From c251191eae40e0e26680d0d8a8a065735acadef8 Mon Sep 17 00:00:00 2001 From: Niek Linnenbank Date: Mon, 30 Mar 2020 13:18:58 +0100 Subject: [PATCH 1/6] hw/arm/orangepi: check for potential NULL pointer when calling blk_is_available The Orange Pi PC initialization function needs to verify that the SD card block backend is usable before calling the Boot ROM setup routine. When calling blk_is_available() the input parameter should not be NULL. This commit ensures that blk_is_available is only called with non-NULL input. Reported-by: Peter Maydell Signed-off-by: Niek Linnenbank Message-id: 20200322205439.15231-1-nieklinnenbank@gmail.com Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell --- hw/arm/orangepi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/arm/orangepi.c b/hw/arm/orangepi.c index 181f5badab..a9f64c5680 100644 --- a/hw/arm/orangepi.c +++ b/hw/arm/orangepi.c @@ -104,7 +104,7 @@ static void orangepi_init(MachineState *machine) machine->ram); /* Load target kernel or start using BootROM */ - if (!machine->kernel_filename && blk_is_available(blk)) { + if (!machine->kernel_filename && blk && blk_is_available(blk)) { /* Use Boot ROM to copy data from SD card to SRAM */ allwinner_h3_bootrom_setup(h3, blk); } From 34d8df2a1d8cd9f24e29cc9b27c233da471b2ad1 Mon Sep 17 00:00:00 2001 From: Niek Linnenbank Date: Mon, 30 Mar 2020 13:18:58 +0100 Subject: [PATCH 2/6] hw/misc/allwinner-h3-dramc: enforce 64-bit multiply when calculating row mirror address The allwinner_h3_dramc_map_rows function simulates row addressing behavior when bootloader software attempts to detect the amount of available SDRAM. Currently the line that calculates the 64-bit address of the mirrored row uses a signed 32-bit multiply operation that in theory could result in the upper 32-bit be all 1s. This commit ensures that the row mirror address is calculated using only 64-bit operations. Reported-by: Peter Maydell 
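Review bot: The condition in orangepi_init now relies on `blk` possibly being NULL, but the comment above it does not say when that happens or that blk_is_available() must not be given NULL. A short comment on the `if` would keep the guard from being simplified away later, for example `/* blk is NULL when no SD backend was found; blk_is_available() requires a non-NULL argument */`. The assignment of `blk` is outside the hunk, so the "no SD backend" wording is an assumption to confirm. When there is neither a kernel filename nor a usable SD backend, the visible lines fall through without any diagnostic, so it may be worth checking whether the rest of the function reports that case.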
Signed-off-by: Niek Linnenbank Message-id: 20200323192944.5967-1-nieklinnenbank@gmail.com Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell --- hw/misc/allwinner-h3-dramc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/misc/allwinner-h3-dramc.c b/hw/misc/allwinner-h3-dramc.c index 2b5260260e..1d37cf422c 100644 --- a/hw/misc/allwinner-h3-dramc.c +++ b/hw/misc/allwinner-h3-dramc.c @@ -85,8 +85,8 @@ static void allwinner_h3_dramc_map_rows(AwH3DramCtlState *s, uint8_t row_bits, } else if (row_bits_actual) { /* Row bits not matching ram_size, install the rows mirror */ - hwaddr row_mirror = s->ram_addr + ((1 << (row_bits_actual + - bank_bits)) * page_size); + hwaddr row_mirror = s->ram_addr + ((1ULL << (row_bits_actual + + bank_bits)) * page_size); memory_region_set_enabled(&s->row_mirror_alias, true); memory_region_set_address(&s->row_mirror_alias, row_mirror); From e22684e34d41d4ea24ec31602a75f1224eeb1e12 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 30 Mar 2020 13:18:59 +0100 Subject: [PATCH 3/6] docs/conf.py: Raise ConfigError for bad Sphinx Python version Raise ConfigError rather than VersionRequirementError when we detect that the Python being used by Sphinx is too old. Currently the way we flag the Python version problem up to the user causes Sphinx to print an unnecessary Python stack trace as well as the information about the problem; in most versions of Sphinx this is unavoidable. The upstream Sphinx developers kindly added a feature to allow conf.py to report errors to the user without the backtrace: https://github.com/sphinx-doc/sphinx/commit/be608ca2313fc08eb842f3dc19d0f5d2d8227d08 but the exception type they chose for this was ConfigError. Switch to ConfigError, which won't make any difference with currently deployed Sphinx versions, but will be prettier one day when the user is using a Sphinx version with the new feature. 
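Review bot: The shift count `row_bits_actual + bank_bits` in the `row_mirror` calculation is still unbounded in the visible lines. Widening the constant to `1ULL` removes the sign-extension problem, but a sum of 64 or more would still be undefined behaviour, and the product with `page_size` can still wrap. If these values come from guest-written DRAM controller registers (the hunk does not show their origin), an explicit bound before the shift would state the assumption, e.g. `if (row_bits_actual + bank_bits >= 64) { return; }`, possibly with a guest-error log. An assert is less suitable here, because on guest-derived values it would let the guest abort the emulator. The function starts and ends outside the hunk, so a range check may already exist elsewhere and make this unnecessary.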
Signed-off-by: Peter Maydell Reviewed-by: John Snow Message-id: 20200313163616.30674-1-peter.maydell@linaro.org --- docs/conf.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/conf.py b/docs/conf.py index af55f506d5..7768611e89 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -29,14 +29,15 @@ import os import sys import sphinx -from sphinx.errors import VersionRequirementError +from sphinx.errors import ConfigError # Make Sphinx fail cleanly if using an old Python, rather than obscurely # failing because some code in one of our extensions doesn't work there. -# Unfortunately this doesn't display very neatly (there's an unavoidable -# Python backtrace) but at least the information gets printed... +# In newer versions of Sphinx this will display nicely; in older versions +# Sphinx will also produce a Python backtrace but at least the information +# gets printed... if sys.version_info < (3,5): - raise VersionRequirementError( + raise ConfigError( "QEMU requires a Sphinx that uses Python 3.5 or better\n") # The per-manual conf.py will set qemu_docdir for a single-manual build; From 63fef6287e555651e1a27d595ad677f21e04de32 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 30 Mar 2020 13:18:59 +0100 Subject: [PATCH 4/6] hw/arm/xlnx-zynqmp.c: Avoid memory leak in error-return path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In xlnx_zynqmp_realize() if the attempt to realize the SD controller object fails then the error-return path will leak the 'bus_name' string. Fix this by deferring the allocation until after the realize has succeeded. Fixes: Coverity CID 1421911 Signed-off-by: Peter Maydell Reviewed-by: Edgar E. Iglesias Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Alistair Francis Message-id: 20200324134947.15384-2-peter.maydell@linaro.org --- hw/arm/xlnx-zynqmp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c index 49f1c8d0de..a13dbeeace 100644 --- a/hw/arm/xlnx-zynqmp.c +++ b/hw/arm/xlnx-zynqmp.c @@ -520,7 +520,7 @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp) sysbus_connect_irq(SYS_BUS_DEVICE(&s->sata), 0, gic_spi[SATA_INTR]); for (i = 0; i < XLNX_ZYNQMP_NUM_SDHCI; i++) { - char *bus_name = g_strdup_printf("sd-bus%d", i); + char *bus_name; SysBusDevice *sbd = SYS_BUS_DEVICE(&s->sdhci[i]); Object *sdhci = OBJECT(&s->sdhci[i]); @@ -541,6 +541,7 @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp) sysbus_connect_irq(sbd, 0, gic_spi[sdhci_intr[i]]); /* Alias controller SD bus to the SoC itself */ + bus_name = g_strdup_printf("sd-bus%d", i); object_property_add_alias(OBJECT(s), bus_name, sdhci, "sd-bus", &error_abort); g_free(bus_name); From 660b4e70422bd19b09fa979733645ad6a55d88f2 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 30 Mar 2020 13:18:59 +0100 Subject: [PATCH 5/6] hw/arm/xlnx-zynqmp.c: Add missing error-propagation code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In some places in xlnx_zynqmp_realize() we were putting an error into our local Error*, but forgetting to check for failure and pass it back to the caller. Add the missing code. Signed-off-by: Peter Maydell Reviewed-by: Edgar E. Iglesias Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Alistair Francis Message-id: 20200324134947.15384-3-peter.maydell@linaro.org --- hw/arm/xlnx-zynqmp.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c index a13dbeeace..b84d153d56 100644 --- a/hw/arm/xlnx-zynqmp.c +++ b/hw/arm/xlnx-zynqmp.c 
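Review bot: `bus_name` in the SD controller loop is now declared uninitialised at the top of the block and only assigned just before object_property_add_alias(). That fixes the reported leak, but the g_strdup_printf()/g_free() pairing still has to be kept correct by hand. If the project's minimum GLib allows it, declaring `g_autofree char *bus_name = NULL;` and dropping the explicit `g_free(bus_name);` would keep any later early return between allocation and free from leaking again. It would also remove the window in which the pointer holds an indeterminate value. The loop body starts before the first hunk and continues past the second, so this applies to the whole iteration, not only the lines shown.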
@@ -530,8 +530,20 @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp) * - eMMC Specification Version 4.51 */ object_property_set_uint(sdhci, 3, "sd-spec-version", &err); + if (err) { + error_propagate(errp, err); + return; + } object_property_set_uint(sdhci, SDHCI_CAPABILITIES, "capareg", &err); + if (err) { + error_propagate(errp, err); + return; + } object_property_set_uint(sdhci, UHS_I, "uhs", &err); + if (err) { + error_propagate(errp, err); + return; + } object_property_set_bool(sdhci, true, "realized", &err); if (err) { error_propagate(errp, err); @@ -551,6 +563,10 @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp) gchar *bus_name; object_property_set_bool(OBJECT(&s->spi[i]), true, "realized", &err); + if (err) { + error_propagate(errp, err); + return; + } sysbus_mmio_map(SYS_BUS_DEVICE(&s->spi[i]), 0, spi_addr[i]); sysbus_connect_irq(SYS_BUS_DEVICE(&s->spi[i]), 0, @@ -565,6 +581,10 @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp) } object_property_set_bool(OBJECT(&s->qspi), true, "realized", &err); + if (err) { + error_propagate(errp, err); + return; + } sysbus_mmio_map(SYS_BUS_DEVICE(&s->qspi), 0, QSPI_ADDR); sysbus_mmio_map(SYS_BUS_DEVICE(&s->qspi), 1, LQSPI_ADDR); sysbus_connect_irq(SYS_BUS_DEVICE(&s->qspi), 0, gic_spi[QSPI_IRQ]); @@ -619,6 +639,10 @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp) for (i = 0; i < XLNX_ZYNQMP_NUM_GDMA_CH; i++) { object_property_set_uint(OBJECT(&s->gdma[i]), 128, "bus-width", &err); + if (err) { + error_propagate(errp, err); + return; + } object_property_set_bool(OBJECT(&s->gdma[i]), true, "realized", &err); if (err) { error_propagate(errp, err); From 88828bf133b64b7a860c166af3423ef1a47c5d3b Mon Sep 17 00:00:00 2001 
From: Changbin Du Date: Sat, 28 Mar 2020 22:02:32 +0800 Subject: [PATCH 6/6] target/arm: fix incorrect current EL bug in aarch32 exception emulation The arm_current_el() should be invoked after mode switching. Otherwise, we get a wrong current EL value, since current EL is also determined by current mode. Fixes: 4a2696c0d4 ("target/arm: Set PAN bit as required on exception entry") Signed-off-by: Changbin Du Reviewed-by: Richard Henderson Message-id: 20200328140232.17278-1-changbin.du@gmail.com Signed-off-by: Peter Maydell --- target/arm/helper.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index b7b6887241..163c91a1cc 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -9172,7 +9172,6 @@ static void take_aarch32_exception(CPUARMState *env, int new_mode, /* Change the CPU state so as to actually take the exception. */ switch_mode(env, new_mode); - new_el = arm_current_el(env); /* * For exceptions taken to AArch32 we must clear the SS bit in both @@ -9184,6 +9183,10 @@ static void take_aarch32_exception(CPUARMState *env, int new_mode, env->condexec_bits = 0; /* Switch to the new mode, and to the correct instruction set. */ env->uncached_cpsr = (env->uncached_cpsr & ~CPSR_M) | new_mode; + + /* This must be after mode switching. */ + new_el = arm_current_el(env); + /* Set new mode endianness */ env->uncached_cpsr &= ~CPSR_E; if (env->cp15.sctlr_el[new_el] & SCTLR_EE) {
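Review bot: The new comment `/* This must be after mode switching. */` in take_aarch32_exception is ambiguous, because the switch_mode() call a few lines earlier also reads as "mode switching" and that is exactly where the removed assignment used to sit. Going by the commit message, arm_current_el() derives the EL from the current mode, so the comment should name the CPSR.M write, for example `/* arm_current_el() depends on CPSR.M, so read it only after uncached_cpsr is updated above; switch_mode() alone is not sufficient. */`. This matters because `new_el` then selects which `sctlr_el[]` entry decides endianness, and per the Fixes: tag the PAN handling, so a stale EL would apply the wrong privilege level's settings. The function body extends beyond both hunks.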