aboutsummaryrefslogtreecommitdiff
path: root/hw
AgeCommit message (Collapse)Author
2024-06-24vfio/container: Modify vfio_get_iommu_type() to use a container fdCédric Le Goater
The 'container' pointer has no other use than its 'fd' attribute. Simplify the prototype to ease future changes. Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Tested-by: Eric Auger <eric.auger@redhat.com> Signed-off-by: Cédric Le Goater <clg@redhat.com>
2024-06-24vfio/container: Simplify vfio_container_init()Cédric Le Goater
Assign the base container VFIOAddressSpace 'space' pointer in vfio_address_space_insert(). The ultimate goal is to remove vfio_container_init() and instead rely on an .instance_init() handler to perfom the initialization of VFIOContainerBase. To be noted that vfio_connect_container() will assign the 'space' pointer later in the execution flow. This should not have any consequence. Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Tested-by: Eric Auger <eric.auger@redhat.com> Signed-off-by: Cédric Le Goater <clg@redhat.com>
2024-06-24vfio/container: Introduce vfio_address_space_insert()Cédric Le Goater
It prepares ground for a future change initializing the 'space' pointer of VFIOContainerBase. The goal is to replace vfio_container_init() by an .instance_init() handler when VFIOContainerBase is QOMified. Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Tested-by: Eric Auger <eric.auger@redhat.com> Signed-off-by: Cédric Le Goater <clg@redhat.com>
2024-06-24vfio/common: Extract vIOMMU code from vfio_sync_dirty_bitmap()Avihai Horon
Extract vIOMMU code from vfio_sync_dirty_bitmap() to a new function and restructure the code. This is done in preparation for optimizing vIOMMU device dirty page tracking. No functional changes intended. Signed-off-by: Avihai Horon <avihaih@nvidia.com> Signed-off-by: Joao Martins <joao.m.martins@oracle.com> [ clg: - Rebased on upstream - Fixed typo in commit log ] Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Tested-by: Eric Auger <eric.auger@redhat.com> Signed-off-by: Cédric Le Goater <clg@redhat.com>
2024-06-24vfio/common: Move dirty tracking ranges update to helperJoao Martins
Separate the changes that update the ranges from the listener, to make it reusable in preparation to expand its use to vIOMMU support. Signed-off-by: Joao Martins <joao.m.martins@oracle.com> Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Tested-by: Eric Auger <eric.auger@redhat.com> [ clg: - Rebased on upstream - Introduced vfio_dirty_tracking_update_range() - Fixed typ in commit log ] Signed-off-by: Cédric Le Goater <clg@redhat.com>
2024-06-24vfio: Make vfio_devices_dma_logging_start() return boolCédric Le Goater
Since vfio_devices_dma_logging_start() takes an 'Error **' argument, best practices suggest to return a bool. See the api/error.h Rules section. It will simplify potential changes coming after. vfio_container_set_dirty_page_tracking() could be modified in the same way but the errno value can be saved in the migration stream when called from vfio_listener_log_global_stop(). Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Tested-by: Eric Auger <eric.auger@redhat.com> Signed-off-by: Cédric Le Goater <clg@redhat.com>
2024-06-24hw/vfio: Remove memory_region_iommu_set_iova_ranges() callEric Auger
As we have just removed the only implementation of iommu_set_iova_ranges IOMMU MR callback in the virtio-iommu, let's remove the call to the memory wrapper. Usable IOVA ranges are now conveyed through the PCIIOMMUOps in VFIO-PCI. Signed-off-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24virtio-iommu: Remove the implementation of iommu_set_iova_rangeEric Auger
Now that we use PCIIOMMUOps to convey information about usable IOVA ranges we do not to implement the iommu_set_iova_ranges IOMMU MR callback. Signed-off-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24virtio-iommu: Compute host reserved regionsEric Auger
Compute the host reserved regions in virtio_iommu_set_iommu_device(). The usable IOVA regions are retrieved from the HostIOMMUDevice. The virtio_iommu_set_host_iova_ranges() helper turns usable regions into complementary reserved regions while testing the inclusion into existing ones. virtio_iommu_set_host_iova_ranges() reuse the implementation of virtio_iommu_set_iova_ranges() which will be removed in subsequent patches. rebuild_resv_regions() is just moved. Signed-off-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24HostIOMMUDevice: Store the aliased bus and devfnEric Auger
Store the aliased bus and devfn in the HostIOMMUDevice. This will be useful to handle info that are iommu group specific and not device specific (such as reserved iova ranges). Signed-off-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24HostIOMMUDevice: Introduce get_iova_ranges callbackEric Auger
Introduce a new HostIOMMUDevice callback that allows to retrieve the usable IOVA ranges. Implement this callback in the legacy VFIO and IOMMUFD VFIO host iommu devices. This relies on the VFIODevice agent's base container iova_ranges resource. Signed-off-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24virtio-iommu: Implement set|unset]_iommu_device() callbacksEric Auger
Implement PCIIOMMUOPs [set|unset]_iommu_device() callbacks. In set(), the HostIOMMUDevice handle is stored in a hash table indexed by PCI BDF. The object will allow to retrieve information related to the physical IOMMU. Signed-off-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24HostIOMMUDevice: Store the VFIO/VDPA agentEric Auger
Store the agent device (VFIO or VDPA) in the host IOMMU device. This will allow easy access to some of its resources. Signed-off-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24intel_iommu: Check compatibility with host IOMMU capabilitiesZhenzhong Duan
If check fails, host device (either VFIO or VDPA device) is not compatible with current vIOMMU config and should not be passed to guest. Only aw_bits is checked for now, we don't care about other caps before scalable modern mode is introduced. Signed-off-by: Yi Liu <yi.l.liu@intel.com> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24intel_iommu: Implement [set|unset]_iommu_device() callbacksYi Liu
Implement [set|unset]_iommu_device() callbacks in Intel vIOMMU. In set call, we take a reference of HostIOMMUDevice and store it in hash table indexed by PCI BDF. Note this BDF index is device's real BDF not the aliased one which is different from the index of VTDAddressSpace. There can be multiple assigned devices under same virtual iommu group and share same VTDAddressSpace, but each has its own HostIOMMUDevice. Signed-off-by: Yi Liu <yi.l.liu@intel.com> Signed-off-by: Yi Sun <yi.y.sun@linux.intel.com> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24intel_iommu: Extract out vtd_cap_init() to initialize cap/ecapZhenzhong Duan
Extract cap/ecap initialization in vtd_cap_init() to make code cleaner. No functional change intended. Reviewed-by: Eric Auger <eric.auger@redhat.com> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24vfio/pci: Pass HostIOMMUDevice to vIOMMUZhenzhong Duan
With HostIOMMUDevice passed, vIOMMU can check compatibility with host IOMMU, call into IOMMUFD specific methods, etc. Originally-by: Yi Liu <yi.l.liu@intel.com> Signed-off-by: Nicolin Chen <nicolinc@nvidia.com> Signed-off-by: Yi Sun <yi.y.sun@linux.intel.com> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24hw/pci: Introduce pci_device_[set|unset]_iommu_device()Yi Liu
pci_device_[set|unset]_iommu_device() call pci_device_get_iommu_bus_devfn() to get iommu_bus->iommu_ops and call [set|unset]_iommu_device callback to set/unset HostIOMMUDevice for a given PCI device. Signed-off-by: Yi Liu <yi.l.liu@intel.com> Signed-off-by: Yi Sun <yi.y.sun@linux.intel.com> Signed-off-by: Nicolin Chen <nicolinc@nvidia.com> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24hw/pci: Introduce helper function pci_device_get_iommu_bus_devfn()Zhenzhong Duan
Extract out pci_device_get_iommu_bus_devfn() from pci_device_iommu_address_space() to facilitate implementation of pci_device_[set|unset]_iommu_device() in following patch. No functional change intended. Signed-off-by: Yi Liu <yi.l.liu@intel.com> Signed-off-by: Yi Sun <yi.y.sun@linux.intel.com> Signed-off-by: Nicolin Chen <nicolinc@nvidia.com> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24vfio: Create host IOMMU device instanceZhenzhong Duan
Create host IOMMU device instance in vfio_attach_device() and call .realize() to initialize it further. Introuduce attribute VFIOIOMMUClass::hiod_typename and initialize it based on VFIO backend type. It will facilitate HostIOMMUDevice creation in vfio_attach_device(). Suggested-by: Cédric Le Goater <clg@redhat.com> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24vfio/container: Implement HostIOMMUDeviceClass::get_cap() handlerZhenzhong Duan
Suggested-by: Cédric Le Goater <clg@redhat.com> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24vfio/iommufd: Implement HostIOMMUDeviceClass::realize() handlerZhenzhong Duan
It calls iommufd_backend_get_device_info() to get host IOMMU related information and translate it into HostIOMMUDeviceCaps for query with .get_cap(). For aw_bits, use the same way as legacy backend by calling vfio_device_get_aw_bits() which is common for different vendor IOMMU. Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24vfio/container: Implement HostIOMMUDeviceClass::realize() handlerZhenzhong Duan
The realize function populates the capabilities. For now only the aw_bits caps is computed for legacy backend. Introduce a helper function vfio_device_get_aw_bits() which calls range_get_last_bit() to get host aw_bits and package it in HostIOMMUDeviceCaps for query with .get_cap(). This helper will also be used by iommufd backend. Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24backends/iommufd: Introduce TYPE_HOST_IOMMU_DEVICE_IOMMUFD[_VFIO] devicesZhenzhong Duan
TYPE_HOST_IOMMU_DEVICE_IOMMUFD represents a host IOMMU device under iommufd backend. It is abstract, because it is going to be derived into VFIO or VDPA type'd device. It will have its own .get_cap() implementation. TYPE_HOST_IOMMU_DEVICE_IOMMUFD_VFIO is a sub-class of TYPE_HOST_IOMMU_DEVICE_IOMMUFD, represents a VFIO type'd host IOMMU device under iommufd backend. It will be created during VFIO device attaching and passed to vIOMMU. It will have its own .realize() implementation. Opportunistically, add missed header to include/sysemu/iommufd.h. Suggested-by: Cédric Le Goater <clg@redhat.com> Signed-off-by: Yi Liu <yi.l.liu@intel.com> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24vfio/container: Introduce TYPE_HOST_IOMMU_DEVICE_LEGACY_VFIO deviceZhenzhong Duan
TYPE_HOST_IOMMU_DEVICE_LEGACY_VFIO represents a host IOMMU device under VFIO legacy container backend. It will have its own realize implementation. Suggested-by: Eric Auger <eric.auger@redhat.com> Suggested-by: Cédric Le Goater <clg@redhat.com> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2024-06-24hw/sd/sdcard: Add comments around registers and commandsPhilippe Mathieu-Daudé
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20240621080554.18986-21-philmd@linaro.org>
2024-06-24hw/sd/sdcard: Inline BLK_READ_BLOCK / BLK_WRITE_BLOCK macrosPhilippe Mathieu-Daudé
These macros only save 3 chars and make the code harder to maintain, simply remove them. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20240621080554.18986-20-philmd@linaro.org>
2024-06-24hw/sd/sdcard: Add sd_invalid_mode_for_cmd to report invalid mode switchPhilippe Mathieu-Daudé
Having the mode switch displayed help to track incomplete command implementations. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20240621080554.18986-19-philmd@linaro.org>
2024-06-24hw/sd/sdcard: Only call sd_req_get_address() where address is usedPhilippe Mathieu-Daudé
It will be useful later to assert only ADTC commands (Addressed point-to-point Data Transfer Commands, defined as the 'sd_adtc' enum) extract the address value from the command argument. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20240621080554.18986-18-philmd@linaro.org>
2024-06-24hw/sd/sdcard: Factor sd_req_get_address() method outPhilippe Mathieu-Daudé
Extract sd_cmd_get_address() so we can re-use it in various SDProto handlers. Use CARD_CAPACITY and HWBLOCK_SHIFT definitions instead of magic values. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20240621080554.18986-17-philmd@linaro.org>
2024-06-24hw/sd/sdcard: Only call sd_req_get_rca() where RCA is usedPhilippe Mathieu-Daudé
It will be useful later to assert only AC commands (Addressed point-to-point Commands, defined as the 'sd_ac' enum) extract the RCA value from the command argument. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20240621080554.18986-16-philmd@linaro.org>
2024-06-24hw/sd/sdcard: Factor sd_req_get_rca() method outPhilippe Mathieu-Daudé
Extract sd_req_get_rca() so we can re-use it in various SDProto handlers. Return a 16-bit value since RCA is 16-bit. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20240621080554.18986-15-philmd@linaro.org>
2024-06-24hw/sd/sdcard: Have cmd_valid_while_locked() return a boolean valuePhilippe Mathieu-Daudé
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20240621080554.18986-14-philmd@linaro.org>
2024-06-24hw/sd/sdcard: Trace update of block count (CMD23)Philippe Mathieu-Daudé
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20240621080554.18986-12-philmd@linaro.org>
2024-06-24hw/sd/sdcard: Remove explicit entries for illegal commandsPhilippe Mathieu-Daudé
NULL handler is already handled as illegal, no need to duplicate (that keeps this array simpler to maintain). Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20240621080554.18986-9-philmd@linaro.org>
2024-06-24hw/sd/sdcard: Remove ACMD6 handler for SPI modePhilippe Mathieu-Daudé
There is no ACMD6 command in SPI mode, remove the pointless handler introduced in commit 946897ce18 ("sdcard: handles more commands in SPI mode"). Keep sd_cmd_unimplemented() since we'll reuse it later. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20240621080554.18986-8-philmd@linaro.org>
2024-06-24hw/sd/sdcard: Use Load/Store API to fill some CID/CSD registersPhilippe Mathieu-Daudé
The ld/st API helps noticing CID or CSD bytes refer to the same field. Multi-bytes fields are stored MSB first in CID / CSD. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20240621080554.18986-7-philmd@linaro.org>
2024-06-24hw/sd/sdcard: Use registerfield CSR::CURRENT_STATE definitionPhilippe Mathieu-Daudé
Use registerfield-generated definitions to update card_status. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20240621080554.18986-6-philmd@linaro.org>
2024-06-24hw/sd/sdcard: Use HWBLOCK_SHIFT definition instead of magic valuesPhilippe Mathieu-Daudé
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20240621080554.18986-5-philmd@linaro.org>
2024-06-24hw/sd/sdcard: Fix typo in SEND_OP_COND command namePhilippe Mathieu-Daudé
There is no SEND_OP_CMD but SEND_OP_COND. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20240621080554.18986-4-philmd@linaro.org>
2024-06-24hw/sd/sdcard: Rewrite sd_cmd_ALL_SEND_CID using switch case (CMD2)Philippe Mathieu-Daudé
Keep this handler style in sync with other handlers by using a switch() case, which might become handy to handle other states. Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20240621080554.18986-3-philmd@linaro.org>
2024-06-24hw/sd/sdcard: Correct code indentationPhilippe Mathieu-Daudé
Fix mis-alignment from commits 793d04f495 and 6380cd2052 ("Add sd_cmd_SEND_TUNING_BLOCK" and "Add sd_cmd_SET_BLOCK_COUNT"). Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Message-Id: <20240621080554.18986-2-philmd@linaro.org>
2024-06-24hw/sd/sdcard: Avoid OOB in sd_read_byte() during unexpected CMD switchPhilippe Mathieu-Daudé
For multi-bytes commands, our implementation uses the @data_start and @data_offset fields to track byte access. We initialize the command start/offset in buffer once. Malicious guest might abuse by switching command while staying in the 'transfer' state, switching command buffer size, and our implementation can access out of buffer boundary. For example, CMD17 (READ_SINGLE_BLOCK) allows to read up to 512 bytes, and CMD13 (SEND_STATUS) up to 64 bytes. By switching from CMD17 to CMD13 (see reproducer below), bytes [64-511] are out of the 'status' buffer. Our implementation return R0 status code for unexpected commands. Such in-transaction command switch is unexpected and returns R0. This is a good place to reset the start/offset fields to avoid malicious accesses. Can be reproduced running: $ export UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1 $ cat << EOF | qemu-system-i386 \ -display none -nographic \ -machine accel=qtest -m 512M \ -nodefaults \ -device sdhci-pci,sd-spec-version=3 \ -device sd-card,drive=mydrive \ -drive if=none,index=0,file=null-co://,format=raw,id=mydrive \ -qtest stdio -trace sd\* -trace -sdbus_read outl 0xcf8 0x80001010 outl 0xcfc 0xe0000000 outl 0xcf8 0x80001004 outw 0xcfc 0x02 write 0xe000002c 0x1 0x05 write 0xe000000f 0x1 0x37 write 0xe000000a 0x1 0x01 write 0xe000000f 0x1 0x29 write 0xe000000f 0x1 0x02 write 0xe000000f 0x1 0x03 write 0xe000000c 0x1 0x32 write 0xe000000f 0x1 0x06 write 0xe0000005 0x1 0x01 write 0xe0000007 0x1 0x01 write 0xe0000003 0x1 0x00 write 0xe000000f 0x1 0x11 write 0xe000002a 0x1 0x01 write 0xe000002a 0x1 0x02 write 0xe000000f 0x1 0x0d write 0xe000002a 0x1 0x01 write 0xe000002a 0x1 0x02 EOF hw/sd/sd.c:1984:15: runtime error: index 256 out of bounds for type 'uint8_t [64]' #0 sd_read_byte hw/sd/sd.c:1984:15 #1 sdbus_read_data hw/sd/core.c:157:23 #2 sdhci_read_block_from_card hw/sd/sdhci.c:423:9 #3 sdhci_blkgap_write hw/sd/sdhci.c:1074:13 #4 sdhci_write hw/sd/sdhci.c:1195:13 #5 memory_region_write_accessor softmmu/memory.c:492:5 #6 access_with_adjusted_size softmmu/memory.c:554:18 #7 memory_region_dispatch_write softmmu/memory.c #8 flatview_write_continue softmmu/physmem.c:2778:23 #9 flatview_write softmmu/physmem.c:2818:14 #10 address_space_write softmmu/physmem.c:2910:18 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hw/sd/sd.c:1984:15 Reported-by: Alexander Bulekov <alxndr@bu.edu> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/487 Buglink: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36240 Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Message-Id: <20240408141717.66154-2-philmd@linaro.org>
2024-06-24target/s390x: Add a CONFIG switch to disable legacy CPUsThomas Huth
The oldest model that IBM still supports is the z13. Considering that each generation can "emulate" the previous two generations in hardware (via the "IBC" feature of the CPUs), this means that everything that is older than z114/196 is not an officially supported CPU model anymore. The Linux kernel still support the z10, so if we also take this into account, everything older than that can definitely be considered as a legacy CPU model. For downstream builds of QEMU, we would like to be able to disable these legacy CPUs in the build. Thus add a CONFIG switch that can be used to disable them (and old machine types that use them by default). Message-Id: <20240614125019.588928-1-thuth@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2024-06-24vfio/{ap, ccw}: Use warn_report_err() for IRQ notifier registration errorsCédric Le Goater
vfio_ccw_register_irq_notifier() and vfio_ap_register_irq_notifier() errors are currently reported using error_report_err(). Since they are not considered as failing conditions, using warn_report_err() is more appropriate. Signed-off-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Anthony Krowiak <akrowiak@linux.ibm.com> Reviewed-by: Eric Farman <farman@linux.ibm.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-ID: <20240522170107.289532-8-clg@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2024-06-24vfio/ccw: Fix the missed unrealize() call in error pathZhenzhong Duan
When get name failed, we should call unrealize() so that vfio_ccw_realize() is self contained. Fixes: 909a6254eda ("vfio/ccw: Make vfio cdev pre-openable by passing a file handle") Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Eric Farman <farman@linux.ibm.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-ID: <20240522170107.289532-7-clg@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2024-06-24vfio/ccw: Use the 'Error **errp' argument of vfio_ccw_realize()Cédric Le Goater
The local error variable is kept for vfio_ccw_register_irq_notifier() because it is not considered as a failing condition. We will change how error reporting is done in following changes. Remove the error_propagate() call. Cc: Zhenzhong Duan <zhenzhong.duan@intel.com> Signed-off-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Anthony Krowiak <akrowiak@linux.ibm.com> Reviewed-by: Eric Farman <farman@linux.ibm.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-ID: <20240522170107.289532-6-clg@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2024-06-24s390x/css: Make S390CCWDeviceClass::realize return boolCédric Le Goater
Since the realize() handler of S390CCWDeviceClass takes an 'Error **' argument, best practices suggest to return a bool. See the api/error.h Rules section. While at it, modify the call in vfio_ccw_realize(). Signed-off-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Anthony Krowiak <akrowiak@linux.ibm.com> Reviewed-by: Eric Farman <farman@linux.ibm.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-ID: <20240522170107.289532-5-clg@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2024-06-24hw/s390x/ccw: Remove local Error variable from s390_ccw_realize()Cédric Le Goater
Use the 'Error **errp' argument of s390_ccw_realize() instead and remove the error_propagate() call. Signed-off-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Anthony Krowiak <akrowiak@linux.ibm.com> Reviewed-by: Eric Farman <farman@linux.ibm.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-ID: <20240522170107.289532-4-clg@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2024-06-24s390x/css: Make CCWDeviceClass::realize return boolCédric Le Goater
Since the realize() handler of CCWDeviceClass takes an 'Error **' argument, best practices suggest to return a bool. See the api/error.h Rules section. While at it, modify the call in s390_ccw_realize(). Signed-off-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Reviewed-by: Anthony Krowiak <akrowiak@linux.ibm.com> Reviewed-by: Eric Farman <farman@linux.ibm.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-ID: <20240522170107.289532-3-clg@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>