A last handful of patches before the rc0. These are all bugfixes

so they could equally well go into rc1, but since my pullreq

queue is otherwise empty I might as well push them out. The

FPSCR bugfix is definitely one I'd like in rc0; the rest are

not really user-visible I think.

The following changes since commit c4107e8208d0222f9b328691b519aaee4101db87:

Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2019-07-08 10:26:18 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190708

for you to fetch changes up to 85795187f416326f87177cabc39fae1911f04c50:

target/arm/vfp_helper: Call set_fpscr_to_host before updating to FPSCR (2019-07-08 14:11:31 +0100)

* tests/migration-test: Fix read off end of aarch64_kernel array

* Fix sve_zcr_len_for_el off-by-one error

* hw/arm/sbsa-ref: Silence Coverity nit

* vfp_helper: Call set_fpscr_to_host before updating to FPSCR

Peter Maydell (2):

tests/migration-test: Fix read off end of aarch64_kernel array

hw/arm/sbsa-ref: Remove unnecessary check for secure_sysmem == NULL

target/arm/vfp_helper: Call set_fpscr_to_host before updating to FPSCR

Richard Henderson (1):

target/arm: Fix sve_zcr_len_for_el

From: Richard Henderson <richard.henderson@linaro.org>

Off by one error in the EL2 and EL3 tests. Remove the test

against EL3 entirely, since it must always be true.

@@ -XXX,XX +XXX,XX @@ uint32_t sve_zcr_len_for_el(CPUARMState *env, int el)

if (el <= 1) {

zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[1]);

}

- if (el < 2 && arm_feature(env, ARM_FEATURE_EL2)) {

+ if (el <= 2 && arm_feature(env, ARM_FEATURE_EL2)) {

zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[2]);

}

- if (el < 3 && arm_feature(env, ARM_FEATURE_EL3)) {

+ if (arm_feature(env, ARM_FEATURE_EL3)) {

zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[3]);

}

return zcr_len;

2.20.1

The test aarch64 kernel is in an array defined with

unsigned char aarch64_kernel[] = { [...] }

which means it could be any size; currently it's quite small.

However we write it to a file using init_bootfile(), which

writes exactly 512 bytes to the file. This will break if

we ever end up with a kernel larger than that, and will

read garbage off the end of the array in the current setup

where the kernel is smaller.

Make init_bootfile() take an argument giving the length of

the data to write. This allows us to use it for all architectures

(previously s390 had a special-purpose init_bootfile_s390x

which hardcoded the file to write so it could write the

correct length). We assert that the x86 bootfile really is

exactly 512 bytes as it should be (and as we were previously

just assuming it was).

This was detected by the clang-7 asan:

==15607==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55a796f51d20 at pc 0x55a796b89c2f bp 0x7ffc58e89160 sp 0x7ffc58e88908

READ of size 512 at 0x55a796f51d20 thread T0

#0 0x55a796b89c2e in fwrite (/home/petmay01/linaro/qemu-from-laptop/qemu/build/sanitizers/tests/migration-test+0xb0c2e)

#1 0x55a796c46492 in init_bootfile /home/petmay01/linaro/qemu-from-laptop/qemu/tests/migration-test.c:99:5

#2 0x55a796c46492 in test_migrate_start /home/petmay01/linaro/qemu-from-laptop/qemu/tests/migration-test.c:593

#3 0x55a796c44101 in test_baddest /home/petmay01/linaro/qemu-from-laptop/qemu/tests/migration-test.c:854:9

#4 0x7f906ffd3cc9 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72cc9)

#5 0x7f906ffd3bfa (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72bfa)

#6 0x7f906ffd3bfa (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72bfa)

#7 0x7f906ffd3ea1 in g_test_run_suite (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72ea1)

#8 0x7f906ffd3ec0 in g_test_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72ec0)

#9 0x55a796c43707 in main /home/petmay01/linaro/qemu-from-laptop/qemu/tests/migration-test.c:1187:11

#10 0x7f906e9abb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

#11 0x55a796b6c2d9 in _start (/home/petmay01/linaro/qemu-from-laptop/qemu/build/sanitizers/tests/migration-test+0x932d9)

Reviewed-by: Laurent Vivier <lvivier@redhat.com>

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Message-id: 20190702150311.20467-1-peter.maydell@linaro.org

tests/migration-test.c | 22 +++++++---------------

1 file changed, 7 insertions(+), 15 deletions(-)

diff --git a/tests/migration-test.c b/tests/migration-test.c

--- a/tests/migration-test.c

+++ b/tests/migration-test.c

@@ -XXX,XX +XXX,XX @@ static const char *tmpfs;

*/

#include "tests/migration/i386/a-b-bootblock.h"

#include "tests/migration/aarch64/a-b-kernel.h"

-

-static void init_bootfile(const char *bootpath, void *content)

- FILE *bootfile = fopen(bootpath, "wb");

- g_assert_cmpint(fwrite(content, 512, 1, bootfile), ==, 1);

- fclose(bootfile);

#include "tests/migration/s390x/a-b-bios.h"

-static void init_bootfile_s390x(const char *bootpath)

+static void init_bootfile(const char *bootpath, void *content, size_t len)

FILE *bootfile = fopen(bootpath, "wb");

- size_t len = sizeof(s390x_elf);

- g_assert_cmpint(fwrite(s390x_elf, len, 1, bootfile), ==, 1);

+ g_assert_cmpint(fwrite(content, len, 1, bootfile), ==, 1);

fclose(bootfile);

@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,

got_stop = false;

bootpath = g_strdup_printf("%s/bootsect", tmpfs);

if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {

- init_bootfile(bootpath, x86_bootsect);

+ /* the assembled x86 boot sector should be exactly one sector large */

+ assert(sizeof(x86_bootsect) == 512);

+ init_bootfile(bootpath, x86_bootsect, sizeof(x86_bootsect));

extra_opts = use_shmem ? get_shmem_opts("150M", shmem_path) : NULL;

cmd_src = g_strdup_printf("-machine accel=%s -m 150M"

" -name source,debug-threads=on"

@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,

start_address = X86_TEST_MEM_START;

end_address = X86_TEST_MEM_END;

} else if (g_str_equal(arch, "s390x")) {

- init_bootfile_s390x(bootpath);

+ init_bootfile(bootpath, s390x_elf, sizeof(s390x_elf));

extra_opts = use_shmem ? get_shmem_opts("128M", shmem_path) : NULL;

cmd_src = g_strdup_printf("-machine accel=%s -m 128M"

" -name source,debug-threads=on"

@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,

start_address = PPC_TEST_MEM_START;

end_address = PPC_TEST_MEM_END;

} else if (strcmp(arch, "aarch64") == 0) {

- init_bootfile(bootpath, aarch64_kernel);

+ init_bootfile(bootpath, aarch64_kernel, sizeof(aarch64_kernel));

extra_opts = use_shmem ? get_shmem_opts("150M", shmem_path) : NULL;

cmd_src = g_strdup_printf("-machine virt,accel=%s,gic-version=max "

"-name vmsource,debug-threads=on -cpu max "

2.20.1

In the virt machine, we support TrustZone being either present or

absent, and so the code must deal with the secure_sysmem pointer

possibly being NULL. In the sbsa-ref machine, TrustZone is always

present, but some code and comments copied from virt still treat

it as possibly not being present.

This causes Coverity to complain (CID 1407287) that we check

secure_sysmem for being NULL after an unconditional dereference.

Simplify the code so that instead of initializing the variable

to NULL, unconditionally assigning it, and then testing it for NULL,

we just initialize it correctly in the variable declaration and

then assume it to be non-NULL. We also delete a comment which

only applied to the non-TrustZone config.

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Message-id: 20190704142004.7150-1-peter.maydell@linaro.org

Tested-by: Radosław Biernacki <radoslaw.biernacki@linaro.org>

Reviewed-by: Radosław Biernacki <radoslaw.biernacki@linaro.org>

hw/arm/sbsa-ref.c | 8 ++------

1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c

--- a/hw/arm/sbsa-ref.c

+++ b/hw/arm/sbsa-ref.c

@@ -XXX,XX +XXX,XX @@ static void sbsa_flash_map(SBSAMachineState *sms,

* sysmem is the system memory space. secure_sysmem is the secure view

* of the system, and the first flash device should be made visible only

* there. The second flash device is visible to both secure and nonsecure.

- * If sysmem == secure_sysmem this means there is no separate Secure

- * address space and both flash devices are generally visible.

*/

hwaddr flashsize = sbsa_ref_memmap[SBSA_FLASH].size / 2;

hwaddr flashbase = sbsa_ref_memmap[SBSA_FLASH].base;

@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)

SBSAMachineState *sms = SBSA_MACHINE(machine);

MachineClass *mc = MACHINE_GET_CLASS(machine);

MemoryRegion *sysmem = get_system_memory();

- MemoryRegion *secure_sysmem = NULL;

+ MemoryRegion *secure_sysmem = g_new(MemoryRegion, 1);

MemoryRegion *ram = g_new(MemoryRegion, 1);

bool firmware_loaded;

const CPUArchIdList *possible_cpus;

@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)

* containing the system memory at low priority; any secure-only

* devices go in at higher priority and take precedence.

*/

- secure_sysmem = g_new(MemoryRegion, 1);

memory_region_init(secure_sysmem, OBJECT(machine), "secure-memory",

UINT64_MAX);

memory_region_add_subregion_overlap(secure_sysmem, 0, sysmem, -1);

- firmware_loaded = sbsa_firmware_init(sms, sysmem,

- secure_sysmem ?: sysmem);

+ firmware_loaded = sbsa_firmware_init(sms, sysmem, secure_sysmem);

if (machine->kernel_filename && firmware_loaded) {

error_report("sbsa-ref: No fw_cfg device on this machine, "

2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

In commit e9d652824b0 we extracted the vfp_set_fpscr_to_host()

function but failed at calling it in the correct place, we call

it after xregs[ARM_VFP_FPSCR] is modified.

Fix by calling this function before we update FPSCR.

Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com>

Tested-by: Laurent Desnogues <laurent.desnogues@gmail.com>

Message-id: 20190705124318.1075-1-philmd@redhat.com

target/arm/vfp_helper.c | 4 ++--

diff --git a/target/arm/vfp_helper.c b/target/arm/vfp_helper.c

--- a/target/arm/vfp_helper.c

+++ b/target/arm/vfp_helper.c

@@ -XXX,XX +XXX,XX @@ void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)

val &= 0xf7c0009f;

}

+ vfp_set_fpscr_to_host(env, val);

+

/*

* We don't implement trapped exception handling, so the

* trap enable bits, IDE|IXE|UFE|OFE|DZE|IOE are all RAZ/WI (not RES0!)

@@ -XXX,XX +XXX,XX @@ void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)

env->vfp.qc[1] = 0;

env->vfp.qc[2] = 0;

env->vfp.qc[3] = 0;

-

- vfp_set_fpscr_to_host(env, val);

}

void vfp_set_fpscr(CPUARMState *env, uint32_t val)

2.20.1