aboutsummaryrefslogtreecommitdiff
path: root/hw/i2c/pm_smbus.c
AgeCommit message (Collapse)Author
2018-12-06i2c: pm_smbus: check smb_index before block transfer writePrasad J Pandit
While performing block transfer write in smb_ioport_writeb(), 'smb_index' is incremented and used to index smb_data[] array. Check 'smb_index' value to avoid OOB access. Note that this bug is exploitable by a guest to escape from the virtual machine. However the commit which introduced the bug was only made after the 3.0 release, and so it is not present in any released QEMU versions. Fixes: 38ad4fae43 i2c: pm_smbus: Add block transfer capability Reported-by: Michael Hanselmann <public@hansmi.ch> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Michael Hanselmann <public@hansmi.ch> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-id: 20181206121830.6177-1-ppandit@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-08-23i2c: pm_smbus: Add the ability to force block transfer enableCorey Minyard
The PIIX4 hardware has block transfer buffer always enabled in the hardware, but the i801 does not. Add a parameter to pm_smbus_init to force on the block transfer so the PIIX4 handler can enable this by default, as it was disabled by default before. Signed-off-by: Corey Minyard <cminyard@mvista.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <1534796770-10295-9-git-send-email-minyard@acm.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-08-23i2c: pm_smbus: Don't delay host status register busy bit when interrupts are ↵Corey Minyard
enabled Change 880b1ffe6ec2f0ae "smbus: do not immediately complete commands" changed pm_smbus to delay setting the host busy bit until the status register was read, to work around a bug in AMIBIOS. Unfortunately, when interrupts are enabled, the status register will never get read and the processing will never happen. Modify the code to only delay setting the host busy bit if interrupts are not enabled. Signed-off-by: Corey Minyard <cminyard@mvista.com> Cc: Hervé Poussineau <hpoussin@reactos.org> Cc: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <1534796770-10295-8-git-send-email-minyard@acm.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-08-23i2c: pm_smbus: Add interrupt handlingCorey Minyard
Add the necessary code so that interrupts actually work from the pm_smbus device. Signed-off-by: Corey Minyard <cminyard@mvista.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <1534796770-10295-7-git-send-email-minyard@acm.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-08-23i2c: pm_smbus: Add block transfer capabilityCorey Minyard
There was no block transfer code in pm_smbus.c, and it is needed for some devices. So add it. This adds both byte-by-byte block transfers and buffered block transfers. Signed-off-by: Corey Minyard <cminyard@mvista.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <1534796770-10295-5-git-send-email-minyard@acm.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-08-23i2c: pm_smbus: Make the I2C block read command read-onlyCorey Minyard
It did have write capability, but the manual says the behavior with write enabled is undefined. So just set an error in this case. Signed-off-by: Corey Minyard <cminyard@mvista.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <1534796770-10295-4-git-send-email-minyard@acm.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-08-23i2c: pm_smbus: Fix the semantics of block I2C transfersCorey Minyard
The I2C block transfer commands was not implemented correctly, it read a length byte and such like it was an smbus transfer. So fix the smbus_read_block() and smbus_write_block() functions so they can properly handle I2C transfers, and normal SMBus transfers (for upcoming changes). Pass in a transfer size and a bool to know whether to use the size byte (like SMBus) or use the length given (like I2C). Signed-off-by: Corey Minyard <cminyard@mvista.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <1534796770-10295-3-git-send-email-minyard@acm.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-08-23i2c: pm_smbus: Clean up some style issuesCorey Minyard
Fix some spacing issues, remove extraneous comments, add some defines instead of hard-coding numbers. Signed-off-by: Corey Minyard <cminyard@mvista.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <1534796770-10295-2-git-send-email-minyard@acm.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-01-11Merge remote-tracking branch 'origin/master' into HEADMichael S. Tsirkin
Resolve conflicts around apb. Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2017-12-22smbus: do not immediately complete commandsHervé Poussineau
PIIX4 errata says that "immediate polling of the Host Status Register BUSY bit may indicate that the SMBus is NOT busy." Due to this, some code does the following steps: (a) set parameters (b) start command (c) check for smbus busy bit set (to know that command started) (d) check for smbus busy bit not set (to know that command finished) Let (c) happen, by immediately setting the busy bit, and really executing the command when status register has been read once. This fixes a problem with AMIBIOS, which can now properly initialize the PIIX4. Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2017-12-18hw/i2c: remove old i386 dependencyPhilippe Mathieu-Daudé
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2016-01-29x86: Clean up includesPeter Maydell
Clean up includes so that osdep.h is included first and headers which it implies are not included manually. This commit was created with scripts/clean-includes. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1453832250-766-11-git-send-email-peter.maydell@linaro.org
2014-09-02Fix debug print warningGonglei
Steps: 1.enable qemu debug print, using simply scprit as below: grep "//#define DEBUG" * -rl | xargs sed -i "s/\/\/#define DEBUG/#define DEBUG/g" 2. make -j 3. get some warning: hw/i2c/pm_smbus.c: In function 'smb_ioport_writeb': hw/i2c/pm_smbus.c:142: warning: format '%04x' expects type 'unsigned int', but argument 2 has type 'hwaddr' hw/i2c/pm_smbus.c:142: warning: format '%02x' expects type 'unsigned int', but argument 3 has type 'uint64_t' hw/i2c/pm_smbus.c: In function 'smb_ioport_readb': hw/i2c/pm_smbus.c:209: warning: format '%04x' expects type 'unsigned int', but argument 2 has type 'hwaddr' hw/intc/i8259.c: In function 'pic_ioport_read': hw/intc/i8259.c:373: warning: format '%02x' expects type 'unsigned int', but argument 2 has type 'hwaddr' hw/input/pckbd.c: In function 'kbd_write_command': hw/input/pckbd.c:232: warning: format '%02x' expects type 'unsigned int', but argument 2 has type 'uint64_t' hw/input/pckbd.c: In function 'kbd_write_data': hw/input/pckbd.c:333: warning: format '%02x' expects type 'unsigned int', but argument 2 has type 'uint64_t' hw/isa/apm.c: In function 'apm_ioport_writeb': hw/isa/apm.c:44: warning: format '%x' expects type 'unsigned int', but argument 2 has type 'hwaddr' hw/isa/apm.c:44: warning: format '%02x' expects type 'unsigned int', but argument 3 has type 'uint64_t' hw/isa/apm.c: In function 'apm_ioport_readb': hw/isa/apm.c:67: warning: format '%x' expects type 'unsigned int', but argument 2 has type 'hwaddr' hw/timer/mc146818rtc.c: In function 'cmos_ioport_write': hw/timer/mc146818rtc.c:394: warning: format '%02x' expects type 'unsigned int', but argument 3 has type 'uint64_t' hw/i386/pc.c: In function 'port92_write': hw/i386/pc.c:479: warning: format '%02x' expects type 'unsigned int', but argument 2 has type 'uint64_t' Fix them. Cc: qemu-trivial@nongnu.org Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2014-05-07pm_smbus: correctly report unclaimed cyclesPaolo Bonzini
Without this patch, i2cdetect will report all addresses as present. With it, only 0x50..0x57 are present. Before: 0 1 2 3 4 5 6 7 8 9 a b c d e f 00: 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10: 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20: 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30: 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40: 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50: 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f 60: 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70: 70 71 72 73 74 75 76 77 After: 0 1 2 3 4 5 6 7 8 9 a b c d e f 00: -- -- -- -- -- -- -- -- -- -- -- -- -- 10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 50: 50 51 52 53 54 55 56 57 -- -- -- -- -- -- -- -- 60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 70: -- -- -- -- -- -- -- -- Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Andreas Färber <afaerber@suse.de> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2014-02-14i2c: Rename i2c_bus to I2CBusAndreas Färber
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-09Extend support of SMBUS(module pm_smbus.c) HST_STS register.MRatnikov
Previous realization doesn't consider flags in the status register. Add DS and INTR bits of HST_STS register set after transaction execution. Update bits resetting in HST_STS register. Update error processing: if DEV_ERR bit set transaction isn't execution. Signed-off-by: MRatnikov <m.o.ratnikov@gmail.com> Message-id: 1373230982-9190-1-git-send-email-m.o.ratnikov@gmail.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-07-04hw/i*: pass owner to memory_region_init* functionsPaolo Bonzini
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-07-04memory: add owner argument to initialization functionsPaolo Bonzini
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-04-08hw: move target-independent files to subdirectoriesPaolo Bonzini
This patch tackles all files that are compiled once, moving them to subdirectories of hw/. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>