On 2015-09-14 13:43, Leon Alrae wrote:
> cpu_mips_get_random() function is used to generate a random index from
> CP0.Wired to TLBSize-1 range. Current implementation avoids generating
> the same as before value, hence the while loop. If the guest sets
> CP0.Wired to TLBSize-1 (which actually does not sound to be very
> practical) QEMU will get stuck in the loop infinitely as we always
> generate the same index.
>
> Signed-off-by: Leon Alrae <leon.al...@imgtec.com>
> ---
> hw/mips/cputimer.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/hw/mips/cputimer.c b/hw/mips/cputimer.c
> index 577c9ae..c55d102 100644
> --- a/hw/mips/cputimer.c
> +++ b/hw/mips/cputimer.c
> @@ -33,10 +33,16 @@ uint32_t cpu_mips_get_random (CPUMIPSState *env)
> static uint32_t lfsr = 1;
> static uint32_t prev_idx = 0;
> uint32_t idx;
> + uint32_t nb_rand_tlb = env->tlb->nb_tlb - env->CP0_Wired;
> +
> + if (nb_rand_tlb == 1) {
> + return env->tlb->nb_tlb - 1;
> + }
> +
> /* Don't return same value twice, so get another value */
> do {
> lfsr = (lfsr >> 1) ^ (-(lfsr & 1u) & 0xd0000001u);
> - idx = lfsr % (env->tlb->nb_tlb - env->CP0_Wired) + env->CP0_Wired;
> + idx = lfsr % nb_rand_tlb + env->CP0_Wired;
> } while (idx == prev_idx);
> prev_idx = idx;
> return idx;
Reviewed-by: Aurelien Jarno <aurel...@aurel32.net>
Note that this patch conflicts with the following one, that we might
want to merge, even if the whole series is not ready:
https://lists.gnu.org/archive/html/qemu-devel/2015-07/msg01171.html
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net
