[Qemu-devel] [PATCH 133/156] target-arm: Fix errors in writes to generic

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PATCH 133/156] target-arm: Fix errors in writes to generic

From:	Michael Roth
Subject:	[Qemu-devel] [PATCH 133/156] target-arm: Fix errors in writes to generic timer control registers
Date:	Tue, 8 Jul 2014 12:18:44 -0500

From: Peter Maydell <address@hidden>

The code for handling writes to the generic timer control registers
had several bugs:
 * ISTATUS (bit 2) is read-only but we forced it to zero on any write
 * the check for "was IMASK (bit 1) toggled?" incorrectly used '&' where
   it should be '^'
 * the handling of IMASK was inverted: we should set the IRQ if
   ISTATUS is set and IMASK is clear, not if both are set

The combination of these bugs meant that when running a Linux guest
that uses the generic timers we would fairly quickly end up either
forgetting that the timer output should be asserted, or failing to
set the IRQ when the timer was unmasked. The result is that the guest
never gets any more timer interrupts.

Signed-off-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Cc: address@hidden
(cherry picked from commit d3afacc7269fee45d54d1501a46b51f12ea7bb15)
Signed-off-by: Michael Roth <address@hidden>
---
 target-arm/helper.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index c3e4910..6e67317 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -859,16 +859,16 @@ static int gt_ctl_write(CPUARMState *env, const 
ARMCPRegInfo *ri,
     int timeridx = ri->crm & 1;
     uint32_t oldval = env->cp15.c14_timer[timeridx].ctl;
 
-    env->cp15.c14_timer[timeridx].ctl = value & 3;
+    env->cp15.c14_timer[timeridx].ctl = deposit64(oldval, 0, 2, value);
     if ((oldval ^ value) & 1) {
         /* Enable toggled */
         gt_recalc_timer(cpu, timeridx);
-    } else if ((oldval & value) & 2) {
+    } else if ((oldval ^ value) & 2) {
         /* IMASK toggled: don't need to recalculate,
          * just set the interrupt line based on ISTATUS
          */
         qemu_set_irq(cpu->gt_timer_outputs[timeridx],
-                     (oldval & 4) && (value & 2));
+                     (oldval & 4) && !(value & 2));
     }
     return 0;
 }
-- 
1.9.1

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH 110/156] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146), (continued)
- [Qemu-devel] [PATCH 110/156] qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 124/156] blockdev: Plug memory leak in blockdev_init(), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 122/156] target-xtensa: fix cross-page jumps/calls at the end of TB, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 123/156] cputlb: Fix regression with TCG interpreter (bug 1310324), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 126/156] block/qapi: Plug memory leak in dump_qobject() case QTYPE_QERROR, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 129/156] block/sheepdog: Plug memory leak in sd_snapshot_create(), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 127/156] block/vvfat: Plug memory leak in check_directory_consistency(), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 125/156] blockdev: Plug memory leak in drive_init(), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 128/156] block/vvfat: Plug memory leak in read_directory(), Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 130/156] qemu-img: Plug memory leak in convert command, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 133/156] target-arm: Fix errors in writes to generic timer control registers, Michael Roth <=
- [Qemu-devel] [PATCH 131/156] linux-user: Don't overrun guest buffer in sched_getaffinity, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 135/156] aio: fix qemu_bh_schedule() bh->ctx race condition, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 132/156] tcg-i386: Fix win64 qemu store, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 134/156] s390x/css: handle emw correctly for tsch, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 137/156] kvmclock: Ensure proper env->tsc value for kvmclock_current_nsec calculation, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 136/156] kvmclock: Ensure time in migration never goes backward, Michael Roth, 2014/07/08
  - Re: [Qemu-devel] [PATCH 136/156] kvmclock: Ensure time in migration never goes backward, Paolo Bonzini, 2014/07/15
- [Qemu-devel] [PATCH 142/156] usb: Fix usb-bt-dongle initialization., Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 141/156] vhost: fix resource leak in error handling, Michael Roth, 2014/07/08
- [Qemu-devel] [PATCH 145/156] target-i386: Filter FEAT_7_0_EBX TCG features too, Michael Roth, 2014/07/08

Prev by Date: [Qemu-devel] [PATCH 130/156] qemu-img: Plug memory leak in convert command
Next by Date: [Qemu-devel] [PATCH 131/156] linux-user: Don't overrun guest buffer in sched_getaffinity
Previous by thread: [Qemu-devel] [PATCH 130/156] qemu-img: Plug memory leak in convert command
Next by thread: [Qemu-devel] [PATCH 131/156] linux-user: Don't overrun guest buffer in sched_getaffinity
Index(es):
- Date
- Thread