hw/dma/xlnx_dpdma.c | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-)
Add a function xlnx_dpdma_read_descriptor() that
combines reading the descriptor from desc_addr
by calling dma_memory_read() and swapping desc
fields from guest memory order to host memory order.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d3c6369a96 ("introduce xlnx-dpdma")
Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
---
v2:minor changes in xlnx_dpdma_read_descriptor()
hw/dma/xlnx_dpdma.c | 31 +++++++++++++++++++++++++++++--
1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c
index dd66be5265..62a0952377 100644
--- a/hw/dma/xlnx_dpdma.c
+++ b/hw/dma/xlnx_dpdma.c
@@ -614,6 +614,34 @@ static void xlnx_dpdma_register_types(void)
type_register_static(&xlnx_dpdma_info);
}
+static MemTxResult xlnx_dpdma_read_descriptor(XlnxDPDMAState *s,
+ uint64_t desc_addr, DPDMADescriptor *desc)
+{
+ if (dma_memory_read(&address_space_memory, desc_addr, &desc,
+ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED))
+ return MEMTX_ERROR;
+
+ /* Convert from LE into host endianness. */
+ desc->control = le32_to_cpu(desc->control);
+ desc->descriptor_id = le32_to_cpu(desc->descriptor_id);
+ desc->xfer_size = le32_to_cpu(desc->xfer_size);
+ desc->line_size_stride = le32_to_cpu(desc->line_size_stride);
+ desc->timestamp_lsb = le32_to_cpu(desc->timestamp_lsb);
+ desc->timestamp_msb = le32_to_cpu(desc->timestamp_msb);
+ desc->address_extension = le32_to_cpu(desc->address_extension);
+ desc->next_descriptor = le32_to_cpu(desc->next_descriptor);
+ desc->source_address = le32_to_cpu(desc->source_address);
+ desc->address_extension_23 = le32_to_cpu(desc->address_extension_23);
+ desc->address_extension_45 = le32_to_cpu(desc->address_extension_45);
+ desc->source_address2 = le32_to_cpu(desc->source_address2);
+ desc->source_address3 = le32_to_cpu(desc->source_address3);
+ desc->source_address4 = le32_to_cpu(desc->source_address4);
+ desc->source_address5 = le32_to_cpu(desc->source_address5);
+ desc->crc = le32_to_cpu(desc->crc);
+
+ return MEMTX_OK;
+}
+
size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
bool one_desc)
{
@@ -651,8 +679,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
desc_addr = xlnx_dpdma_descriptor_next_address(s, channel);
}
- if (dma_memory_read(&address_space_memory, desc_addr, &desc,
- sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) {
+ if (xlnx_dpdma_read_descriptor(s, desc_addr, &desc)) {
s->registers[DPDMA_EISR] |= ((1 << 1) << channel);
xlnx_dpdma_update_irq(s);
s->operation_finished[channel] = true;
--
2.30.2Hi Alexandra,
On 25/4/24 12:07, Alexandra Diupina wrote:
> Add a function xlnx_dpdma_read_descriptor() that
> combines reading the descriptor from desc_addr
> by calling dma_memory_read() and swapping desc
> fields from guest memory order to host memory order.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: d3c6369a96 ("introduce xlnx-dpdma")
> Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
> ---
> v2:minor changes in xlnx_dpdma_read_descriptor()
> hw/dma/xlnx_dpdma.c | 31 +++++++++++++++++++++++++++++--
> 1 file changed, 29 insertions(+), 2 deletions(-)
>
> diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c
> index dd66be5265..62a0952377 100644
> --- a/hw/dma/xlnx_dpdma.c
> +++ b/hw/dma/xlnx_dpdma.c
> @@ -614,6 +614,34 @@ static void xlnx_dpdma_register_types(void)
> type_register_static(&xlnx_dpdma_info);
> }
>
> +static MemTxResult xlnx_dpdma_read_descriptor(XlnxDPDMAState *s,
> + uint64_t desc_addr, DPDMADescriptor *desc)
> +{
> + if (dma_memory_read(&address_space_memory, desc_addr, &desc,
> + sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED))
> + return MEMTX_ERROR;
> +
> + /* Convert from LE into host endianness. */
> + desc->control = le32_to_cpu(desc->control);
> + desc->descriptor_id = le32_to_cpu(desc->descriptor_id);
> + desc->xfer_size = le32_to_cpu(desc->xfer_size);
> + desc->line_size_stride = le32_to_cpu(desc->line_size_stride);
> + desc->timestamp_lsb = le32_to_cpu(desc->timestamp_lsb);
> + desc->timestamp_msb = le32_to_cpu(desc->timestamp_msb);
> + desc->address_extension = le32_to_cpu(desc->address_extension);
> + desc->next_descriptor = le32_to_cpu(desc->next_descriptor);
> + desc->source_address = le32_to_cpu(desc->source_address);
> + desc->address_extension_23 = le32_to_cpu(desc->address_extension_23);
> + desc->address_extension_45 = le32_to_cpu(desc->address_extension_45);
> + desc->source_address2 = le32_to_cpu(desc->source_address2);
> + desc->source_address3 = le32_to_cpu(desc->source_address3);
> + desc->source_address4 = le32_to_cpu(desc->source_address4);
> + desc->source_address5 = le32_to_cpu(desc->source_address5);
> + desc->crc = le32_to_cpu(desc->crc);
> +
> + return MEMTX_OK;
> +}
> +
> size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
> bool one_desc)
> {
> @@ -651,8 +679,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
> desc_addr = xlnx_dpdma_descriptor_next_address(s, channel);
> }
>
> - if (dma_memory_read(&address_space_memory, desc_addr, &desc,
> - sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) {
> + if (xlnx_dpdma_read_descriptor(s, desc_addr, &desc)) {
Correct, but this is incomplete, because we have the same problem
on the write descriptor back path, few lines later in the
xlnx_dpdma_desc_update_enabled() block.
> s->registers[DPDMA_EISR] |= ((1 << 1) << channel);
> xlnx_dpdma_update_irq(s);
> s->operation_finished[channel] = true;
Add xlnx_dpdma_read_descriptor() and
xlnx_dpdma_write_descriptor() functions.
xlnx_dpdma_read_descriptor() combines reading a
descriptor from desc_addr by calling dma_memory_read()
and swapping the desc fields from guest memory order
to host memory order. xlnx_dpdma_write_descriptor()
performs similar actions when writing a descriptor.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d3c6369a96 ("introduce xlnx-dpdma")
Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
---
v3: add xlnx_dpdma_write_descriptor()
v2: minor changes in xlnx_dpdma_read_descriptor()
hw/dma/xlnx_dpdma.c | 59 ++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 55 insertions(+), 4 deletions(-)
diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c
index dd66be5265..7845f43221 100644
--- a/hw/dma/xlnx_dpdma.c
+++ b/hw/dma/xlnx_dpdma.c
@@ -614,6 +614,59 @@ static void xlnx_dpdma_register_types(void)
type_register_static(&xlnx_dpdma_info);
}
+static MemTxResult xlnx_dpdma_read_descriptor(XlnxDPDMAState *s,
+ uint64_t desc_addr, DPDMADescriptor *desc)
+{
+ if (dma_memory_read(&address_space_memory, desc_addr, &desc,
+ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED))
+ return MEMTX_ERROR;
+
+ /* Convert from LE into host endianness. */
+ desc->control = le32_to_cpu(desc->control);
+ desc->descriptor_id = le32_to_cpu(desc->descriptor_id);
+ desc->xfer_size = le32_to_cpu(desc->xfer_size);
+ desc->line_size_stride = le32_to_cpu(desc->line_size_stride);
+ desc->timestamp_lsb = le32_to_cpu(desc->timestamp_lsb);
+ desc->timestamp_msb = le32_to_cpu(desc->timestamp_msb);
+ desc->address_extension = le32_to_cpu(desc->address_extension);
+ desc->next_descriptor = le32_to_cpu(desc->next_descriptor);
+ desc->source_address = le32_to_cpu(desc->source_address);
+ desc->address_extension_23 = le32_to_cpu(desc->address_extension_23);
+ desc->address_extension_45 = le32_to_cpu(desc->address_extension_45);
+ desc->source_address2 = le32_to_cpu(desc->source_address2);
+ desc->source_address3 = le32_to_cpu(desc->source_address3);
+ desc->source_address4 = le32_to_cpu(desc->source_address4);
+ desc->source_address5 = le32_to_cpu(desc->source_address5);
+ desc->crc = le32_to_cpu(desc->crc);
+
+ return MEMTX_OK;
+}
+
+static void xlnx_dpdma_write_descriptor(uint64_t desc_addr,
+ DPDMADescriptor *desc)
+{
+ /* Convert from host endianness into LE. */
+ desc->control = cpu_to_le32(desc->control);
+ desc->descriptor_id = cpu_to_le32(desc->descriptor_id);
+ desc->xfer_size = cpu_to_le32(desc->xfer_size);
+ desc->line_size_stride = cpu_to_le32(desc->line_size_stride);
+ desc->timestamp_lsb = cpu_to_le32(desc->timestamp_lsb);
+ desc->timestamp_msb = cpu_to_le32(desc->timestamp_msb);
+ desc->address_extension = cpu_to_le32(desc->address_extension);
+ desc->next_descriptor = cpu_to_le32(desc->next_descriptor);
+ desc->source_address = cpu_to_le32(desc->source_address);
+ desc->address_extension_23 = cpu_to_le32(desc->address_extension_23);
+ desc->address_extension_45 = cpu_to_le32(desc->address_extension_45);
+ desc->source_address2 = cpu_to_le32(desc->source_address2);
+ desc->source_address3 = cpu_to_le32(desc->source_address3);
+ desc->source_address4 = cpu_to_le32(desc->source_address4);
+ desc->source_address5 = cpu_to_le32(desc->source_address5);
+ desc->crc = cpu_to_le32(desc->crc);
+
+ dma_memory_write(&address_space_memory, desc_addr, &desc,
+ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED);
+}
+
size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
bool one_desc)
{
@@ -651,8 +704,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
desc_addr = xlnx_dpdma_descriptor_next_address(s, channel);
}
- if (dma_memory_read(&address_space_memory, desc_addr, &desc,
- sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) {
+ if (xlnx_dpdma_read_descriptor(s, desc_addr, &desc)) {
s->registers[DPDMA_EISR] |= ((1 << 1) << channel);
xlnx_dpdma_update_irq(s);
s->operation_finished[channel] = true;
@@ -755,8 +807,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
/* The descriptor need to be updated when it's completed. */
DPRINTF("update the descriptor with the done flag set.\n");
xlnx_dpdma_desc_set_done(&desc);
- dma_memory_write(&address_space_memory, desc_addr, &desc,
- sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED);
+ xlnx_dpdma_write_descriptor(desc_addr, &desc);
}
if (xlnx_dpdma_desc_completion_interrupt(&desc)) {
--
2.30.2On 4/25/24 06:41, Alexandra Diupina wrote:
> +static MemTxResult xlnx_dpdma_read_descriptor(XlnxDPDMAState *s,
> + uint64_t desc_addr, DPDMADescriptor *desc)
> +{
> + if (dma_memory_read(&address_space_memory, desc_addr, &desc,
> + sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED))
> + return MEMTX_ERROR;
> +
Missing { } for docs/devel/style.rst.
> +static void xlnx_dpdma_write_descriptor(uint64_t desc_addr,
> + DPDMADescriptor *desc)
> +{
> + /* Convert from host endianness into LE. */
> + desc->control = cpu_to_le32(desc->control);
> + desc->descriptor_id = cpu_to_le32(desc->descriptor_id);
> + desc->xfer_size = cpu_to_le32(desc->xfer_size);
> + desc->line_size_stride = cpu_to_le32(desc->line_size_stride);
> + desc->timestamp_lsb = cpu_to_le32(desc->timestamp_lsb);
> + desc->timestamp_msb = cpu_to_le32(desc->timestamp_msb);
> + desc->address_extension = cpu_to_le32(desc->address_extension);
> + desc->next_descriptor = cpu_to_le32(desc->next_descriptor);
> + desc->source_address = cpu_to_le32(desc->source_address);
> + desc->address_extension_23 = cpu_to_le32(desc->address_extension_23);
> + desc->address_extension_45 = cpu_to_le32(desc->address_extension_45);
> + desc->source_address2 = cpu_to_le32(desc->source_address2);
> + desc->source_address3 = cpu_to_le32(desc->source_address3);
> + desc->source_address4 = cpu_to_le32(desc->source_address4);
> + desc->source_address5 = cpu_to_le32(desc->source_address5);
> + desc->crc = cpu_to_le32(desc->crc);
This is incorrect, rewriting in place, because after the call,
> if (xlnx_dpdma_desc_completion_interrupt(&desc)) {
the memory block is still live, and the swap here has corrupted it.
> +
> + dma_memory_write(&address_space_memory, desc_addr, &desc,
This is incorrect because desc is now a pointer so &desc is DPDMADescriptor **.
Do not reply to an existing thread to post a new patch.
r~
© 2016 - 2026 Red Hat, Inc.