Zynq MPSoC supports external DDR RAM. Add a RAM at 0 to the model.
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: 2c25e2a4198402a6477aef2975d5df7c415dd341.1431381507.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Add a machine model for the Xilinx ZynqMP SoC EP108 board.
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: 3896b34c862f370dc0679e4428bf3848d1f9f83c.1431381507.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
There are 2x Cadence UARTs in Zynq MP. Add them.
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: e30795536f77599fabc1052278d846ccd52322e2.1431381507.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Create a new header for Cadence UART to allow using the device with
modern SoC programming conventions. The state struct needs to be
visible to embed the device in SoC containers.
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: 46a0fbd45b6b205f54c4a8c778deb75c77f8abdf.1431381507.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Clean up some variable names in preparation for migrating the state struct
and type cast macro to a public header. The acronym "UART" on it's own is
not specific enough to be used in a more global namespace so preface with
"cadence". Fix the capitalisation of "uart" in the state type while touching
the typename. Preface macros used by the state struct itself with CADENCE_UART
so they don't conflict in namespace either.
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: 3812b7426c338beae9e082557f3524a99310ddc6.1431381507.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
There are 4x Cadence GEMs in ZynqMP. Add them.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: 7d3e68e5495d145255f0ee567046415e3a26d67e.1431381507.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Create a new header for Cadence GEM to allow using the device with
modern SoC programming conventions. The state struct needs to be
visible to embed the device in SoC containers.
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: a98b5df6440c5bff8f813a26bb53ce1cfefb4c4c.1431381507.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Cleanup some variable names in preparation for migrating the state
struct and type cast macro to a public header. The acronym "GEM" on
its own is not specific enough to be used in a more global namespace
so preface with "cadence". Fix the capitalisation of "gem" in the
state type while touching the typename. Also preface the GEM_MAXREG
macro as this will need to migrate to public header.
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: 8e2b0687b3a7b7a3fde5ba2f3bee6f3b911e84ef.1431381507.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Connect the GPIO outputs from the individual CPUs for the timers to the
GIC.
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: a7866a4f0c903c91fa3034210b4d2879aa4bfcb9.1431381507.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Add the GIC and connect IRQ outputs to the CPUs. The GIC regions are
under-decoded through a 64k address region so implement aliases
accordingly.
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: 5853189965728d676106d9e94e76b9bb87981cb5.1431381507.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
With quad Cortex-A53 CPUs.
Use SMC PSCI, with the standard policy of secondaries starting in
power-off.
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: a16202a6c7b79e446e5289d38cb18d2ee4b897a0.1431381507.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Add the ARM Cortex-A53 processor definition. Similar to A57, but with
different L1 I cache policy, phys addr size and different cache
geometries. The cache sizes is implementation configurable, but use
these values (from Xilinx Zynq MPSoC) as a default until cache size
configurability is added.
Acked-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: db439ff834cf0431bc192b05272a3b28fe2045d0.1431381507.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Rename some A57 CP register variables in preparation for support for
Cortex A53. Use "a57_a53" to describe the shareable features. Some of
the CP15 registers (such as ACTLR) are specific to implementation, but
we currently just RAZ them so continue with that as the policy for both
A57 and A53 processors under a shared definition.
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-id: 5a5f957994677d91435190b3be1cefa6f657e274.1431381507.git.peter.crosthwaite@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJVViG7AAoJEDhwtADrkYZTqu0QAJCtZI2V3JZ3RmUfj/ISpekZ
9gery42k6mc9dnMp+YOEdfbYYkjtcb3NqSPQi1iJUtBS1GjYGgvC2dqYDs6Eemow
OEMyat7pwzPL7oOgoXC2F3fd/LMkpGU+qNIcj9ofqrd0I46MXYCTuwS6f8j1geDQ
QtG+P57g6VFNzoy6I2H7NV3u3kLw1uwUTGaIEuuoCPUmSSWJrCxmoN2pFmHK1Rwk
8rjuN5ZBLt2Vonqkj59qv/MA7/VmpasIVdbfsbnt36Jih7IyojDxpcNB80xTMlnh
2AmVXSTsP62f7xhG2xWJf9+aOu4MWqfKCmv2f4wxuLV78eHRqjBz9zvMZTzSIE3j
ca71KBl5qXIPB0YdCXZrI6k6UnsXzkO8V51IfrclWqzGKX23JBaNltaKyFnAeFEU
mkVZFX2STFqE1sv9rpYlXcwnXf0OzERtoSK0yeQOFCUVRdFuZkUBHMoCcb06cZMt
kfP+gLt5d3hM9u1nv4rd2pfIq09HME+L6yyyG6x38EF1gvY7Up+ckqYSTaeioVWZ
S4lv1Wus/QFll5EZ5RIQNmA9PW58CJ7v5E3M2II82WNcqoWjhvcnjFtmaorvJ8N1
PFqIbODjbG3WOUTe5jZnJemzSoXKeX1QhQ4nwhAPMQQpvWiheOWlgE1sAj3vnK+l
7PUF4BnOPk0pH6nCeWY6
=wbUI
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-05-15' into staging
qapi: Fix qapi mangling of downstream names, and more
# gpg: Signature made Fri May 15 17:41:31 2015 BST using RSA key ID EB918653
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>"
# gpg: aka "Markus Armbruster <armbru@pond.sub.org>"
* remotes/armbru/tags/pull-qapi-2015-05-15: (26 commits)
qapi: Inline gen_command_decl_prologue(), gen_command_def_prologue()
qapi: Drop pointless flush() before close()
qapi: Factor open_output(), close_output() out of generators
qapi: Turn generators' mandatory option -i into an argument
qapi: Fix generators to report command line errors decently
qapi: Factor parse_command_line() out of the generators
qapi: qapi-commands.py option --type is unused, drop it
qapi: qapi-event.py option -b does nothing, drop it
tests: Add missing dependencies on $(qapi-py)
qapi: Support downstream events and commands
qapi: Support downstream alternates
qapi: Support downstream flat unions
qapi: Support downstream simple unions
qapi: Support downstream structs
qapi: Support downstream enums
qapi: Make c_type() consistently convert qapi names
qapi: Tidy c_type() logic
qapi: Move camel_to_upper(), c_enum_const() to closely related code
qapi: Use c_enum_const() in generate_alternate_qtypes()
qapi: Simplify c_enum_const()
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
These modifiers control, on a per-memory-op basis, whether
unaligned memory accesses are allowed. The default setting
reflects the target's definition of ALIGNED_ONLY.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <rth@twiddle.net>
The extra information is not yet used but it is now available.
This requires minor changes through all of the tcg backends.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <rth@twiddle.net>
At the tcg opcode level, not at the tcg-op.h generator level.
This requires minor changes through all of the tcg backends,
but none of the cpu translators.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <rth@twiddle.net>
Mandatory option is silly, and the error handling is missing: the
programs crash when -i isn't supplied. Make it an argument, and check
it properly.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Report to stderr, prefix with the program name. Also reject
extra arguments.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Anything but --type sync (which is the default) suppresses output
entirely, which makes no sense.
Dates back to the initial commit c17d990. Commit message says
"Currently only generators for synchronous qapi/qmp functions are
supported", so maybe output other than "synchronous qapi/qmp" was
planned at the time, to be selected with --type.
Should other kinds of output ever materialize, we can put the option
back.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Enhance the testsuite to cover downstream events and commands.
Events worked without more tweaks, but commands needed a few final
updates in the generator to mangle names in the appropriate places.
In making those tweaks, it was easier to drop type_visitor() and
inline its actions instead.
Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Enhance the testsuite to cover downstream alternates, including
whether the branch name or type is downstream. Update the
generator to mangle alternate names in the appropriate places.
Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Enhance the testsuite to cover downstream flat unions, including
the base type, discriminator name and type, and branch name and
type. Update the generator to mangle the union names in the
appropriate places.
Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Enhance the testsuite to cover downstream simple unions, including
when a union branch is a downstream name. Update the generator to
mangle the union names in the appropriate places.
Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Enhance the testsuite to cover downstream structs, including struct
members and base structs. Update the generator to mangle the
struct names in the appropriate places.
Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Enhance the testsuite to cover a downstream enum type and enum
string. Update the generator to mangle the enum name in the
appropriate places.
Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Continuing the string of cleanups for supporting downstream names
containing '.', this patch focuses on ensuring c_type() can
handle a downstream name. This patch alone does not fix the
places where generator output should be calling this function
but was open-coding things instead, but it gets us a step closer.
In particular, the changes to c_list_type() and type_name() mean
that type_name(FOO) now handles the case when FOO contains '.',
'-', or is a ticklish identifier other than a builtin (builtins
are exempted because ['int'] must remain mapped to 'intList' and
not 'q_intList'). Meanwhile, ['unix'] now maps to 'q_unixList'
rather than 'unixList', to match the fact that 'unix' is ticklish;
however, our naming conventions state that complex types should
start with a capital, so no type name following conventions will
ever have the 'q_' prepended.
Likewise, changes to c_type() mean that c_type(FOO) properly
handles an enum or complex type FOO with '.' or '-' in the
name, or is a ticklish identifier (again, a ticklish identifier
as a type name violates conventions).
Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
c_type() is designed to be called on both string names and on
array designations, so 'name' is a bit misleading because it
operates on more than strings. Also, no caller ever passes
an empty string. Finally, + notation is a bit nicer to read
than '%s' % value for string concatenation.
Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Now that the two functions are identical, we only need one of them,
and we might as well give it a more descriptive name. Basically,
the function serves as the translation from a QAPI name into a
(portion of a) C identifier, without regards to whether it is a
variable or function name.
Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
c_fun() maps '.' to '_', c_var() doesn't. Nothing prevents '.' in
QAPI names that get passed to c_var().
Which QAPI names get passed to c_fun(), to c_var(), or to both is not
obvious. Names of command parameters and struct type members get
passed to c_var().
c_var() strips a leading '*', but this cannot happen. c_fun()
doesn't.
Fix c_var() to work exactly like c_fun().
Perhaps they should be replaced by a single mapping function.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
[add 'import string']
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Event name for hot unplug errors was wrong.
Make doc match code.
Cc: Zhu Guihua <zhugh.fnst@cn.fujitsu.com>
Reported-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
This will allow clients to query additional information directly using
qom-get on the CPU objects.
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
A few TCG fixes for the s390x target. Nothing special, but with these
applied I can run most of the SLE12 binaries in Linux-user emulation.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iQIcBAABAgAGBQJVU0hVAAoJECszeR4D/txgMdMQAKB9mN26EYtzFSCmKWiud4PF
IHMpTWcuLTWCJOL2dtRLHTzN3QJdFk/Kg8snwJSulF26mcV+poYXLG/a8kbECFL/
iwoodw3lb4m3yU0QaXZcMDazWk1U1muXWMyjtuiutDePEqVf6YfP4iX2r6GKKVxq
OQ0Nm5iirOCaP7CZMyseUmNNljTutOrx0xMwif8OKWrw8SPjIIgMSkVowAp5sBb7
c/DHYt1TNYfapOoFSVC06UU5GA5gsIyrNGj4EBMs+IpKmRVMiRTRa817liLE7Cjl
p4lIqBPoBL3ccPamNASKqw+9CNEIWu6pIQw/uUhxlK6IwBwJZLMY6c0s47mAGBn4
ABeB5SODBy9LoQLcGJAFAKHLk1BUys2+AckXZXrkb0+T8tyuiugAsb72ynSqxkHo
OfGh9OYGVIrm2+JSFdBkpbvYSdqbkj8fVUNHSTKpJVUNEJZzcFPFKOia9N6NKUEE
HdA/D78GuYnQr+5hGvG9Mg3LPSl7OjeoMHKDFUMsBC/XYQOLQzURDxj709dO6ZkH
vRTMVHyJ5LDHOzA4fk0TNRI6k/HUmYnAxK0rBHt25Q4TIMWBaARIMC5TPdl7DoIH
ngG0wtHh8EJmJJi5afHjlsBnSGCMD06xNwrxha3jE8I7OwvmCwvIC7J4DMLgNPzi
oUNYyBdQ6gNoJ7zSQrBZ
=hVj1
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/agraf/tags/signed-s390-for-upstream' into staging
Patch queue for s390 - 2015-05-13
A few TCG fixes for the s390x target. Nothing special, but with these
applied I can run most of the SLE12 binaries in Linux-user emulation.
# gpg: Signature made Wed May 13 13:49:25 2015 BST using RSA key ID 03FEDC60
# gpg: Good signature from "Alexander Graf <agraf@suse.de>"
# gpg: aka "Alexander Graf <alex@csgraf.de>"
* remotes/agraf/tags/signed-s390-for-upstream:
s390x: Add interlocked access facility 1 instructions
s390x: Add some documentation in opcode list
s390x: Fix stoc direction
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Version: GnuPG v1
iQIcBAABAgAGBQJVUzrzAAoJEH3vgQaq/DkOXS8QALd0l54nibDK8CA8ApUZeUns
frOmGf4bsP88YrJww0alYEiu3ERT4hmjqKkltcyioVFY2t/CuVwCkoayAKac4ga0
sg1pfAMwBG5mGfQ67N/9h+rivJkCboChK0tIaVKD78+G9ez564rVkt5Px8MD3PKP
SpatJSrfmOe5DjNVdlbgsNxuMEYZsI/req+G6kRJEddoHSIrQ6Ow/bk8Y5OLr1YV
GLCCb2n/G4tAkSb1akmVXBx+WqIWrtXyQVz//jWV1g4zMS773vco2jHZMDfPt1we
NvMoEo7uac8txlTYTXrHBFI19h+rW5jXs7+eYyM2bI04xZntEdxJzM1AIKoqzQUk
EtGmnGLNsrKg7hrIxcjHwJ09sBl3VkIj62PYUiyhXRB1t7b2bg5IOaRUESCZDnhQ
XV6ygdi6uGYoAiaM7JJ7FCt3k/xBFTPEHmyNTC+5Pza3mP5GXifNpDgLRPWP0ufG
EBnUdWDiWIYY6FNa/Z4A5BX5gu41vVQkGNMVjOc8rbZ7iuaGJxay1epVQyuH9vll
vZ8mUtFowvzWfGZGK/hjXVN7a3NK1N+JzVse1zVwqrf6z3nJXDd/Unn1ZfTcjHZb
0nBfe1WJRfsDOEgwYescjqckIwfcsLn1w+Q5MG76dQ6w2PeZcqaRf1LEl4sbiMSO
G+1YypZjZ2hJIwwBUam9
=D51H
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/jnsnow/tags/ide-cve-pull-request' into staging
# gpg: Signature made Wed May 13 12:52:19 2015 BST using RSA key ID AAFC390E
# gpg: Good signature from "John Snow (John Huston) <jsnow@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: FAEB 9711 A12C F475 812F 18F2 88A9 064D 1835 61EB
# Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76 CBD0 7DEF 8106 AAFC 390E
* remotes/jnsnow/tags/ide-cve-pull-request:
fdc: force the fifo access to be in bounds of the allocated buffer
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
We're currently missing all instructions defined by the "interlocked-access
facility 1" which is part of zEC12. This patch implements all of them except
for LPD and LPDG.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Richard Henderson <rth@twiddle.net>
I find it really hard to grasp what each field in the opcode list means.
Slowly walking through its semantics myself, I figured I'd write a small
summary at the top of the file to make life easier for me and whoever
looks at the file next.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Richard Henderson <rth@twiddle.net>
The store conditional instruction wants to store when the condition
is fulfilled, so we should branch out when it's not true.
The code today branches out when the condition is true, clearly
reversing the logic. Fix it up by negating the condition.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Richard Henderson <rth@twiddle.net>
During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.
Fix this by making sure that the index is always bounded by the
allocated memory.
This is CVE-2015-3456.
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Signed-off-by: John Snow <jsnow@redhat.com>