From: Richard Henderson <richard.henderson@linaro.org>

Off by one error in the EL2 and EL3 tests. Remove the test

against EL3 entirely, since it must always be true.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

Message-id: 20190702104732.31154-1-richard.henderson@linaro.org

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

target/arm/helper.c | 4 ++--

1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c

index XXXXXXX..XXXXXXX 100644

--- a/target/arm/helper.c

+++ b/target/arm/helper.c

@@ -XXX,XX +XXX,XX @@ uint32_t sve_zcr_len_for_el(CPUARMState *env, int el)

if (el <= 1) {

zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[1]);

}

- if (el < 2 && arm_feature(env, ARM_FEATURE_EL2)) {

+ if (el <= 2 && arm_feature(env, ARM_FEATURE_EL2)) {

zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[2]);

}

- if (el < 3 && arm_feature(env, ARM_FEATURE_EL3)) {

+ if (arm_feature(env, ARM_FEATURE_EL3)) {

zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[3]);

}

return zcr_len;

--

2.20.1

The test aarch64 kernel is in an array defined with

unsigned char aarch64_kernel[] = { [...] }

which means it could be any size; currently it's quite small.

However we write it to a file using init_bootfile(), which

writes exactly 512 bytes to the file. This will break if

we ever end up with a kernel larger than that, and will

read garbage off the end of the array in the current setup

where the kernel is smaller.

Make init_bootfile() take an argument giving the length of

the data to write. This allows us to use it for all architectures

(previously s390 had a special-purpose init_bootfile_s390x

which hardcoded the file to write so it could write the

correct length). We assert that the x86 bootfile really is

exactly 512 bytes as it should be (and as we were previously

just assuming it was).

This was detected by the clang-7 asan:

==15607==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55a796f51d20 at pc 0x55a796b89c2f bp 0x7ffc58e89160 sp 0x7ffc58e88908

READ of size 512 at 0x55a796f51d20 thread T0

#0 0x55a796b89c2e in fwrite (/home/petmay01/linaro/qemu-from-laptop/qemu/build/sanitizers/tests/migration-test+0xb0c2e)

#1 0x55a796c46492 in init_bootfile /home/petmay01/linaro/qemu-from-laptop/qemu/tests/migration-test.c:99:5

#2 0x55a796c46492 in test_migrate_start /home/petmay01/linaro/qemu-from-laptop/qemu/tests/migration-test.c:593

#3 0x55a796c44101 in test_baddest /home/petmay01/linaro/qemu-from-laptop/qemu/tests/migration-test.c:854:9

#4 0x7f906ffd3cc9 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72cc9)

#5 0x7f906ffd3bfa (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72bfa)

#6 0x7f906ffd3bfa (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72bfa)

#7 0x7f906ffd3ea1 in g_test_run_suite (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72ea1)

#8 0x7f906ffd3ec0 in g_test_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72ec0)

#9 0x55a796c43707 in main /home/petmay01/linaro/qemu-from-laptop/qemu/tests/migration-test.c:1187:11

#10 0x7f906e9abb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

#11 0x55a796b6c2d9 in _start (/home/petmay01/linaro/qemu-from-laptop/qemu/build/sanitizers/tests/migration-test+0x932d9)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Reviewed-by: Laurent Vivier <lvivier@redhat.com>

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Message-id: 20190702150311.20467-1-peter.maydell@linaro.org

---

tests/migration-test.c | 22 +++++++---------------

1 file changed, 7 insertions(+), 15 deletions(-)

diff --git a/tests/migration-test.c b/tests/migration-test.c

index XXXXXXX..XXXXXXX 100644

--- a/tests/migration-test.c

+++ b/tests/migration-test.c

@@ -XXX,XX +XXX,XX @@ static const char *tmpfs;

*/

#include "tests/migration/i386/a-b-bootblock.h"

#include "tests/migration/aarch64/a-b-kernel.h"

-

-static void init_bootfile(const char *bootpath, void *content)

-{

- FILE *bootfile = fopen(bootpath, "wb");

-

- g_assert_cmpint(fwrite(content, 512, 1, bootfile), ==, 1);

- fclose(bootfile);

-}

-

#include "tests/migration/s390x/a-b-bios.h"

-static void init_bootfile_s390x(const char *bootpath)

+static void init_bootfile(const char *bootpath, void *content, size_t len)

{

FILE *bootfile = fopen(bootpath, "wb");

- size_t len = sizeof(s390x_elf);

- g_assert_cmpint(fwrite(s390x_elf, len, 1, bootfile), ==, 1);

+ g_assert_cmpint(fwrite(content, len, 1, bootfile), ==, 1);

fclose(bootfile);

}

@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,

got_stop = false;

bootpath = g_strdup_printf("%s/bootsect", tmpfs);

if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {

- init_bootfile(bootpath, x86_bootsect);

+ /* the assembled x86 boot sector should be exactly one sector large */

+ assert(sizeof(x86_bootsect) == 512);

+ init_bootfile(bootpath, x86_bootsect, sizeof(x86_bootsect));

extra_opts = use_shmem ? get_shmem_opts("150M", shmem_path) : NULL;

cmd_src = g_strdup_printf("-machine accel=%s -m 150M"

" -name source,debug-threads=on"

@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,

start_address = X86_TEST_MEM_START;

end_address = X86_TEST_MEM_END;

} else if (g_str_equal(arch, "s390x")) {

- init_bootfile_s390x(bootpath);

+ init_bootfile(bootpath, s390x_elf, sizeof(s390x_elf));

extra_opts = use_shmem ? get_shmem_opts("128M", shmem_path) : NULL;

cmd_src = g_strdup_printf("-machine accel=%s -m 128M"

" -name source,debug-threads=on"

@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,

start_address = PPC_TEST_MEM_START;

end_address = PPC_TEST_MEM_END;

} else if (strcmp(arch, "aarch64") == 0) {

- init_bootfile(bootpath, aarch64_kernel);

+ init_bootfile(bootpath, aarch64_kernel, sizeof(aarch64_kernel));

extra_opts = use_shmem ? get_shmem_opts("150M", shmem_path) : NULL;

cmd_src = g_strdup_printf("-machine virt,accel=%s,gic-version=max "

"-name vmsource,debug-threads=on -cpu max "

--

2.20.1

In the virt machine, we support TrustZone being either present or

absent, and so the code must deal with the secure_sysmem pointer

possibly being NULL. In the sbsa-ref machine, TrustZone is always

present, but some code and comments copied from virt still treat

it as possibly not being present.

This causes Coverity to complain (CID 1407287) that we check

secure_sysmem for being NULL after an unconditional dereference.

Simplify the code so that instead of initializing the variable

to NULL, unconditionally assigning it, and then testing it for NULL,

we just initialize it correctly in the variable declaration and

then assume it to be non-NULL. We also delete a comment which

only applied to the non-TrustZone config.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Message-id: 20190704142004.7150-1-peter.maydell@linaro.org

Tested-by: Radosław Biernacki <radoslaw.biernacki@linaro.org>

Reviewed-by: Radosław Biernacki <radoslaw.biernacki@linaro.org>

---

hw/arm/sbsa-ref.c | 8 ++------

1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/arm/sbsa-ref.c

+++ b/hw/arm/sbsa-ref.c

@@ -XXX,XX +XXX,XX @@ static void sbsa_flash_map(SBSAMachineState *sms,

* sysmem is the system memory space. secure_sysmem is the secure view

* of the system, and the first flash device should be made visible only

* there. The second flash device is visible to both secure and nonsecure.

- * If sysmem == secure_sysmem this means there is no separate Secure

- * address space and both flash devices are generally visible.

*/

hwaddr flashsize = sbsa_ref_memmap[SBSA_FLASH].size / 2;

hwaddr flashbase = sbsa_ref_memmap[SBSA_FLASH].base;

@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)

SBSAMachineState *sms = SBSA_MACHINE(machine);

MachineClass *mc = MACHINE_GET_CLASS(machine);

MemoryRegion *sysmem = get_system_memory();

- MemoryRegion *secure_sysmem = NULL;

+ MemoryRegion *secure_sysmem = g_new(MemoryRegion, 1);

MemoryRegion *ram = g_new(MemoryRegion, 1);

bool firmware_loaded;

const CPUArchIdList *possible_cpus;

@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)

* containing the system memory at low priority; any secure-only

* devices go in at higher priority and take precedence.

*/

- secure_sysmem = g_new(MemoryRegion, 1);

memory_region_init(secure_sysmem, OBJECT(machine), "secure-memory",

UINT64_MAX);

memory_region_add_subregion_overlap(secure_sysmem, 0, sysmem, -1);

- firmware_loaded = sbsa_firmware_init(sms, sysmem,

- secure_sysmem ?: sysmem);

+ firmware_loaded = sbsa_firmware_init(sms, sysmem, secure_sysmem);

if (machine->kernel_filename && firmware_loaded) {

error_report("sbsa-ref: No fw_cfg device on this machine, "

--

2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

In commit e9d652824b0 we extracted the vfp_set_fpscr_to_host()

function but failed at calling it in the correct place, we call

it after xregs[ARM_VFP_FPSCR] is modified.

Fix by calling this function before we update FPSCR.

Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com>

Tested-by: Laurent Desnogues <laurent.desnogues@gmail.com>

Message-id: 20190705124318.1075-1-philmd@redhat.com

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

target/arm/vfp_helper.c | 4 ++--

1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/vfp_helper.c b/target/arm/vfp_helper.c

index XXXXXXX..XXXXXXX 100644

--- a/target/arm/vfp_helper.c

+++ b/target/arm/vfp_helper.c

@@ -XXX,XX +XXX,XX @@ void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)

val &= 0xf7c0009f;

}

+ vfp_set_fpscr_to_host(env, val);

+

/*

* We don't implement trapped exception handling, so the

* trap enable bits, IDE|IXE|UFE|OFE|DZE|IOE are all RAZ/WI (not RES0!)

@@ -XXX,XX +XXX,XX @@ void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)

env->vfp.qc[1] = 0;

env->vfp.qc[2] = 0;

env->vfp.qc[3] = 0;

-

- vfp_set_fpscr_to_host(env, val);

}

void vfp_set_fpscr(CPUARMState *env, uint32_t val)

--

2.20.1