From 6a02a73211c5bc634fccd652777230954b83ccba Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Mon, 8 Jul 2019 14:11:30 +0100 Subject: target/arm: Fix sve_zcr_len_for_el Off by one error in the EL2 and EL3 tests. Remove the test against EL3 entirely, since it must always be true. Signed-off-by: Richard Henderson Reviewed-by: Peter Maydell Message-id: 20190702104732.31154-1-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index 2df7152a9c..20f8728be1 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -5283,10 +5283,10 @@ uint32_t sve_zcr_len_for_el(CPUARMState *env, int el) if (el <= 1) { zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[1]); } - if (el < 2 && arm_feature(env, ARM_FEATURE_EL2)) { + if (el <= 2 && arm_feature(env, ARM_FEATURE_EL2)) { zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[2]); } - if (el < 3 && arm_feature(env, ARM_FEATURE_EL3)) { + if (arm_feature(env, ARM_FEATURE_EL3)) { zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[3]); } return zcr_len; -- cgit v1.2.3 From 2785f196318c759d2ba97a36c168e848ec38d362 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 8 Jul 2019 14:11:31 +0100 Subject: tests/migration-test: Fix read off end of aarch64_kernel array MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The test aarch64 kernel is in an array defined with unsigned char aarch64_kernel[] = { [...] } which means it could be any size; currently it's quite small. However we write it to a file using init_bootfile(), which writes exactly 512 bytes to the file. This will break if we ever end up with a kernel larger than that, and will read garbage off the end of the array in the current setup where the kernel is smaller. Make init_bootfile() take an argument giving the length of the data to write. This allows us to use it for all architectures (previously s390 had a special-purpose init_bootfile_s390x which hardcoded the file to write so it could write the correct length). We assert that the x86 bootfile really is exactly 512 bytes as it should be (and as we were previously just assuming it was). This was detected by the clang-7 asan: ==15607==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55a796f51d20 at pc 0x55a796b89c2f bp 0x7ffc58e89160 sp 0x7ffc58e88908 READ of size 512 at 0x55a796f51d20 thread T0 #0 0x55a796b89c2e in fwrite (/home/petmay01/linaro/qemu-from-laptop/qemu/build/sanitizers/tests/migration-test+0xb0c2e) #1 0x55a796c46492 in init_bootfile /home/petmay01/linaro/qemu-from-laptop/qemu/tests/migration-test.c:99:5 #2 0x55a796c46492 in test_migrate_start /home/petmay01/linaro/qemu-from-laptop/qemu/tests/migration-test.c:593 #3 0x55a796c44101 in test_baddest /home/petmay01/linaro/qemu-from-laptop/qemu/tests/migration-test.c:854:9 #4 0x7f906ffd3cc9 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72cc9) #5 0x7f906ffd3bfa (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72bfa) #6 0x7f906ffd3bfa (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72bfa) #7 0x7f906ffd3ea1 in g_test_run_suite (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72ea1) #8 0x7f906ffd3ec0 in g_test_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72ec0) #9 0x55a796c43707 in main /home/petmay01/linaro/qemu-from-laptop/qemu/tests/migration-test.c:1187:11 #10 0x7f906e9abb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #11 0x55a796b6c2d9 in _start (/home/petmay01/linaro/qemu-from-laptop/qemu/build/sanitizers/tests/migration-test+0x932d9) Signed-off-by: Peter Maydell Reviewed-by: Laurent Vivier Reviewed-by: Philippe Mathieu-Daudé Message-id: 20190702150311.20467-1-peter.maydell@linaro.org --- tests/migration-test.c | 22 +++++++--------------- 1 file changed, 7 insertions(+), 15 deletions(-) diff --git a/tests/migration-test.c b/tests/migration-test.c index 0cd014dbe5..b6434628e1 100644 --- a/tests/migration-test.c +++ b/tests/migration-test.c @@ -91,23 +91,13 @@ static const char *tmpfs; */ #include "tests/migration/i386/a-b-bootblock.h" #include "tests/migration/aarch64/a-b-kernel.h" - -static void init_bootfile(const char *bootpath, void *content) -{ - FILE *bootfile = fopen(bootpath, "wb"); - - g_assert_cmpint(fwrite(content, 512, 1, bootfile), ==, 1); - fclose(bootfile); -} - #include "tests/migration/s390x/a-b-bios.h" -static void init_bootfile_s390x(const char *bootpath) +static void init_bootfile(const char *bootpath, void *content, size_t len) { FILE *bootfile = fopen(bootpath, "wb"); - size_t len = sizeof(s390x_elf); - g_assert_cmpint(fwrite(s390x_elf, len, 1, bootfile), ==, 1); + g_assert_cmpint(fwrite(content, len, 1, bootfile), ==, 1); fclose(bootfile); } @@ -537,7 +527,9 @@ static int test_migrate_start(QTestState **from, QTestState **to, got_stop = false; bootpath = g_strdup_printf("%s/bootsect", tmpfs); if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) { - init_bootfile(bootpath, x86_bootsect); + /* the assembled x86 boot sector should be exactly one sector large */ + assert(sizeof(x86_bootsect) == 512); + init_bootfile(bootpath, x86_bootsect, sizeof(x86_bootsect)); extra_opts = use_shmem ? get_shmem_opts("150M", shmem_path) : NULL; cmd_src = g_strdup_printf("-machine accel=%s -m 150M" " -name source,debug-threads=on" @@ -555,7 +547,7 @@ static int test_migrate_start(QTestState **from, QTestState **to, start_address = X86_TEST_MEM_START; end_address = X86_TEST_MEM_END; } else if (g_str_equal(arch, "s390x")) { - init_bootfile_s390x(bootpath); + init_bootfile(bootpath, s390x_elf, sizeof(s390x_elf)); extra_opts = use_shmem ? get_shmem_opts("128M", shmem_path) : NULL; cmd_src = g_strdup_printf("-machine accel=%s -m 128M" " -name source,debug-threads=on" @@ -590,7 +582,7 @@ static int test_migrate_start(QTestState **from, QTestState **to, start_address = PPC_TEST_MEM_START; end_address = PPC_TEST_MEM_END; } else if (strcmp(arch, "aarch64") == 0) { - init_bootfile(bootpath, aarch64_kernel); + init_bootfile(bootpath, aarch64_kernel, sizeof(aarch64_kernel)); extra_opts = use_shmem ? get_shmem_opts("150M", shmem_path) : NULL; cmd_src = g_strdup_printf("-machine virt,accel=%s,gic-version=max " "-name vmsource,debug-threads=on -cpu max " -- cgit v1.2.3 From c8ead5712486edb5058475fdef2c616857f5056f Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 8 Jul 2019 14:11:31 +0100 Subject: hw/arm/sbsa-ref: Remove unnecessary check for secure_sysmem == NULL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In the virt machine, we support TrustZone being either present or absent, and so the code must deal with the secure_sysmem pointer possibly being NULL. In the sbsa-ref machine, TrustZone is always present, but some code and comments copied from virt still treat it as possibly not being present. This causes Coverity to complain (CID 1407287) that we check secure_sysmem for being NULL after an unconditional dereference. Simplify the code so that instead of initializing the variable to NULL, unconditionally assigning it, and then testing it for NULL, we just initialize it correctly in the variable declaration and then assume it to be non-NULL. We also delete a comment which only applied to the non-TrustZone config. Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Message-id: 20190704142004.7150-1-peter.maydell@linaro.org Tested-by: Radosław Biernacki Reviewed-by: Radosław Biernacki --- hw/arm/sbsa-ref.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c index e8c65e31c7..9c67d5c6f9 100644 --- a/hw/arm/sbsa-ref.c +++ b/hw/arm/sbsa-ref.c @@ -254,8 +254,6 @@ static void sbsa_flash_map(SBSAMachineState *sms, * sysmem is the system memory space. secure_sysmem is the secure view * of the system, and the first flash device should be made visible only * there. The second flash device is visible to both secure and nonsecure. - * If sysmem == secure_sysmem this means there is no separate Secure - * address space and both flash devices are generally visible. */ hwaddr flashsize = sbsa_ref_memmap[SBSA_FLASH].size / 2; hwaddr flashbase = sbsa_ref_memmap[SBSA_FLASH].base; @@ -591,7 +589,7 @@ static void sbsa_ref_init(MachineState *machine) SBSAMachineState *sms = SBSA_MACHINE(machine); MachineClass *mc = MACHINE_GET_CLASS(machine); MemoryRegion *sysmem = get_system_memory(); - MemoryRegion *secure_sysmem = NULL; + MemoryRegion *secure_sysmem = g_new(MemoryRegion, 1); MemoryRegion *ram = g_new(MemoryRegion, 1); bool firmware_loaded; const CPUArchIdList *possible_cpus; @@ -615,13 +613,11 @@ static void sbsa_ref_init(MachineState *machine) * containing the system memory at low priority; any secure-only * devices go in at higher priority and take precedence. */ - secure_sysmem = g_new(MemoryRegion, 1); memory_region_init(secure_sysmem, OBJECT(machine), "secure-memory", UINT64_MAX); memory_region_add_subregion_overlap(secure_sysmem, 0, sysmem, -1); - firmware_loaded = sbsa_firmware_init(sms, sysmem, - secure_sysmem ?: sysmem); + firmware_loaded = sbsa_firmware_init(sms, sysmem, secure_sysmem); if (machine->kernel_filename && firmware_loaded) { error_report("sbsa-ref: No fw_cfg device on this machine, " -- cgit v1.2.3 From 85795187f416326f87177cabc39fae1911f04c50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Mon, 8 Jul 2019 14:11:31 +0100 Subject: target/arm/vfp_helper: Call set_fpscr_to_host before updating to FPSCR MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In commit e9d652824b0 we extracted the vfp_set_fpscr_to_host() function but failed at calling it in the correct place, we call it after xregs[ARM_VFP_FPSCR] is modified. Fix by calling this function before we update FPSCR. Reported-by: Laurent Desnogues Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Laurent Desnogues Tested-by: Laurent Desnogues Message-id: 20190705124318.1075-1-philmd@redhat.com Signed-off-by: Peter Maydell --- target/arm/vfp_helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/target/arm/vfp_helper.c b/target/arm/vfp_helper.c index 46041e3294..9710ef1c3e 100644 --- a/target/arm/vfp_helper.c +++ b/target/arm/vfp_helper.c @@ -197,6 +197,8 @@ void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val) val &= 0xf7c0009f; } + vfp_set_fpscr_to_host(env, val); + /* * We don't implement trapped exception handling, so the * trap enable bits, IDE|IXE|UFE|OFE|DZE|IOE are all RAZ/WI (not RES0!) @@ -217,8 +219,6 @@ void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val) env->vfp.qc[1] = 0; env->vfp.qc[2] = 0; env->vfp.qc[3] = 0; - - vfp_set_fpscr_to_host(env, val); } void vfp_set_fpscr(CPUARMState *env, uint32_t val) -- cgit v1.2.3