From nobody Wed May 7 12:42:26 2025
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as
permitted sender) client-ip=209.51.188.17;
envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
helo=lists.gnu.org;
Authentication-Results: mx.zohomail.com;
dkim=fail;
spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted
sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
dmarc=fail(p=none dis=none) header.from=linaro.org
ARC-Seal: i=1; a=rsa-sha256; t=1563198223; cv=none;
d=zoho.com; s=zohoarc;
b=CRaWRmjQMLAMfqTT0+ZcREzgYlAwyj+vDcnWAEX3oBxVvukHiPf7z5tk03pFANNqAx1RTrFvBkx1ncd8c//kvwYk6uAj6rrxib5SRZd0E3fhSZi7BbLglW3uOdJ7x9q8wQKrrQXas2qJZWuSfSsu2HAlJekPMPy0c3TmhcU+tP4=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com;
s=zohoarc;
t=1563198223;
h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To:ARC-Authentication-Results;
bh=lHOw/lFmFh4DCBqEH/SEFyeXO8oWbfUPsK1BSik9p+k=;
b=huUFPByWTAnqoC0eZ+MsSnDPOUcMUWbZLM+JtNsboORHtyaPE9hMVYeaMRiFDEiIuQ5E2rV5QKp7AzzcuSkqD878G4pH+WZMJdQq8u+pjR0+y9RoRLqesrH8ohDz7jMdK4vrO9GSLEElzx9qUM0Ubx1DGntILniaeNZPqJigzBE=
ARC-Authentication-Results: i=1; mx.zoho.com;
dkim=fail;
spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted
sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
dmarc=fail header.from=<peter.maydell@linaro.org> (p=none dis=none)
header.from=<peter.maydell@linaro.org>
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by
mx.zohomail.com
with SMTPS id 1563198223238893.0754763700016;
Mon, 15 Jul 2019 06:43:43 -0700 (PDT)
Received: from localhost ([::1]:38744 helo=lists1p.gnu.org)
by lists.gnu.org with esmtp (Exim 4.86_2)
(envelope-from <qemu-devel-bounces+importer=patchew.org@nongnu.org>)
id 1hn1GX-0004bt-Ry
for importer@patchew.org; Mon, 15 Jul 2019 09:43:41 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:51786)
by lists.gnu.org with esmtp (Exim 4.86_2)
(envelope-from <peter.maydell@linaro.org>) id 1hn1FG-0007sT-VL
for qemu-devel@nongnu.org; Mon, 15 Jul 2019 09:42:24 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
(envelope-from <peter.maydell@linaro.org>) id 1hn1FF-0006Ap-8r
for qemu-devel@nongnu.org; Mon, 15 Jul 2019 09:42:22 -0400
Received: from mail-wm1-x32c.google.com ([2a00:1450:4864:20::32c]:36202)
by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
(Exim 4.71) (envelope-from <peter.maydell@linaro.org>)
id 1hn1FF-00069c-2T
for qemu-devel@nongnu.org; Mon, 15 Jul 2019 09:42:21 -0400
Received: by mail-wm1-x32c.google.com with SMTP id g67so11155196wme.1
for <qemu-devel@nongnu.org>; Mon, 15 Jul 2019 06:42:20 -0700 (PDT)
Received: from orth.archaic.org.uk (orth.archaic.org.uk. [81.2.115.148])
by smtp.gmail.com with ESMTPSA id c7sm14221808wro.70.2019.07.15.06.42.18
for <qemu-devel@nongnu.org>
(version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256);
Mon, 15 Jul 2019 06:42:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
h=from:to:subject:date:message-id:in-reply-to:references:mime-version
:content-transfer-encoding;
bh=lHOw/lFmFh4DCBqEH/SEFyeXO8oWbfUPsK1BSik9p+k=;
b=EyNgZrxGyFWbJv274Z/DHUUe6esAV/mM5X262HZ6Uzw653STIvLUSsyJshnK9MAylp
OXkwdXS0AfBgNTST1TSD/of004/rpC+QNaJ0Dt1TpAn9aqB+xu6tYpw80ApiAD3dkxRs
MCU1K07ssWn5MTsG97DTr7DN7zRU6HbG98wXXLKHzDZH4rwomxzUjIRTiGDAcOFHTajz
XQDfMxLk56zgjjtadbgatETYut880FehZZFSFkcLdAOMkG7oyc2AQDciHoCh+pGT3u/t
fhTlIyTsipKFwyQ4VLC4avxKpn1HRBiH2C13ZyLkGrlETdISAYpkT54WsLErWizKPxH0
D2ww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
:references:mime-version:content-transfer-encoding;
bh=lHOw/lFmFh4DCBqEH/SEFyeXO8oWbfUPsK1BSik9p+k=;
b=e3v92ymIeRxAkc4VzutcoyBsBxCV6a5uYnprZEIBFyNvrTUHC3b1XUPQPgDV43MW9/
JcJDI2DEvXRRh24LYY1vQGkpUPzuaLgD6WQQ2Fb0yfNjXkACBdJD8XoRz9eG4gaw9Pde
Cie706XBYAhUEjviIPL4ci67VVnEql0XvXe8lCbRpyh9AMiPG6GqT9qwS4PxvyYA0gvQ
GqdTeptJon7nF1vBQDnln67sC70y7kgCJUINm18tOhKMoLgaZn2jFzXBN6kkOc8bTxpL
yA5mmVulvm0S7BXiqIf1iCLK/HGn+M7BLrM2z4ySIiPeZ3NjTnLtPMAQfHFXx51IrZgN
Px1A==
X-Gm-Message-State: APjAAAViPamRo2IDScnmnU00hxk+zBltsVdbeCRm9TD80YSxwyBI53Mt
fF7RI7QLdAXREd67e+f2LHzG3UqKfFk1OA==
X-Google-Smtp-Source:
APXvYqy2OuV9w/c+f5kAHvBgI2Dh1XMZBPEVkoLPUVzGeen12hcG7lbiWsG1eF1PFLbS5eFhnqXvag==
X-Received: by 2002:a1c:c542:: with SMTP id v63mr24181312wmf.97.1563198138969;
Mon, 15 Jul 2019 06:42:18 -0700 (PDT)
From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Date: Mon, 15 Jul 2019 14:42:07 +0100
Message-Id: <20190715134211.23063-7-peter.maydell@linaro.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190715134211.23063-1-peter.maydell@linaro.org>
References: <20190715134211.23063-1-peter.maydell@linaro.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
recognized.
X-Received-From: 2a00:1450:4864:20::32c
Subject: [Qemu-devel] [PULL 06/10] hw/display/xlnx_dp: Avoid crash when
reading empty RX FIFO
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+importer=patchew.org@nongnu.org>
X-ZohoMail-DKIM: fail (Header signature does not verify)
From: Philippe Mathieu-Daud=C3=A9 <philmd@redhat.com>
In the previous commit we fixed a crash when the guest read a
register that pop from an empty FIFO.
By auditing the repository, we found another similar use with
an easy way to reproduce:
$ qemu-system-aarch64 -M xlnx-zcu102 -monitor stdio -S
QEMU 4.0.50 monitor - type 'help' for more information
(qemu) xp/b 0xfd4a0134
Aborted (core dumped)
(gdb) bt
#0 0x00007f6936dea57f in raise () at /lib64/libc.so.6
#1 0x00007f6936dd4895 in abort () at /lib64/libc.so.6
#2 0x0000561ad32975ec in xlnx_dp_aux_pop_rx_fifo (s=3D0x7f692babee70) at=
hw/display/xlnx_dp.c:431
#3 0x0000561ad3297dc0 in xlnx_dp_read (opaque=3D0x7f692babee70, offset=
=3D77, size=3D4) at hw/display/xlnx_dp.c:667
#4 0x0000561ad321b896 in memory_region_read_accessor (mr=3D0x7f692babf62=
0, addr=3D308, value=3D0x7ffe05c1db88, size=3D4, shift=3D0, mask=3D42949672=
95, attrs=3D...) at memory.c:439
#5 0x0000561ad321bd70 in access_with_adjusted_size (addr=3D308, value=3D=
0x7ffe05c1db88, size=3D1, access_size_min=3D4, access_size_max=3D4, access_=
fn=3D0x561ad321b858 <memory_region_read_accessor>, mr=3D0x7f692babf620, att=
rs=3D...) at memory.c:569
#6 0x0000561ad321e9d5 in memory_region_dispatch_read1 (mr=3D0x7f692babf6=
20, addr=3D308, pval=3D0x7ffe05c1db88, size=3D1, attrs=3D...) at memory.c:1=
420
#7 0x0000561ad321ea9d in memory_region_dispatch_read (mr=3D0x7f692babf62=
0, addr=3D308, pval=3D0x7ffe05c1db88, size=3D1, attrs=3D...) at memory.c:14=
47
#8 0x0000561ad31bd742 in flatview_read_continue (fv=3D0x561ad69c04f0, ad=
dr=3D4249485620, attrs=3D..., buf=3D0x7ffe05c1dcf0 "\020\335\301\005\376\17=
7", len=3D1, addr1=3D308, l=3D1, mr=3D0x7f692babf620) at exec.c:3385
#9 0x0000561ad31bd895 in flatview_read (fv=3D0x561ad69c04f0, addr=3D4249=
485620, attrs=3D..., buf=3D0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=
=3D1) at exec.c:3423
#10 0x0000561ad31bd90b in address_space_read_full (as=3D0x561ad5bb3020, a=
ddr=3D4249485620, attrs=3D..., buf=3D0x7ffe05c1dcf0 "\020\335\301\005\376\1=
77", len=3D1) at exec.c:3436
#11 0x0000561ad33b1c42 in address_space_read (len=3D1, buf=3D0x7ffe05c1dc=
f0 "\020\335\301\005\376\177", attrs=3D..., addr=3D4249485620, as=3D0x561ad=
5bb3020) at include/exec/memory.h:2131
#12 0x0000561ad33b1c42 in memory_dump (mon=3D0x561ad59c4530, count=3D1, f=
ormat=3D120, wsize=3D1, addr=3D4249485620, is_physical=3D1) at monitor/misc=
.c:723
#13 0x0000561ad33b1fc1 in hmp_physical_memory_dump (mon=3D0x561ad59c4530,=
qdict=3D0x561ad6c6fd00) at monitor/misc.c:795
#14 0x0000561ad37b4a9f in handle_hmp_command (mon=3D0x561ad59c4530, cmdli=
ne=3D0x561ad59d0f22 "/b 0x00000000fd4a0134") at monitor/hmp.c:1082
Fix by checking the FIFO is not empty before popping from it.
The datasheet is not clear about the reset value of this register,
we choose to return '0'.
Signed-off-by: Philippe Mathieu-Daud=C3=A9 <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190709113715.7761-4-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/display/xlnx_dp.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
index cfd4c700b7f..cc5b650df0c 100644
--- a/hw/display/xlnx_dp.c
+++ b/hw/display/xlnx_dp.c
@@ -427,11 +427,18 @@ static uint8_t xlnx_dp_aux_pop_rx_fifo(XlnxDPState *s)
uint8_t ret;
=20
if (fifo8_is_empty(&s->rx_fifo)) {
- DPRINTF("rx_fifo underflow..\n");
- abort();
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: Reading empty RX_FIFO\n",
+ __func__);
+ /*
+ * The datasheet is not clear about the reset value, it seems
+ * to be unspecified. We choose to return '0'.
+ */
+ ret =3D 0;
+ } else {
+ ret =3D fifo8_pop(&s->rx_fifo);
+ DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
}
- ret =3D fifo8_pop(&s->rx_fifo);
- DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
return ret;
}
=20
--=20
2.20.1