overflow, see [Buglink]): $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio [I 1612088147.116987] OPENED [R +0.278293] writel 0x8000f00 0xff4affb0 ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13 This fixes a security issue when running with KVM on Arm with kernel-irqchip=off. (The default is kernel-irqchip=on, which is unaffected, and which is also the correct choice for performance.) Cc: qemu-stable@nongnu.org Fixes: CVE-2021-20221 Fixes: 9ee6e8bb853 ("ARMv7 support.") Buglink: https://bugs.launchpad.net/qemu/+bug/1913916 Buglink: https://bugs.launchpad.net/qemu/+bug/1913917 Reported-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20210131103401.217160-1-f4bug@amsat.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-02-02hw/intc/arm_gic: Allow to use QTest without crashingPhilippe Mathieu-Daudé
Alexander reported an issue in gic_get_current_cpu() using the fuzzer. Yet another "deref current_cpu with QTest" bug, reproducible doing: $ echo readb 0xf03ff000 | qemu-system-arm -M npcm750-evb,accel=qtest -qtest stdio [I 1611849440.651452] OPENED [R +0.242498] readb 0xf03ff000 hw/intc/arm_gic.c:63:29: runtime error: member access within null pointer of type 'CPUState' (aka 'struct CPUState') SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hw/intc/arm_gic.c:63:29 in AddressSanitizer:DEADLYSIGNAL ================================================================= ==3719691==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000082a0 (pc 0x5618790ac882 bp 0x7ffca946f4f0 sp 0x7ffca946f4a0 T0) ==3719691==The signal is caused by a READ memory access. #0 0x5618790ac882 in gic_get_current_cpu hw/intc/arm_gic.c:63:29 #1 0x5618790a8901 in gic_dist_readb hw/intc/arm_gic.c:955:11 #2 0x5618790a7489 in gic_dist_read hw/intc/arm_gic.c:1158:17 #3 0x56187adc573b in memory_region_read_with_attrs_accessor softmmu/memory.c:464:9 #4 0x56187ad7903a in access_with_adjusted_size softmmu/memory.c:552:18 #5 0x56187ad766d6 in memory_region_dispatch_read1 softmmu/memory.c:1426:16 #6 0x56187ad758a8 in memory_region_dispatch_read softmmu/memory.c:1449:9 #7 0x56187b09e84c in flatview_read_continue softmmu/physmem.c:2822:23 #8 0x56187b0a0115 in flatview_read softmmu/physmem.c:2862:12 #9 0x56187b09fc9e in address_space_read_full softmmu/physmem.c:2875:18 #10 0x56187aa88633 in address_space_read include/exec/memory.h:2489:18 #11 0x56187aa88633 in qtest_process_command softmmu/qtest.c:558:13 #12 0x56187aa81881 in qtest_process_inbuf softmmu/qtest.c:797:9 #13 0x56187aa80e02 in qtest_read softmmu/qtest.c:809:5 current_cpu is NULL because QTest accelerator does not use CPU. Fix by skipping the check and returning the first CPU index when QTest accelerator is used, similarly to commit c781a2cc423 ("hw/i386/vmport: Allow QTest use without crashing"). Reported-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Message-id: 20210128161417.3726358-1-philmd@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-01-19hw/intc/ppc-uic: Make default dcr-base 0xc0, not 0x30Peter Maydell
In commit 34d0831f38fd8 the ppc-uic device was added, with a dcr-base property. The intention was that the default value of dcr-base should be the one that most of our boards need, so that in the common case they don't need to specify a property value. All QEMU boards with a UIC use a dcr-base of 0xc0, with the exception of sam460ex which has four UICs and so puts them at 0xc0, 0xd0, 0xe0, 0xf0. So 0xc0 is the obvious right choice for the default dcr-base. The board code conversions in commits 0270d74ef88623505 (bamboo) and c5ac9dc64fa552a6 (virtex_ml507) assumed that default was 0xc0. Unfortunately the actual default in 34d0831f38fd8 was 0x30, by mistake, so the bamboo and virtex_ml507 boards were broken as they were converted away from ppcuic_init() (which always specifies the dcr_base property value explicitly). Set the default dcr-base to 0xc0 as was intended, fixing bamboo and virtex_ml507. Fixes: 34d0831f38fd8 Reported-by: Nathan Chancellor <natechancellor@gmail.com> Suggested-by: BALATON Zoltan <balaton@eik.bme.hu> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20210111213007.7381-1-peter.maydell@linaro.org> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-01-08Remove superfluous timer_del() callsPeter Maydell
This commit is the result of running the timer-del-timer-free.cocci script on the whole source tree. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Acked-by: Corey Minyard <cminyard@mvista.com> Acked-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20201215154107.3255-4-peter.maydell@linaro.org
2021-01-08hw/intc/armv7m_nvic: Correct handling of CCR.BFHFNMIGNPeter Maydell
The CCR is a register most of whose bits are banked between security states but where BFHFNMIGN is not, and we keep it in the non-secure entry of the v7m.ccr[] array. The logic which tries to handle this bit fails to implement the "RAZ/WI from Nonsecure if AIRCR.BFHFNMINS is zero" requirement; correct the omission. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20201210201433.26262-2-peter.maydell@linaro.org
2021-01-08intc/arm_gic: Fix gic_irq_signaling_enabled() for vCPUsEdgar E. Iglesias
Correct the indexing into s->cpu_ctlr for vCPUs. Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Luc Michel <luc.michel@greensocs.com> Message-id: 20201214222154.3480243-2-edgar.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-01-06Merge remote-tracking branch 'remotes/mcayland/tags/qemu-sparc-20210106' ↵Peter Maydell
into staging qemu-sparc queue # gpg: Signature made Wed 06 Jan 2021 11:43:02 GMT # gpg: using RSA key CC621AB98E82200D915CC9C45BC2C56FAE0F321F # gpg: issuer "mark.cave-ayland@ilande.co.uk" # gpg: Good signature from "Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>" [full] # Primary key fingerprint: CC62 1AB9 8E82 200D 915C C9C4 5BC2 C56F AE0F 321F * remotes/mcayland/tags/qemu-sparc-20210106: sun4m: don't connect two qemu_irqs directly to the same input include/hw/sparc/grlib.h: Remove unused set_pil_in_fn typedef hw/sparc: Make grlib-irqmp device handle its own inbound IRQ lines hw/timer/slavio_timer: Allow 64-bit accesses Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-01-06hw/sparc: Make grlib-irqmp device handle its own inbound IRQ linesPeter Maydell
Currently the GRLIB_IRQMP device is used in one place (the leon3 board), but instead of the device providing inbound gpio lines for the board to wire up, the board code itself calls qemu_allocate_irqs() with the handler function being a set_irq function defined in the code for the device. Refactor this into the standard setup of a device having input gpio lines. This fixes a trivial Coverity memory leak report (the leon3 board code leaks the IRQ array returned from qemu_allocate_irqs()). Fixes: Coverity CID 1421922 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20201212144134.29594-2-peter.maydell@linaro.org> Reviewed-by: KONRAD Frederic <frederic.konrad@adacore.com> Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
2021-01-06Merge remote-tracking branch 'remotes/dg-gitlab/tags/ppc-for-6.0-20210106' ↵Peter Maydell
into staging ppc patch queue 2021-01-06 First pull request for 2021, which has a bunch of things accumulated over the holidays. Includes: * A number of cleanups to sam460ex and ppc440 code from BALATON Zoltan * Several fixes for builds with --without-default-devices from Greg Kurz * Fixes for some DRC reset problems from Greg Kurz * QOM conversion of the PPC 4xx UIC devices from Peter Maydell * Some other assorted fixes and cleanups # gpg: Signature made Wed 06 Jan 2021 03:33:19 GMT # gpg: using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392 # gpg: Good signature from "David Gibson <david@gibson.dropbear.id.au>" [full] # gpg: aka "David Gibson (Red Hat) <dgibson@redhat.com>" [full] # gpg: aka "David Gibson (ozlabs.org) <dgibson@ozlabs.org>" [full] # gpg: aka "David Gibson (kernel.org) <dwg@kernel.org>" [unknown] # Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392 * remotes/dg-gitlab/tags/ppc-for-6.0-20210106: (22 commits) ppc440_pcix: Fix up pci config access ppc440_pcix: Fix register write trace event ppc440_pcix: Improve comment for IRQ mapping sam460ex: Remove FDT_PPC dependency from KConfig ppc4xx: Move common dependency on serial to common option pnv: Fix reverse dependency on PCI express root ports ppc: Simplify reverse dependencies of POWERNV and PSERIES on XICS and XIVE ppc: Fix build with --without-default-devices spapr: Add drc_ prefix to the DRC realize and unrealize functions spapr: Use spapr_drc_reset_all() at machine reset spapr: Introduce spapr_drc_reset_all() spapr: Fix reset of transient DR connectors spapr: Call spapr_drc_reset() for all DRCs at CAS spapr: Fix buffer overflow in spapr_numa_associativity_init() spapr: Allow memory unplug to always succeed spapr: Fix DR properties of the root node spapr/xive: Make spapr_xive_pic_print_info() static spapr: DRC lookup cannot fail hw/ppc/ppc440_bamboo: Drop use of ppcuic_init() hw/ppc/virtex_ml507: Drop use of ppcuic_init() ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-01-06ppc: Simplify reverse dependencies of POWERNV and PSERIES on XICS and XIVEGreg Kurz
Have PSERIES to select XICS and XIVE, and directly check PSERIES in hw/intc/meson.build to enable build of the XICS and XIVE sPAPR backends, like POWERNV already does. This allows to get rid of the intermediate XICS_SPAPR and XIVE_SPAPR. Signed-off-by: Greg Kurz <groug@kaod.org> Message-Id: <160883057560.253005.4206568349917633920.stgit@bahia.lan> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-01-06ppc: Fix build with --without-default-devicesGreg Kurz
Linking of the qemu-system-ppc64 fails on a POWER9 host when --without-default-devices is passed to configure: $ ./configure --without-default-devices \ --target-list=ppc64-softmmu && make ... libqemu-ppc64-softmmu.fa.p/hw_ppc_e500.c.o: In function `ppce500_init_mpic_kvm': /home/greg/Work/qemu/qemu-ppc/build/../hw/ppc/e500.c:777: undefined reference to `kvm_openpic_connect_vcpu' libqemu-ppc64-softmmu.fa.p/hw_ppc_spapr_irq.c.o: In function `spapr_irq_check': /home/greg/Work/qemu/qemu-ppc/build/../hw/ppc/spapr_irq.c:189: undefined reference to `xics_kvm_has_broken_disconnect' libqemu-ppc64-softmmu.fa.p/hw_intc_spapr_xive.c.o: In function `spapr_xive_post_load': /home/greg/Work/qemu/qemu-ppc/build/../hw/intc/spapr_xive.c:530: undefined reference to `kvmppc_xive_post_load' ... and tons of other symbols belonging to the KVM backend of the openpic, XICS and XIVE interrupt controllers. It turns out that OPENPIC_KVM, XICS_KVM and XIVE_KVM are marked to depend on KVM but this has no effect when minikconf runs in allnoconfig mode. Such reverse dependencies should rather be handled with a 'select' statement, eg. config OPENPIC select OPENPIC_KVM if KVM or even better by getting rid of the intermediate _KVM config and directly checking CONFIG_KVM in the meson.build file: specific_ss.add(when: ['CONFIG_KVM', 'CONFIG_OPENPIC'], if_true: files('openpic_kvm.c')) Go for the latter with OPENPIC, XICS and XIVE. This went unnoticed so far because CI doesn't test the build with --without-default-devices and KVM enabled on a POWER host. Signed-off-by: Greg Kurz <groug@kaod.org> Message-Id: <160883056791.253005.14924294027763955653.stgit@bahia.lan> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-01-06spapr/xive: Make spapr_xive_pic_print_info() staticCédric Le Goater
Signed-off-by: Cédric Le Goater <clg@kaod.org> Message-Id: <20201215174025.2636824-1-clg@kaod.org> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-01-06ppc: Convert PPC UIC to a QOM devicePeter Maydell
Currently the PPC UIC ("Universal Interrupt Controller") is implemented as a non-QOM device in ppc4xx_devs.c. Convert it to a proper QOM device in hw/intc. The ppcuic_init() function is retained for the moment with its current interface; in subsequent commits this will be tidied up to avoid the allocation of an irq array. This conversion adds VMState support. It leaves the LOG_UIC() macro as-is to maximise the extent to which this is simply code-movement rather than a rewrite (in new code it would be better to use tracepoints). The default property values for dcr-base and use-vectors are set to match those use by most of our boards with a UIC. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20201212001537.24520-3-peter.maydell@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2021-01-04hw/intc: Rework Loongson LIOINTCHuacai Chen
As suggested by Philippe Mathieu-Daudé, rework Loongson's liointc: 1, Move macro definitions to loongson_liointc.h; 2, Remove magic values and use macros instead; 3, Replace dead D() code by trace events. Suggested-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Huacai Chen <chenhuacai@kernel.org> Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20201221110538.3186646-2-chenhuacai@kernel.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2021-01-01Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2020-12-19' into ↵Peter Maydell
staging QAPI patches patches for 2020-12-19 # gpg: Signature made Sat 19 Dec 2020 09:40:05 GMT # gpg: using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653 # gpg: issuer "armbru@redhat.com" # gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" [full] # gpg: aka "Markus Armbruster <armbru@pond.sub.org>" [full] # Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653 * remotes/armbru/tags/pull-qapi-2020-12-19: (33 commits) qobject: Make QString immutable block: Use GString instead of QString to build filenames keyval: Use GString to accumulate value strings json: Use GString instead of QString to accumulate strings migration: Replace migration's JSON writer by the general one qobject: Factor JSON writer out of qobject_to_json() qobject: Factor quoted_str() out of to_json() qobject: Drop qstring_get_try_str() qobject: Drop qobject_get_try_str() Revert "qobject: let object_property_get_str() use new API" block: Avoid qobject_get_try_str() qmp: Fix tracing of non-string command IDs qobject: Move internals to qobject-internal.h hw/rdma: Replace QList by GQueue Revert "qstring: add qstring_free()" qobject: Change qobject_to_json()'s value to GString qobject: Use GString instead of QString to accumulate JSON qobject: Make qobject_to_json_pretty() take a pretty argument monitor: Use GString instead of QString for output buffer hmp: Simplify how qmp_human_monitor_command() gets output ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-12-30Merge remote-tracking branch ↵Peter Maydell
'remotes/huth-gitlab/tags/pull-request-2020-12-18' into staging * Compile QEMU with -Wimplicit-fallthrough=2 to avoid bugs in switch-case statements # gpg: Signature made Fri 18 Dec 2020 08:19:04 GMT # gpg: using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5 # gpg: issuer "thuth@redhat.com" # gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full] # gpg: aka "Thomas Huth <thuth@redhat.com>" [full] # gpg: aka "Thomas Huth <huth@tuxfamily.org>" [full] # gpg: aka "Thomas Huth <th.huth@posteo.de>" [unknown] # Primary key fingerprint: 27B8 8847 EEE0 2501 18F3 EAB9 2ED9 D774 FE70 2DB5 * remotes/huth-gitlab/tags/pull-request-2020-12-18: configure: Compile with -Wimplicit-fallthrough=2 hw/rtc/twl92230: Add missing 'break' bsd-user: Silence warnings about missing fallthrough statement tests/fp: Do not emit implicit-fallthrough warnings in the softfloat tests tcg/optimize: Add fallthrough annotations target/sparc/win_helper: silence the compiler warnings target/sparc/translate: silence the compiler warnings accel/tcg/user-exec: silence the compiler warnings hw/intc/arm_gicv3_kvm: silence the compiler warnings target/i386: silence the compiler warnings in gen_shiftd_rm_T1 hw/timer/renesas_tmr: silence the compiler warnings hw/rtc/twl92230: Silence warnings about missing fallthrough statements target/unicore32/translate: Add missing fallthrough annotations disas/libvixl: Fix fall-through annotation for GCC >= 7 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-12-19migration: Replace migration's JSON writer by the general oneMarkus Armbruster
Commit 8118f0950f "migration: Append JSON description of migration stream" needs a JSON writer. The existing qobject_to_json() wasn't a good fit, because it requires building a QObject to convert. Instead, migration got its very own JSON writer, in commit 190c882ce2 "QJSON: Add JSON writer". It tacitly limits numbers to int64_t, and strings contents to characters that don't need escaping, unlike qobject_to_json(). The previous commit factored the JSON writer out of qobject_to_json(). Replace migration's JSON writer by it. Cc: Juan Quintela <quintela@redhat.com> Cc: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20201211171152.146877-17-armbru@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2020-12-18hw/intc/arm_gicv3_kvm: silence the compiler warningsChen Qun
When using -Wimplicit-fallthrough in our CFLAGS, the compiler showed warning: hw/intc/arm_gicv3_kvm.c: In function ‘kvm_arm_gicv3_put’: hw/intc/arm_gicv3_kvm.c:484:13: warning: this statement may fall through [-Wimplicit-fallthrough=] kvm_gicc_access(s, ICC_AP0R_EL1(1), ncpu, &reg64, true); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ hw/intc/arm_gicv3_kvm.c:485:9: note: here default: ^~~~~~~ hw/intc/arm_gicv3_kvm.c:495:13: warning: this statement may fall through [-Wimplicit-fallthrough=] kvm_gicc_access(s, ICC_AP1R_EL1(2), ncpu, &reg64, true); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ hw/intc/arm_gicv3_kvm.c:496:9: note: here case 6: ^~~~ hw/intc/arm_gicv3_kvm.c:498:13: warning: this statement may fall through [-Wimplicit-fallthrough=] kvm_gicc_access(s, ICC_AP1R_EL1(1), ncpu, &reg64, true); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ hw/intc/arm_gicv3_kvm.c:499:9: note: here default: ^~~~~~~ hw/intc/arm_gicv3_kvm.c: In function ‘kvm_arm_gicv3_get’: hw/intc/arm_gicv3_kvm.c:634:37: warning: this statement may fall through [-Wimplicit-fallthrough=] c->icc_apr[GICV3_G0][2] = reg64; ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~ hw/intc/arm_gicv3_kvm.c:635:9: note: here case 6: ^~~~ hw/intc/arm_gicv3_kvm.c:637:37: warning: this statement may fall through [-Wimplicit-fallthrough=] c->icc_apr[GICV3_G0][1] = reg64; ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~ hw/intc/arm_gicv3_kvm.c:638:9: note: here default: ^~~~~~~ hw/intc/arm_gicv3_kvm.c:648:39: warning: this statement may fall through [-Wimplicit-fallthrough=] c->icc_apr[GICV3_G1NS][2] = reg64; ~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~ hw/intc/arm_gicv3_kvm.c:649:9: note: here case 6: ^~~~ hw/intc/arm_gicv3_kvm.c:651:39: warning: this statement may fall through [-Wimplicit-fallthrough=] c->icc_apr[GICV3_G1NS][1] = reg64; ~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~ hw/intc/arm_gicv3_kvm.c:652:9: note: here default: ^~~~~~~ Reported-by: Euler Robot <euler.robot@huawei.com> Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com> Signed-off-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20201211152426.350966-7-thuth@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-12-17intc/ibex_plic: Clear interrupts that occur during claim processAlistair Francis
Previously if an interrupt occured during the claim process (after the interrupt is claimed but before it's completed) it would never be cleared. This patch ensures that we also clear the hidden_pending bits as well. Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Tested-by: Jackie Ke <jackieke724@hotmail.com> Message-id: 4e9786084a86f220689123cc8a7837af8fa071cf.1607100423.git.alistair.francis@wdc.com
2020-12-15target/nios2: Move IIC code into CPU object properPeter Maydell
The Nios2 architecture supports two different interrupt controller options: * The IIC (Internal Interrupt Controller) is part of the CPU itself; it has 32 IRQ input lines and no NMI support. Interrupt status is queried and controlled via the CPU's ipending and istatus registers. * The EIC (External Interrupt Controller) interface allows the CPU to connect to an external interrupt controller. The interface allows the interrupt controller to present a packet of information containing: - handler address - interrupt level - register set - NMI mode QEMU does not model an EIC currently. We do model the IIC, but its implementation is split across code in hw/nios2/cpu_pic.c and hw/intc/nios2_iic.c. The code in those two files has no state of its own -- the IIC state is in the Nios2CPU state struct. Because CPU objects now inherit (indirectly) from TYPE_DEVICE, they can have GPIO input lines themselves, so we can implement the IIC directly in the CPU object the same way that real hardware does. Create named "IRQ" GPIO inputs to the Nios2 CPU object, and make the only user of the IIC wire up directly to those instead. Note that the old code had an "NMI" concept which was entirely unused and also as far as I can see not architecturally correct, since only the EIC has a concept of an NMI. This fixes a Coverity-reported trivial memory leak of the IRQ array allocated in nios2_cpu_pic_init(). Fixes: Coverity CID 1421916 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20201129174022.26530-2-peter.maydell@linaro.org Reviewed-by: Wentong Wu <wentong.wu@intel.com> Tested-by: Wentong Wu <wentong.wu@intel.com>