From: Philippe Mathieu-Daudé <philmd@redhat.com>

Alexander reported an issue in gic_get_current_cpu() using the

fuzzer. Yet another "deref current_cpu with QTest" bug, reproducible

doing:

$ echo readb 0xf03ff000 | qemu-system-arm -M npcm750-evb,accel=qtest -qtest stdio

[I 1611849440.651452] OPENED

[R +0.242498] readb 0xf03ff000

hw/intc/arm_gic.c:63:29: runtime error: member access within null pointer of type 'CPUState' (aka 'struct CPUState')

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hw/intc/arm_gic.c:63:29 in

AddressSanitizer:DEADLYSIGNAL

=================================================================

==3719691==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000082a0 (pc 0x5618790ac882 bp 0x7ffca946f4f0 sp 0x7ffca946f4a0 T0)

==3719691==The signal is caused by a READ memory access.

#0 0x5618790ac882 in gic_get_current_cpu hw/intc/arm_gic.c:63:29

#1 0x5618790a8901 in gic_dist_readb hw/intc/arm_gic.c:955:11

#2 0x5618790a7489 in gic_dist_read hw/intc/arm_gic.c:1158:17

#3 0x56187adc573b in memory_region_read_with_attrs_accessor softmmu/memory.c:464:9

#4 0x56187ad7903a in access_with_adjusted_size softmmu/memory.c:552:18

#5 0x56187ad766d6 in memory_region_dispatch_read1 softmmu/memory.c:1426:16

#6 0x56187ad758a8 in memory_region_dispatch_read softmmu/memory.c:1449:9

#7 0x56187b09e84c in flatview_read_continue softmmu/physmem.c:2822:23

#8 0x56187b0a0115 in flatview_read softmmu/physmem.c:2862:12

#9 0x56187b09fc9e in address_space_read_full softmmu/physmem.c:2875:18

#10 0x56187aa88633 in address_space_read include/exec/memory.h:2489:18

#11 0x56187aa88633 in qtest_process_command softmmu/qtest.c:558:13

#12 0x56187aa81881 in qtest_process_inbuf softmmu/qtest.c:797:9

#13 0x56187aa80e02 in qtest_read softmmu/qtest.c:809:5

current_cpu is NULL because QTest accelerator does not use CPU.

Fix by skipping the check and returning the first CPU index when

QTest accelerator is used, similarly to commit c781a2cc423

("hw/i386/vmport: Allow QTest use without crashing").

Reported-by: Alexander Bulekov <alxndr@bu.edu>

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Reviewed-by: Darren Kenny <darren.kenny@oracle.com>

Reviewed-by: Alexander Bulekov <alxndr@bu.edu>

Message-id: 20210128161417.3726358-1-philmd@redhat.com

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

hw/intc/arm_gic.c | 3 ++-

1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/intc/arm_gic.c

+++ b/hw/intc/arm_gic.c

@@ -XXX,XX +XXX,XX @@

#include "qemu/module.h"

#include "trace.h"

#include "sysemu/kvm.h"

+#include "sysemu/qtest.h"

/* #define DEBUG_GIC */

@@ -XXX,XX +XXX,XX @@ static const uint8_t gic_id_gicv2[] = {

static inline int gic_get_current_cpu(GICState *s)

{

- if (s->num_cpu > 1) {

+ if (!qtest_enabled() && s->num_cpu > 1) {

return current_cpu->cpu_index;

}

return 0;

--

2.20.1

From: Iris Johnson <iris@modwiz.com>

Currently the Exynos 4210 UART code always reports available FIFO space

when the backend checks for buffer space. When the FIFO is disabled this

is behavior causes the backend chardev code to replace the data before the

guest can read it.

This patch changes adds the logic to report the capacity properly when the

FIFO is not being used.

Buglink: https://bugs.launchpad.net/qemu/+bug/1913344

Signed-off-by: Iris Johnson <iris@modwiz.com>

Message-id: 20210128033655.1029577-1-iris@modwiz.com

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

hw/char/exynos4210_uart.c | 6 +++++-

1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/char/exynos4210_uart.c b/hw/char/exynos4210_uart.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/char/exynos4210_uart.c

+++ b/hw/char/exynos4210_uart.c

@@ -XXX,XX +XXX,XX @@ static int exynos4210_uart_can_receive(void *opaque)

{

Exynos4210UartState *s = (Exynos4210UartState *)opaque;

- return fifo_empty_elements_number(&s->rx);

+ if (s->reg[I_(UFCON)] & UFCON_FIFO_ENABLE) {

+ return fifo_empty_elements_number(&s->rx);

+ } else {

+ return !(s->reg[I_(UTRSTAT)] & UTRSTAT_Rx_BUFFER_DATA_READY);

+ }

}

static void exynos4210_uart_receive(void *opaque, const uint8_t *buf, int size)

--

2.20.1

From: Iris Johnson <iris@modwiz.com>

When the frontend device has no space for a read the fd is removed

from polling to allow time for the guest to read and clear the buffer.

Without the call to qemu_chr_fe_accept_input(), the poll will not be

broken out of when the guest has cleared the buffer causing significant

IO delays that get worse with smaller buffers.

Buglink: https://bugs.launchpad.net/qemu/+bug/1913341

Signed-off-by: Iris Johnson <iris@modwiz.com>

Message-id: 20210130184016.1787097-1-iris@modwiz.com

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

hw/char/exynos4210_uart.c | 1 +

1 file changed, 1 insertion(+)

diff --git a/hw/char/exynos4210_uart.c b/hw/char/exynos4210_uart.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/char/exynos4210_uart.c

+++ b/hw/char/exynos4210_uart.c

@@ -XXX,XX +XXX,XX @@ static uint64_t exynos4210_uart_read(void *opaque, hwaddr offset,

s->reg[I_(UTRSTAT)] &= ~UTRSTAT_Rx_BUFFER_DATA_READY;

res = s->reg[I_(URXH)];

}

+ qemu_chr_fe_accept_input(&s->chr);

exynos4210_uart_update_dmabusy(s);

trace_exynos_uart_read(s->channel, offset,

exynos4210_uart_regname(offset), res);

--

2.20.1

From: Zenghui Yu <yuzenghui@huawei.com>

When handling guest range-based IOTLB invalidation, we should decode the TG

field into the corresponding translation granule size so that we can pass

the correct invalidation range to backend. Set @granule to (tg * 2 + 10) to

properly emulate the architecture.

Fixes: d52915616c05 ("hw/arm/smmuv3: Get prepared for range invalidation")

Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>

Acked-by: Eric Auger <eric.auger@redhat.com>

Message-id: 20210130043220.1345-1-yuzenghui@huawei.com

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

hw/arm/smmuv3.c | 4 +++-

1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/arm/smmuv3.c

+++ b/hw/arm/smmuv3.c

@@ -XXX,XX +XXX,XX @@ static void smmuv3_notify_iova(IOMMUMemoryRegion *mr,

{

SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);

IOMMUTLBEvent event;

- uint8_t granule = tg;

+ uint8_t granule;

if (!tg) {

SMMUEventInfo event = {.inval_ste_allowed = true};

@@ -XXX,XX +XXX,XX @@ static void smmuv3_notify_iova(IOMMUMemoryRegion *mr,

return;

}

granule = tt->granule_sz;

+ } else {

+ granule = tg * 2 + 10;

}

event.type = IOMMU_NOTIFIER_UNMAP;

--

2.20.1

From: Bin Meng <bin.meng@windriver.com>

Avoid using a magic number (4) everywhere for the number of chip

selects supported.

Signed-off-by: Bin Meng <bin.meng@windriver.com>

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

Reviewed-by: Juan Quintela <quintela@redhat.com>

Message-id: 20210129132323.30946-2-bmeng.cn@gmail.com

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

include/hw/ssi/imx_spi.h | 5 ++++-

hw/ssi/imx_spi.c | 4 ++--

2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/include/hw/ssi/imx_spi.h b/include/hw/ssi/imx_spi.h

index XXXXXXX..XXXXXXX 100644

--- a/include/hw/ssi/imx_spi.h

+++ b/include/hw/ssi/imx_spi.h

@@ -XXX,XX +XXX,XX @@

#define EXTRACT(value, name) extract32(value, name##_SHIFT, name##_LENGTH)

+/* number of chip selects supported */

+#define ECSPI_NUM_CS 4

+

#define TYPE_IMX_SPI "imx.spi"

OBJECT_DECLARE_SIMPLE_TYPE(IMXSPIState, IMX_SPI)

@@ -XXX,XX +XXX,XX @@ struct IMXSPIState {

qemu_irq irq;

- qemu_irq cs_lines[4];

+ qemu_irq cs_lines[ECSPI_NUM_CS];

SSIBus *bus;

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/ssi/imx_spi.c

+++ b/hw/ssi/imx_spi.c

@@ -XXX,XX +XXX,XX @@ static void imx_spi_write(void *opaque, hwaddr offset, uint64_t value,

/* We are in master mode */

- for (i = 0; i < 4; i++) {

+ for (i = 0; i < ECSPI_NUM_CS; i++) {

qemu_set_irq(s->cs_lines[i],

i == imx_spi_selected_channel(s) ? 0 : 1);

}

@@ -XXX,XX +XXX,XX @@ static void imx_spi_realize(DeviceState *dev, Error **errp)

sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem);

sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->irq);

- for (i = 0; i < 4; ++i) {

+ for (i = 0; i < ECSPI_NUM_CS; ++i) {

sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->cs_lines[i]);

}

--

2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

When the block is disabled, all registers are reset with the

exception of the ECSPI_CONREG. It is initialized to zero

when the instance is created.

Ref: i.MX 6DQ Applications Processor Reference Manual (IMX6DQRM),

chapter 21.7.3: Control Register (ECSPIx_CONREG)

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

Signed-off-by: Bin Meng <bin.meng@windriver.com>

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

Message-id: 20210129132323.30946-5-bmeng.cn@gmail.com

[bmeng: add a 'common_reset' function that does most of reset operation]

Signed-off-by: Bin Meng <bin.meng@windriver.com>

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

hw/ssi/imx_spi.c | 32 ++++++++++++++++++++++++--------

1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/ssi/imx_spi.c

+++ b/hw/ssi/imx_spi.c

@@ -XXX,XX +XXX,XX @@ static void imx_spi_flush_txfifo(IMXSPIState *s)

fifo32_num_used(&s->tx_fifo), fifo32_num_used(&s->rx_fifo));

}

-static void imx_spi_reset(DeviceState *dev)

+static void imx_spi_common_reset(IMXSPIState *s)

{

- IMXSPIState *s = IMX_SPI(dev);

+ int i;

- DPRINTF("\n");

-

- memset(s->regs, 0, sizeof(s->regs));

-

- s->regs[ECSPI_STATREG] = 0x00000003;

+ for (i = 0; i < ARRAY_SIZE(s->regs); i++) {

+ switch (i) {

+ case ECSPI_CONREG:

+ /* CONREG is not updated on soft reset */

+ break;

+ case ECSPI_STATREG:

+ s->regs[i] = 0x00000003;

+ break;

+ default:

+ s->regs[i] = 0;

+ break;

+ }

+ }

imx_spi_rxfifo_reset(s);

imx_spi_txfifo_reset(s);

@@ -XXX,XX +XXX,XX @@ static void imx_spi_reset(DeviceState *dev)

static void imx_spi_soft_reset(IMXSPIState *s)

{

- imx_spi_reset(DEVICE(s));

+ imx_spi_common_reset(s);

imx_spi_update_irq(s);

}

+static void imx_spi_reset(DeviceState *dev)

+{

+ IMXSPIState *s = IMX_SPI(dev);

+

+ imx_spi_common_reset(s);

+ s->regs[ECSPI_CONREG] = 0;

+}

+

static uint64_t imx_spi_read(void *opaque, hwaddr offset, unsigned size)

{

uint32_t value = 0;

--

2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

When the block is disabled, only the ECSPI_CONREG register can

be modified. Setting the EN bit enabled the device, clearing it

"disables the block and resets the internal logic with the

exception of the ECSPI_CONREG" register.

Ignore all other registers write except ECSPI_CONREG when the

block is disabled.

Ref: i.MX 6DQ Applications Processor Reference Manual (IMX6DQRM),

chapter 21.7.3: Control Register (ECSPIx_CONREG)

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

Signed-off-by: Bin Meng <bin.meng@windriver.com>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

Message-id: 20210129132323.30946-7-bmeng.cn@gmail.com

Message-Id: <20210115153049.3353008-6-f4bug@amsat.org>

Signed-off-by: Bin Meng <bin.meng@windriver.com>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

hw/ssi/imx_spi.c | 13 +++++++++----

1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/ssi/imx_spi.c

+++ b/hw/ssi/imx_spi.c

@@ -XXX,XX +XXX,XX @@ static void imx_spi_write(void *opaque, hwaddr offset, uint64_t value,

DPRINTF("reg[%s] <= 0x%" PRIx32 "\n", imx_spi_reg_name(index),

(uint32_t)value);

+ if (!imx_spi_is_enabled(s)) {

+ /* Block is disabled */

+ if (index != ECSPI_CONREG) {

+ /* Ignore access */

+ return;

+ }

+ }

+

change_mask = s->regs[index] ^ value;

switch (index) {

@@ -XXX,XX +XXX,XX @@ static void imx_spi_write(void *opaque, hwaddr offset, uint64_t value,

TYPE_IMX_SPI, __func__);

break;

case ECSPI_TXDATA:

- if (!imx_spi_is_enabled(s)) {

- /* Ignore writes if device is disabled */

- break;

- } else if (fifo32_is_full(&s->tx_fifo)) {

+ if (fifo32_is_full(&s->tx_fifo)) {

/* Ignore writes if queue is full */

break;

}

--

2.20.1

From: Xuzhou Cheng <xuzhou.cheng@windriver.com>

When a write to ECSPI_CONREG register to disable the SPI controller,

imx_spi_soft_reset() is called to reset the controller, but chip

select lines should have been disabled, otherwise the state machine

of any devices (e.g.: SPI flashes) connected to the SPI master is

stuck to its last state and responds incorrectly to any follow-up

commands.

Fixes: c906a3a01582 ("i.MX: Add the Freescale SPI Controller")

Signed-off-by: Xuzhou Cheng <xuzhou.cheng@windriver.com>

Signed-off-by: Bin Meng <bin.meng@windriver.com>

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

Message-id: 20210129132323.30946-8-bmeng.cn@gmail.com

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

hw/ssi/imx_spi.c | 6 ++++++

1 file changed, 6 insertions(+)

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/ssi/imx_spi.c

+++ b/hw/ssi/imx_spi.c

@@ -XXX,XX +XXX,XX @@ static void imx_spi_common_reset(IMXSPIState *s)

static void imx_spi_soft_reset(IMXSPIState *s)

{

+ int i;

+

imx_spi_common_reset(s);

imx_spi_update_irq(s);

+

+ for (i = 0; i < ECSPI_NUM_CS; i++) {

+ qemu_set_irq(s->cs_lines[i], 1);

+ }

}

static void imx_spi_reset(DeviceState *dev)

--

2.20.1

From: Bin Meng <bin.meng@windriver.com>

Current implementation of the imx spi controller expects the burst

length to be multiple of 8, which is the most common use case.

In case the burst length is not what we expect, log it to give user

a chance to notice it, and round it up to be multiple of 8.

Signed-off-by: Bin Meng <bin.meng@windriver.com>

Message-id: 20210129132323.30946-9-bmeng.cn@gmail.com

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

hw/ssi/imx_spi.c | 17 ++++++++++++++++-

1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/ssi/imx_spi.c

+++ b/hw/ssi/imx_spi.c

@@ -XXX,XX +XXX,XX @@ static uint8_t imx_spi_selected_channel(IMXSPIState *s)

static uint32_t imx_spi_burst_length(IMXSPIState *s)

{

- return EXTRACT(s->regs[ECSPI_CONREG], ECSPI_CONREG_BURST_LENGTH) + 1;

+ uint32_t burst;

+

+ burst = EXTRACT(s->regs[ECSPI_CONREG], ECSPI_CONREG_BURST_LENGTH) + 1;

+ if (burst % 8) {

+ burst = ROUND_UP(burst, 8);

+ }

+

+ return burst;

}

static bool imx_spi_is_enabled(IMXSPIState *s)

@@ -XXX,XX +XXX,XX @@ static void imx_spi_write(void *opaque, hwaddr offset, uint64_t value,

IMXSPIState *s = opaque;

uint32_t index = offset >> 2;

uint32_t change_mask;

+ uint32_t burst;

if (index >= ECSPI_MAX) {

qemu_log_mask(LOG_GUEST_ERROR, "[%s]%s: Bad register at offset 0x%"

@@ -XXX,XX +XXX,XX @@ static void imx_spi_write(void *opaque, hwaddr offset, uint64_t value,

case ECSPI_CONREG:

s->regs[ECSPI_CONREG] = value;

+ burst = EXTRACT(s->regs[ECSPI_CONREG], ECSPI_CONREG_BURST_LENGTH) + 1;

+ if (burst % 8) {

+ qemu_log_mask(LOG_UNIMP,

+ "[%s]%s: burst length %d not supported: rounding up to next multiple of 8\n",

+ TYPE_IMX_SPI, __func__, burst);

+ }

+

if (!imx_spi_is_enabled(s)) {

/* device is disabled, so this is a soft reset */

imx_spi_soft_reset(s);

--

2.20.1

From: Bin Meng <bin.meng@windriver.com>

For the ECSPIx_CONREG register BURST_LENGTH field, the manual says:

0x020 A SPI burst contains the 1 LSB in first word and all 32 bits in second word.

0x021 A SPI burst contains the 2 LSB in first word and all 32 bits in second word.

Current logic uses either s->burst_length or 32, whichever smaller,

to determine how many bits it should read from the tx fifo each time.

For example, for a 48 bit burst length, current logic transfers the

first 32 bit from the first word in the tx fifo, followed by a 16

bit from the second word in the tx fifo, which is wrong. The correct

logic should be: transfer the first 16 bit from the first word in

the tx fifo, followed by a 32 bit from the second word in the tx fifo.

With this change, SPI flash can be successfully probed by U-Boot on

imx6 sabrelite board.

=> sf probe

SF: Detected sst25vf016b with page size 256 Bytes, erase size 4 KiB, total 2 MiB

Fixes: c906a3a01582 ("i.MX: Add the Freescale SPI Controller")

Signed-off-by: Bin Meng <bin.meng@windriver.com>

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

Message-id: 20210129132323.30946-10-bmeng.cn@gmail.com

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---

hw/ssi/imx_spi.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/ssi/imx_spi.c

+++ b/hw/ssi/imx_spi.c

@@ -XXX,XX +XXX,XX @@ static void imx_spi_flush_txfifo(IMXSPIState *s)

DPRINTF("data tx:0x%08x\n", tx);

- tx_burst = MIN(s->burst_length, 32);

+ tx_burst = (s->burst_length % 32) ? : 32;

rx = 0;

--

2.20.1

From: Bin Meng <bin.meng@windriver.com>

The endianness of data exchange between tx and rx fifo is incorrect.

Earlier bytes are supposed to show up on MSB and later bytes on LSB,

ie: in big endian. The manual does not explicitly say this, but the