hw/arm/integratorcp.c uses hw_error() instead of LOG_UNIMP in integratorcm_update()
Title
integratorcp: core module interrupt state reaches hw_error()
Version
commit: 2339d0a1 tag: v10.2.0-690-g2339d0a1cf
Device and source file
hw/arm/integratorcp.c (Integrator core module)
I checked `info mtree -f` after booting the machine. The reproducer accesses land in:
- `0x10000000-0x107fffff` (`integratorcm`), so the access at `0x10000048` is in-range.
- `0x10000000-0x107fffff` (`integratorcm`), so the access at `0x10000050` is in-range.
Description of problem
The Integrator core module update path does:
`if (s->int_level & (s->irq_enabled | s->fiq_enabled)) hw_error("Core module interrupt\n");`
So the emulator treats a reachable interrupt state as a fatal condition. On `integratorcp`, enabling the relevant bits through MMIO is enough to trip it.
Key code:
```c
/* hw/arm/integratorcp.c */
static void integratorcm_update(IntegratorCMState *s)
{
    /* ??? The CPU irq/fiq is raised when either the core module or base PIC
       are active. */
    if (s->int_level & (s->irq_enabled | s->fiq_enabled))
        hw_error("Core module interrupt\n");
}
```
Root cause analysis
- Input source: guest MMIO writes that make `int_level` overlap with enabled IRQ/FIQ bits.
- Missing validation: a reachable interrupt condition is handled with `hw_error()`.
- Bug class: guest-triggerable fatal error / host DoS.
- Impact: QEMU aborts as soon as the core module sees that state.
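To show the distinction the title asks for (a guest-reachable state should be logged, not treated as fatal), here is an added stand-alone C model; it is not QEMU code and not part of the original report. It keeps the exact predicate from `integratorcm_update()` but replaces `hw_error()` with a counter standing in for `qemu_log_mask(LOG_UNIMP, ...)`, then replays the two register writes from the reproducer. The offset-to-field mapping used here (`0x48` sets `irq_enabled` bits, `0x50` sets `int_level` bit 0, with the matching clear registers at `0x4c`/`0x54`) is my reading of the core-module register map and an assumption of the model, as are the struct name `CMState` and the helper names.

```c
/*
 * Added example: stand-alone model of the integratorcm update path.
 * Not QEMU code. The predicate is the one from integratorcm_update();
 * hw_error() is replaced by a LOG_UNIMP-style counter so the guest-reachable
 * state is recorded instead of aborting the emulator.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t int_level;      /* pending interrupt sources */
    uint32_t irq_enabled;    /* sources routed to IRQ */
    uint32_t fiq_enabled;    /* sources routed to FIQ */
    unsigned unimp_logged;   /* times the unimplemented path was logged */
} CMState;                   /* assumption: local stand-in for IntegratorCMState */

/* Register offsets used by the reproducer; the mapping is an assumption of this model. */
enum {
    CM_IRQ_ENSET   = 0x48,   /* write: set irq_enabled bits */
    CM_IRQ_ENCLR   = 0x4c,   /* write: clear irq_enabled bits */
    CM_SOFT_INTSET = 0x50,   /* write: set int_level bit 0 */
    CM_SOFT_INTCLR = 0x54,   /* write: clear int_level bit 0 */
};

/* Stand-in for qemu_log_mask(LOG_UNIMP, ...): record and continue. */
static void log_unimp(CMState *s, const char *what)
{
    s->unimp_logged++;
    fprintf(stderr, "integratorcm: %s: unimplemented\n", what);
}

/* Same condition the original gates hw_error() on, as a pure predicate. */
static bool cm_irq_pending(const CMState *s)
{
    return (s->int_level & (s->irq_enabled | s->fiq_enabled)) != 0;
}

/* Hardened update: log the unimplemented delivery instead of aborting.
 * Returns true when the (now non-fatal) pending state was observed. */
static bool cm_update(CMState *s)
{
    if (cm_irq_pending(s)) {
        log_unimp(s, "core module interrupt delivery");
        return true;
    }
    return false;
}

/* Minimal MMIO write handler for the four registers modelled here.
 * Returns what cm_update() returned (false for offsets not modelled). */
static bool cm_write(CMState *s, uint32_t offset, uint32_t value)
{
    switch (offset) {
    case CM_IRQ_ENSET:   s->irq_enabled |= value;        break;
    case CM_IRQ_ENCLR:   s->irq_enabled &= ~value;       break;
    case CM_SOFT_INTSET: s->int_level   |= (value & 1);  break;
    case CM_SOFT_INTCLR: s->int_level   &= ~(value & 1); break;
    default:
        return false;
    }
    return cm_update(s);
}

/* Replay the two qtest writes from the report on a fresh state.
 * Returns how many of the writes reached the formerly fatal path. */
static unsigned replay_reproducer(void)
{
    CMState s = {0};
    unsigned hits = 0;
    hits += cm_write(&s, CM_IRQ_ENSET, 0x00000001);   /* writel 0x10000048 0x00000001 */
    hits += cm_write(&s, CM_SOFT_INTSET, 0x00000001); /* writel 0x10000050 0x00000001 */
    return hits;
}

/* Enable/clear ordering: a raised level alone is not pending, enabling it
 * makes it pending, clearing the enable makes it quiet again. */
static unsigned enable_clear_sequence(void)
{
    CMState s = {0};
    unsigned pending_writes = 0;
    pending_writes += cm_write(&s, CM_SOFT_INTSET, 1); /* level set, nothing enabled */
    pending_writes += cm_write(&s, CM_IRQ_ENSET, 1);   /* now pending: logged, not fatal */
    pending_writes += cm_write(&s, CM_IRQ_ENCLR, 1);   /* enable cleared, quiet */
    return pending_writes;
}

int main(void)
{
    printf("reproducer reached the logged path %u time(s)\n", replay_reproducer());
    printf("enable/clear sequence pending on %u write(s)\n", enable_clear_sequence());
    return 0;
}
```

With the abort replaced by logging, the same two writes still reach the pending state (the model reports it once), but the process keeps running; `-d unimp` on a real QEMU build would surface the message the same way.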
Steps to Reproduce
Configuration
```bash
./configure --target-list=arm-softmmu --enable-debug --disable-strip
make -j"$(nproc)"
```
Reproducer (qtest)
Using the live addresses above, I reproduced it with qtest like this:
```bash
cat <<'EOF' | ./qemu-system-arm -M integratorcp,accel=qtest,audiodev=snd0 -audiodev none,id=snd0 -display none -nodefaults -m 256M -monitor none -serial none -qtest stdio
writel 0x10000048 0x00000001
writel 0x10000050 0x00000001
EOF
```
Observed output (excerpt)
```text
OK
[I 0.000000] OPENED
[R +0.002194] writel 0x10000048 0x00000001
[S +0.002218] OK
[R +0.002223] writel 0x10000050 0x00000001
qemu: hardware error: Core module interrupt
CPU #0:
R00=00000000 R01=00000000 R02=00000000 R03=00000000
R04=00000000 R05=00000000 R06=00000000 R07=00000000
R08=00000000 R09=00000000 R10=00000000 R11=00000000
R12=00000000 R13=00000000 R14=00000000 R15=00000000
PSR=400001d3 -Z-- A svc32
s00=00000000 s01=00000000 d00=0000000000000000
s02=00000000 s03=00000000 d01=0000000000000000
s04=00000000 s05=00000000 d02=0000000000000000
s06=00000000 s07=00000000 d03=0000000000000000
s08=00000000 s09=00000000 d04=0000000000000000
s10=00000000 s11=00000000 d05=0000000000000000
s12=00000000 s13=00000000 d06=0000000000000000
s14=00000000 s15=00000000 d07=0000000000000000
s16=00000000 s17=00000000 d08=0000000000000000
s18=00000000 s19=00000000 d09=0000000000000000
s20=00000000 s21=00000000 d10=0000000000000000
[local] exit code: -6
```