* [Qemu-devel] [PATCH-for-4.1 v6 1/3] hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs
[not found] <20190709123240.16298-1-philmd@redhat.com>
@ 2019-07-09 12:32 ` Philippe Mathieu-Daudé
2019-07-09 12:32 ` [Qemu-devel] [PATCH-for-4.1 v6 2/3] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory Philippe Mathieu-Daudé
` (2 subsequent siblings)
3 siblings, 0 replies; 4+ messages in thread
From: Philippe Mathieu-Daudé @ 2019-07-09 12:32 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Francisco Iglesias, Alistair Francis, qemu-stable,
Prasad J Pandit, Lei Sun, qemu-arm, Edgar E. Iglesias,
Philippe Mathieu-Daudé
In the next commit we will implement the write_with_attrs()
handler. To avoid using different APIs, convert the read()
handler first.
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
v4: Do not ignore lqspi_read() return value (Francisco)
---
hw/ssi/xilinx_spips.c | 23 +++++++++++------------
1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index 8115bb6d46..b7c7275dbe 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -1202,27 +1202,26 @@ static void lqspi_load_cache(void *opaque, hwaddr addr)
}
}
-static uint64_t
-lqspi_read(void *opaque, hwaddr addr, unsigned int size)
+static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
+ unsigned size, MemTxAttrs attrs)
{
- XilinxQSPIPS *q = opaque;
- uint32_t ret;
+ XilinxQSPIPS *q = XILINX_QSPIPS(opaque);
if (addr >= q->lqspi_cached_addr &&
addr <= q->lqspi_cached_addr + LQSPI_CACHE_SIZE - 4) {
uint8_t *retp = &q->lqspi_buf[addr - q->lqspi_cached_addr];
- ret = cpu_to_le32(*(uint32_t *)retp);
- DB_PRINT_L(1, "addr: %08x, data: %08x\n", (unsigned)addr,
- (unsigned)ret);
- return ret;
- } else {
- lqspi_load_cache(opaque, addr);
- return lqspi_read(opaque, addr, size);
+ *value = cpu_to_le32(*(uint32_t *)retp);
+ DB_PRINT_L(1, "addr: %08" HWADDR_PRIx ", data: %08" PRIx64 "\n",
+ addr, *value);
+ return MEMTX_OK;
}
+
+ lqspi_load_cache(opaque, addr);
+ return lqspi_read(opaque, addr, value, size, attrs);
}
static const MemoryRegionOps lqspi_ops = {
- .read = lqspi_read,
+ .read_with_attrs = lqspi_read,
.endianness = DEVICE_NATIVE_ENDIAN,
.valid = {
.min_access_size = 1,
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [Qemu-devel] [PATCH-for-4.1 v6 2/3] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
[not found] <20190709123240.16298-1-philmd@redhat.com>
2019-07-09 12:32 ` [Qemu-devel] [PATCH-for-4.1 v6 1/3] hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs Philippe Mathieu-Daudé
@ 2019-07-09 12:32 ` Philippe Mathieu-Daudé
2019-07-09 12:32 ` [Qemu-devel] [PATCH-for-4.1 v6 3/3] hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[] Philippe Mathieu-Daudé
2019-07-11 14:43 ` [Qemu-devel] [PATCH-for-4.1 v6 0/3] hw/ssi/xilinx_spips: Avoid NULL dereference and out-of-bound access Peter Maydell
3 siblings, 0 replies; 4+ messages in thread
From: Philippe Mathieu-Daudé @ 2019-07-09 12:32 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Francisco Iglesias, Alistair Francis, qemu-stable,
Prasad J Pandit, Lei Sun, qemu-arm, Edgar E. Iglesias,
Philippe Mathieu-Daudé
Lei Sun found while auditing the code that a CPU write would
trigger a NULL pointer dereference.
From UG1085 datasheet [*] AXI writes in this region are ignored
and generates an AXI Slave Error (SLVERR).
Fix by implementing the write_with_attrs() handler.
Return MEMTX_ERROR when the region is accessed (this error maps
to an AXI slave error).
[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
Reported-by: Lei Sun <slei.casper@gmail.com>
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
v4: Fix typos (Francisco)
---
hw/ssi/xilinx_spips.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index b7c7275dbe..3c4e8365ee 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -1220,8 +1220,24 @@ static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
return lqspi_read(opaque, addr, value, size, attrs);
}
+static MemTxResult lqspi_write(void *opaque, hwaddr offset, uint64_t value,
+ unsigned size, MemTxAttrs attrs)
+{
+ /*
+ * From UG1085, Chapter 24 (Quad-SPI controllers):
+ * - Writes are ignored
+ * - AXI writes generate an external AXI slave error (SLVERR)
+ */
+ qemu_log_mask(LOG_GUEST_ERROR, "%s Unexpected %u-bit access to 0x%" PRIx64
+ " (value: 0x%" PRIx64 "\n",
+ __func__, size << 3, offset, value);
+
+ return MEMTX_ERROR;
+}
+
static const MemoryRegionOps lqspi_ops = {
.read_with_attrs = lqspi_read,
+ .write_with_attrs = lqspi_write,
.endianness = DEVICE_NATIVE_ENDIAN,
.valid = {
.min_access_size = 1,
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [Qemu-devel] [PATCH-for-4.1 v6 3/3] hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
[not found] <20190709123240.16298-1-philmd@redhat.com>
2019-07-09 12:32 ` [Qemu-devel] [PATCH-for-4.1 v6 1/3] hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs Philippe Mathieu-Daudé
2019-07-09 12:32 ` [Qemu-devel] [PATCH-for-4.1 v6 2/3] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory Philippe Mathieu-Daudé
@ 2019-07-09 12:32 ` Philippe Mathieu-Daudé
2019-07-11 14:43 ` [Qemu-devel] [PATCH-for-4.1 v6 0/3] hw/ssi/xilinx_spips: Avoid NULL dereference and out-of-bound access Peter Maydell
3 siblings, 0 replies; 4+ messages in thread
From: Philippe Mathieu-Daudé @ 2019-07-09 12:32 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Francisco Iglesias, Alistair Francis, qemu-stable,
Prasad J Pandit, Lei Sun, qemu-arm, Edgar E. Iglesias,
Philippe Mathieu-Daudé
Both lqspi_read() and lqspi_load_cache() expect a 32-bit
aligned address.
From UG1085 datasheet [*] chapter on 'Quad-SPI Controller':
Transfer Size Limitations
Because of the 32-bit wide TX, RX, and generic FIFO, all
APB/AXI transfers must be an integer multiple of 4-bytes.
Shorter transfers are not possible.
Set MemoryRegionOps.impl values to force 32-bit accesses,
this way we are sure we do not access the lqspi_buf[] array
out of bound.
[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
v6: fix datasheet reference
v5: add datasheet reference, drop RFC prefix, fix build (Francisco)
---
hw/ssi/xilinx_spips.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index 3c4e8365ee..b29e0a4a89 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -1239,6 +1239,10 @@ static const MemoryRegionOps lqspi_ops = {
.read_with_attrs = lqspi_read,
.write_with_attrs = lqspi_write,
.endianness = DEVICE_NATIVE_ENDIAN,
+ .impl = {
+ .min_access_size = 4,
+ .max_access_size = 4,
+ },
.valid = {
.min_access_size = 1,
.max_access_size = 4
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Qemu-devel] [PATCH-for-4.1 v6 0/3] hw/ssi/xilinx_spips: Avoid NULL dereference and out-of-bound access
[not found] <20190709123240.16298-1-philmd@redhat.com>
` (2 preceding siblings ...)
2019-07-09 12:32 ` [Qemu-devel] [PATCH-for-4.1 v6 3/3] hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[] Philippe Mathieu-Daudé
@ 2019-07-11 14:43 ` Peter Maydell
3 siblings, 0 replies; 4+ messages in thread
From: Peter Maydell @ 2019-07-11 14:43 UTC (permalink / raw)
To: Philippe Mathieu-Daudé
Cc: Francisco Iglesias, qemu-stable, Alistair Francis,
QEMU Developers, Prasad J Pandit, Lei Sun, qemu-arm,
Edgar E. Iglesias
On Tue, 9 Jul 2019 at 13:32, Philippe Mathieu-Daudé <philmd@redhat.com> wrote:
>
> v1: https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01238.html
> v2: https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01586.html
> v3: https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01657.html
> v4: https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01777.html
> v5: https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg01959.html
> v6:
> - fixed datasheet reference, added Francisco tags
>
> Philippe Mathieu-Daudé (3):
> hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs
> hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
> hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
Applied to target-arm.next, thanks.
-- PMM
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-07-11 14:45 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20190709123240.16298-1-philmd@redhat.com>
2019-07-09 12:32 ` [Qemu-devel] [PATCH-for-4.1 v6 1/3] hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs Philippe Mathieu-Daudé
2019-07-09 12:32 ` [Qemu-devel] [PATCH-for-4.1 v6 2/3] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory Philippe Mathieu-Daudé
2019-07-09 12:32 ` [Qemu-devel] [PATCH-for-4.1 v6 3/3] hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[] Philippe Mathieu-Daudé
2019-07-11 14:43 ` [Qemu-devel] [PATCH-for-4.1 v6 0/3] hw/ssi/xilinx_spips: Avoid NULL dereference and out-of-bound access Peter Maydell
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).