[PATCH 0/6] ppc small fixes for 10.0

[PATCH 0/6] ppc small fixes for 10.0

[Nicholas Piggin]

Coverity reported a bunch of issues with the last ppc PR
(thanks Cedric), and a couple of other things that were
noticed too. With Zoltan's amigaone patches this should
fix all Coverity bugs I hope.

Thanks,
Nick

Nicholas Piggin (6):
  ppc/xive: Fix typo in crowd block level calculation
  pnv/xive: Fix possible undefined shift error in group size calculation
  ppc/xive2: Fix logical / bitwise comparison typo
  ppc/spapr: Fix possible pa_features memory overflow
  ppc/pnv: Move the PNOR LPC address into struct PnvPnor
  ppc/pnv: Fix system symbols in HOMER structure definitions

 include/hw/ppc/pnv_pnor.h |   1 +
 hw/intc/xive.c            |  29 +++++-
 hw/intc/xive2.c           |  21 ++--
 hw/ppc/pnv.c              |   2 +-
 hw/ppc/pnv_bmc.c          |   4 +-
 hw/ppc/pnv_occ.c          | 201 ++++++++++++++++++--------------------
 hw/ppc/pnv_pnor.c         |   2 +
 hw/ppc/spapr.c            |   1 +
 8 files changed, 143 insertions(+), 118 deletions(-)

-- 
2.47.1

[PATCH 1/6] ppc/xive: Fix typo in crowd block level calculation

[Nicholas Piggin]

I introduced this bug when "tidying" the original patch, not Frederic.
Paper bag for me.

Fixes: 9cb7f6ebed60 ("ppc/xive2: Support group-matching when looking for target")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
 hw/intc/xive.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/intc/xive.c b/hw/intc/xive.c
index c77df2c1f8c..e86f2749328 100644
--- a/hw/intc/xive.c
+++ b/hw/intc/xive.c
@@ -1686,7 +1686,7 @@ static uint8_t xive_get_group_level(bool crowd, bool ignore,
          * Supported crowd sizes are 2^1, 2^2, and 2^4. 2^3 is not supported.
          * HW will encode level 4 as the value 3.  See xive2_pgofnext().
          */
-        switch (level) {
+        switch (blk) {
         case 1:
         case 2:
             break;
-- 
2.47.1

[PATCH 2/6] pnv/xive: Fix possible undefined shift error in group size calculation

[Nicholas Piggin]

Coverity discovered a potential shift overflow in group size calculation
in the case of a guest error. Add checks and logs to ensure a issues are
caught.

Make the group and crowd error checking code more similar to one another
while here.

Resolves: Coverity CID 1593724
Fixes: 9cb7f6ebed60 ("ppc/xive2: Support group-matching when looking for target")
Cc: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
 hw/intc/xive.c  | 27 ++++++++++++++++++++++++---
 hw/intc/xive2.c | 19 ++++++++++++++-----
 2 files changed, 38 insertions(+), 8 deletions(-)

diff --git a/hw/intc/xive.c b/hw/intc/xive.c
index e86f2749328..3eb28c2265d 100644
--- a/hw/intc/xive.c
+++ b/hw/intc/xive.c
@@ -1662,12 +1662,20 @@ uint32_t xive_get_vpgroup_size(uint32_t nvp_index)
      * (starting with the least significant bits) in the NVP index
      * gives the size of the group.
      */
-    return 1 << (ctz32(~nvp_index) + 1);
+    int first_zero = cto32(nvp_index);
+    if (first_zero >= 31) {
+        qemu_log_mask(LOG_GUEST_ERROR, "XIVE: Invalid group index 0x%08x",
+                                       nvp_index);
+        return 0;
+    }
+
+    return 1U << (first_zero + 1);
 }
 
 static uint8_t xive_get_group_level(bool crowd, bool ignore,
                                     uint32_t nvp_blk, uint32_t nvp_index)
 {
+    int first_zero;
     uint8_t level;
 
     if (!ignore) {
@@ -1675,12 +1683,25 @@ static uint8_t xive_get_group_level(bool crowd, bool ignore,
         return 0;
     }
 
-    level = (ctz32(~nvp_index) + 1) & 0b1111;
+    first_zero = cto32(nvp_index);
+    if (first_zero >= 31) {
+        qemu_log_mask(LOG_GUEST_ERROR, "XIVE: Invalid group index 0x%08x",
+                                       nvp_index);
+        return 0;
+    }
+
+    level = (first_zero + 1) & 0b1111;
     if (crowd) {
         uint32_t blk;
 
         /* crowd level is bit position of first 0 from the right in nvp_blk */
-        blk = ctz32(~nvp_blk) + 1;
+        first_zero = cto32(nvp_blk);
+        if (first_zero >= 31) {
+            qemu_log_mask(LOG_GUEST_ERROR, "XIVE: Invalid crowd block 0x%08x",
+                                           nvp_blk);
+            return 0;
+        }
+        blk = first_zero + 1;
 
         /*
          * Supported crowd sizes are 2^1, 2^2, and 2^4. 2^3 is not supported.
diff --git a/hw/intc/xive2.c b/hw/intc/xive2.c
index f8ef6154878..311b42e15d3 100644
--- a/hw/intc/xive2.c
+++ b/hw/intc/xive2.c
@@ -1153,13 +1153,15 @@ static bool xive2_vp_match_mask(uint32_t cam1, uint32_t cam2,
 
 static uint8_t xive2_get_vp_block_mask(uint32_t nvt_blk, bool crowd)
 {
-    uint8_t size, block_mask = 0b1111;
+    uint8_t block_mask = 0b1111;
 
     /* 3 supported crowd sizes: 2, 4, 16 */
     if (crowd) {
-        size = xive_get_vpgroup_size(nvt_blk);
-        if (size == 8) {
-            qemu_log_mask(LOG_GUEST_ERROR, "XIVE: Invalid crowd size of 8n");
+        uint32_t size = xive_get_vpgroup_size(nvt_blk);
+
+        if (size != 2 && size != 4 && size != 16) {
+            qemu_log_mask(LOG_GUEST_ERROR, "XIVE: Invalid crowd size of %d",
+                                           size);
             return block_mask;
         }
         block_mask &= ~(size - 1);
@@ -1172,7 +1174,14 @@ static uint32_t xive2_get_vp_index_mask(uint32_t nvt_index, bool cam_ignore)
     uint32_t index_mask = 0xFFFFFF; /* 24 bits */
 
     if (cam_ignore) {
-        index_mask &= ~(xive_get_vpgroup_size(nvt_index) - 1);
+        uint32_t size = xive_get_vpgroup_size(nvt_index);
+
+        if (size < 2) {
+            qemu_log_mask(LOG_GUEST_ERROR, "XIVE: Invalid group size of %d",
+                                           size);
+            return index_mask;
+        }
+        index_mask &= ~(size - 1);
     }
     return index_mask;
 }
-- 
2.47.1

[PATCH 3/6] ppc/xive2: Fix logical / bitwise comparison typo

[Nicholas Piggin]

The comparison as written is always false (perhaps confusingly, because
the functions/macros are not really booleans but return 0 or the tested
bit value). Change to use logical-and.

Resolves: Coverity CID 1593721
Cc: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
 hw/intc/xive2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/intc/xive2.c b/hw/intc/xive2.c
index 311b42e15d3..7d584dfafaf 100644
--- a/hw/intc/xive2.c
+++ b/hw/intc/xive2.c
@@ -1344,7 +1344,7 @@ static void xive2_router_end_notify(Xive2Router *xrtr, uint8_t end_blk,
         return;
     }
 
-    if (xive2_end_is_crowd(&end) & !xive2_end_is_ignore(&end)) {
+    if (xive2_end_is_crowd(&end) && !xive2_end_is_ignore(&end)) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "XIVE: invalid END, 'crowd' bit requires 'ignore' bit\n");
         return;
-- 
2.47.1

[PATCH 4/6] ppc/spapr: Fix possible pa_features memory overflow

[Nicholas Piggin]

Coverity reports a possible memory overflow in spapr_dt_pa_features().
This should not be a true bug since DAWR1 cap is only be true for
CPU_POWERPC_LOGICAL_3_10. Add an assertion to ensure any bug there is
caught.

Resolves: Coverity CID 1593722
Fixes: 5f361ea187ba ("ppc: spapr: Enable 2nd DAWR on Power10 pSeries machine")
Cc: Shivaprasad G Bhat <sbhat@linux.ibm.com>
Cc: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
 hw/ppc/spapr.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index a415e51d077..9865d7147ff 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -296,6 +296,7 @@ static void spapr_dt_pa_features(SpaprMachineState *spapr,
         pa_features[40 + 2] &= ~0x80; /* Radix MMU */
     }
     if (spapr_get_cap(spapr, SPAPR_CAP_DAWR1)) {
+        g_assert(pa_size > 66);
         pa_features[66] |= 0x80;
     }
 
-- 
2.47.1

[PATCH 5/6] ppc/pnv: Move the PNOR LPC address into struct PnvPnor

[Nicholas Piggin]

Rather than use the hardcoded define throughout the tree for the
PNOR LPC address, keep it within the PnvPnor object.

This should solve a dead code issue in the BMC HIOMAP checks where
Coverity (correctly) reported that the sanity checks are dead code.
We would like to keep the sanity checks without turning them into a
compile time assert in case we would like to make them configurable
in future.

Fixes: 4c84a0a4a6e5 ("ppc/pnv: Add a PNOR address and size sanity checks")
Resolves: Coverity CID 1593723
Cc: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
 include/hw/ppc/pnv_pnor.h | 1 +
 hw/ppc/pnv.c              | 2 +-
 hw/ppc/pnv_bmc.c          | 4 ++--
 hw/ppc/pnv_pnor.c         | 2 ++
 4 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/include/hw/ppc/pnv_pnor.h b/include/hw/ppc/pnv_pnor.h
index 19c2d642e82..b44cafe918d 100644
--- a/include/hw/ppc/pnv_pnor.h
+++ b/include/hw/ppc/pnv_pnor.h
@@ -28,6 +28,7 @@ struct PnvPnor {
     BlockBackend   *blk;
 
     uint8_t        *storage;
+    uint32_t       lpc_address; /* Offset within LPC FW space */
     int64_t        size;
     MemoryRegion   mmio;
 };
diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c
index 59365370c37..63f2232f32f 100644
--- a/hw/ppc/pnv.c
+++ b/hw/ppc/pnv.c
@@ -1191,7 +1191,7 @@ static void pnv_init(MachineState *machine)
      * Since we can not reach the remote BMC machine with LPC memops,
      * map it always for now.
      */
-    memory_region_add_subregion(pnv->chips[0]->fw_mr, PNOR_SPI_OFFSET,
+    memory_region_add_subregion(pnv->chips[0]->fw_mr, pnv->pnor->lpc_address,
                                 &pnv->pnor->mmio);
 
     /*
diff --git a/hw/ppc/pnv_bmc.c b/hw/ppc/pnv_bmc.c
index 811ba3d7a49..fb70a8c1f22 100644
--- a/hw/ppc/pnv_bmc.c
+++ b/hw/ppc/pnv_bmc.c
@@ -174,8 +174,8 @@ static void hiomap_cmd(IPMIBmcSim *ibs, uint8_t *cmd, unsigned int cmd_len,
 {
     PnvPnor *pnor = PNV_PNOR(object_property_get_link(OBJECT(ibs), "pnor",
                                                       &error_abort));
+    uint32_t pnor_addr = pnor->lpc_address;
     uint32_t pnor_size = pnor->size;
-    uint32_t pnor_addr = PNOR_SPI_OFFSET;
     bool readonly = false;
 
     rsp_buffer_push(rsp, cmd[2]);
@@ -251,8 +251,8 @@ static const IPMINetfn hiomap_netfn = {
 
 void pnv_bmc_set_pnor(IPMIBmc *bmc, PnvPnor *pnor)
 {
+    uint32_t pnor_addr = pnor->lpc_address;
     uint32_t pnor_size = pnor->size;
-    uint32_t pnor_addr = PNOR_SPI_OFFSET;
 
     if (!pnv_bmc_is_simulator(bmc)) {
         return;
diff --git a/hw/ppc/pnv_pnor.c b/hw/ppc/pnv_pnor.c
index 863e2e70aca..9db44ca21d8 100644
--- a/hw/ppc/pnv_pnor.c
+++ b/hw/ppc/pnv_pnor.c
@@ -108,6 +108,8 @@ static void pnv_pnor_realize(DeviceState *dev, Error **errp)
         memset(s->storage, 0xFF, s->size);
     }
 
+    s->lpc_address = PNOR_SPI_OFFSET;
+
     memory_region_init_io(&s->mmio, OBJECT(s), &pnv_pnor_ops, s,
                           TYPE_PNV_PNOR, s->size);
 }
-- 
2.47.1

[PATCH 6/6] ppc/pnv: Fix system symbols in HOMER structure definitions

[Nicholas Piggin]

These definitions were taken from skiboot firmware. I naively thought it
would be nicer to keep the code similar by using the preprocessor, but
it was pointed out that system headers might still use those symbols and
cause something unexpected. Also just nicer to keep the QEMU tree clean.

Cc: Thomas Huth <thuth@redhat.com>
Cc: "Philippe Mathieu-Daudé" <philmd@linaro.org>
Cc: "Stefan Hajnoczi" <stefanha@gmail.com>
Fixes: 70bc5c2498f46 ("ppc/pnv: Make HOMER memory a RAM region")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
---
 hw/ppc/pnv_occ.c | 201 ++++++++++++++++++++++-------------------------
 1 file changed, 96 insertions(+), 105 deletions(-)

diff --git a/hw/ppc/pnv_occ.c b/hw/ppc/pnv_occ.c
index bda6b23ad3c..177c5e514b7 100644
--- a/hw/ppc/pnv_occ.c
+++ b/hw/ppc/pnv_occ.c
@@ -364,7 +364,12 @@ static void pnv_occ_register_types(void)
 
 type_init(pnv_occ_register_types);
 
-/* From skiboot/hw/occ.c with tab to space conversion */
+/*
+ * From skiboot/hw/occ.c with following changes:
+ * - tab to space conversion
+ * - Type conversions u8->uint8_t s8->int8_t __be16->uint16_t etc
+ * - __packed -> QEMU_PACKED
+ */
 /* OCC Communication Area for PStates */
 
 #define OPAL_DYNAMIC_DATA_OFFSET        0x0B80
@@ -384,20 +389,6 @@ type_init(pnv_occ_register_types);
 #define FREQ_MAX_IN_DOMAIN              0
 #define FREQ_MOST_RECENTLY_SET          1
 
-#define u8 uint8_t
-#define s8 int8_t
-#define u16 uint16_t
-#define s16 int16_t
-#define u32 uint32_t
-#define s32 int32_t
-#define u64 uint64_t
-#define s64 int64_t
-#define __be16 uint16_t
-#define __be32 uint32_t
-#ifndef __packed
-#define __packed QEMU_PACKED
-#endif /* !__packed */
-
 /**
  * OCC-OPAL Shared Memory Region
  *
@@ -434,69 +425,69 @@ type_init(pnv_occ_register_types);
  * @spare/reserved/pad:         Unused data
  */
 struct occ_pstate_table {
-    u8 valid;
-    u8 version;
-    union __packed {
-        struct __packed { /* Version 0x01 and 0x02 */
-            u8 throttle;
-            s8 pstate_min;
-            s8 pstate_nom;
-            s8 pstate_turbo;
-            s8 pstate_ultra_turbo;
-            u8 spare;
-            u64 reserved;
-            struct __packed {
-                s8 id;
-                u8 flags;
-                u8 vdd;
-                u8 vcs;
-                __be32 freq_khz;
+    uint8_t valid;
+    uint8_t version;
+    union QEMU_PACKED {
+        struct QEMU_PACKED { /* Version 0x01 and 0x02 */
+            uint8_t throttle;
+            int8_t pstate_min;
+            int8_t pstate_nom;
+            int8_t pstate_turbo;
+            int8_t pstate_ultra_turbo;
+            uint8_t spare;
+            uint64_t reserved;
+            struct QEMU_PACKED {
+                int8_t id;
+                uint8_t flags;
+                uint8_t vdd;
+                uint8_t vcs;
+                uint32_t freq_khz;
             } pstates[MAX_PSTATES];
-            s8 core_max[MAX_P8_CORES];
-            u8 pad[100];
+            int8_t core_max[MAX_P8_CORES];
+            uint8_t pad[100];
         } v2;
-        struct __packed { /* Version 0x90 */
-            u8 occ_role;
-            u8 pstate_min;
-            u8 pstate_nom;
-            u8 pstate_turbo;
-            u8 pstate_ultra_turbo;
-            u8 spare;
-            u64 reserved1;
-            u64 reserved2;
-            struct __packed {
-                u8 id;
-                u8 flags;
-                u16 reserved;
-                __be32 freq_khz;
+        struct QEMU_PACKED { /* Version 0x90 */
+            uint8_t occ_role;
+            uint8_t pstate_min;
+            uint8_t pstate_nom;
+            uint8_t pstate_turbo;
+            uint8_t pstate_ultra_turbo;
+            uint8_t spare;
+            uint64_t reserved1;
+            uint64_t reserved2;
+            struct QEMU_PACKED {
+                uint8_t id;
+                uint8_t flags;
+                uint16_t reserved;
+                uint32_t freq_khz;
             } pstates[MAX_PSTATES];
-            u8 core_max[MAX_P9_CORES];
-            u8 pad[56];
+            uint8_t core_max[MAX_P9_CORES];
+            uint8_t pad[56];
         } v9;
-        struct __packed { /* Version 0xA0 */
-            u8 occ_role;
-            u8 pstate_min;
-            u8 pstate_fixed_freq;
-            u8 pstate_base;
-            u8 pstate_ultra_turbo;
-            u8 pstate_fmax;
-            u8 minor;
-            u8 pstate_bottom_throttle;
-            u8 spare;
-            u8 spare1;
-            u32 reserved_32;
-            u64 reserved_64;
-            struct __packed {
-                u8 id;
-                u8 valid;
-                u16 reserved;
-                __be32 freq_khz;
+        struct QEMU_PACKED { /* Version 0xA0 */
+            uint8_t occ_role;
+            uint8_t pstate_min;
+            uint8_t pstate_fixed_freq;
+            uint8_t pstate_base;
+            uint8_t pstate_ultra_turbo;
+            uint8_t pstate_fmax;
+            uint8_t minor;
+            uint8_t pstate_bottom_throttle;
+            uint8_t spare;
+            uint8_t spare1;
+            uint32_t reserved_32;
+            uint64_t reserved_64;
+            struct QEMU_PACKED {
+                uint8_t id;
+                uint8_t valid;
+                uint16_t reserved;
+                uint32_t freq_khz;
             } pstates[MAX_PSTATES];
-            u8 core_max[MAX_P10_CORES];
-            u8 pad[48];
+            uint8_t core_max[MAX_P10_CORES];
+            uint8_t pad[48];
         } v10;
     };
-} __packed;
+} QEMU_PACKED;
 
 /**
  * OPAL-OCC Command Response Interface
@@ -531,13 +522,13 @@ struct occ_pstate_table {
  * @spare:                      Unused byte
  */
 struct opal_command_buffer {
-    u8 flag;
-    u8 request_id;
-    u8 cmd;
-    u8 spare;
-    __be16 data_size;
-    u8 data[MAX_OPAL_CMD_DATA_LENGTH];
-} __packed;
+    uint8_t flag;
+    uint8_t request_id;
+    uint8_t cmd;
+    uint8_t spare;
+    uint16_t data_size;
+    uint8_t data[MAX_OPAL_CMD_DATA_LENGTH];
+} QEMU_PACKED;
 
 /**
  * OPAL-OCC Response Buffer
@@ -571,13 +562,13 @@ struct opal_command_buffer {
  * @data:                       Response specific data
  */
 struct occ_response_buffer {
-    u8 flag;
-    u8 request_id;
-    u8 cmd;
-    u8 status;
-    __be16 data_size;
-    u8 data[MAX_OCC_RSP_DATA_LENGTH];
-} __packed;
+    uint8_t flag;
+    uint8_t request_id;
+    uint8_t cmd;
+    uint8_t status;
+    uint16_t data_size;
+    uint8_t data[MAX_OCC_RSP_DATA_LENGTH];
+} QEMU_PACKED;
 
 /**
  * OCC-OPAL Shared Memory Interface Dynamic Data Vx90
@@ -608,31 +599,31 @@ struct occ_response_buffer {
  * @rsp:                        OCC Response Buffer
  */
 struct occ_dynamic_data {
-    u8 occ_state;
-    u8 major_version;
-    u8 minor_version;
-    u8 gpus_present;
-    union __packed {
-        struct __packed { /* Version 0x90 */
-            u8 spare1;
+    uint8_t occ_state;
+    uint8_t major_version;
+    uint8_t minor_version;
+    uint8_t gpus_present;
+    union QEMU_PACKED {
+        struct QEMU_PACKED { /* Version 0x90 */
+            uint8_t spare1;
         } v9;
-        struct __packed { /* Version 0xA0 */
-            u8 wof_enabled;
+        struct QEMU_PACKED { /* Version 0xA0 */
+            uint8_t wof_enabled;
         } v10;
     };
-    u8 cpu_throttle;
-    u8 mem_throttle;
-    u8 quick_pwr_drop;
-    u8 pwr_shifting_ratio;
-    u8 pwr_cap_type;
-    __be16 hard_min_pwr_cap;
-    __be16 max_pwr_cap;
-    __be16 cur_pwr_cap;
-    __be16 soft_min_pwr_cap;
-    u8 pad[110];
+    uint8_t cpu_throttle;
+    uint8_t mem_throttle;
+    uint8_t quick_pwr_drop;
+    uint8_t pwr_shifting_ratio;
+    uint8_t pwr_cap_type;
+    uint16_t hard_min_pwr_cap;
+    uint16_t max_pwr_cap;
+    uint16_t cur_pwr_cap;
+    uint16_t soft_min_pwr_cap;
+    uint8_t pad[110];
     struct opal_command_buffer cmd;
     struct occ_response_buffer rsp;
-} __packed;
+} QEMU_PACKED;
 
 enum occ_response_status {
     OCC_RSP_SUCCESS                 = 0x00,
-- 
2.47.1

Re: [PATCH 6/6] ppc/pnv: Fix system symbols in HOMER structure definitions

[Thomas Huth]

On 17/03/2025 06.23, Nicholas Piggin wrote:
> These definitions were taken from skiboot firmware. I naively thought it
> would be nicer to keep the code similar by using the preprocessor, but
> it was pointed out that system headers might still use those symbols and
> cause something unexpected. Also just nicer to keep the QEMU tree clean.
> 
> Cc: Thomas Huth <thuth@redhat.com>
> Cc: "Philippe Mathieu-Daudé" <philmd@linaro.org>
> Cc: "Stefan Hajnoczi" <stefanha@gmail.com>
> Fixes: 70bc5c2498f46 ("ppc/pnv: Make HOMER memory a RAM region")
> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
> ---
>   hw/ppc/pnv_occ.c | 201 ++++++++++++++++++++++-------------------------
>   1 file changed, 96 insertions(+), 105 deletions(-)

Thanks for cleaning it up!

Reviewed-by: Thomas Huth <thuth@redhat.com>

Re: [PATCH 3/6] ppc/xive2: Fix logical / bitwise comparison typo

[Cédric Le Goater]

On 3/17/25 06:23, Nicholas Piggin wrote:
> The comparison as written is always false (perhaps confusingly, because
> the functions/macros are not really booleans but return 0 or the tested
> bit value). Change to use logical-and.
> 
> Resolves: Coverity CID 1593721
> Cc: Cédric Le Goater <clg@redhat.com>
> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>


Reviewed-by: Cédric Le Goater <clg@redhat.com>

Thanks,

C.


> ---
>   hw/intc/xive2.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/intc/xive2.c b/hw/intc/xive2.c
> index 311b42e15d3..7d584dfafaf 100644
> --- a/hw/intc/xive2.c
> +++ b/hw/intc/xive2.c
> @@ -1344,7 +1344,7 @@ static void xive2_router_end_notify(Xive2Router *xrtr, uint8_t end_blk,
>           return;
>       }
>   
> -    if (xive2_end_is_crowd(&end) & !xive2_end_is_ignore(&end)) {
> +    if (xive2_end_is_crowd(&end) && !xive2_end_is_ignore(&end)) {
>           qemu_log_mask(LOG_GUEST_ERROR,
>                         "XIVE: invalid END, 'crowd' bit requires 'ignore' bit\n");
>           return;

Re: [PATCH 4/6] ppc/spapr: Fix possible pa_features memory overflow

[Cédric Le Goater]

On 3/17/25 06:23, Nicholas Piggin wrote:
> Coverity reports a possible memory overflow in spapr_dt_pa_features().
> This should not be a true bug since DAWR1 cap is only be true for
> CPU_POWERPC_LOGICAL_3_10. Add an assertion to ensure any bug there is
> caught.
> 
> Resolves: Coverity CID 1593722
> Fixes: 5f361ea187ba ("ppc: spapr: Enable 2nd DAWR on Power10 pSeries machine")
> Cc: Shivaprasad G Bhat <sbhat@linux.ibm.com>
> Cc: Cédric Le Goater <clg@redhat.com>
> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
> ---
>   hw/ppc/spapr.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> index a415e51d077..9865d7147ff 100644
> --- a/hw/ppc/spapr.c
> +++ b/hw/ppc/spapr.c
> @@ -296,6 +296,7 @@ static void spapr_dt_pa_features(SpaprMachineState *spapr,
>           pa_features[40 + 2] &= ~0x80; /* Radix MMU */
>       }
>       if (spapr_get_cap(spapr, SPAPR_CAP_DAWR1)) {
> +        g_assert(pa_size > 66);
>           pa_features[66] |= 0x80;
>       }
>   

Reviewed-by: Cédric Le Goater <clg@redhat.com>

Thanks,

C.

Re: [PATCH 5/6] ppc/pnv: Move the PNOR LPC address into struct PnvPnor

[Cédric Le Goater]

On 3/17/25 06:23, Nicholas Piggin wrote:
> Rather than use the hardcoded define throughout the tree for the
> PNOR LPC address, keep it within the PnvPnor object.
> 
> This should solve a dead code issue in the BMC HIOMAP checks where
> Coverity (correctly) reported that the sanity checks are dead code.
> We would like to keep the sanity checks without turning them into a
> compile time assert in case we would like to make them configurable
> in future.
> 
> Fixes: 4c84a0a4a6e5 ("ppc/pnv: Add a PNOR address and size sanity checks")
> Resolves: Coverity CID 1593723
> Cc: Cédric Le Goater <clg@redhat.com>
> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>



Reviewed-by: Cédric Le Goater <clg@redhat.com>

Thanks,

C.


> ---
>   include/hw/ppc/pnv_pnor.h | 1 +
>   hw/ppc/pnv.c              | 2 +-
>   hw/ppc/pnv_bmc.c          | 4 ++--
>   hw/ppc/pnv_pnor.c         | 2 ++
>   4 files changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/include/hw/ppc/pnv_pnor.h b/include/hw/ppc/pnv_pnor.h
> index 19c2d642e82..b44cafe918d 100644
> --- a/include/hw/ppc/pnv_pnor.h
> +++ b/include/hw/ppc/pnv_pnor.h
> @@ -28,6 +28,7 @@ struct PnvPnor {
>       BlockBackend   *blk;
>   
>       uint8_t        *storage;
> +    uint32_t       lpc_address; /* Offset within LPC FW space */
>       int64_t        size;
>       MemoryRegion   mmio;
>   };
> diff --git a/hw/ppc/pnv.c b/hw/ppc/pnv.c
> index 59365370c37..63f2232f32f 100644
> --- a/hw/ppc/pnv.c
> +++ b/hw/ppc/pnv.c
> @@ -1191,7 +1191,7 @@ static void pnv_init(MachineState *machine)
>        * Since we can not reach the remote BMC machine with LPC memops,
>        * map it always for now.
>        */
> -    memory_region_add_subregion(pnv->chips[0]->fw_mr, PNOR_SPI_OFFSET,
> +    memory_region_add_subregion(pnv->chips[0]->fw_mr, pnv->pnor->lpc_address,
>                                   &pnv->pnor->mmio);
>   
>       /*
> diff --git a/hw/ppc/pnv_bmc.c b/hw/ppc/pnv_bmc.c
> index 811ba3d7a49..fb70a8c1f22 100644
> --- a/hw/ppc/pnv_bmc.c
> +++ b/hw/ppc/pnv_bmc.c
> @@ -174,8 +174,8 @@ static void hiomap_cmd(IPMIBmcSim *ibs, uint8_t *cmd, unsigned int cmd_len,
>   {
>       PnvPnor *pnor = PNV_PNOR(object_property_get_link(OBJECT(ibs), "pnor",
>                                                         &error_abort));
> +    uint32_t pnor_addr = pnor->lpc_address;
>       uint32_t pnor_size = pnor->size;
> -    uint32_t pnor_addr = PNOR_SPI_OFFSET;
>       bool readonly = false;
>   
>       rsp_buffer_push(rsp, cmd[2]);
> @@ -251,8 +251,8 @@ static const IPMINetfn hiomap_netfn = {
>   
>   void pnv_bmc_set_pnor(IPMIBmc *bmc, PnvPnor *pnor)
>   {
> +    uint32_t pnor_addr = pnor->lpc_address;
>       uint32_t pnor_size = pnor->size;
> -    uint32_t pnor_addr = PNOR_SPI_OFFSET;
>   
>       if (!pnv_bmc_is_simulator(bmc)) {
>           return;
> diff --git a/hw/ppc/pnv_pnor.c b/hw/ppc/pnv_pnor.c
> index 863e2e70aca..9db44ca21d8 100644
> --- a/hw/ppc/pnv_pnor.c
> +++ b/hw/ppc/pnv_pnor.c
> @@ -108,6 +108,8 @@ static void pnv_pnor_realize(DeviceState *dev, Error **errp)
>           memset(s->storage, 0xFF, s->size);
>       }
>   
> +    s->lpc_address = PNOR_SPI_OFFSET;
> +
>       memory_region_init_io(&s->mmio, OBJECT(s), &pnv_pnor_ops, s,
>                             TYPE_PNV_PNOR, s->size);
>   }

Re: [PATCH 2/6] pnv/xive: Fix possible undefined shift error in group size calculation

[Cédric Le Goater]

On 3/17/25 06:23, Nicholas Piggin wrote:
> Coverity discovered a potential shift overflow in group size calculation
> in the case of a guest error. Add checks and logs to ensure a issues are
> caught.
> 
> Make the group and crowd error checking code more similar to one another
> while here.
> 
> Resolves: Coverity CID 1593724
> Fixes: 9cb7f6ebed60 ("ppc/xive2: Support group-matching when looking for target")
> Cc: Cédric Le Goater <clg@redhat.com>
> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>


Reviewed-by: Cédric Le Goater <clg@redhat.com>

Thanks,

C.


> ---
>   hw/intc/xive.c  | 27 ++++++++++++++++++++++++---
>   hw/intc/xive2.c | 19 ++++++++++++++-----
>   2 files changed, 38 insertions(+), 8 deletions(-)
> 
> diff --git a/hw/intc/xive.c b/hw/intc/xive.c
> index e86f2749328..3eb28c2265d 100644
> --- a/hw/intc/xive.c
> +++ b/hw/intc/xive.c
> @@ -1662,12 +1662,20 @@ uint32_t xive_get_vpgroup_size(uint32_t nvp_index)
>        * (starting with the least significant bits) in the NVP index
>        * gives the size of the group.
>        */
> -    return 1 << (ctz32(~nvp_index) + 1);
> +    int first_zero = cto32(nvp_index);
> +    if (first_zero >= 31) {
> +        qemu_log_mask(LOG_GUEST_ERROR, "XIVE: Invalid group index 0x%08x",
> +                                       nvp_index);
> +        return 0;
> +    }
> +
> +    return 1U << (first_zero + 1);
>   }
>   
>   static uint8_t xive_get_group_level(bool crowd, bool ignore,
>                                       uint32_t nvp_blk, uint32_t nvp_index)
>   {
> +    int first_zero;
>       uint8_t level;
>   
>       if (!ignore) {
> @@ -1675,12 +1683,25 @@ static uint8_t xive_get_group_level(bool crowd, bool ignore,
>           return 0;
>       }
>   
> -    level = (ctz32(~nvp_index) + 1) & 0b1111;
> +    first_zero = cto32(nvp_index);
> +    if (first_zero >= 31) {
> +        qemu_log_mask(LOG_GUEST_ERROR, "XIVE: Invalid group index 0x%08x",
> +                                       nvp_index);
> +        return 0;
> +    }
> +
> +    level = (first_zero + 1) & 0b1111;
>       if (crowd) {
>           uint32_t blk;
>   
>           /* crowd level is bit position of first 0 from the right in nvp_blk */
> -        blk = ctz32(~nvp_blk) + 1;
> +        first_zero = cto32(nvp_blk);
> +        if (first_zero >= 31) {
> +            qemu_log_mask(LOG_GUEST_ERROR, "XIVE: Invalid crowd block 0x%08x",
> +                                           nvp_blk);
> +            return 0;
> +        }
> +        blk = first_zero + 1;
>   
>           /*
>            * Supported crowd sizes are 2^1, 2^2, and 2^4. 2^3 is not supported.
> diff --git a/hw/intc/xive2.c b/hw/intc/xive2.c
> index f8ef6154878..311b42e15d3 100644
> --- a/hw/intc/xive2.c
> +++ b/hw/intc/xive2.c
> @@ -1153,13 +1153,15 @@ static bool xive2_vp_match_mask(uint32_t cam1, uint32_t cam2,
>   
>   static uint8_t xive2_get_vp_block_mask(uint32_t nvt_blk, bool crowd)
>   {
> -    uint8_t size, block_mask = 0b1111;
> +    uint8_t block_mask = 0b1111;
>   
>       /* 3 supported crowd sizes: 2, 4, 16 */
>       if (crowd) {
> -        size = xive_get_vpgroup_size(nvt_blk);
> -        if (size == 8) {
> -            qemu_log_mask(LOG_GUEST_ERROR, "XIVE: Invalid crowd size of 8n");
> +        uint32_t size = xive_get_vpgroup_size(nvt_blk);
> +
> +        if (size != 2 && size != 4 && size != 16) {
> +            qemu_log_mask(LOG_GUEST_ERROR, "XIVE: Invalid crowd size of %d",
> +                                           size);
>               return block_mask;
>           }
>           block_mask &= ~(size - 1);
> @@ -1172,7 +1174,14 @@ static uint32_t xive2_get_vp_index_mask(uint32_t nvt_index, bool cam_ignore)
>       uint32_t index_mask = 0xFFFFFF; /* 24 bits */
>   
>       if (cam_ignore) {
> -        index_mask &= ~(xive_get_vpgroup_size(nvt_index) - 1);
> +        uint32_t size = xive_get_vpgroup_size(nvt_index);
> +
> +        if (size < 2) {
> +            qemu_log_mask(LOG_GUEST_ERROR, "XIVE: Invalid group size of %d",
> +                                           size);
> +            return index_mask;
> +        }
> +        index_mask &= ~(size - 1);
>       }
>       return index_mask;
>   }

Re: [PATCH 4/6] ppc/spapr: Fix possible pa_features memory overflow

[Shivaprasad G Bhat]

Hi Nick,


Thnks for taking care of this, I was about to post a fix.


On 3/17/25 10:53 AM, Nicholas Piggin wrote:
> Coverity reports a possible memory overflow in spapr_dt_pa_features().
> This should not be a true bug since DAWR1 cap is only be true for
> CPU_POWERPC_LOGICAL_3_10. Add an assertion to ensure any bug there is
> caught.
>
> Resolves: Coverity CID 1593722
> Fixes: 5f361ea187ba ("ppc: spapr: Enable 2nd DAWR on Power10 pSeries machine")
> Cc: Shivaprasad G Bhat <sbhat@linux.ibm.com>
> Cc: Cédric Le Goater <clg@redhat.com>
> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
> ---
>   hw/ppc/spapr.c | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> index a415e51d077..9865d7147ff 100644
> --- a/hw/ppc/spapr.c
> +++ b/hw/ppc/spapr.c
> @@ -296,6 +296,7 @@ static void spapr_dt_pa_features(SpaprMachineState *spapr,
>           pa_features[40 + 2] &= ~0x80; /* Radix MMU */
>       }
>       if (spapr_get_cap(spapr, SPAPR_CAP_DAWR1)) {
> +        g_assert(pa_size > 66);

SPAPR_CAP_DAWR1 is set to off in default_caps_with_cpu() for below P10 
(compat mode

cases).


So, this works.


I was planning to fix this instead with

+ if (spapr_get_cap(spapr, SPAPR_CAP_DAWR1) && pa_size > 66) { 
pa_features[66] |= 0x80; }

just being in-line with the other similar checks in the same function.


Reviewed-By: Shivaprasad G Bhat <sbhat@linux.ibm.com>


Regards,

Shivaprasad