From a62ee00aa063b8fa27076ec5100b2475fcd677ed Mon Sep 17 00:00:00 2001 From: Doug Evans Date: Tue, 30 Mar 2021 14:05:33 +0100 Subject: [PATCH 1/5] net/npcm7xx_emc.c: Fix handling of receiving packets when RSDR not set Turning REG_MCMDR_RXON is enough to start receiving packets. Signed-off-by: Doug Evans Message-id: 20210319195044.741821-1-dje@google.com Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell --- hw/net/npcm7xx_emc.c | 4 +++- tests/qtest/npcm7xx_emc-test.c | 30 +++++++++++++++++++++--------- 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/hw/net/npcm7xx_emc.c b/hw/net/npcm7xx_emc.c index 714a742ba7..7c892f820f 100644 --- a/hw/net/npcm7xx_emc.c +++ b/hw/net/npcm7xx_emc.c @@ -702,7 +702,9 @@ static void npcm7xx_emc_write(void *opaque, hwaddr offset, !(value & REG_MCMDR_RXON)) { emc->regs[REG_MGSTA] |= REG_MGSTA_RXHA; } - if (!(value & REG_MCMDR_RXON)) { + if (value & REG_MCMDR_RXON) { + emc->rx_active = true; + } else { emc_halt_rx(emc, 0); } break; diff --git a/tests/qtest/npcm7xx_emc-test.c b/tests/qtest/npcm7xx_emc-test.c index 7a28173195..9eec71d87c 100644 --- a/tests/qtest/npcm7xx_emc-test.c +++ b/tests/qtest/npcm7xx_emc-test.c @@ -492,9 +492,6 @@ static void enable_tx(QTestState *qts, const EMCModule *mod, mcmdr |= REG_MCMDR_TXON; emc_write(qts, mod, REG_MCMDR, mcmdr); } - - /* Prod the device to send the packet. */ - emc_write(qts, mod, REG_TSDR, 1); } static void emc_send_verify1(QTestState *qts, const EMCModule *mod, int fd, @@ -558,6 +555,9 @@ static void emc_send_verify(QTestState *qts, const EMCModule *mod, int fd, enable_tx(qts, mod, &desc[0], NUM_TX_DESCRIPTORS, desc_addr, with_irq ? REG_MIEN_ENTXINTR : 0); + /* Prod the device to send the packet. */ + emc_write(qts, mod, REG_TSDR, 1); + /* * It's problematic to observe the interrupt for each packet. * Instead just wait until all the packets go out. 
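Review bot: In the `npcm7xx_emc_write` hunk, the new `if (value & REG_MCMDR_RXON)` branch sets `emc->rx_active = true` on every write that carries RXON, not only on the off-to-on transition. A guest write that changes only unrelated bits of the same register would therefore also re-arm reception after an earlier `emc_halt_rx()`. If that matches the hardware, it deserves a comment such as `/* RXON alone starts reception; the guest need not write RSDR. */`; if not, the assignment should be gated on the previous RXON state. The case body starts before the hunk, so how the previous register value is tracked cannot be confirmed from these lines.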
@@ -643,13 +643,10 @@ static void enable_rx(QTestState *qts, const EMCModule *mod, mcmdr |= REG_MCMDR_RXON | mcmdr_flags; emc_write(qts, mod, REG_MCMDR, mcmdr); } - - /* Prod the device to accept a packet. */ - emc_write(qts, mod, REG_RSDR, 1); } static void emc_recv_verify(QTestState *qts, const EMCModule *mod, int fd, - bool with_irq) + bool with_irq, bool pump_rsdr) { NPCM7xxEMCRxDesc desc[NUM_RX_DESCRIPTORS]; uint32_t desc_addr = DESC_ADDR; @@ -679,6 +676,15 @@ static void emc_recv_verify(QTestState *qts, const EMCModule *mod, int fd, enable_rx(qts, mod, &desc[0], NUM_RX_DESCRIPTORS, desc_addr, with_irq ? REG_MIEN_ENRXINTR : 0, 0); + /* + * If requested, prod the device to accept a packet. + * This isn't necessary, the linux driver doesn't do this. + * Test doing/not-doing this for robustness. + */ + if (pump_rsdr) { + emc_write(qts, mod, REG_RSDR, 1); + } + /* Send test packet to device's socket. */ ret = iov_send(fd, iov, 2, 0, sizeof(len) + sizeof(test)); g_assert_cmpint(ret, == , sizeof(test) + sizeof(len)); @@ -826,8 +832,14 @@ static void test_rx(gconstpointer test_data) qtest_irq_intercept_in(qts, "/machine/soc/a9mpcore/gic"); - emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/false); - emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/true); + emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/false, + /*pump_rsdr=*/false); + emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/false, + /*pump_rsdr=*/true); + emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/true, + /*pump_rsdr=*/false); + emc_recv_verify(qts, td->module, test_sockets[0], /*with_irq=*/true, + /*pump_rsdr=*/true); emc_test_ptle(qts, td->module, test_sockets[0]); qtest_quit(qts); From c8aaa24537cb87ebe5a2a6a1ea9cfff337e98bb4 Mon Sep 17 00:00:00 2001 
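Review bot: The four `emc_recv_verify()` calls in `test_rx` run back to back on the same `qts` instance, so only the first one (`with_irq=false, pump_rsdr=false`) is certain to start from a device that has never been prodded through RSDR. Unless `emc_recv_verify()` turns RXON off or resets the device before returning (its tail is outside these hunks), the later `pump_rsdr=false` call may pass because of receiver state left by the preceding call. A comment in `test_rx` such as `/* Order matters: the first call checks that RXON alone starts reception. */`, or an explicit reset between calls, would make the intended coverage clear.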
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Tue, 30 Mar 2021 14:05:33 +0100 Subject: [PATCH 2/5] hw/display/xlnx_dp: Free FIFOs adding xlnx_dp_finalize() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When building with --enable-sanitizers we get: Direct leak of 16 byte(s) in 1 object(s) allocated from: #0 0x5618479ec7cf in malloc (qemu-system-aarch64+0x233b7cf) #1 0x7f675745f958 in g_malloc (/lib64/libglib-2.0.so.0+0x58958) #2 0x561847c2dcc9 in xlnx_dp_init hw/display/xlnx_dp.c:1259:5 #3 0x56184a5bdab8 in object_init_with_type qom/object.c:375:9 #4 0x56184a5a2bda in object_initialize_with_type qom/object.c:517:5 #5 0x56184a5a24d5 in object_initialize qom/object.c:536:5 #6 0x56184a5a2f6c in object_initialize_child_with_propsv qom/object.c:566:5 #7 0x56184a5a2e60 in object_initialize_child_with_props qom/object.c:549:10 #8 0x56184a5a3a1e in object_initialize_child_internal qom/object.c:603:5 #9 0x5618495aa431 in xlnx_zynqmp_init hw/arm/xlnx-zynqmp.c:273:5 The RX/TX FIFOs are created in xlnx_dp_init(), add xlnx_dp_finalize() to destroy them. Fixes: 58ac482a66d ("introduce xlnx-dp") Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Alistair Francis Message-id: 20210323182958.277654-1-f4bug@amsat.org Signed-off-by: Peter Maydell --- hw/display/xlnx_dp.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c index c56e6ec593..4fd6aeb18b 100644 --- a/hw/display/xlnx_dp.c +++ b/hw/display/xlnx_dp.c @@ -1260,6 +1260,14 @@ static void xlnx_dp_init(Object *obj) fifo8_create(&s->tx_fifo, 16); } +static void xlnx_dp_finalize(Object *obj) +{ + XlnxDPState *s = XLNX_DP(obj); + + fifo8_destroy(&s->tx_fifo); + fifo8_destroy(&s->rx_fifo); +} + static void xlnx_dp_realize(DeviceState *dev, Error **errp) { XlnxDPState *s = XLNX_DP(dev); 
@@ -1359,6 +1367,7 @@ static const TypeInfo xlnx_dp_info = { .parent = TYPE_SYS_BUS_DEVICE, .instance_size = sizeof(XlnxDPState), .instance_init = xlnx_dp_init, + .instance_finalize = xlnx_dp_finalize, .class_init = xlnx_dp_class_init, }; From 6c1bd93954cbdd70d8bdcd67b1f01d759747d895 Mon Sep 17 00:00:00 2001 From: Zenghui Yu Date: Tue, 30 Mar 2021 14:05:33 +0100 Subject: [PATCH 3/5] hw/arm/smmuv3: Drop unused CDM_VALID() and is_cd_valid() They were introduced in commit 9bde7f0674fe ("hw/arm/smmuv3: Implement translate callback") but never actually used. Drop them. Signed-off-by: Zenghui Yu Acked-by: Eric Auger Message-id: 20210325142702.790-1-yuzenghui@huawei.com Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell --- hw/arm/smmuv3-internal.h | 7 ------- 1 file changed, 7 deletions(-) diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h index b6f7e53b7c..3dac5766ca 100644 --- a/hw/arm/smmuv3-internal.h +++ b/hw/arm/smmuv3-internal.h @@ -595,13 +595,6 @@ static inline int pa_range(STE *ste) #define CD_A(x) extract32((x)->word[1], 14, 1) #define CD_AARCH64(x) extract32((x)->word[1], 9 , 1) -#define CDM_VALID(x) ((x)->word[0] & 0x1) - -static inline int is_cd_valid(SMMUv3State *s, STE *ste, CD *cd) -{ - return CD_VALID(cd); -} - /** * tg2granule - Decodes the CD translation granule size field according * to the ttbr in use From f7fb73b8cdd3f77e26f9fcff8cf24ff1b58d200f Mon Sep 17 00:00:00 2001 
From: Peter Maydell Date: Tue, 30 Mar 2021 14:05:33 +0100 Subject: [PATCH 4/5] target/arm: Make number of counters in PMCR follow the CPU Currently we give all the v7-and-up CPUs a PMU with 4 counters. This means that we don't provide the 6 counters that are required by the Arm BSA (Base System Architecture) specification if the CPU supports the Virtualization extensions. Instead of having a single PMCR_NUM_COUNTERS, make each CPU type specify the PMCR reset value (obtained from the appropriate TRM), and use the 'N' field of that value to define the number of counters provided. This means that we now supply 6 counters for Cortex-A53, A57, A72, A15 and A9 as well as '-cpu max'; Cortex-A7 and A8 stay at 4; and Cortex-R5 goes down to 3. Note that because we now use the PMCR reset value of the specific implementation, we no longer set the LC bit out of reset. This has an UNKNOWN value out of reset for all cores with any AArch32 support, so guest software should be setting it anyway if it wants it. Signed-off-by: Peter Maydell Tested-by: Marcin Juszkiewicz Message-id: 20210311165947.27470-1-peter.maydell@linaro.org Reviewed-by: Richard Henderson --- target/arm/cpu.h | 1 + target/arm/cpu64.c | 3 +++ target/arm/cpu_tcg.c | 5 +++++ target/arm/helper.c | 29 +++++++++++++++++------------ target/arm/kvm64.c | 2 ++ 5 files changed, 28 insertions(+), 12 deletions(-) diff --git a/target/arm/cpu.h b/target/arm/cpu.h index 193a49ec7f..fe68f464b3 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -942,6 +942,7 @@ struct ARMCPU { uint64_t id_aa64mmfr2; uint64_t id_aa64dfr0; uint64_t id_aa64dfr1; + uint64_t reset_pmcr_el0; } isar; uint64_t midr; uint32_t revidr; diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c index f0a9e968c9..5d9d56a33c 100644 --- a/target/arm/cpu64.c +++ b/target/arm/cpu64.c 
@@ -141,6 +141,7 @@ static void aarch64_a57_initfn(Object *obj) cpu->gic_num_lrs = 4; cpu->gic_vpribits = 5; cpu->gic_vprebits = 5; + cpu->isar.reset_pmcr_el0 = 0x41013000; define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo); } @@ -194,6 +195,7 @@ static void aarch64_a53_initfn(Object *obj) cpu->gic_num_lrs = 4; cpu->gic_vpribits = 5; cpu->gic_vprebits = 5; + cpu->isar.reset_pmcr_el0 = 0x41033000; define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo); } @@ -245,6 +247,7 @@ static void aarch64_a72_initfn(Object *obj) cpu->gic_num_lrs = 4; cpu->gic_vpribits = 5; cpu->gic_vprebits = 5; + cpu->isar.reset_pmcr_el0 = 0x41023000; define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo); } diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c index 046e476f65..8252fd29f9 100644 --- a/target/arm/cpu_tcg.c +++ b/target/arm/cpu_tcg.c @@ -301,6 +301,7 @@ static void cortex_a8_initfn(Object *obj) cpu->ccsidr[1] = 0x2007e01a; /* 16k L1 icache. */ cpu->ccsidr[2] = 0xf0000000; /* No L2 icache. */ cpu->reset_auxcr = 2; + cpu->isar.reset_pmcr_el0 = 0x41002000; define_arm_cp_regs(cpu, cortexa8_cp_reginfo); } @@ -373,6 +374,7 @@ static void cortex_a9_initfn(Object *obj) cpu->clidr = (1 << 27) | (1 << 24) | 3; cpu->ccsidr[0] = 0xe00fe019; /* 16k L1 dcache. */ cpu->ccsidr[1] = 0x200fe019; /* 16k L1 icache. */ + cpu->isar.reset_pmcr_el0 = 0x41093000; define_arm_cp_regs(cpu, cortexa9_cp_reginfo); } @@ -443,6 +445,7 @@ static void cortex_a7_initfn(Object *obj) cpu->ccsidr[0] = 0x701fe00a; /* 32K L1 dcache */ cpu->ccsidr[1] = 0x201fe00a; /* 32K L1 icache */ cpu->ccsidr[2] = 0x711fe07a; /* 4096K L2 unified cache */ + cpu->isar.reset_pmcr_el0 = 0x41072000; define_arm_cp_regs(cpu, cortexa15_cp_reginfo); /* Same as A15 */ } 
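Review bot: The `reset_pmcr_el0` constants added to the CPU init functions are bare hex values, so the counter count they encode in the N field (which `pmu_num_counters()` extracts with `PMCRN_MASK`/`PMCRN_SHIFT`) is not readable at a glance. A trailing comment on each assignment, for example `cpu->isar.reset_pmcr_el0 = 0x41013000; /* PMCR reset value from the TRM, N = 6 */`, would let a reader check each value against the commit message without decoding it. The same applies to the `cortex_a8`, `cortex_a9`, `cortex_a7`, `cortex_a15` and `cortex_r5` hunks in `target/arm/cpu_tcg.c`, where `0x410F3000` also uses upper-case hex digits unlike its neighbours.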
@@ -485,6 +488,7 @@ static void cortex_a15_initfn(Object *obj) cpu->ccsidr[0] = 0x701fe00a; /* 32K L1 dcache */ cpu->ccsidr[1] = 0x201fe00a; /* 32K L1 icache */ cpu->ccsidr[2] = 0x711fe07a; /* 4096K L2 unified cache */ + cpu->isar.reset_pmcr_el0 = 0x410F3000; define_arm_cp_regs(cpu, cortexa15_cp_reginfo); } @@ -717,6 +721,7 @@ static void cortex_r5_initfn(Object *obj) cpu->isar.id_isar6 = 0x0; cpu->mp_is_up = true; cpu->pmsav7_dregion = 16; + cpu->isar.reset_pmcr_el0 = 0x41151800; define_arm_cp_regs(cpu, cortexr5_cp_reginfo); } diff --git a/target/arm/helper.c b/target/arm/helper.c index d9220be7c5..8fb6cc96e4 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -38,7 +38,6 @@ #endif #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */ -#define PMCR_NUM_COUNTERS 4 /* QEMU IMPDEF choice */ #ifndef CONFIG_USER_ONLY @@ -1149,7 +1148,9 @@ static const ARMCPRegInfo v6_cp_reginfo[] = { static inline uint32_t pmu_num_counters(CPUARMState *env) { - return (env->cp15.c9_pmcr & PMCRN_MASK) >> PMCRN_SHIFT; + ARMCPU *cpu = env_archcpu(env); + + return (cpu->isar.reset_pmcr_el0 & PMCRN_MASK) >> PMCRN_SHIFT; } /* Bits allowed to be set/cleared for PMCNTEN* and PMINTEN* */ @@ -5753,13 +5754,6 @@ static const ARMCPRegInfo el2_cp_reginfo[] = { .resetvalue = 0, .writefn = gt_hyp_ctl_write, .raw_writefn = raw_write }, #endif - /* The only field of MDCR_EL2 that has a defined architectural reset value - * is MDCR_EL2.HPMN which should reset to the value of PMCR_EL0.N. - */ - { .name = "MDCR_EL2", .state = ARM_CP_STATE_BOTH, - .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 1, - .access = PL2_RW, .resetvalue = PMCR_NUM_COUNTERS, - .fieldoffset = offsetof(CPUARMState, cp15.mdcr_el2), }, { .name = "HPFAR", .state = ARM_CP_STATE_AA32, .cp = 15, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 4, .access = PL2_RW, .accessfn = access_el3_aa32ns, 
@@ -6689,7 +6683,7 @@ static void define_pmu_regs(ARMCPU *cpu) * field as main ID register, and we implement four counters in * addition to the cycle count register. */ - unsigned int i, pmcrn = PMCR_NUM_COUNTERS; + unsigned int i, pmcrn = pmu_num_counters(&cpu->env); ARMCPRegInfo pmcr = { .name = "PMCR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 0, .access = PL0_RW, @@ -6704,10 +6698,10 @@ static void define_pmu_regs(ARMCPU *cpu) .access = PL0_RW, .accessfn = pmreg_access, .type = ARM_CP_IO, .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcr), - .resetvalue = (cpu->midr & 0xff000000) | (pmcrn << PMCRN_SHIFT) | - PMCRLC, + .resetvalue = cpu->isar.reset_pmcr_el0, .writefn = pmcr_write, .raw_writefn = raw_write, }; + define_one_arm_cp_reg(cpu, &pmcr); define_one_arm_cp_reg(cpu, &pmcr64); for (i = 0; i < pmcrn; i++) { @@ -7825,6 +7819,17 @@ void register_cp_regs_for_features(ARMCPU *cpu) .fieldoffset = offsetof(CPUARMState, cp15.vmpidr_el2) }, REGINFO_SENTINEL }; + /* + * The only field of MDCR_EL2 that has a defined architectural reset + * value is MDCR_EL2.HPMN which should reset to the value of PMCR_EL0.N. + */ + ARMCPRegInfo mdcr_el2 = { + .name = "MDCR_EL2", .state = ARM_CP_STATE_BOTH, + .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 1, + .access = PL2_RW, .resetvalue = pmu_num_counters(env), + .fieldoffset = offsetof(CPUARMState, cp15.mdcr_el2), + }; + define_one_arm_cp_reg(cpu, &mdcr_el2); define_arm_cp_regs(cpu, vpidr_regs); define_arm_cp_regs(cpu, el2_cp_reginfo); if (arm_feature(env, ARM_FEATURE_V8)) { diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c index dff85f6db9..581335e49d 100644 --- a/target/arm/kvm64.c +++ b/target/arm/kvm64.c 
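Review bot: The comment above `pmcrn` in `define_pmu_regs` still says "we implement four counters in addition to the cycle count register", which is no longer true now that `pmcrn` comes from `pmu_num_counters(&cpu->env)`. It should say something like `the number of event counters comes from the N field of the CPU's PMCR reset value`. Related to that, a CPU type whose init function never assigns `cpu->isar.reset_pmcr_el0` now gets zero event counters and an all-zero PMCR reset value without any diagnostic. Whether every PMU-capable CPU type is covered cannot be told from these hunks, so a short comment stating that expectation would help whoever adds the next CPU model. The function body extends beyond the hunk.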
@@ -566,6 +566,8 @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf) ARM64_SYS_REG(3, 0, 0, 7, 1)); err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64mmfr2, ARM64_SYS_REG(3, 0, 0, 7, 2)); + err |= read_sys_reg64(fdarray[2], &ahcf->isar.reset_pmcr_el0, + ARM64_SYS_REG(3, 3, 9, 12, 0)); /* * Note that if AArch32 support is not present in the host, From b9e3f1579a4b06fc63dfa8cdb68df1c58eeb0cf1 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Tue, 30 Mar 2021 14:05:34 +0100 Subject: [PATCH 5/5] hw/timer/renesas_tmr: Add default-case asserts in read_tcnt() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In commit 81b3ddaf8772ec we fixed a use of uninitialized data in read_tcnt(). However this change wasn't enough to placate Coverity, which is not smart enough to see that if we read a 2 bit field and then handle cases 0, 1, 2 and 3 then there cannot be a flow of execution through the switch default. Add explicit default cases which assert that they can't be reached, which should help silence Coverity. Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Message-id: 20210319162458.13760-1-peter.maydell@linaro.org --- hw/timer/renesas_tmr.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/timer/renesas_tmr.c b/hw/timer/renesas_tmr.c index eed39917fe..d96002e1ee 100644 --- a/hw/timer/renesas_tmr.c +++ b/hw/timer/renesas_tmr.c @@ -146,6 +146,8 @@ static uint16_t read_tcnt(RTMRState *tmr, unsigned size, int ch) case CSS_CASCADING: tcnt[1] = tmr->tcnt[1]; break; + default: + g_assert_not_reached(); } switch (FIELD_EX8(tmr->tccr[0], TCCR, CSS)) { case CSS_INTERNAL: @@ -159,6 +161,8 @@ static uint16_t read_tcnt(RTMRState *tmr, unsigned size, int ch) case CSS_EXTERNAL: /* QEMU doesn't implement this */ tcnt[0] = tmr->tcnt[0]; break; + default: + g_assert_not_reached(); } } else { tcnt[0] = tmr->tcnt[0];
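Review bot: The added `read_sys_reg64()` for PMCR_EL0 (`ARM64_SYS_REG(3, 3, 9, 12, 0)`) is OR-ed into `err` like the ID register reads, so a host that refuses this one read would presumably make the whole `kvm_arm_get_host_cpu_features()` probe fail. KVM normally exposes the PMU registers only to a vCPU created with the PMU feature enabled, and the scratch vCPU setup is outside this hunk, so this path should be checked on a host or configuration without PMU support. If the read can fail there, it should be made conditional on PMU availability or its error kept out of `err`, with a comment such as `/* PMCR_EL0 is only readable when the vCPU has a PMU */`.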