From nobody Sun Apr 5 13:26:58 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=linaro.org ARC-Seal: i=1; a=rsa-sha256; t=1774365127; cv=none; d=zohomail.com; s=zohoarc; b=EaJjxYxagwTUaSVLpgUOb1TOfywOiOgU3A4P1c5hAQrnFFhyZ7Xvifqc0KamjU6nW82g7P0w6GPXpPqIDiESNZp7CJ8W5Xe9OVdA5zzgegzPhFm5QlLnUEvMR22upt6fyISfjG/lLvh7MA2gp5gMYL5KWSj9z6/DRkec+ZEqbOE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1774365127; h=Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To:Cc; bh=dfNzBGzpTKbGiyXwJIuebHg/gBlotrth/GBr1EmFLrI=; b=JwfdirAPi3NCM0YrLUqK3aGI7fYOModtk7JNNxIvvgFFslCv2hnXj3DPCzRBY9iiewUpQUEo6okLjLky/2LX5t7rKbulZMQ/+FMeDrcwi/+gOgMlHq00RyReWZpMrs4kSLhLYaROt6/xPV6YEga5MzyPaRHNoPSo5YoTFmCJ8Ok= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 177436512794839.4176232004437; Tue, 24 Mar 2026 08:12:07 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1w53Pi-0000id-AI; Tue, 24 Mar 2026 11:11:27 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1w53Pd-0000f2-O7 for qemu-devel@nongnu.org; Tue, 24 Mar 2026 11:11:22 -0400 Received: from mail-wr1-x42e.google.com ([2a00:1450:4864:20::42e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1w53Pb-0005C8-Rv for qemu-devel@nongnu.org; Tue, 24 Mar 2026 11:11:21 -0400 Received: by mail-wr1-x42e.google.com with SMTP id ffacd0b85a97d-439b97a8a8cso4338521f8f.1 for ; Tue, 24 Mar 2026 08:11:19 -0700 (PDT) Received: from lanath.. (wildly.archaic.org.uk. [81.2.115.145]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43b64717e97sm40781916f8f.35.2026.03.24.08.11.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 24 Mar 2026 08:11:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1774365078; x=1774969878; darn=nongnu.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=dfNzBGzpTKbGiyXwJIuebHg/gBlotrth/GBr1EmFLrI=; b=L9PQlHij6P2oa62nh/6vI/myNzR7cRrJTW1xJ096HLD5FhpdUdOtrE0wu8WcyoUbz7 /lSqpgn+96ypKo4kN5tp4U8SHXbetno48LZQF+LeRBxZg5chPVdkDJW2o0oB+2bWh6eJ wAfsp2+wRCGFF3AyJJeUoef99ihbcG0M6KsPdCkftkPLAysbw4iv/3jn48TZlFwCbmWz 5AKj1idqc3qaB0zVJ5SjcvKreCfsWl9T5ZUkbax3jqrrjuaBFIouM9YAUEiyFrgsyqMf UnWgDRLxmTFOvtDVmEeyiyykzsPBhmR0hwNa2ybsvE27L9Xil5IUsalXcmi1FwRMQFr0 IEgw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774365078; x=1774969878; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=dfNzBGzpTKbGiyXwJIuebHg/gBlotrth/GBr1EmFLrI=; b=Fk2AXkTHFSUXpSCxNN+x5NNDn8IqYRJckO0cK5QPbeY4/OICn35q181ZBWBqlURTCl JGJooyOv4lie917uT524DjI13LYpDhW1OYVmX0trzLpMXyZAUpgJrfB5BgiY6T83NJ90 4fPo4DJMisAEaEX2evNf+RP4ksnAi5xsvDMVBbkZZYN+yCim+QEhhdKNh0s//dKI0PJ4 jCc3iNxsErMFz7WR4sj7CQw25uv6Ih8v54lQnGS4Ylsu2lZoi2Sxif/vLmjtQAGkkFFl NNUifo3M9j5aEuD8gw7A640Z+4EP68BABi024IO9gOPfWIbumzQNxvcu7m4a4VILc8Wj kMMQ== X-Gm-Message-State: AOJu0YxBfwheIDtSsyPk4lkKzIMgd0+uZGwU3v2sBLvSb8pzYMhjlB3K 2npnxZSxd8SbRLoAnYF9Ur8gLwiZ/jRj9c7FK2oTnE8i19tuNwfSgVexZT6jLbfP0CEwoRZDxjX MxEB9WKs= X-Gm-Gg: ATEYQzzbQvboBjeVKqQLCP74EKyrVoEk/ieSlgjloWWo6D47B5JqT4beR/VlNu7/Hrh L6+vXU9wQMIOX5Oy3Zz+NrzJWnv2n4rKC0uYDrlftVUfEygbEpNbaJQKvpsEZh6LllLU9u+4vkS yji3rfapB3BFflygxZnNy+qwTq5lVoSGLPLJoTujUhMS1JRncnQ39cdRfHsSJrljcsbd2ftLMEA XSBrPbTTHWpKf8oUiWo8vX02FQwurnkMFpz04b/mo5PZZfNRPxS+MT4fD11AcVkrMmLnIGqpJ7u aRfZCBjzwF/JcdILtzHtQppfJyb0ecObJhci8KPNuV0u+gq4DOGhXcCKtfnGl0YBweF3o4Vh9pa apBnUD8EZAqYP1MfdqnyGKtmPUg+RzqlIASW2r38HThLb5LExj9t+5d1oCnb8kKHmopBPoVQMyl By/TDFs46B/Cc5AGdshs+rCHqIEGehElnqGaK+UNjBR0NGwTq6LTXsRvp3JvnwQ7Kcm4rEakyks I6uQ5IBVh7UGiUzj7LHggAbTabhzNc= X-Received: by 2002:a05:6000:2c0e:b0:439:b744:c5fe with SMTP id ffacd0b85a97d-43b6427d272mr25436263f8f.52.1774365077977; Tue, 24 Mar 2026 08:11:17 -0700 (PDT) From: Peter Maydell To: qemu-devel@nongnu.org Subject: [PULL 03/11] hw/dma/pl080: Fix transfer logic in PL080 Date: Tue, 24 Mar 2026 15:11:03 +0000 Message-ID: <20260324151111.237411-4-peter.maydell@linaro.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260324151111.237411-1-peter.maydell@linaro.org> References: <20260324151111.237411-1-peter.maydell@linaro.org> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=2a00:1450:4864:20::42e; envelope-from=peter.maydell@linaro.org; helo=mail-wr1-x42e.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @linaro.org) X-ZM-MESSAGEID: 1774365128242158500 Content-Type: text/plain; charset="utf-8" From: Tao Ding The logic in the PL080 for transferring data has multiple bugs: * The TransferSize field in the channel control register counts in units of the source width; because our loop may do multiple source loads if the destination width is greater than the source width, we need to decrement it by (xsize / swidth), not by 1, each loop * It is documented in the TRM that it is a software error to program the source and destination width such that SWidth < DWidth and TransferSize * SWidth is not a multiple of DWidth. (This would mean that there isn't enough data to do a full final destination write.) We weren't doing anything sensible with this case. The TRM doesn't document what the hardware actually does (though it drops some hints that suggest that it probably over-reads from the source). * In the loop to write to the destination, each loop adds swidth to ch->dest for each loop and also uses (ch->dest + n) as the destination address. This moves the destination address on further than we should each time round the loop, and also is incrementing ch->dest by swidth when it should be dwidth. This patch fixes these problems: * decrement TransferSize by the correct amount * log and ignore the transfer size mismatch case * correct the loop logic for the destination writes A repro case which exercises some of this is as follows. It configures swidth to 1 byte, dwidth to 4 bytes, and transfer size 4, for a transfer from 0x00000000 to 0x000010000. Examining the destination memory in the QEMU monitor should show that the source data 0x44332211 has all been copied, but before this fix it is not: ./qemu-system-arm -M versatilepb -m 128M -nographic -S \ -device loader,addr=3D0x00000000,data=3D0x44332211,data-len=3D4 \ -device loader,addr=3D0x00001000,data=3D0x00000000,data-len=3D4 \ -device loader,addr=3D0x10130030,data=3D0x00000001,data-len=3D4 \ -device loader,addr=3D0x10130100,data=3D0x00000000,data-len=3D4 \ -device loader,addr=3D0x10130104,data=3D0x00001000,data-len=3D4 \ -device loader,addr=3D0x10130108,data=3D0x00000000,data-len=3D4 \ -device loader,addr=3D0x1013010C,data=3D0x9e47f004,data-len=3D4 \ -device loader,addr=3D0x10130110,data=3D0x0000c001,data-len=3D4 Without this patch the QEMU monitor shows: (qemu) xp /1wx 0x00001000 00001000: 0x00002211 Correct result: (qemu) xp /1wx 0x00001000 00001000: 0x44332211 Cc: qemu-stable@nongnu.org Suggested-by: Peter Maydell Signed-off-by: Tao Ding [PMM: Wrote up what we are fixing in the commit message] Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell --- hw/dma/pl080.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/hw/dma/pl080.c b/hw/dma/pl080.c index 627ccbbd81..4a90c7bb27 100644 --- a/hw/dma/pl080.c +++ b/hw/dma/pl080.c @@ -179,23 +179,28 @@ again: c, extract32(ch->ctrl, 21, 3)); continue; } - - for (n =3D 0; n < dwidth; n+=3D swidth) { + if ((size * swidth) % dwidth) { + qemu_log_mask(LOG_GUEST_ERROR, + "pl080: channel %d: transfer size mismatch: size=3D%d = swidth=3D%d dwidth=3D%d\n", + c, size, swidth, dwidth); + continue; + } + xsize =3D MAX(swidth, dwidth); + for (n =3D 0; n < xsize; n +=3D swidth) { address_space_read(&s->downstream_as, ch->src, MEMTXATTRS_UNSPECIFIED, buff + n, swidt= h); if (ch->ctrl & PL080_CCTRL_SI) ch->src +=3D swidth; } - xsize =3D (dwidth < swidth) ? swidth : dwidth; /* ??? This may pad the value incorrectly for dwidth < 32. */ for (n =3D 0; n < xsize; n +=3D dwidth) { - address_space_write(&s->downstream_as, ch->dest + n, + address_space_write(&s->downstream_as, ch->dest, MEMTXATTRS_UNSPECIFIED, buff + n, dwid= th); if (ch->ctrl & PL080_CCTRL_DI) - ch->dest +=3D swidth; + ch->dest +=3D dwidth; } =20 - size--; + size -=3D xsize / swidth; ch->ctrl =3D (ch->ctrl & 0xfffff000) | size; if (size =3D=3D 0) { /* Transfer complete. */ --=20 2.43.0