All of lore.kernel.org
 help / color / mirror / Atom feed
* [PULL 00/21] target-arm queue
@ 2021-02-02 17:54 Peter Maydell
  2021-02-02 17:54 ` [PULL 01/21] hw/intc/arm_gic: Allow to use QTest without crashing Peter Maydell
                   ` (21 more replies)
  0 siblings, 22 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:54 UTC (permalink / raw)
  To: qemu-devel

Mostly just bug fixes. The important one here is
  hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
which fixes a buffer overrun that's a security issue if you're running
KVM on Arm with kernel-irqchip=off (which hopefully nobody is doing in
a security context, because kernel-irqchip=on is the default and the
sensible choice for performance).

-- PMM

The following changes since commit cf7ca7d5b9faca13f1f8e3ea92cfb2f741eb0c0e:

  Merge remote-tracking branch 'remotes/stefanha-gitlab/tags/tracing-pull-request' into staging (2021-02-01 16:28:00 +0000)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210202-1

for you to fetch changes up to 14657850c9cc10948551fbb884c30eb5a3a7370a:

  hw/arm: Display CPU type in machine description (2021-02-02 17:53:44 +0000)

----------------------------------------------------------------
target-arm queue:
 * hw/intc/arm_gic: Allow to use QTest without crashing
 * hw/char/exynos4210_uart: Fix buffer size reporting with FIFO disabled
 * hw/char/exynos4210_uart: Fix missing call to report ready for input
 * hw/arm/smmuv3: Fix addr_mask for range-based invalidation
 * hw/ssi/imx_spi: Fix various minor bugs
 * hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
 * hw/arm: Add missing Kconfig dependencies
 * hw/arm: Display CPU type in machine description

----------------------------------------------------------------
Bin Meng (5):
      hw/ssi: imx_spi: Use a macro for number of chip selects supported
      hw/ssi: imx_spi: Remove imx_spi_update_irq() in imx_spi_reset()
      hw/ssi: imx_spi: Round up the burst length to be multiple of 8
      hw/ssi: imx_spi: Correct the burst length > 32 bit transfer logic
      hw/ssi: imx_spi: Correct tx and rx fifo endianness

Iris Johnson (2):
      hw/char/exynos4210_uart: Fix buffer size reporting with FIFO disabled
      hw/char/exynos4210_uart: Fix missing call to report ready for input

Philippe Mathieu-Daudé (12):
      hw/intc/arm_gic: Allow to use QTest without crashing
      hw/ssi: imx_spi: Remove pointless variable initialization
      hw/ssi: imx_spi: Rework imx_spi_reset() to keep CONREG register value
      hw/ssi: imx_spi: Rework imx_spi_read() to handle block disabled
      hw/ssi: imx_spi: Rework imx_spi_write() to handle block disabled
      hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
      hw/arm/stm32f405_soc: Add missing dependency on OR_IRQ
      hw/arm/exynos4210: Add missing dependency on OR_IRQ
      hw/arm/xlnx-versal: Versal SoC requires ZDMA
      hw/arm/xlnx-versal: Versal SoC requires ZynqMP peripherals
      hw/net/can: ZynqMP CAN device requires PTIMER
      hw/arm: Display CPU type in machine description

Xuzhou Cheng (1):
      hw/ssi: imx_spi: Disable chip selects when controller is disabled

Zenghui Yu (1):
      hw/arm/smmuv3: Fix addr_mask for range-based invalidation

 include/hw/ssi/imx_spi.h  |   5 +-
 hw/arm/digic_boards.c     |   2 +-
 hw/arm/microbit.c         |   2 +-
 hw/arm/netduino2.c        |   2 +-
 hw/arm/netduinoplus2.c    |   2 +-
 hw/arm/orangepi.c         |   2 +-
 hw/arm/smmuv3.c           |   4 +-
 hw/arm/stellaris.c        |   4 +-
 hw/char/exynos4210_uart.c |   7 ++-
 hw/intc/arm_gic.c         |   5 +-
 hw/ssi/imx_spi.c          | 153 +++++++++++++++++++++++++++++-----------------
 hw/Kconfig                |   1 +
 hw/arm/Kconfig            |   5 ++
 hw/dma/Kconfig            |   3 +
 hw/dma/meson.build        |   2 +-
 15 files changed, 130 insertions(+), 69 deletions(-)


^ permalink raw reply	[flat|nested] 24+ messages in thread

* [PULL 01/21] hw/intc/arm_gic: Allow to use QTest without crashing
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
@ 2021-02-02 17:54 ` Peter Maydell
  2021-02-02 17:54 ` [PULL 02/21] hw/char/exynos4210_uart: Fix buffer size reporting with FIFO disabled Peter Maydell
                   ` (20 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:54 UTC (permalink / raw)
  To: qemu-devel

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Alexander reported an issue in gic_get_current_cpu() using the
fuzzer. Yet another "deref current_cpu with QTest" bug, reproducible
doing:

  $ echo readb 0xf03ff000 | qemu-system-arm -M npcm750-evb,accel=qtest -qtest stdio
  [I 1611849440.651452] OPENED
  [R +0.242498] readb 0xf03ff000
  hw/intc/arm_gic.c:63:29: runtime error: member access within null pointer of type 'CPUState' (aka 'struct CPUState')
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hw/intc/arm_gic.c:63:29 in
  AddressSanitizer:DEADLYSIGNAL
  =================================================================
  ==3719691==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000082a0 (pc 0x5618790ac882 bp 0x7ffca946f4f0 sp 0x7ffca946f4a0 T0)
  ==3719691==The signal is caused by a READ memory access.
      #0 0x5618790ac882 in gic_get_current_cpu hw/intc/arm_gic.c:63:29
      #1 0x5618790a8901 in gic_dist_readb hw/intc/arm_gic.c:955:11
      #2 0x5618790a7489 in gic_dist_read hw/intc/arm_gic.c:1158:17
      #3 0x56187adc573b in memory_region_read_with_attrs_accessor softmmu/memory.c:464:9
      #4 0x56187ad7903a in access_with_adjusted_size softmmu/memory.c:552:18
      #5 0x56187ad766d6 in memory_region_dispatch_read1 softmmu/memory.c:1426:16
      #6 0x56187ad758a8 in memory_region_dispatch_read softmmu/memory.c:1449:9
      #7 0x56187b09e84c in flatview_read_continue softmmu/physmem.c:2822:23
      #8 0x56187b0a0115 in flatview_read softmmu/physmem.c:2862:12
      #9 0x56187b09fc9e in address_space_read_full softmmu/physmem.c:2875:18
      #10 0x56187aa88633 in address_space_read include/exec/memory.h:2489:18
      #11 0x56187aa88633 in qtest_process_command softmmu/qtest.c:558:13
      #12 0x56187aa81881 in qtest_process_inbuf softmmu/qtest.c:797:9
      #13 0x56187aa80e02 in qtest_read softmmu/qtest.c:809:5

current_cpu is NULL because QTest accelerator does not use CPU.

Fix by skipping the check and returning the first CPU index when
QTest accelerator is used, similarly to commit c781a2cc423
("hw/i386/vmport: Allow QTest use without crashing").

Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Message-id: 20210128161417.3726358-1-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gic.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
index af41e2fb448..c33b1c8c4bc 100644
--- a/hw/intc/arm_gic.c
+++ b/hw/intc/arm_gic.c
@@ -28,6 +28,7 @@
 #include "qemu/module.h"
 #include "trace.h"
 #include "sysemu/kvm.h"
+#include "sysemu/qtest.h"
 
 /* #define DEBUG_GIC */
 
@@ -57,7 +58,7 @@ static const uint8_t gic_id_gicv2[] = {
 
 static inline int gic_get_current_cpu(GICState *s)
 {
-    if (s->num_cpu > 1) {
+    if (!qtest_enabled() && s->num_cpu > 1) {
         return current_cpu->cpu_index;
     }
     return 0;
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 02/21] hw/char/exynos4210_uart: Fix buffer size reporting with FIFO disabled
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
  2021-02-02 17:54 ` [PULL 01/21] hw/intc/arm_gic: Allow to use QTest without crashing Peter Maydell
@ 2021-02-02 17:54 ` Peter Maydell
  2021-02-02 17:54 ` [PULL 03/21] hw/char/exynos4210_uart: Fix missing call to report ready for input Peter Maydell
                   ` (19 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:54 UTC (permalink / raw)
  To: qemu-devel

From: Iris Johnson <iris@modwiz.com>

Currently the Exynos 4210 UART code always reports available FIFO space
when the backend checks for buffer space. When the FIFO is disabled this
is behavior causes the backend chardev code to replace the data before the
guest can read it.

This patch changes adds the logic to report the capacity properly when the
FIFO is not being used.

Buglink: https://bugs.launchpad.net/qemu/+bug/1913344
Signed-off-by: Iris Johnson <iris@modwiz.com>
Message-id: 20210128033655.1029577-1-iris@modwiz.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/char/exynos4210_uart.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/char/exynos4210_uart.c b/hw/char/exynos4210_uart.c
index 6361df2ad3c..9b21d201b34 100644
--- a/hw/char/exynos4210_uart.c
+++ b/hw/char/exynos4210_uart.c
@@ -553,7 +553,11 @@ static int exynos4210_uart_can_receive(void *opaque)
 {
     Exynos4210UartState *s = (Exynos4210UartState *)opaque;
 
-    return fifo_empty_elements_number(&s->rx);
+    if (s->reg[I_(UFCON)] & UFCON_FIFO_ENABLE) {
+        return fifo_empty_elements_number(&s->rx);
+    } else {
+        return !(s->reg[I_(UTRSTAT)] & UTRSTAT_Rx_BUFFER_DATA_READY);
+    }
 }
 
 static void exynos4210_uart_receive(void *opaque, const uint8_t *buf, int size)
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 03/21] hw/char/exynos4210_uart: Fix missing call to report ready for input
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
  2021-02-02 17:54 ` [PULL 01/21] hw/intc/arm_gic: Allow to use QTest without crashing Peter Maydell
  2021-02-02 17:54 ` [PULL 02/21] hw/char/exynos4210_uart: Fix buffer size reporting with FIFO disabled Peter Maydell
@ 2021-02-02 17:54 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 04/21] hw/arm/smmuv3: Fix addr_mask for range-based invalidation Peter Maydell
                   ` (18 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:54 UTC (permalink / raw)
  To: qemu-devel

From: Iris Johnson <iris@modwiz.com>

When the frontend device has no space for a read the fd is removed
from polling to allow time for the guest to read and clear the buffer.
Without the call to qemu_chr_fe_accept_input(), the poll will not be
broken out of when the guest has cleared the buffer causing significant
IO delays that get worse with smaller buffers.

Buglink: https://bugs.launchpad.net/qemu/+bug/1913341
Signed-off-by: Iris Johnson <iris@modwiz.com>
Message-id: 20210130184016.1787097-1-iris@modwiz.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/char/exynos4210_uart.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/char/exynos4210_uart.c b/hw/char/exynos4210_uart.c
index 9b21d201b34..80d401a3795 100644
--- a/hw/char/exynos4210_uart.c
+++ b/hw/char/exynos4210_uart.c
@@ -519,6 +519,7 @@ static uint64_t exynos4210_uart_read(void *opaque, hwaddr offset,
             s->reg[I_(UTRSTAT)] &= ~UTRSTAT_Rx_BUFFER_DATA_READY;
             res = s->reg[I_(URXH)];
         }
+        qemu_chr_fe_accept_input(&s->chr);
         exynos4210_uart_update_dmabusy(s);
         trace_exynos_uart_read(s->channel, offset,
                                exynos4210_uart_regname(offset), res);
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 04/21] hw/arm/smmuv3: Fix addr_mask for range-based invalidation
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (2 preceding siblings ...)
  2021-02-02 17:54 ` [PULL 03/21] hw/char/exynos4210_uart: Fix missing call to report ready for input Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 05/21] hw/ssi: imx_spi: Use a macro for number of chip selects supported Peter Maydell
                   ` (17 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Zenghui Yu <yuzenghui@huawei.com>

When handling guest range-based IOTLB invalidation, we should decode the TG
field into the corresponding translation granule size so that we can pass
the correct invalidation range to backend. Set @granule to (tg * 2 + 10) to
properly emulate the architecture.

Fixes: d52915616c05 ("hw/arm/smmuv3: Get prepared for range invalidation")
Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
Acked-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20210130043220.1345-1-yuzenghui@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index bbca0e9f209..98b99d4fe8e 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -801,7 +801,7 @@ static void smmuv3_notify_iova(IOMMUMemoryRegion *mr,
 {
     SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
     IOMMUTLBEvent event;
-    uint8_t granule = tg;
+    uint8_t granule;
 
     if (!tg) {
         SMMUEventInfo event = {.inval_ste_allowed = true};
@@ -821,6 +821,8 @@ static void smmuv3_notify_iova(IOMMUMemoryRegion *mr,
             return;
         }
         granule = tt->granule_sz;
+    } else {
+        granule = tg * 2 + 10;
     }
 
     event.type = IOMMU_NOTIFIER_UNMAP;
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 05/21] hw/ssi: imx_spi: Use a macro for number of chip selects supported
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (3 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 04/21] hw/arm/smmuv3: Fix addr_mask for range-based invalidation Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 06/21] hw/ssi: imx_spi: Remove imx_spi_update_irq() in imx_spi_reset() Peter Maydell
                   ` (16 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Bin Meng <bin.meng@windriver.com>

Avoid using a magic number (4) everywhere for the number of chip
selects supported.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Message-id: 20210129132323.30946-2-bmeng.cn@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/ssi/imx_spi.h | 5 ++++-
 hw/ssi/imx_spi.c         | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/include/hw/ssi/imx_spi.h b/include/hw/ssi/imx_spi.h
index b82b17f3643..eeaf49bbac3 100644
--- a/include/hw/ssi/imx_spi.h
+++ b/include/hw/ssi/imx_spi.h
@@ -77,6 +77,9 @@
 
 #define EXTRACT(value, name) extract32(value, name##_SHIFT, name##_LENGTH)
 
+/* number of chip selects supported */
+#define ECSPI_NUM_CS 4
+
 #define TYPE_IMX_SPI "imx.spi"
 OBJECT_DECLARE_SIMPLE_TYPE(IMXSPIState, IMX_SPI)
 
@@ -89,7 +92,7 @@ struct IMXSPIState {
 
     qemu_irq irq;
 
-    qemu_irq cs_lines[4];
+    qemu_irq cs_lines[ECSPI_NUM_CS];
 
     SSIBus *bus;
 
diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
index d8885ae454e..e605049a213 100644
--- a/hw/ssi/imx_spi.c
+++ b/hw/ssi/imx_spi.c
@@ -361,7 +361,7 @@ static void imx_spi_write(void *opaque, hwaddr offset, uint64_t value,
 
             /* We are in master mode */
 
-            for (i = 0; i < 4; i++) {
+            for (i = 0; i < ECSPI_NUM_CS; i++) {
                 qemu_set_irq(s->cs_lines[i],
                              i == imx_spi_selected_channel(s) ? 0 : 1);
             }
@@ -424,7 +424,7 @@ static void imx_spi_realize(DeviceState *dev, Error **errp)
     sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem);
     sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->irq);
 
-    for (i = 0; i < 4; ++i) {
+    for (i = 0; i < ECSPI_NUM_CS; ++i) {
         sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->cs_lines[i]);
     }
 
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 06/21] hw/ssi: imx_spi: Remove imx_spi_update_irq() in imx_spi_reset()
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (4 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 05/21] hw/ssi: imx_spi: Use a macro for number of chip selects supported Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 07/21] hw/ssi: imx_spi: Remove pointless variable initialization Peter Maydell
                   ` (15 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Bin Meng <bin.meng@windriver.com>

Usually the approach is that the device on the other end of the line
is going to reset its state anyway, so there's no need to actively
signal an irq line change during the reset hook.

Move imx_spi_update_irq() out of imx_spi_reset(), to a new function
imx_spi_soft_reset() that is called when the controller is disabled.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20210129132323.30946-3-bmeng.cn@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/imx_spi.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
index e605049a213..4d488b159af 100644
--- a/hw/ssi/imx_spi.c
+++ b/hw/ssi/imx_spi.c
@@ -241,11 +241,16 @@ static void imx_spi_reset(DeviceState *dev)
     imx_spi_rxfifo_reset(s);
     imx_spi_txfifo_reset(s);
 
-    imx_spi_update_irq(s);
-
     s->burst_length = 0;
 }
 
+static void imx_spi_soft_reset(IMXSPIState *s)
+{
+    imx_spi_reset(DEVICE(s));
+
+    imx_spi_update_irq(s);
+}
+
 static uint64_t imx_spi_read(void *opaque, hwaddr offset, unsigned size)
 {
     uint32_t value = 0;
@@ -351,8 +356,9 @@ static void imx_spi_write(void *opaque, hwaddr offset, uint64_t value,
         s->regs[ECSPI_CONREG] = value;
 
         if (!imx_spi_is_enabled(s)) {
-            /* device is disabled, so this is a reset */
-            imx_spi_reset(DEVICE(s));
+            /* device is disabled, so this is a soft reset */
+            imx_spi_soft_reset(s);
+
             return;
         }
 
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 07/21] hw/ssi: imx_spi: Remove pointless variable initialization
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (5 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 06/21] hw/ssi: imx_spi: Remove imx_spi_update_irq() in imx_spi_reset() Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 08/21] hw/ssi: imx_spi: Rework imx_spi_reset() to keep CONREG register value Peter Maydell
                   ` (14 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

'burst_length' is cleared in imx_spi_reset(), which is called
after imx_spi_realize(). Remove the initialization to simplify.

Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Message-id: 20210129132323.30946-4-bmeng.cn@gmail.com
Message-Id: <20210115153049.3353008-3-f4bug@amsat.org>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/imx_spi.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
index 4d488b159af..8fb3c9b6d1b 100644
--- a/hw/ssi/imx_spi.c
+++ b/hw/ssi/imx_spi.c
@@ -434,8 +434,6 @@ static void imx_spi_realize(DeviceState *dev, Error **errp)
         sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->cs_lines[i]);
     }
 
-    s->burst_length = 0;
-
     fifo32_create(&s->tx_fifo, ECSPI_FIFO_SIZE);
     fifo32_create(&s->rx_fifo, ECSPI_FIFO_SIZE);
 }
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 08/21] hw/ssi: imx_spi: Rework imx_spi_reset() to keep CONREG register value
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (6 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 07/21] hw/ssi: imx_spi: Remove pointless variable initialization Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 09/21] hw/ssi: imx_spi: Rework imx_spi_read() to handle block disabled Peter Maydell
                   ` (13 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

When the block is disabled, all registers are reset with the
exception of the ECSPI_CONREG. It is initialized to zero
when the instance is created.

Ref: i.MX 6DQ Applications Processor Reference Manual (IMX6DQRM),
     chapter 21.7.3: Control Register (ECSPIx_CONREG)

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210129132323.30946-5-bmeng.cn@gmail.com
[bmeng: add a 'common_reset' function that does most of reset operation]
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/imx_spi.c | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
index 8fb3c9b6d1b..e85be6ae607 100644
--- a/hw/ssi/imx_spi.c
+++ b/hw/ssi/imx_spi.c
@@ -228,15 +228,23 @@ static void imx_spi_flush_txfifo(IMXSPIState *s)
             fifo32_num_used(&s->tx_fifo), fifo32_num_used(&s->rx_fifo));
 }
 
-static void imx_spi_reset(DeviceState *dev)
+static void imx_spi_common_reset(IMXSPIState *s)
 {
-    IMXSPIState *s = IMX_SPI(dev);
+    int i;
 
-    DPRINTF("\n");
-
-    memset(s->regs, 0, sizeof(s->regs));
-
-    s->regs[ECSPI_STATREG] = 0x00000003;
+    for (i = 0; i < ARRAY_SIZE(s->regs); i++) {
+        switch (i) {
+        case ECSPI_CONREG:
+            /* CONREG is not updated on soft reset */
+            break;
+        case ECSPI_STATREG:
+            s->regs[i] = 0x00000003;
+            break;
+        default:
+            s->regs[i] = 0;
+            break;
+        }
+    }
 
     imx_spi_rxfifo_reset(s);
     imx_spi_txfifo_reset(s);
@@ -246,11 +254,19 @@ static void imx_spi_reset(DeviceState *dev)
 
 static void imx_spi_soft_reset(IMXSPIState *s)
 {
-    imx_spi_reset(DEVICE(s));
+    imx_spi_common_reset(s);
 
     imx_spi_update_irq(s);
 }
 
+static void imx_spi_reset(DeviceState *dev)
+{
+    IMXSPIState *s = IMX_SPI(dev);
+
+    imx_spi_common_reset(s);
+    s->regs[ECSPI_CONREG] = 0;
+}
+
 static uint64_t imx_spi_read(void *opaque, hwaddr offset, unsigned size)
 {
     uint32_t value = 0;
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 09/21] hw/ssi: imx_spi: Rework imx_spi_read() to handle block disabled
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (7 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 08/21] hw/ssi: imx_spi: Rework imx_spi_reset() to keep CONREG register value Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 10/21] hw/ssi: imx_spi: Rework imx_spi_write() " Peter Maydell
                   ` (12 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

When the block is disabled, it stay it is 'internal reset logic'
(internal clocks are gated off). Reading any register returns
its reset value. Only update this value if the device is enabled.

Ref: i.MX 6DQ Applications Processor Reference Manual (IMX6DQRM),
     chapter 21.7.3: Control Register (ECSPIx_CONREG)

Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Message-id: 20210129132323.30946-6-bmeng.cn@gmail.com
Message-Id: <20210115153049.3353008-5-f4bug@amsat.org>
Reviewed-by: Bin Meng <bin.meng@windriver.com>
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/imx_spi.c | 60 +++++++++++++++++++++++-------------------------
 1 file changed, 29 insertions(+), 31 deletions(-)

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
index e85be6ae607..21e2c9dea3e 100644
--- a/hw/ssi/imx_spi.c
+++ b/hw/ssi/imx_spi.c
@@ -279,42 +279,40 @@ static uint64_t imx_spi_read(void *opaque, hwaddr offset, unsigned size)
         return 0;
     }
 
-    switch (index) {
-    case ECSPI_RXDATA:
-        if (!imx_spi_is_enabled(s)) {
-            value = 0;
-        } else if (fifo32_is_empty(&s->rx_fifo)) {
-            /* value is undefined */
-            value = 0xdeadbeef;
-        } else {
-            /* read from the RX FIFO */
-            value = fifo32_pop(&s->rx_fifo);
+    value = s->regs[index];
+
+    if (imx_spi_is_enabled(s)) {
+        switch (index) {
+        case ECSPI_RXDATA:
+            if (fifo32_is_empty(&s->rx_fifo)) {
+                /* value is undefined */
+                value = 0xdeadbeef;
+            } else {
+                /* read from the RX FIFO */
+                value = fifo32_pop(&s->rx_fifo);
+            }
+            break;
+        case ECSPI_TXDATA:
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "[%s]%s: Trying to read from TX FIFO\n",
+                          TYPE_IMX_SPI, __func__);
+
+            /* Reading from TXDATA gives 0 */
+            break;
+        case ECSPI_MSGDATA:
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "[%s]%s: Trying to read from MSG FIFO\n",
+                          TYPE_IMX_SPI, __func__);
+            /* Reading from MSGDATA gives 0 */
+            break;
+        default:
+            break;
         }
 
-        break;
-    case ECSPI_TXDATA:
-        qemu_log_mask(LOG_GUEST_ERROR, "[%s]%s: Trying to read from TX FIFO\n",
-                      TYPE_IMX_SPI, __func__);
-
-        /* Reading from TXDATA gives 0 */
-
-        break;
-    case ECSPI_MSGDATA:
-        qemu_log_mask(LOG_GUEST_ERROR, "[%s]%s: Trying to read from MSG FIFO\n",
-                      TYPE_IMX_SPI, __func__);
-
-        /* Reading from MSGDATA gives 0 */
-
-        break;
-    default:
-        value = s->regs[index];
-        break;
+        imx_spi_update_irq(s);
     }
-
     DPRINTF("reg[%s] => 0x%" PRIx32 "\n", imx_spi_reg_name(index), value);
 
-    imx_spi_update_irq(s);
-
     return (uint64_t)value;
 }
 
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 10/21] hw/ssi: imx_spi: Rework imx_spi_write() to handle block disabled
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (8 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 09/21] hw/ssi: imx_spi: Rework imx_spi_read() to handle block disabled Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 11/21] hw/ssi: imx_spi: Disable chip selects when controller is disabled Peter Maydell
                   ` (11 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

When the block is disabled, only the ECSPI_CONREG register can
be modified. Setting the EN bit enabled the device, clearing it
"disables the block and resets the internal logic with the
exception of the ECSPI_CONREG" register.

Ignore all other registers write except ECSPI_CONREG when the
block is disabled.

Ref: i.MX 6DQ Applications Processor Reference Manual (IMX6DQRM),
     chapter 21.7.3: Control Register (ECSPIx_CONREG)

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20210129132323.30946-7-bmeng.cn@gmail.com
Message-Id: <20210115153049.3353008-6-f4bug@amsat.org>
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/imx_spi.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
index 21e2c9dea3e..4cfbb73e35e 100644
--- a/hw/ssi/imx_spi.c
+++ b/hw/ssi/imx_spi.c
@@ -332,6 +332,14 @@ static void imx_spi_write(void *opaque, hwaddr offset, uint64_t value,
     DPRINTF("reg[%s] <= 0x%" PRIx32 "\n", imx_spi_reg_name(index),
             (uint32_t)value);
 
+    if (!imx_spi_is_enabled(s)) {
+        /* Block is disabled */
+        if (index != ECSPI_CONREG) {
+            /* Ignore access */
+            return;
+        }
+    }
+
     change_mask = s->regs[index] ^ value;
 
     switch (index) {
@@ -340,10 +348,7 @@ static void imx_spi_write(void *opaque, hwaddr offset, uint64_t value,
                       TYPE_IMX_SPI, __func__);
         break;
     case ECSPI_TXDATA:
-        if (!imx_spi_is_enabled(s)) {
-            /* Ignore writes if device is disabled */
-            break;
-        } else if (fifo32_is_full(&s->tx_fifo)) {
+        if (fifo32_is_full(&s->tx_fifo)) {
             /* Ignore writes if queue is full */
             break;
         }
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 11/21] hw/ssi: imx_spi: Disable chip selects when controller is disabled
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (9 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 10/21] hw/ssi: imx_spi: Rework imx_spi_write() " Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 12/21] hw/ssi: imx_spi: Round up the burst length to be multiple of 8 Peter Maydell
                   ` (10 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Xuzhou Cheng <xuzhou.cheng@windriver.com>

When a write to ECSPI_CONREG register to disable the SPI controller,
imx_spi_soft_reset() is called to reset the controller, but chip
select lines should have been disabled, otherwise the state machine
of any devices (e.g.: SPI flashes) connected to the SPI master is
stuck to its last state and responds incorrectly to any follow-up
commands.

Fixes: c906a3a01582 ("i.MX: Add the Freescale SPI Controller")
Signed-off-by: Xuzhou Cheng <xuzhou.cheng@windriver.com>
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210129132323.30946-8-bmeng.cn@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/imx_spi.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
index 4cfbb73e35e..2fb65498c3b 100644
--- a/hw/ssi/imx_spi.c
+++ b/hw/ssi/imx_spi.c
@@ -254,9 +254,15 @@ static void imx_spi_common_reset(IMXSPIState *s)
 
 static void imx_spi_soft_reset(IMXSPIState *s)
 {
+    int i;
+
     imx_spi_common_reset(s);
 
     imx_spi_update_irq(s);
+
+    for (i = 0; i < ECSPI_NUM_CS; i++) {
+        qemu_set_irq(s->cs_lines[i], 1);
+    }
 }
 
 static void imx_spi_reset(DeviceState *dev)
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 12/21] hw/ssi: imx_spi: Round up the burst length to be multiple of 8
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (10 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 11/21] hw/ssi: imx_spi: Disable chip selects when controller is disabled Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 13/21] hw/ssi: imx_spi: Correct the burst length > 32 bit transfer logic Peter Maydell
                   ` (9 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Bin Meng <bin.meng@windriver.com>

Current implementation of the imx spi controller expects the burst
length to be multiple of 8, which is the most common use case.

In case the burst length is not what we expect, log it to give user
a chance to notice it, and round it up to be multiple of 8.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Message-id: 20210129132323.30946-9-bmeng.cn@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/imx_spi.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
index 2fb65498c3b..41fe199c9f1 100644
--- a/hw/ssi/imx_spi.c
+++ b/hw/ssi/imx_spi.c
@@ -128,7 +128,14 @@ static uint8_t imx_spi_selected_channel(IMXSPIState *s)
 
 static uint32_t imx_spi_burst_length(IMXSPIState *s)
 {
-    return EXTRACT(s->regs[ECSPI_CONREG], ECSPI_CONREG_BURST_LENGTH) + 1;
+    uint32_t burst;
+
+    burst = EXTRACT(s->regs[ECSPI_CONREG], ECSPI_CONREG_BURST_LENGTH) + 1;
+    if (burst % 8) {
+        burst = ROUND_UP(burst, 8);
+    }
+
+    return burst;
 }
 
 static bool imx_spi_is_enabled(IMXSPIState *s)
@@ -328,6 +335,7 @@ static void imx_spi_write(void *opaque, hwaddr offset, uint64_t value,
     IMXSPIState *s = opaque;
     uint32_t index = offset >> 2;
     uint32_t change_mask;
+    uint32_t burst;
 
     if (index >=  ECSPI_MAX) {
         qemu_log_mask(LOG_GUEST_ERROR, "[%s]%s: Bad register at offset 0x%"
@@ -380,6 +388,13 @@ static void imx_spi_write(void *opaque, hwaddr offset, uint64_t value,
     case ECSPI_CONREG:
         s->regs[ECSPI_CONREG] = value;
 
+        burst = EXTRACT(s->regs[ECSPI_CONREG], ECSPI_CONREG_BURST_LENGTH) + 1;
+        if (burst % 8) {
+            qemu_log_mask(LOG_UNIMP,
+                          "[%s]%s: burst length %d not supported: rounding up to next multiple of 8\n",
+                          TYPE_IMX_SPI, __func__, burst);
+        }
+
         if (!imx_spi_is_enabled(s)) {
             /* device is disabled, so this is a soft reset */
             imx_spi_soft_reset(s);
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 13/21] hw/ssi: imx_spi: Correct the burst length > 32 bit transfer logic
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (11 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 12/21] hw/ssi: imx_spi: Round up the burst length to be multiple of 8 Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 14/21] hw/ssi: imx_spi: Correct tx and rx fifo endianness Peter Maydell
                   ` (8 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Bin Meng <bin.meng@windriver.com>

For the ECSPIx_CONREG register BURST_LENGTH field, the manual says:

0x020 A SPI burst contains the 1 LSB in first word and all 32 bits in second word.
0x021 A SPI burst contains the 2 LSB in first word and all 32 bits in second word.

Current logic uses either s->burst_length or 32, whichever smaller,
to determine how many bits it should read from the tx fifo each time.
For example, for a 48 bit burst length, current logic transfers the
first 32 bit from the first word in the tx fifo, followed by a 16
bit from the second word in the tx fifo, which is wrong. The correct
logic should be: transfer the first 16 bit from the first word in
the tx fifo, followed by a 32 bit from the second word in the tx fifo.

With this change, SPI flash can be successfully probed by U-Boot on
imx6 sabrelite board.

  => sf probe
  SF: Detected sst25vf016b with page size 256 Bytes, erase size 4 KiB, total 2 MiB

Fixes: c906a3a01582 ("i.MX: Add the Freescale SPI Controller")
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210129132323.30946-10-bmeng.cn@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/imx_spi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
index 41fe199c9f1..a34194c1b06 100644
--- a/hw/ssi/imx_spi.c
+++ b/hw/ssi/imx_spi.c
@@ -185,7 +185,7 @@ static void imx_spi_flush_txfifo(IMXSPIState *s)
 
         DPRINTF("data tx:0x%08x\n", tx);
 
-        tx_burst = MIN(s->burst_length, 32);
+        tx_burst = (s->burst_length % 32) ? : 32;
 
         rx = 0;
 
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 14/21] hw/ssi: imx_spi: Correct tx and rx fifo endianness
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (12 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 13/21] hw/ssi: imx_spi: Correct the burst length > 32 bit transfer logic Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 15/21] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register Peter Maydell
                   ` (7 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Bin Meng <bin.meng@windriver.com>

The endianness of data exchange between tx and rx fifo is incorrect.
Earlier bytes are supposed to show up on MSB and later bytes on LSB,
ie: in big endian. The manual does not explicitly say this, but the
U-Boot and Linux driver codes have a swap on the data transferred
to tx fifo and from rx fifo.

With this change, U-Boot read from / write to SPI flash tests pass.

  => sf test 1ff000 1000
  SPI flash test:
  0 erase: 0 ticks, 4096000 KiB/s 32768.000 Mbps
  1 check: 3 ticks, 1333 KiB/s 10.664 Mbps
  2 write: 235 ticks, 17 KiB/s 0.136 Mbps
  3 read: 2 ticks, 2000 KiB/s 16.000 Mbps
  Test passed
  0 erase: 0 ticks, 4096000 KiB/s 32768.000 Mbps
  1 check: 3 ticks, 1333 KiB/s 10.664 Mbps
  2 write: 235 ticks, 17 KiB/s 0.136 Mbps
  3 read: 2 ticks, 2000 KiB/s 16.000 Mbps

Fixes: c906a3a01582 ("i.MX: Add the Freescale SPI Controller")
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20210129132323.30946-11-bmeng.cn@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/imx_spi.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/hw/ssi/imx_spi.c b/hw/ssi/imx_spi.c
index a34194c1b06..189423bb3a5 100644
--- a/hw/ssi/imx_spi.c
+++ b/hw/ssi/imx_spi.c
@@ -169,7 +169,6 @@ static void imx_spi_flush_txfifo(IMXSPIState *s)
 
     while (!fifo32_is_empty(&s->tx_fifo)) {
         int tx_burst = 0;
-        int index = 0;
 
         if (s->burst_length <= 0) {
             s->burst_length = imx_spi_burst_length(s);
@@ -190,7 +189,7 @@ static void imx_spi_flush_txfifo(IMXSPIState *s)
         rx = 0;
 
         while (tx_burst > 0) {
-            uint8_t byte = tx & 0xff;
+            uint8_t byte = tx >> (tx_burst - 8);
 
             DPRINTF("writing 0x%02x\n", (uint32_t)byte);
 
@@ -199,13 +198,11 @@ static void imx_spi_flush_txfifo(IMXSPIState *s)
 
             DPRINTF("0x%02x read\n", (uint32_t)byte);
 
-            tx = tx >> 8;
-            rx |= (byte << (index * 8));
+            rx = (rx << 8) | byte;
 
             /* Remove 8 bits from the actual burst */
             tx_burst -= 8;
             s->burst_length -= 8;
-            index++;
         }
 
         DPRINTF("data rx:0x%08x\n", rx);
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 15/21] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (13 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 14/21] hw/ssi: imx_spi: Correct tx and rx fifo endianness Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 16/21] hw/arm/stm32f405_soc: Add missing dependency on OR_IRQ Peter Maydell
                   ` (6 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Per the ARM Generic Interrupt Controller Architecture specification
(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
not 10:

  - 4.3 Distributor register descriptions
  - 4.3.15 Software Generated Interrupt Register, GICD_SG

    - Table 4-21 GICD_SGIR bit assignments

    The Interrupt ID of the SGI to forward to the specified CPU
    interfaces. The value of this field is the Interrupt ID, in
    the range 0-15, for example a value of 0b0011 specifies
    Interrupt ID 3.

Correct the irq mask to fix an undefined behavior (which eventually
lead to a heap-buffer-overflow, see [Buglink]):

   $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
   [I 1612088147.116987] OPENED
  [R +0.278293] writel 0x8000f00 0xff4affb0
  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13

This fixes a security issue when running with KVM on Arm with
kernel-irqchip=off. (The default is kernel-irqchip=on, which is
unaffected, and which is also the correct choice for performance.)

Cc: qemu-stable@nongnu.org
Fixes: 9ee6e8bb853 ("ARMv7 support.")
Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210131103401.217160-1-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
index c33b1c8c4bc..a994b1f0245 100644
--- a/hw/intc/arm_gic.c
+++ b/hw/intc/arm_gic.c
@@ -1477,7 +1477,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
         int target_cpu;
 
         cpu = gic_get_current_cpu(s);
-        irq = value & 0x3ff;
+        irq = value & 0xf;
         switch ((value >> 24) & 3) {
         case 0:
             mask = (value >> 16) & ALL_CPU_MASK;
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 16/21] hw/arm/stm32f405_soc: Add missing dependency on OR_IRQ
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (14 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 15/21] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 17/21] hw/arm/exynos4210: " Peter Maydell
                   ` (5 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

The STM32F405 SoC uses an OR gate on its ADC IRQs.

Fixes: 529fc5fd3e1 ("hw/arm: Add the STM32F4xx SoC")
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210131184449.382425-2-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index 13cc42dcc84..a320a124855 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -336,6 +336,7 @@ config STM32F205_SOC
 config STM32F405_SOC
     bool
     select ARM_V7M
+    select OR_IRQ
     select STM32F4XX_SYSCFG
     select STM32F4XX_EXTI
 
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 17/21] hw/arm/exynos4210: Add missing dependency on OR_IRQ
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (15 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 16/21] hw/arm/stm32f405_soc: Add missing dependency on OR_IRQ Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 18/21] hw/arm/xlnx-versal: Versal SoC requires ZDMA Peter Maydell
                   ` (4 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

The Exynos4210 SoC uses an OR gate on the PL330 IRQ lines.

Fixes: dab15fbe2ab ("hw/arm/exynos4210: Fix DMA initialization")
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210131184449.382425-3-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index a320a124855..223016bb4e8 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -52,6 +52,7 @@ config EXYNOS4
     select PTIMER
     select SDHCI
     select USB_EHCI_SYSBUS
+    select OR_IRQ
 
 config HIGHBANK
     bool
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 18/21] hw/arm/xlnx-versal: Versal SoC requires ZDMA
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (16 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 17/21] hw/arm/exynos4210: " Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 19/21] hw/arm/xlnx-versal: Versal SoC requires ZynqMP peripherals Peter Maydell
                   ` (3 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

The Versal SoC instantiates the TYPE_XLNX_ZDMA object in
versal_create_admas(). Introduce the XLNX_ZDMA configuration
and select it to fix:

  $ qemu-system-aarch64 -M xlnx-versal-virt ...
  qemu-system-aarch64: missing object type 'xlnx.zdma'

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210131184449.382425-4-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/Kconfig     | 2 ++
 hw/dma/Kconfig     | 3 +++
 hw/dma/meson.build | 2 +-
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index 223016bb4e8..09298881f2f 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -354,6 +354,7 @@ config XLNX_ZYNQMP_ARM
     select XILINX_AXI
     select XILINX_SPIPS
     select XLNX_ZYNQMP
+    select XLNX_ZDMA
 
 config XLNX_VERSAL
     bool
@@ -362,6 +363,7 @@ config XLNX_VERSAL
     select CADENCE
     select VIRTIO_MMIO
     select UNIMP
+    select XLNX_ZDMA
 
 config NPCM7XX
     bool
diff --git a/hw/dma/Kconfig b/hw/dma/Kconfig
index d67492d36c1..5d6be1a7a7a 100644
--- a/hw/dma/Kconfig
+++ b/hw/dma/Kconfig
@@ -18,6 +18,9 @@ config ZYNQ_DEVCFG
     bool
     select REGISTER
 
+config XLNX_ZDMA
+    bool
+
 config STP2000
     bool
 
diff --git a/hw/dma/meson.build b/hw/dma/meson.build
index b991d7698c7..47b4a7cb47b 100644
--- a/hw/dma/meson.build
+++ b/hw/dma/meson.build
@@ -9,7 +9,7 @@ softmmu_ss.add(when: 'CONFIG_ZYNQ_DEVCFG', if_true: files('xlnx-zynq-devcfg.c'))
 softmmu_ss.add(when: 'CONFIG_ETRAXFS', if_true: files('etraxfs_dma.c'))
 softmmu_ss.add(when: 'CONFIG_STP2000', if_true: files('sparc32_dma.c'))
 softmmu_ss.add(when: 'CONFIG_XLNX_ZYNQMP_ARM', if_true: files('xlnx_dpdma.c'))
-softmmu_ss.add(when: 'CONFIG_XLNX_ZYNQMP_ARM', if_true: files('xlnx-zdma.c'))
+softmmu_ss.add(when: 'CONFIG_XLNX_ZDMA', if_true: files('xlnx-zdma.c'))
 softmmu_ss.add(when: 'CONFIG_OMAP', if_true: files('omap_dma.c', 'soc_dma.c'))
 softmmu_ss.add(when: 'CONFIG_PXA2XX', if_true: files('pxa2xx_dma.c'))
 softmmu_ss.add(when: 'CONFIG_RASPI', if_true: files('bcm2835_dma.c'))
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 19/21] hw/arm/xlnx-versal: Versal SoC requires ZynqMP peripherals
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (17 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 18/21] hw/arm/xlnx-versal: Versal SoC requires ZDMA Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 20/21] hw/net/can: ZynqMP CAN device requires PTIMER Peter Maydell
                   ` (2 subsequent siblings)
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

The Versal SoC instantiates the TYPE_XLNX_ZYNQMP_RTC object in
versal_create_rtc()(). Select CONFIG_XLNX_ZYNQMP to fix:

  $ make check-qtest-aarch64
  ...
  Running test qtest-aarch64/qom-test
  qemu-system-aarch64: missing object type 'xlnx-zynmp.rtc'
  Broken pipe

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210131184449.382425-5-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index 09298881f2f..be017b997ab 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -364,6 +364,7 @@ config XLNX_VERSAL
     select VIRTIO_MMIO
     select UNIMP
     select XLNX_ZDMA
+    select XLNX_ZYNQMP
 
 config NPCM7XX
     bool
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 20/21] hw/net/can: ZynqMP CAN device requires PTIMER
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (18 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 19/21] hw/arm/xlnx-versal: Versal SoC requires ZynqMP peripherals Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-02 17:55 ` [PULL 21/21] hw/arm: Display CPU type in machine description Peter Maydell
  2021-02-03  9:22 ` [PULL 00/21] target-arm queue Philippe Mathieu-Daudé
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Add a dependency XLNX_ZYNQMP -> PTIMER to fix:

  /usr/bin/ld:
  libcommon.fa.p/hw_net_can_xlnx-zynqmp-can.c.o: in function `xlnx_zynqmp_can_realize':
  hw/net/can/xlnx-zynqmp-can.c:1082: undefined reference to `ptimer_init'
  hw/net/can/xlnx-zynqmp-can.c:1085: undefined reference to `ptimer_transaction_begin'
  hw/net/can/xlnx-zynqmp-can.c:1087: undefined reference to `ptimer_set_freq'
  hw/net/can/xlnx-zynqmp-can.c:1088: undefined reference to `ptimer_set_limit'
  hw/net/can/xlnx-zynqmp-can.c:1089: undefined reference to `ptimer_run'
  hw/net/can/xlnx-zynqmp-can.c:1090: undefined reference to `ptimer_transaction_commit'
  libcommon.fa.p/hw_net_can_xlnx-zynqmp-can.c.o:(.data.rel+0x2c8): undefined reference to `vmstate_ptimer'

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210131184449.382425-6-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/Kconfig b/hw/Kconfig
index 5ad3c6b5a4b..d4cec9e476c 100644
--- a/hw/Kconfig
+++ b/hw/Kconfig
@@ -81,3 +81,4 @@ config XLNX_ZYNQMP
     bool
     select REGISTER
     select CAN_BUS
+    select PTIMER
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PULL 21/21] hw/arm: Display CPU type in machine description
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (19 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 20/21] hw/net/can: ZynqMP CAN device requires PTIMER Peter Maydell
@ 2021-02-02 17:55 ` Peter Maydell
  2021-02-03  9:22 ` [PULL 00/21] target-arm queue Philippe Mathieu-Daudé
  21 siblings, 0 replies; 24+ messages in thread
From: Peter Maydell @ 2021-02-02 17:55 UTC (permalink / raw)
  To: qemu-devel

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Most of ARM machines display their CPU when QEMU list the available
machines (-M help). Some machines do not. Fix to unify the help
output.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20210131184449.382425-7-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/digic_boards.c  | 2 +-
 hw/arm/microbit.c      | 2 +-
 hw/arm/netduino2.c     | 2 +-
 hw/arm/netduinoplus2.c | 2 +-
 hw/arm/orangepi.c      | 2 +-
 hw/arm/stellaris.c     | 4 ++--
 6 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/hw/arm/digic_boards.c b/hw/arm/digic_boards.c
index be12873673b..6cdc1d83fca 100644
--- a/hw/arm/digic_boards.c
+++ b/hw/arm/digic_boards.c
@@ -142,7 +142,7 @@ static void canon_a1100_init(MachineState *machine)
 
 static void canon_a1100_machine_init(MachineClass *mc)
 {
-    mc->desc = "Canon PowerShot A1100 IS";
+    mc->desc = "Canon PowerShot A1100 IS (ARM946)";
     mc->init = &canon_a1100_init;
     mc->ignore_memory_transaction_failures = true;
     mc->default_ram_size = 64 * MiB;
diff --git a/hw/arm/microbit.c b/hw/arm/microbit.c
index 0947491cb97..e9494334ce7 100644
--- a/hw/arm/microbit.c
+++ b/hw/arm/microbit.c
@@ -64,7 +64,7 @@ static void microbit_machine_class_init(ObjectClass *oc, void *data)
 {
     MachineClass *mc = MACHINE_CLASS(oc);
 
-    mc->desc = "BBC micro:bit";
+    mc->desc = "BBC micro:bit (Cortex-M0)";
     mc->init = microbit_init;
     mc->max_cpus = 1;
 }
diff --git a/hw/arm/netduino2.c b/hw/arm/netduino2.c
index 8f103341443..1733b71507c 100644
--- a/hw/arm/netduino2.c
+++ b/hw/arm/netduino2.c
@@ -54,7 +54,7 @@ static void netduino2_init(MachineState *machine)
 
 static void netduino2_machine_init(MachineClass *mc)
 {
-    mc->desc = "Netduino 2 Machine";
+    mc->desc = "Netduino 2 Machine (Cortex-M3)";
     mc->init = netduino2_init;
     mc->ignore_memory_transaction_failures = true;
 }
diff --git a/hw/arm/netduinoplus2.c b/hw/arm/netduinoplus2.c
index 68abd3ec69d..d3ad7a2b675 100644
--- a/hw/arm/netduinoplus2.c
+++ b/hw/arm/netduinoplus2.c
@@ -55,7 +55,7 @@ static void netduinoplus2_init(MachineState *machine)
 
 static void netduinoplus2_machine_init(MachineClass *mc)
 {
-    mc->desc = "Netduino Plus 2 Machine";
+    mc->desc = "Netduino Plus 2 Machine (Cortex-M4)";
     mc->init = netduinoplus2_init;
 }
 
diff --git a/hw/arm/orangepi.c b/hw/arm/orangepi.c
index d6306dfddae..40cdb5c6d2c 100644
--- a/hw/arm/orangepi.c
+++ b/hw/arm/orangepi.c
@@ -113,7 +113,7 @@ static void orangepi_init(MachineState *machine)
 
 static void orangepi_machine_init(MachineClass *mc)
 {
-    mc->desc = "Orange Pi PC";
+    mc->desc = "Orange Pi PC (Cortex-A7)";
     mc->init = orangepi_init;
     mc->block_default_type = IF_SD;
     mc->units_per_default_bus = 1;
diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
index ad72c0959f1..27292ec4113 100644
--- a/hw/arm/stellaris.c
+++ b/hw/arm/stellaris.c
@@ -1538,7 +1538,7 @@ static void lm3s811evb_class_init(ObjectClass *oc, void *data)
 {
     MachineClass *mc = MACHINE_CLASS(oc);
 
-    mc->desc = "Stellaris LM3S811EVB";
+    mc->desc = "Stellaris LM3S811EVB (Cortex-M3)";
     mc->init = lm3s811evb_init;
     mc->ignore_memory_transaction_failures = true;
     mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-m3");
@@ -1554,7 +1554,7 @@ static void lm3s6965evb_class_init(ObjectClass *oc, void *data)
 {
     MachineClass *mc = MACHINE_CLASS(oc);
 
-    mc->desc = "Stellaris LM3S6965EVB";
+    mc->desc = "Stellaris LM3S6965EVB (Cortex-M3)";
     mc->init = lm3s6965evb_init;
     mc->ignore_memory_transaction_failures = true;
     mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-m3");
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 24+ messages in thread

* Re: [PULL 00/21] target-arm queue
  2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
                   ` (20 preceding siblings ...)
  2021-02-02 17:55 ` [PULL 21/21] hw/arm: Display CPU type in machine description Peter Maydell
@ 2021-02-03  9:22 ` Philippe Mathieu-Daudé
  2021-02-03 10:12   ` P J P
  21 siblings, 1 reply; 24+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-02-03  9:22 UTC (permalink / raw)
  To: Peter Maydell, Prasad J Pandit; +Cc: Prasad J Pandit, qemu-devel

Hi Peter,

On 2/2/21 6:54 PM, Peter Maydell wrote:
> Mostly just bug fixes. The important one here is
>   hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
> which fixes a buffer overrun that's a security issue if you're running
> KVM on Arm with kernel-irqchip=off (which hopefully nobody is doing in
> a security context, because kernel-irqchip=on is the default and the
> sensible choice for performance).

FYI Prasad mentioned a CVE was requested:
https://www.mail-archive.com/qemu-devel@nongnu.org/msg778659.html

As you said it is an odd configuration, I am not sure it is worth
to wait for the CVE number to add it to the commit (which helps
downstream distributions tracking these).

[updating]

Just got detail from Prasad on IRC, it usually takes ~1 day to get
the CVE number assigned, so maybe worth postponing this until tomorrow.

Prasad, can you reply to this message ASAP once you get the number?

Thanks,

Phil.

> -- PMM
> 
> The following changes since commit cf7ca7d5b9faca13f1f8e3ea92cfb2f741eb0c0e:
> 
>   Merge remote-tracking branch 'remotes/stefanha-gitlab/tags/tracing-pull-request' into staging (2021-02-01 16:28:00 +0000)
> 
> are available in the Git repository at:
> 
>   https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210202-1
> 
> for you to fetch changes up to 14657850c9cc10948551fbb884c30eb5a3a7370a:
> 
>   hw/arm: Display CPU type in machine description (2021-02-02 17:53:44 +0000)
> 
> ----------------------------------------------------------------
> target-arm queue:
>  * hw/intc/arm_gic: Allow to use QTest without crashing
>  * hw/char/exynos4210_uart: Fix buffer size reporting with FIFO disabled
>  * hw/char/exynos4210_uart: Fix missing call to report ready for input
>  * hw/arm/smmuv3: Fix addr_mask for range-based invalidation
>  * hw/ssi/imx_spi: Fix various minor bugs
>  * hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
>  * hw/arm: Add missing Kconfig dependencies
>  * hw/arm: Display CPU type in machine description
> 
> ----------------------------------------------------------------
> Bin Meng (5):
>       hw/ssi: imx_spi: Use a macro for number of chip selects supported
>       hw/ssi: imx_spi: Remove imx_spi_update_irq() in imx_spi_reset()
>       hw/ssi: imx_spi: Round up the burst length to be multiple of 8
>       hw/ssi: imx_spi: Correct the burst length > 32 bit transfer logic
>       hw/ssi: imx_spi: Correct tx and rx fifo endianness
> 
> Iris Johnson (2):
>       hw/char/exynos4210_uart: Fix buffer size reporting with FIFO disabled
>       hw/char/exynos4210_uart: Fix missing call to report ready for input
> 
> Philippe Mathieu-Daudé (12):
>       hw/intc/arm_gic: Allow to use QTest without crashing
>       hw/ssi: imx_spi: Remove pointless variable initialization
>       hw/ssi: imx_spi: Rework imx_spi_reset() to keep CONREG register value
>       hw/ssi: imx_spi: Rework imx_spi_read() to handle block disabled
>       hw/ssi: imx_spi: Rework imx_spi_write() to handle block disabled
>       hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
>       hw/arm/stm32f405_soc: Add missing dependency on OR_IRQ
>       hw/arm/exynos4210: Add missing dependency on OR_IRQ
>       hw/arm/xlnx-versal: Versal SoC requires ZDMA
>       hw/arm/xlnx-versal: Versal SoC requires ZynqMP peripherals
>       hw/net/can: ZynqMP CAN device requires PTIMER
>       hw/arm: Display CPU type in machine description
> 
> Xuzhou Cheng (1):
>       hw/ssi: imx_spi: Disable chip selects when controller is disabled
> 
> Zenghui Yu (1):
>       hw/arm/smmuv3: Fix addr_mask for range-based invalidation
> 
>  include/hw/ssi/imx_spi.h  |   5 +-
>  hw/arm/digic_boards.c     |   2 +-
>  hw/arm/microbit.c         |   2 +-
>  hw/arm/netduino2.c        |   2 +-
>  hw/arm/netduinoplus2.c    |   2 +-
>  hw/arm/orangepi.c         |   2 +-
>  hw/arm/smmuv3.c           |   4 +-
>  hw/arm/stellaris.c        |   4 +-
>  hw/char/exynos4210_uart.c |   7 ++-
>  hw/intc/arm_gic.c         |   5 +-
>  hw/ssi/imx_spi.c          | 153 +++++++++++++++++++++++++++++-----------------
>  hw/Kconfig                |   1 +
>  hw/arm/Kconfig            |   5 ++
>  hw/dma/Kconfig            |   3 +
>  hw/dma/meson.build        |   2 +-
>  15 files changed, 130 insertions(+), 69 deletions(-)
> 



^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [PULL 00/21] target-arm queue
  2021-02-03  9:22 ` [PULL 00/21] target-arm queue Philippe Mathieu-Daudé
@ 2021-02-03 10:12   ` P J P
  0 siblings, 0 replies; 24+ messages in thread
From: P J P @ 2021-02-03 10:12 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé; +Cc: Peter Maydell, qemu-devel

[-- Attachment #1: Type: text/plain, Size: 802 bytes --]

+-- On Wed, 3 Feb 2021, Philippe Mathieu-Daudé wrote --+
| FYI Prasad mentioned a CVE was requested:
| https://www.mail-archive.com/qemu-devel@nongnu.org/msg778659.html
| 
| As you said it is an odd configuration, I am not sure it is worth
| to wait for the CVE number to add it to the commit (which helps
| downstream distributions tracking these).
| 
| [updating]
| 
| Just got detail from Prasad on IRC, it usually takes ~1 day to get
| the CVE number assigned, so maybe worth postponing this until tomorrow.
| 
| Prasad, can you reply to this message ASAP once you get the number?

'CVE-2021-20221' assigned by Red Hat Inc.
  -> https://bugs.launchpad.net/qemu/+bug/1914353/comments/3

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D

^ permalink raw reply	[flat|nested] 24+ messages in thread

end of thread, other threads:[~2021-02-03 10:13 UTC | newest]

Thread overview: 24+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-02 17:54 [PULL 00/21] target-arm queue Peter Maydell
2021-02-02 17:54 ` [PULL 01/21] hw/intc/arm_gic: Allow to use QTest without crashing Peter Maydell
2021-02-02 17:54 ` [PULL 02/21] hw/char/exynos4210_uart: Fix buffer size reporting with FIFO disabled Peter Maydell
2021-02-02 17:54 ` [PULL 03/21] hw/char/exynos4210_uart: Fix missing call to report ready for input Peter Maydell
2021-02-02 17:55 ` [PULL 04/21] hw/arm/smmuv3: Fix addr_mask for range-based invalidation Peter Maydell
2021-02-02 17:55 ` [PULL 05/21] hw/ssi: imx_spi: Use a macro for number of chip selects supported Peter Maydell
2021-02-02 17:55 ` [PULL 06/21] hw/ssi: imx_spi: Remove imx_spi_update_irq() in imx_spi_reset() Peter Maydell
2021-02-02 17:55 ` [PULL 07/21] hw/ssi: imx_spi: Remove pointless variable initialization Peter Maydell
2021-02-02 17:55 ` [PULL 08/21] hw/ssi: imx_spi: Rework imx_spi_reset() to keep CONREG register value Peter Maydell
2021-02-02 17:55 ` [PULL 09/21] hw/ssi: imx_spi: Rework imx_spi_read() to handle block disabled Peter Maydell
2021-02-02 17:55 ` [PULL 10/21] hw/ssi: imx_spi: Rework imx_spi_write() " Peter Maydell
2021-02-02 17:55 ` [PULL 11/21] hw/ssi: imx_spi: Disable chip selects when controller is disabled Peter Maydell
2021-02-02 17:55 ` [PULL 12/21] hw/ssi: imx_spi: Round up the burst length to be multiple of 8 Peter Maydell
2021-02-02 17:55 ` [PULL 13/21] hw/ssi: imx_spi: Correct the burst length > 32 bit transfer logic Peter Maydell
2021-02-02 17:55 ` [PULL 14/21] hw/ssi: imx_spi: Correct tx and rx fifo endianness Peter Maydell
2021-02-02 17:55 ` [PULL 15/21] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register Peter Maydell
2021-02-02 17:55 ` [PULL 16/21] hw/arm/stm32f405_soc: Add missing dependency on OR_IRQ Peter Maydell
2021-02-02 17:55 ` [PULL 17/21] hw/arm/exynos4210: " Peter Maydell
2021-02-02 17:55 ` [PULL 18/21] hw/arm/xlnx-versal: Versal SoC requires ZDMA Peter Maydell
2021-02-02 17:55 ` [PULL 19/21] hw/arm/xlnx-versal: Versal SoC requires ZynqMP peripherals Peter Maydell
2021-02-02 17:55 ` [PULL 20/21] hw/net/can: ZynqMP CAN device requires PTIMER Peter Maydell
2021-02-02 17:55 ` [PULL 21/21] hw/arm: Display CPU type in machine description Peter Maydell
2021-02-03  9:22 ` [PULL 00/21] target-arm queue Philippe Mathieu-Daudé
2021-02-03 10:12   ` P J P

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.