target-mips: fix corner case in TLBWR causing QEMU to hang

cpu_mips_get_random() function is used to generate a random index from CP0.Wired to TLBSize-1 range. Current implementation avoids generating the same as before value, hence the while loop. If the guest sets CP0.Wired to TLBSize-1 (which actually does not sound to be very practical) QEMU will get stuck in the loop infinitely as we always generate the same index. Signed-off-by: N Leon Alrae <leon.alrae@imgtec.com> Reviewed-by: N Aurelien Jarno <aurelien@aurel32.net>

target-mips: fix corner case in TLBWR causing QEMU to hang
cpu_mips_get_random() function is used to generate a random index from CP0.Wired to TLBSize-1 range. Current implementation avoids generating the same as before value, hence the while loop. If the guest sets CP0.Wired to TLBSize-1 (which actually does not sound to be very practical) QEMU will get stuck in the loop infinitely as we always generate the same index. Signed-off-by: N Leon Alrae <leon.alrae@imgtec.com> Reviewed-by: N Aurelien Jarno <aurelien@aurel32.net>
3adafef2 · Leon Alrae · ceb0ee14 · 3adafef2
隐藏空白更改
内联并排

Showing with 7 addition and 2 deletion

hw/mips/cputimer.c hw/mips/cputimer.c +7 -2

未找到文件。
--- a/hw/mips/cputimer.c
+++ b/hw/mips/cputimer.c
@@ -33,13 +33,18 @@ uint32_t cpu_mips_get_random (CPUMIPSState *env)
    static uint32_t seed = 1;
    static uint32_t prev_idx = 0;
    uint32_t idx;
+    uint32_t nb_rand_tlb = env->tlb->nb_tlb - env->CP0_Wired;
+    if (nb_rand_tlb == 1) {
+        return env->tlb->nb_tlb - 1;
+    }
    /* Don't return same value twice, so get another value */
    do {
        /* Use a simple algorithm of Linear Congruential Generator
         * from ISO/IEC 9899 standard. */
        seed = 1103515245 * seed + 12345;
-        idx = (seed >> 16) % (env->tlb->nb_tlb - env->CP0_Wired) +
+        idx = (seed >> 16) % nb_rand_tlb + env->CP0_Wired;
-              env->CP0_Wired;
    } while (idx == prev_idx);
    prev_idx = idx;
    return idx;