hw/dma/pl080: peripheral flow-control mode reaches hw_error()
**Title:** pl080: peripheral flow-control mode reaches hw_error()

**Version:** commit `2339d0a1`, tag `v10.2.0-690-g2339d0a1cf`

**Device and source file:** `hw/dma/pl080.c` (`pl080` DMA controller)

I verified the addresses from the live memory map first. These are the regions qtest ends up touching:

- `0x10130000-0x10130fff` (`pl080`), so the access at `0x1013010c` is in-range.
- `0x10130000-0x10130fff` (`pl080`), so the access at `0x10130110` is in-range.
- `0x10130000-0x10130fff` (`pl080`), so the access at `0x10130030` is in-range.

## Description of problem

The PL080 run loop still treats peripheral flow-control mode as a fatal condition:

`hw_error("pl080_run: Peripheral flow control not implemented\n");`

On `versatilepb`, the guest can program that mode through the normal DMA channel registers and force the controller into the fatal branch.

Key code:

```c
/* hw/dma/pl080.c */
flow = (ch->conf >> 11) & 7;
if (flow >= 4) {
    hw_error("pl080_run: Peripheral flow control not implemented\n");
}
```

## Root cause analysis

- Input source: guest DMA channel configuration.
- Missing validation: unsupported transfer mode goes to `hw_error()`.
- Bug class: guest-triggerable fatal error / host DoS.
- Impact: the DMA engine aborts QEMU when the channel is started.
## Steps to Reproduce

### Configuration

```bash
./configure --target-list=arm-softmmu --enable-debug --disable-strip
make -j"$(nproc)"
```

### Reproducer (qtest)

With the runtime layout confirmed first, this is the qtest sequence I used:

```bash
cat <<'EOF' | ./qemu-system-arm -machine versatilepb,accel=qtest -monitor none -serial none -display none -nodefaults -qtest stdio -audio none
writel 0x1013010c 0x00000001
writel 0x10130110 0x00002001
writel 0x10130030 0x00000001
EOF
```

### Observed output (excerpt)

```text
[I 0.000000] OPENED
[R +0.005961] writel 0x1013010c 0x00000001
[S +0.006009] OK
[R +0.006016] writel 0x10130110 0x00002001
[S +0.006018] OK
[R +0.006020] writel 0x10130030 0x00000001
qemu: hardware error: pl080_run: Peripheral flow control not implemented
CPU #0:
R00=00000000 R01=00000000 R02=00000000 R03=00000000
R04=00000000 R05=00000000 R06=00000000 R07=00000000
R08=00000000 R09=00000000 R10=00000000 R11=00000000
R12=00000000 R13=00000000 R14=00000000 R15=00000000
PSR=400001d3 -Z-- A svc32
s00=00000000 s01=00000000 d00=0000000000000000
s02=00000000 s03=00000000 d01=0000000000000000
s04=00000000 s05=00000000 d02=0000000000000000
s06=00000000 s07=00000000 d03=0000000000000000
s08=00000000 s09=00000000 d04=0000000000000000
s10=00000000 s11=00000000 d05=0000000000000000
s12=00000000 s13=00000000 d06=0000000000000000
s14=00000000 s15=00000000 d07=0000000000000000
s16=00000000 s17=00000000 d08=0000000000000000
s18=00000000 s19=00000000 d09=0000000000000000
s20=00000000 s21=00000000 d10=0000000000000000
[local] exit code: -6
```
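To make the root cause concrete, the following added example (not QEMU code, and not a proposed patch) decodes the channel configuration value the reproducer writes, `0x00002001`, with the same `(conf >> 11) & 7` expression the report quotes, and shows the defensive alternative a device model normally takes for a guest-reachable unimplemented mode: log it and leave the channel disabled instead of calling `hw_error()`. The bit positions (bit 0 enable, bits 13:11 flow control) are those implied by the quoted code; the function and macro names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Constructed stand-in for the guest-written channel configuration register
 * (pl080 ch->conf). Bit 0 = channel enable; bits [13:11] = flow control,
 * exactly the field `(ch->conf >> 11) & 7` extracts in hw/dma/pl080.c. */
#define PL080_CCONF_ENABLE      (1u << 0)
#define PL080_CCONF_FLOW_SHIFT  11
#define PL080_CCONF_FLOW_MASK   7u

/* Decode the 3-bit flow-control field from a configuration value. */
static inline unsigned pl080_flow(uint32_t conf)
{
    return (conf >> PL080_CCONF_FLOW_SHIFT) & PL080_CCONF_FLOW_MASK;
}

/* Values 0..3 leave the DMA controller in charge of flow control (modelled);
 * values 4..7 hand flow control to a peripheral (the fatal branch above). */
static inline bool pl080_flow_is_peripheral(uint32_t conf)
{
    return pl080_flow(conf) >= 4;
}

/* Hardened channel-start check (example only): an unsupported but
 * guest-reachable mode is reported and the channel is left disabled, so the
 * whole VM does not abort. Returns the configuration value the model keeps. */
static uint32_t pl080_start_channel(uint32_t conf, int ch_idx)
{
    if (!(conf & PL080_CCONF_ENABLE)) {
        return conf;                      /* channel not enabled: nothing to run */
    }
    if (pl080_flow_is_peripheral(conf)) {
        /* In QEMU proper this would be qemu_log_mask(LOG_UNIMP, ...);
         * fprintf keeps the example stand-alone. */
        fprintf(stderr, "pl080: channel %d: peripheral flow control (%u) "
                "not implemented, channel not started\n", ch_idx, pl080_flow(conf));
        return conf & ~PL080_CCONF_ENABLE; /* drop the enable bit, do not abort */
    }
    return conf;                          /* supported mode: channel runs as normal */
}

int main(void)
{
    uint32_t conf = 0x00002001;  /* the value the reproducer writes to 0x10130110 */
    printf("flow field = %u -> %s\n", pl080_flow(conf),
           pl080_flow_is_peripheral(conf) ? "peripheral (fatal in current code)"
                                          : "controller");
    printf("conf after hardened start = 0x%08x\n", pl080_start_channel(conf, 0));
    return 0;
}
```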