- 21 2月, 2020 21 次提交
-
-
由 Chen Qun 提交于
The device tree blob returned by load_device_tree is malloced. We should free it after cpu_physical_memory_write(). Reported-by: NEuler Robot <euler.robot@huawei.com> Signed-off-by: NChen Qun <kuhn.chenqun@huawei.com> Message-Id: <20200218091154.21696-3-kuhn.chenqun@huawei.com> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 Greg Kurz 提交于
We already detect if a device is being hot plugged before CAS to trigger a CAS reboot and during migration to migrate the state of the associated DRC. But hot unplugging a device is also an asynchronous operation that requires the guest to take action. This means that if the guest is migrated after the hot unplug event was sent but before it could release the device with RTAS, the destination QEMU doesn't know about the pending unplug operation and doesn't actually remove the device when the guest finally releases it. Similarly, if the unplug request is fired before CAS, the guest isn't notified of the change, just like with hotplug. It ends up booting with the device still present in the DT and configures it, just like it was never removed. Even weirder, since the event is still queued, it will be eventually processed when some other unrelated event is posted to the guest. Enhance spapr_drc_transient() to also return true if an unplug request is pending. This fixes the issue at CAS with a CAS reboot request and causes the DRC state to be migrated. Some extra care is still needed to inform the destination that an unplug request is pending : migrate the unplug_requested field of the DRC in an optional subsection. This might break backwards migration, but this is still better than ending with an inconsistent guest. Signed-off-by: NGreg Kurz <groug@kaod.org> Message-Id: <158169248798.3465937.1108351365840514270.stgit@bahia.lan> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 Greg Kurz 提交于
We currently don't support hotplug of devices between boot and CAS. If this happens a CAS reboot is triggered. We detect this during CAS using the spapr_drc_needed() function which is essentially a VMStateDescription .needed callback. Even if the condition for CAS reboot happens to be the same as for DRC migration, it looks wrong to piggyback a migration helper for this. Introduce a helper with slightly more explicit name and use it in both CAS and DRC migration code. Since a subsequent patch will enhance this helper to cover the case of hot unplug, let's go for spapr_drc_transient(). While here convert spapr_hotplugged_dev_before_cas() to the "transient" wording as well. This doesn't change any behaviour. Signed-off-by: NGreg Kurz <groug@kaod.org> Message-Id: <158169248180.3465937.9531405453362718771.stgit@bahia.lan> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 Pan Nengyuan 提交于
'fdt' forgot to clean both e500 and pnv when we call 'system_reset' on ppc, this patch fix it. The leak stacks are as follow: Direct leak of 4194304 byte(s) in 4 object(s) allocated from: #0 0x7fafe37dd970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970) #1 0x7fafe2e3149d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d) #2 0x561876f7f80d in create_device_tree /mnt/sdb/qemu-new/qemu/device_tree.c:40 #3 0x561876b7ac29 in ppce500_load_device_tree /mnt/sdb/qemu-new/qemu/hw/ppc/e500.c:364 #4 0x561876b7f437 in ppce500_reset_device_tree /mnt/sdb/qemu-new/qemu/hw/ppc/e500.c:617 #5 0x56187718b1ae in qemu_devices_reset /mnt/sdb/qemu-new/qemu/hw/core/reset.c:69 #6 0x561876f6938d in qemu_system_reset /mnt/sdb/qemu-new/qemu/vl.c:1412 #7 0x561876f6a25b in main_loop_should_exit /mnt/sdb/qemu-new/qemu/vl.c:1645 #8 0x561876f6a398 in main_loop /mnt/sdb/qemu-new/qemu/vl.c:1679 #9 0x561876f7da8e in main /mnt/sdb/qemu-new/qemu/vl.c:4438 #10 0x7fafde16b812 in __libc_start_main ../csu/libc-start.c:308 #11 0x5618765c055d in _start (/mnt/sdb/qemu-new/qemu/build/ppc64-softmmu/qemu-system-ppc64+0x2b1555d) Direct leak of 1048576 byte(s) in 1 object(s) allocated from: #0 0x7fc0a6f1b970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970) #1 0x7fc0a656f49d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d) #2 0x55eb05acd2ca in pnv_dt_create /mnt/sdb/qemu-new/qemu/hw/ppc/pnv.c:507 #3 0x55eb05ace5bf in pnv_reset /mnt/sdb/qemu-new/qemu/hw/ppc/pnv.c:578 #4 0x55eb05f2f395 in qemu_system_reset /mnt/sdb/qemu-new/qemu/vl.c:1410 #5 0x55eb05f43850 in main /mnt/sdb/qemu-new/qemu/vl.c:4403 #6 0x7fc0a18a9812 in __libc_start_main ../csu/libc-start.c:308 #7 0x55eb0558655d in _start (/mnt/sdb/qemu-new/qemu/build/ppc64-softmmu/qemu-system-ppc64+0x2b1555d) Reported-by: NEuler Robot <euler.robot@huawei.com> Signed-off-by: NPan Nengyuan <pannengyuan@huawei.com> Message-Id: <20200214033206.4395-1-pannengyuan@huawei.com> Reviewed-by: NGreg Kurz <groug@kaod.org> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 BALATON Zoltan 提交于
The cpu env struct is quite complex but comments supposed to explain it in its definition just make it harder to read. Reformat and reword some comments to make it clearer and more readable. Signed-off-by: NBALATON Zoltan <balaton@eik.bme.hu> Message-Id: <8707144ab1ccf9c5c89a39c2d7a0b02307ca25d4.1581888834.git.balaton@eik.bme.hu> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 BALATON Zoltan 提交于
Move fp_status and fpscr closer to other floating point and vector related members in cpu env definition so they are in one group. Signed-off-by: NBALATON Zoltan <balaton@eik.bme.hu> Message-Id: <5b50e9e7eec2c383ae878b397d0b2927efc9ea43.1581888834.git.balaton@eik.bme.hu> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 BALATON Zoltan 提交于
"Deferred" was misspelled as "differed" in some comments, correct this typo, Signed-off-by: NBALATON Zoltan <balaton@eik.bme.hu> Message-Id: <20200214155748.0896B745953@zero.eik.bme.hu> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 Alexey Kardashevskiy 提交于
This allows moving the kernel in the guest memory. The option is useful for step debugging (as Linux is linked at 0x0); it also allows loading grub which is normally linked to run at 0x20000. This uses the existing kernel address by default. Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru> Message-Id: <20200203032943.121178-6-aik@ozlabs.ru> Reviewed-by: NFabiano Rosas <farosas@linux.ibm.com> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 Greg Kurz 提交于
We obviously don't want to print out an error message if addr points to a valid register. Reported-by: Coverity CID 1419391 Missing break in switch Fixes: 9ae1329e "ppc/pnv: Add models for POWER8 PHB3 PCIe Host bridge" Signed-off-by: NGreg Kurz <groug@kaod.org> Message-Id: <158153365202.3229002.11521084761048102466.stgit@bahia.lan> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 Greg Kurz 提交于
Obviously, we want to pass &local_err so that we can check it then line below, not errp. Reported-by: Coverity CID 1419395 'Constant' variable guards dead code Fixes: 4f9924c4 "ppc/pnv: Add models for POWER9 PHB4 PCIe Host bridge" Signed-off-by: NGreg Kurz <groug@kaod.org> Message-Id: <158153364605.3229002.2796177658957390343.stgit@bahia.lan> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 Greg Kurz 提交于
As reported by Coverity defect CID 1419397, the 'j' variable goes up to 63 and shouldn't be used to left shift a 32-bit integer. The result of the operation goes to a 64-bit integer : use a 64-bit constant. Reported-by: Coverity CID 1419397 Bad bit shift operation Fixes: 9ae1329e "ppc/pnv: Add models for POWER8 PHB3 PCIe Host bridge" Signed-off-by: NGreg Kurz <groug@kaod.org> Message-Id: <158153364010.3229002.8004283672455615950.stgit@bahia.lan> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 BALATON Zoltan 提交于
Commit 74433bf0 added some includes but added them twice. Since these are guarded against multiple inclusion including them once is enough. Signed-off-by: NBALATON Zoltan <balaton@eik.bme.hu> Message-Id: <20200212223207.5A37574637F@zero.eik.bme.hu> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 Shivaprasad G Bhat 提交于
This patch implements few of the necessary hcalls for the nvdimm support. PAPR semantics is such that each NVDIMM device is comprising of multiple SCM(Storage Class Memory) blocks. The guest requests the hypervisor to bind each of the SCM blocks of the NVDIMM device using hcalls. There can be SCM block unbind requests in case of driver errors or unplug(not supported now) use cases. The NVDIMM label read/writes are done through hcalls. Since each virtual NVDIMM device is divided into multiple SCM blocks, the bind, unbind, and queries using hcalls on those blocks can come independently. This doesn't fit well into the qemu device semantics, where the map/unmap are done at the (whole)device/object level granularity. The patch doesnt actually bind/unbind on hcalls but let it happen at the device_add/del phase itself instead. The guest kernel makes bind/unbind requests for the virtual NVDIMM device at the region level granularity. Without interleaving, each virtual NVDIMM device is presented as a separate guest physical address range. So, there is no way a partial bind/unbind request can come for the vNVDIMM in a hcall for a subset of SCM blocks of a virtual NVDIMM. Hence it is safe to do bind/unbind everything during the device_add/del. Signed-off-by: NShivaprasad G Bhat <sbhat@linux.ibm.com> Message-Id: <158131059899.2897.11515211602702956854.stgit@lep8c.aus.stglabs.ibm.com> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 Shivaprasad G Bhat 提交于
Add support for NVDIMM devices for sPAPR. Piggyback on existing nvdimm device interface in QEMU to support virtual NVDIMM devices for Power. Create the required DT entries for the device (some entries have dummy values right now). The patch creates the required DT node and sends a hotplug interrupt to the guest. Guest is expected to undertake the normal DR resource add path in response and start issuing PAPR SCM hcalls. The device support is verified based on the machine version unlike x86. This is how it can be used .. Ex : For coldplug, the device to be added in qemu command line as shown below -object memory-backend-file,id=memnvdimm0,prealloc=yes,mem-path=/tmp/nvdimm0,share=yes,size=1073872896 -device nvdimm,label-size=128k,uuid=75a3cdd7-6a2f-4791-8d15-fe0a920e8e9e,memdev=memnvdimm0,id=nvdimm0,slot=0 For hotplug, the device to be added from monitor as below object_add memory-backend-file,id=memnvdimm0,prealloc=yes,mem-path=/tmp/nvdimm0,share=yes,size=1073872896 device_add nvdimm,label-size=128k,uuid=75a3cdd7-6a2f-4791-8d15-fe0a920e8e9e,memdev=memnvdimm0,id=nvdimm0,slot=0 Signed-off-by: NShivaprasad G Bhat <sbhat@linux.ibm.com> Signed-off-by: NBharata B Rao <bharata@linux.ibm.com> [Early implementation] Message-Id: <158131058078.2897.12767731856697459923.stgit@lep8c.aus.stglabs.ibm.com> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 Shivaprasad G Bhat 提交于
For ppc64, PAPR requires the nvdimm device to have UUID property set in the device tree. Add an option to get it from the user. Signed-off-by: NShivaprasad G Bhat <sbhat@linux.ibm.com> Reviewed-by: NDavid Gibson <david@gibson.dropbear.id.au> Reviewed-by: NIgor Mammedov <imammedo@redhat.com> Message-Id: <158131056931.2897.14057087440721445976.stgit@lep8c.aus.stglabs.ibm.com> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 Shivaprasad G Bhat 提交于
nvdimm_device_list is required for parsing the list for devices in subsequent patches. Move it to common utility area. Signed-off-by: NShivaprasad G Bhat <sbhat@linux.ibm.com> Reviewed-by: NIgor Mammedov <imammedo@redhat.com> Reviewed-by: NDavid Gibson <david@gibson.dropbear.id.au> Message-Id: <158131055857.2897.15658377276504711773.stgit@lep8c.aus.stglabs.ibm.com> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 Michael S. Tsirkin 提交于
We are going to add more init for the latest machine, so move the setup to a function so we don't have to change the DEFINE_SPAPR_MACHINE macro each time. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Message-Id: <20200207064628.1196095-1-mst@redhat.com> Reviewed-by: NLaurent Vivier <lvivier@redhat.com> Reviewed-by: NGreg Kurz <groug@kaod.org> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 Laurent Vivier 提交于
When PHB4 bridge has been added, the dependencies to PCIE_PORT has been added to XIVE_SPAPR and indirectly to PSERIES. The build of the PowerNV machine is fine while we also build the PSERIES machine. If we disable the PSERIES machine, the PowerNV build fails because the PCI Express files are not built: /usr/bin/ld: hw/ppc/pnv.o: in function `pnv_chip_power8_pic_print_info': .../hw/ppc/pnv.c:623: undefined reference to `pnv_phb3_msi_pic_print_info' /usr/bin/ld: hw/ppc/pnv.o: in function `pnv_chip_power9_pic_print_info': .../hw/ppc/pnv.c:639: undefined reference to `pnv_phb4_pic_print_info' /usr/bin/ld: ../hw/usb/hcd-ehci-pci.o: in function `usb_ehci_pci_write_config': .../hw/usb/hcd-ehci-pci.c:129: undefined reference to `pci_default_write_config' /usr/bin/ld: ../hw/usb/hcd-ehci-pci.o: in function `usb_ehci_pci_realize': .../hw/usb/hcd-ehci-pci.c:68: undefined reference to `pci_allocate_irq' /usr/bin/ld: .../hw/usb/hcd-ehci-pci.c:72: undefined reference to `pci_register_bar' /usr/bin/ld: ../hw/usb/hcd-ehci-pci.o:(.data.rel+0x50): undefined reference to `vmstate_pci_device' This patch fixes the problem by adding needed dependencies to POWERNV. Fixes: 4f9924c4 ("ppc/pnv: Add models for POWER9 PHB4 PCIe Host bridge") Signed-off-by: NLaurent Vivier <lvivier@redhat.com> Message-Id: <20200205232016.588202-3-lvivier@redhat.com> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 Laurent Vivier 提交于
qtest "rtas" command is only available with pseries not all ppc64 targets, so if I try to compile only powernv machine, the build fails with: /usr/bin/ld: qtest.o: in function `qtest_process_command': .../qtest.c:645: undefined reference to `qtest_rtas_call' We fix this by enabling rtas command only with pseries machine. Fixes: eeddd59f ("tests: add RTAS command in the protocol") Signed-off-by: NLaurent Vivier <lvivier@redhat.com> Message-Id: <20200205232016.588202-2-lvivier@redhat.com> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 Alexey Kardashevskiy 提交于
The "ibm,os-term" RTAS call has a single parameter which is a pointer to a message from the guest kernel about the termination cause; this prints it. Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru> Message-Id: <20200203032044.118585-1-aik@ozlabs.ru> Reviewed-by: NDaniel Henrique Barboza <danielhb413@gmail.com> Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
-
由 Peter Maydell 提交于
Fix memory leak with fdt cosmetic change in code and logs update mailmap # gpg: Signature made Wed 19 Feb 2020 10:15:56 GMT # gpg: using RSA key CD2F75DDC8E3A4DC2E4F5173F30C38BD3F2FBE3C # gpg: issuer "laurent@vivier.eu" # gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>" [full] # gpg: aka "Laurent Vivier <laurent@vivier.eu>" [full] # gpg: aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>" [full] # Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F 5173 F30C 38BD 3F2F BE3C * remotes/vivier2/tags/trivial-branch-pull-request: hw/xtensa/xtfpga:fix leak of fdevice tree blob hw/nios2:fix leak of fdevice tree blob hw/net/rocker: Report unimplemented feature with qemu_log_mask(UNIMP) hw/block/pflash_cfi02: Remove unneeded variable assignment hw/display/qxl: Remove unneeded variable assignment contrib/rdmacm-mux: Remove superfluous semicolon tests/qtest/libqos/qgraph: Remove superfluous semicolons target/i386/whpx: Remove superfluous semicolon ui/input-barrier: Remove superfluous semicolon hw/vfio/display: Remove superfluous semicolon hw/scsi/esp: Remove superfluous semicolon hw/m68k/next-cube: Remove superfluous semicolon hw/arm/xlnx-versal: Remove superfluous semicolon audio/alsaaudio: Remove superfluous semicolons scripts/checkpatch.pl: Detect superfluous semicolon in C code Report stringified errno in VFIO related errors mailmap: Add entry for Yu-Chen Lin Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
- 20 2月, 2020 1 次提交
-
-
由 Peter Maydell 提交于
Fixes for Dino and Artist. # gpg: Signature made Tue 18 Feb 2020 19:35:09 GMT # gpg: using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F # gpg: issuer "richard.henderson@linaro.org" # gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [full] # Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A 05C0 64DF 38E8 AF7E 215F * remotes/rth/tags/pull-pa-20200218: hw/hppa/dino: Do not accept accesses to registers 0x818 and 0x82c hw/hppa/dino: Fix bitmask for the PCIROR register hw/hppa/dino: Fix reg800_keep_bits overrun (CID 1419387 1419393 1419394) hw/hppa/dino: Add comments with register name hw/display/artist: Remove dead code (CID 1419388 & 1419389) hw/display/artist: Avoid drawing line when nothing to display hw/display/artist: Delay some variables initialization hw/display/artist: Remove pointless initialization hw/display/artist: Move trace event to draw_line() Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
- 19 2月, 2020 18 次提交
-
-
由 Chen Qun 提交于
The device tree blob returned by load_device_tree is malloced. We should free it after cpu_physical_memory_write(). Reported-by: NEuler Robot <euler.robot@huawei.com> Signed-off-by: NChen Qun <kuhn.chenqun@huawei.com> Acked-by: NMax Filippov <jcmvbkbc@gmail.com> Reviewed-by: NLaurent Vivier <laurent@vivier.eu> Message-Id: <20200218091154.21696-4-kuhn.chenqun@huawei.com> Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
-
由 Chen Qun 提交于
The device tree blob returned by load_device_tree is malloced. We should free it after cpu_physical_memory_write(). Reported-by: NEuler Robot <euler.robot@huawei.com> Signed-off-by: NChen Qun <kuhn.chenqun@huawei.com> Reviewed-by: NLaurent Vivier <laurent@vivier.eu> Message-Id: <20200218091154.21696-2-kuhn.chenqun@huawei.com> Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
-
由 Philippe Mathieu-Daudé 提交于
Register 0x818 is documented as 'undefined', and register 0x82c is not documented. Refuse their access. Acked-by: NHelge Deller <deller@gmx.de> Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20200218063355.18577-5-f4bug@amsat.org> Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
-
由 Philippe Mathieu-Daudé 提交于
Only 24 bits of the PCIROR register are documented (see pp. 37 of datasheet referenced in this file header). Acked-by: NHelge Deller <deller@gmx.de> Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20200218063355.18577-4-f4bug@amsat.org> Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
-
由 Philippe Mathieu-Daudé 提交于
Coverity reports: *** CID 1419387: Memory - illegal accesses (OVERRUN) /hw/hppa/dino.c: 267 in dino_chip_read_with_attrs() 261 val = s->ilr & s->imr & s->icr; 262 break; 263 case DINO_TOC_ADDR: 264 val = s->toc_addr; 265 break; 266 case DINO_GMASK ... DINO_TLTIM: >>> CID 1419387: Memory - illegal accesses (OVERRUN) >>> Overrunning array "s->reg800" of 12 4-byte elements at element index 12 (byte offset 48) using index "(addr - 2048UL) / 4UL" (which evaluates to 12). 267 val = s->reg800[(addr - DINO_GMASK) / 4]; 268 if (addr == DINO_PAMR) { 269 val &= ~0x01; /* LSB is hardwired to 0 */ 270 } 271 if (addr == DINO_MLTIM) { 272 val &= ~0x07; /* 3 LSB are hardwired to 0 */ *** CID 1419393: Memory - corruptions (OVERRUN) /hw/hppa/dino.c: 363 in dino_chip_write_with_attrs() 357 /* These registers are read-only. */ 358 break; 359 360 case DINO_GMASK ... DINO_TLTIM: 361 i = (addr - DINO_GMASK) / 4; 362 val &= reg800_keep_bits[i]; >>> CID 1419393: Memory - corruptions (OVERRUN) >>> Overrunning array "s->reg800" of 12 4-byte elements at element index 12 (byte offset 48) using index "i" (which evaluates to 12). 363 s->reg800[i] = val; 364 break; 365 366 default: 367 /* Controlled by dino_chip_mem_valid above. */ 368 g_assert_not_reached(); *** CID 1419394: Memory - illegal accesses (OVERRUN) /hw/hppa/dino.c: 362 in dino_chip_write_with_attrs() 356 case DINO_IRR1: 357 /* These registers are read-only. */ 358 break; 359 360 case DINO_GMASK ... DINO_TLTIM: 361 i = (addr - DINO_GMASK) / 4; >>> CID 1419394: Memory - illegal accesses (OVERRUN) >>> Overrunning array "reg800_keep_bits" of 12 4-byte elements at element index 12 (byte offset 48) using index "i" (which evaluates to 12). 362 val &= reg800_keep_bits[i]; 363 s->reg800[i] = val; 364 break; 365 366 default: 367 /* Controlled by dino_chip_mem_valid above. */ Indeed the array should contain 13 entries, the undocumented register 0x82c is missing. Fix by increasing the array size and adding the missing register. CID 1419387 can be verified with: $ echo x 0xfff80830 | hppa-softmmu/qemu-system-hppa -S -monitor stdio -display none QEMU 4.2.50 monitor - type 'help' for more information (qemu) x 0xfff80830 qemu/hw/hppa/dino.c:267:15: runtime error: index 12 out of bounds for type 'uint32_t [12]' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/phil/source/qemu/hw/hppa/dino.c:267:15 in 00000000fff80830: 0x00000000 and CID 1419393/1419394 with: $ echo writeb 0xfff80830 0x69 \ | hppa-softmmu/qemu-system-hppa -S -accel qtest -qtest stdio -display none [I 1581634452.654113] OPENED [R +4.105415] writeb 0xfff80830 0x69 qemu/hw/hppa/dino.c:362:16: runtime error: index 12 out of bounds for type 'const uint32_t [12]' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior qemu/hw/hppa/dino.c:362:16 in ================================================================= ==29607==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5577dae32f30 at pc 0x5577d93f2463 bp 0x7ffd97ea11b0 sp 0x7ffd97ea11a8 READ of size 4 at 0x5577dae32f30 thread T0 #0 0x5577d93f2462 in dino_chip_write_with_attrs qemu/hw/hppa/dino.c:362:16 #1 0x5577d9025664 in memory_region_write_with_attrs_accessor qemu/memory.c:503:12 #2 0x5577d9024920 in access_with_adjusted_size qemu/memory.c:539:18 #3 0x5577d9023608 in memory_region_dispatch_write qemu/memory.c:1482:13 #4 0x5577d8e3177a in flatview_write_continue qemu/exec.c:3166:23 #5 0x5577d8e20357 in flatview_write qemu/exec.c:3206:14 #6 0x5577d8e1fef4 in address_space_write qemu/exec.c:3296:18 #7 0x5577d8e20693 in address_space_rw qemu/exec.c:3306:16 #8 0x5577d9011595 in qtest_process_command qemu/qtest.c:432:13 #9 0x5577d900d19f in qtest_process_inbuf qemu/qtest.c:705:9 #10 0x5577d900ca22 in qtest_read qemu/qtest.c:717:5 #11 0x5577da8c4254 in qemu_chr_be_write_impl qemu/chardev/char.c:183:9 #12 0x5577da8c430c in qemu_chr_be_write qemu/chardev/char.c:195:9 #13 0x5577da8cf587 in fd_chr_read qemu/chardev/char-fd.c:68:9 #14 0x5577da9836cd in qio_channel_fd_source_dispatch qemu/io/channel-watch.c:84:12 #15 0x7faf44509ecc in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x4fecc) #16 0x5577dab75f96 in glib_pollfds_poll qemu/util/main-loop.c:219:9 #17 0x5577dab74797 in os_host_main_loop_wait qemu/util/main-loop.c:242:5 #18 0x5577dab7435a in main_loop_wait qemu/util/main-loop.c:518:11 #19 0x5577d9514eb3 in main_loop qemu/vl.c:1682:9 #20 0x5577d950699d in main qemu/vl.c:4450:5 #21 0x7faf41a87f42 in __libc_start_main (/lib64/libc.so.6+0x23f42) #22 0x5577d8cd4d4d in _start (qemu/build/sanitizer/hppa-softmmu/qemu-system-hppa+0x1256d4d) 0x5577dae32f30 is located 0 bytes to the right of global variable 'reg800_keep_bits' defined in 'qemu/hw/hppa/dino.c:87:23' (0x5577dae32f00) of size 48 SUMMARY: AddressSanitizer: global-buffer-overflow qemu/hw/hppa/dino.c:362:16 in dino_chip_write_with_attrs Shadow bytes around the buggy address: 0x0aaf7b5be590: 00 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 0x0aaf7b5be5a0: 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 0x0aaf7b5be5b0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x0aaf7b5be5c0: 00 00 00 02 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x0aaf7b5be5d0: 00 00 00 00 00 00 00 00 00 00 00 03 f9 f9 f9 f9 =>0x0aaf7b5be5e0: 00 00 00 00 00 00[f9]f9 f9 f9 f9 f9 00 00 00 00 0x0aaf7b5be5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aaf7b5be600: 00 00 01 f9 f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9 0x0aaf7b5be610: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x0aaf7b5be620: 00 00 00 05 f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9 0x0aaf7b5be630: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==29607==ABORTING Fixes: Covertiy CID 1419387 / 1419393 / 1419394 (commit 18092598) Acked-by: NHelge Deller <deller@gmx.de> Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20200218063355.18577-3-f4bug@amsat.org> Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
-
由 Philippe Mathieu-Daudé 提交于
Add a comment with the name of each register in the 0x800-0x8ff range. Acked-by: NHelge Deller <deller@gmx.de> Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20200218063355.18577-2-f4bug@amsat.org> Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
-
由 Philippe Mathieu-Daudé 提交于
Coverity reports: *** CID 1419388: Control flow issues (DEADCODE) /hw/display/artist.c: 739 in draw_line_xy() 733 if (endy < 0) { 734 endy = 0; 735 } 736 737 738 if (endx < 0) { >>> CID 1419388: Control flow issues (DEADCODE) >>> Execution cannot reach this statement: "return;". 739 return; 740 } 741 742 if (endy < 0) { 743 return; 744 } *** CID 1419389: Control flow issues (DEADCODE) /hw/display/artist.c: 743 in draw_line_xy() 737 738 if (endx < 0) { 739 return; 740 } 741 742 if (endy < 0) { >>> CID 1419389: Control flow issues (DEADCODE) >>> Execution cannot reach this statement: "return;". 743 return; 744 } 745 746 trace_artist_draw_line(startx, starty, endx, endy); 747 draw_line(s, startx, starty, endx, endy, false, -1, -1); 748 } Fixes: Covertiy CID 1419388 and 1419389 (commit 4765384c) Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Acked-by: NSven Schnelle <svens@stackframe.org> Message-Id: <20200214001303.12873-6-f4bug@amsat.org> Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
-
由 Philippe Mathieu-Daudé 提交于
Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20200214001303.12873-5-f4bug@amsat.org> Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
-
由 Philippe Mathieu-Daudé 提交于
We want to have an early exit path. Delay some initializations before the variables are used. Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Acked-by: NSven Schnelle <svens@stackframe.org> Message-Id: <20200214001303.12873-4-f4bug@amsat.org> Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
-
由 Philippe Mathieu-Daudé 提交于
We are initializating incy inconditionally: if (y1 <= y2) { incy = 1; } else { incy = -1; } Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Acked-by: NSven Schnelle <svens@stackframe.org> Message-Id: <20200214001303.12873-3-f4bug@amsat.org> Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
-
由 Philippe Mathieu-Daudé 提交于
Instead of emitting the trace event before each call to draw_line(), call it once at draw_line() entrance. Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Acked-by: NSven Schnelle <svens@stackframe.org> Message-Id: <20200214001303.12873-2-f4bug@amsat.org> Signed-off-by: NRichard Henderson <richard.henderson@linaro.org>
-
由 Philippe Mathieu-Daudé 提交于
Fix warnings reported by Clang static code analyzer: CC hw/net/rocker/rocker.o hw/net/rocker/rocker.c:213:9: warning: Value stored to 'tx_tso_mss' is never read tx_tso_mss = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_TSO_MSS]); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ hw/net/rocker/rocker.c:217:9: warning: Value stored to 'tx_tso_hdr_len' is never read tx_tso_hdr_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_TSO_HDR_LEN]); ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ hw/net/rocker/rocker.c:255:9: warning: Value stored to 'tx_l3_csum_off' is never read tx_l3_csum_off += tx_tso_mss = tx_tso_hdr_len = 0; ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fixes: dc488f88 Reported-by: Clang Static Analyzer Signed-off-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com> Message-Id: <20200217101637.27558-1-philmd@redhat.com> Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
-
由 Philippe Mathieu-Daudé 提交于
Fix warning reported by Clang static code analyzer: CC hw/block/pflash_cfi02.o hw/block/pflash_cfi02.c:311:5: warning: Value stored to 'ret' is never read ret = -1; ^ ~~ Reported-by: Clang Static Analyzer Signed-off-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NRichard Henderson <richard.henderson@linaro.org> Message-Id: <20200215161557.4077-4-philmd@redhat.com> Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
-
由 Philippe Mathieu-Daudé 提交于
Fix warning reported by Clang static code analyzer: hw/display/qxl.c:1634:14: warning: Value stored to 'orig_io_port' during its initialization is never read uint32_t orig_io_port = io_port; ^~~~~~~~~~~~ ~~~~~~~ Reported-by: Clang Static Analyzer Signed-off-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NRichard Henderson <richard.henderson@linaro.org> Message-Id: <20200215161557.4077-3-philmd@redhat.com> Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
-
由 Philippe Mathieu-Daudé 提交于
Fixes: a5d2f6f8Signed-off-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Acked-by: NPaolo Bonzini <pbonzini@redhat.com> Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: NJuan Quintela <quintela@redhat.com> Message-Id: <20200218094402.26625-14-philmd@redhat.com> Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
-
由 Philippe Mathieu-Daudé 提交于
Fixes: fc281c80Signed-off-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Acked-by: NPaolo Bonzini <pbonzini@redhat.com> Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: NJuan Quintela <quintela@redhat.com> Message-Id: <20200218094402.26625-13-philmd@redhat.com> Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
-
由 Philippe Mathieu-Daudé 提交于
Fixes: 812d49f2Signed-off-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Acked-by: NPaolo Bonzini <pbonzini@redhat.com> Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: NJuan Quintela <quintela@redhat.com> Message-Id: <20200218094402.26625-12-philmd@redhat.com> Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
-
由 Philippe Mathieu-Daudé 提交于
Fixes: 6105683dSigned-off-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Acked-by: NPaolo Bonzini <pbonzini@redhat.com> Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: NJuan Quintela <quintela@redhat.com> Message-Id: <20200218094402.26625-11-philmd@redhat.com> Signed-off-by: NLaurent Vivier <laurent@vivier.eu>
-