hw/dma/xlnx_dpdma.c | 63 ++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 59 insertions(+), 4 deletions(-)
Add xlnx_dpdma_read_descriptor() and
xlnx_dpdma_write_descriptor() functions.
xlnx_dpdma_read_descriptor() combines reading a
descriptor from desc_addr by calling dma_memory_read()
and swapping the desc fields from guest memory order
to host memory order. xlnx_dpdma_write_descriptor()
performs similar actions when writing a descriptor.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d3c6369a96 ("introduce xlnx-dpdma")
Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
---
v4: remove rewriting desc in place
v3: add xlnx_dpdma_write_descriptor()
v2: minor changes in xlnx_dpdma_read_descriptor()
hw/dma/xlnx_dpdma.c | 63 ++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 59 insertions(+), 4 deletions(-)
diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c
index 1f5cd64ed1..e9133e9dcb 100644
--- a/hw/dma/xlnx_dpdma.c
+++ b/hw/dma/xlnx_dpdma.c
@@ -614,6 +614,63 @@ static void xlnx_dpdma_register_types(void)
type_register_static(&xlnx_dpdma_info);
}
+static MemTxResult xlnx_dpdma_read_descriptor(XlnxDPDMAState *s,
+ uint64_t desc_addr, DPDMADescriptor *desc)
+{
+ if (dma_memory_read(&address_space_memory, desc_addr, &desc,
+ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) {
+ return MEMTX_ERROR;
+ }
+
+ /* Convert from LE into host endianness. */
+ desc->control = le32_to_cpu(desc->control);
+ desc->descriptor_id = le32_to_cpu(desc->descriptor_id);
+ desc->xfer_size = le32_to_cpu(desc->xfer_size);
+ desc->line_size_stride = le32_to_cpu(desc->line_size_stride);
+ desc->timestamp_lsb = le32_to_cpu(desc->timestamp_lsb);
+ desc->timestamp_msb = le32_to_cpu(desc->timestamp_msb);
+ desc->address_extension = le32_to_cpu(desc->address_extension);
+ desc->next_descriptor = le32_to_cpu(desc->next_descriptor);
+ desc->source_address = le32_to_cpu(desc->source_address);
+ desc->address_extension_23 = le32_to_cpu(desc->address_extension_23);
+ desc->address_extension_45 = le32_to_cpu(desc->address_extension_45);
+ desc->source_address2 = le32_to_cpu(desc->source_address2);
+ desc->source_address3 = le32_to_cpu(desc->source_address3);
+ desc->source_address4 = le32_to_cpu(desc->source_address4);
+ desc->source_address5 = le32_to_cpu(desc->source_address5);
+ desc->crc = le32_to_cpu(desc->crc);
+
+ return MEMTX_OK;
+}
+
+static void xlnx_dpdma_write_descriptor(uint64_t desc_addr,
+ DPDMADescriptor *desc)
+{
+ DPDMADescriptor* tmp_desc = (DPDMADescriptor *)malloc(sizeof(DPDMADescriptor));
+ memcpy(tmp_desc, desc, sizeof(desc));
+
+ /* Convert from host endianness into LE. */
+ tmp_desc->control = cpu_to_le32(tmp_desc->control);
+ tmp_desc->descriptor_id = cpu_to_le32(tmp_desc->descriptor_id);
+ tmp_desc->xfer_size = cpu_to_le32(tmp_desc->xfer_size);
+ tmp_desc->line_size_stride = cpu_to_le32(tmp_desc->line_size_stride);
+ tmp_desc->timestamp_lsb = cpu_to_le32(tmp_desc->timestamp_lsb);
+ tmp_desc->timestamp_msb = cpu_to_le32(tmp_desc->timestamp_msb);
+ tmp_desc->address_extension = cpu_to_le32(tmp_desc->address_extension);
+ tmp_desc->next_descriptor = cpu_to_le32(tmp_desc->next_descriptor);
+ tmp_desc->source_address = cpu_to_le32(tmp_desc->source_address);
+ tmp_desc->address_extension_23 = cpu_to_le32(tmp_desc->address_extension_23);
+ tmp_desc->address_extension_45 = cpu_to_le32(tmp_desc->address_extension_45);
+ tmp_desc->source_address2 = cpu_to_le32(tmp_desc->source_address2);
+ tmp_desc->source_address3 = cpu_to_le32(tmp_desc->source_address3);
+ tmp_desc->source_address4 = cpu_to_le32(tmp_desc->source_address4);
+ tmp_desc->source_address5 = cpu_to_le32(tmp_desc->source_address5);
+ tmp_desc->crc = cpu_to_le32(tmp_desc->crc);
+
+ dma_memory_write(&address_space_memory, desc_addr, tmp_desc,
+ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED);
+}
+
size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
bool one_desc)
{
@@ -651,8 +708,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
desc_addr = xlnx_dpdma_descriptor_next_address(s, channel);
}
- if (dma_memory_read(&address_space_memory, desc_addr, &desc,
- sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) {
+ if (xlnx_dpdma_read_descriptor(s, desc_addr, &desc)) {
s->registers[DPDMA_EISR] |= ((1 << 1) << channel);
xlnx_dpdma_update_irq(s);
s->operation_finished[channel] = true;
@@ -755,8 +811,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
/* The descriptor need to be updated when it's completed. */
DPRINTF("update the descriptor with the done flag set.\n");
xlnx_dpdma_desc_set_done(&desc);
- dma_memory_write(&address_space_memory, desc_addr, &desc,
- sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED);
+ xlnx_dpdma_write_descriptor(desc_addr, &desc);
}
if (xlnx_dpdma_desc_completion_interrupt(&desc)) {
--
2.30.2Alexandra Diupina <adiupina@astralinux.ru> writes: As the subject is what ends up in the shortlog it is useful to prefix the subsystem to make it easier to see what was touched when reviewing log files. So maybe: xlnx_dpdma: fix endianness bug or even: xlnx_dpdma: fix descriptor endianness bug as we have space within the 60 or so chars recommended for subject lines ;-) <snip> -- Alex Bennée Virtualisation Tech Lead @ Linaro
Add xlnx_dpdma_read_descriptor() and
xlnx_dpdma_write_descriptor() functions.
xlnx_dpdma_read_descriptor() combines reading a
descriptor from desc_addr by calling dma_memory_read()
and swapping the desc fields from guest memory order
to host memory order. xlnx_dpdma_write_descriptor()
performs similar actions when writing a descriptor.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d3c6369a96 ("introduce xlnx-dpdma")
Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
---
v5: fix subject and make xlnx_dpdma_write_descriptor() not void
v4: remove rewriting desc in place
v3: add xlnx_dpdma_write_descriptor()
v2: minor changes in xlnx_dpdma_read_descriptor()
hw/dma/xlnx_dpdma.c | 66 ++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 62 insertions(+), 4 deletions(-)
diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c
index 1f5cd64ed1..f582c1a085 100644
--- a/hw/dma/xlnx_dpdma.c
+++ b/hw/dma/xlnx_dpdma.c
@@ -614,6 +614,63 @@ static void xlnx_dpdma_register_types(void)
type_register_static(&xlnx_dpdma_info);
}
+static MemTxResult xlnx_dpdma_read_descriptor(XlnxDPDMAState *s,
+ uint64_t desc_addr, DPDMADescriptor *desc)
+{
+ MemTxResult res = dma_memory_read(&address_space_memory, desc_addr,
+ &desc, sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED);
+ if (res) {
+ return res;
+ }
+
+ /* Convert from LE into host endianness. */
+ desc->control = le32_to_cpu(desc->control);
+ desc->descriptor_id = le32_to_cpu(desc->descriptor_id);
+ desc->xfer_size = le32_to_cpu(desc->xfer_size);
+ desc->line_size_stride = le32_to_cpu(desc->line_size_stride);
+ desc->timestamp_lsb = le32_to_cpu(desc->timestamp_lsb);
+ desc->timestamp_msb = le32_to_cpu(desc->timestamp_msb);
+ desc->address_extension = le32_to_cpu(desc->address_extension);
+ desc->next_descriptor = le32_to_cpu(desc->next_descriptor);
+ desc->source_address = le32_to_cpu(desc->source_address);
+ desc->address_extension_23 = le32_to_cpu(desc->address_extension_23);
+ desc->address_extension_45 = le32_to_cpu(desc->address_extension_45);
+ desc->source_address2 = le32_to_cpu(desc->source_address2);
+ desc->source_address3 = le32_to_cpu(desc->source_address3);
+ desc->source_address4 = le32_to_cpu(desc->source_address4);
+ desc->source_address5 = le32_to_cpu(desc->source_address5);
+ desc->crc = le32_to_cpu(desc->crc);
+
+ return res;
+}
+
+static MemTxResult xlnx_dpdma_write_descriptor(uint64_t desc_addr,
+ DPDMADescriptor *desc)
+{
+ DPDMADescriptor tmp_desc = *desc;
+
+ /* Convert from host endianness into LE. */
+ tmp_desc.control = cpu_to_le32(tmp_desc.control);
+ tmp_desc.descriptor_id = cpu_to_le32(tmp_desc.descriptor_id);
+ tmp_desc.xfer_size = cpu_to_le32(tmp_desc.xfer_size);
+ tmp_desc.line_size_stride = cpu_to_le32(tmp_desc.line_size_stride);
+ tmp_desc.timestamp_lsb = cpu_to_le32(tmp_desc.timestamp_lsb);
+ tmp_desc.timestamp_msb = cpu_to_le32(tmp_desc.timestamp_msb);
+ tmp_desc.address_extension = cpu_to_le32(tmp_desc.address_extension);
+ tmp_desc.next_descriptor = cpu_to_le32(tmp_desc.next_descriptor);
+ tmp_desc.source_address = cpu_to_le32(tmp_desc.source_address);
+ tmp_desc.address_extension_23 = cpu_to_le32(tmp_desc.address_extension_23);
+ tmp_desc.address_extension_45 = cpu_to_le32(tmp_desc.address_extension_45);
+ tmp_desc.source_address2 = cpu_to_le32(tmp_desc.source_address2);
+ tmp_desc.source_address3 = cpu_to_le32(tmp_desc.source_address3);
+ tmp_desc.source_address4 = cpu_to_le32(tmp_desc.source_address4);
+ tmp_desc.source_address5 = cpu_to_le32(tmp_desc.source_address5);
+ tmp_desc.crc = cpu_to_le32(tmp_desc.crc);
+
+ return dma_memory_write(&address_space_memory, desc_addr, &tmp_desc,
+ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED);
+}
+
size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
bool one_desc)
{
@@ -651,8 +708,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
desc_addr = xlnx_dpdma_descriptor_next_address(s, channel);
}
- if (dma_memory_read(&address_space_memory, desc_addr, &desc,
- sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) {
+ if (xlnx_dpdma_read_descriptor(s, desc_addr, &desc)) {
s->registers[DPDMA_EISR] |= ((1 << 1) << channel);
xlnx_dpdma_update_irq(s);
s->operation_finished[channel] = true;
@@ -755,8 +811,10 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
/* The descriptor need to be updated when it's completed. */
DPRINTF("update the descriptor with the done flag set.\n");
xlnx_dpdma_desc_set_done(&desc);
- dma_memory_write(&address_space_memory, desc_addr, &desc,
- sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED);
+ if (xlnx_dpdma_write_descriptor(desc_addr, &desc)) {
+ DPRINTF("Can't write the descriptor.\n");
+ break;
+ }
}
if (xlnx_dpdma_desc_completion_interrupt(&desc)) {
--
2.30.2On Thu, 2 May 2024 at 15:16, Alexandra Diupina <adiupina@astralinux.ru> wrote:
>
> Add xlnx_dpdma_read_descriptor() and
> xlnx_dpdma_write_descriptor() functions.
> xlnx_dpdma_read_descriptor() combines reading a
> descriptor from desc_addr by calling dma_memory_read()
> and swapping the desc fields from guest memory order
> to host memory order. xlnx_dpdma_write_descriptor()
> performs similar actions when writing a descriptor.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: d3c6369a96 ("introduce xlnx-dpdma")
> Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
> @@ -755,8 +811,10 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
> /* The descriptor need to be updated when it's completed. */
> DPRINTF("update the descriptor with the done flag set.\n");
> xlnx_dpdma_desc_set_done(&desc);
> - dma_memory_write(&address_space_memory, desc_addr, &desc,
> - sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED);
> + if (xlnx_dpdma_write_descriptor(desc_addr, &desc)) {
> + DPRINTF("Can't write the descriptor.\n");
> + break;
> + }
This "break" introduces a behaviour change, so if we want it
it should not be in this patch, which is supposed to just
be fixing the endianness bug. (If we want to try to do the
right thing on write errors here we need to check the device
datasheet to see what it says about the hardware behaviour in
that situation.)
I dropped the "break" line and have queued this to target-arm.next.
thanks
-- PMM
On Sun, 28 Apr 2024 at 19:12, Alexandra Diupina <adiupina@astralinux.ru> wrote:
>
> Add xlnx_dpdma_read_descriptor() and
> xlnx_dpdma_write_descriptor() functions.
> xlnx_dpdma_read_descriptor() combines reading a
> descriptor from desc_addr by calling dma_memory_read()
> and swapping the desc fields from guest memory order
> to host memory order. xlnx_dpdma_write_descriptor()
> performs similar actions when writing a descriptor.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: d3c6369a96 ("introduce xlnx-dpdma")
> Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
> ---
> v4: remove rewriting desc in place
> v3: add xlnx_dpdma_write_descriptor()
> v2: minor changes in xlnx_dpdma_read_descriptor()
> hw/dma/xlnx_dpdma.c | 63 ++++++++++++++++++++++++++++++++++++++++++---
> 1 file changed, 59 insertions(+), 4 deletions(-)
>
> diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c
> index 1f5cd64ed1..e9133e9dcb 100644
> --- a/hw/dma/xlnx_dpdma.c
> +++ b/hw/dma/xlnx_dpdma.c
> @@ -614,6 +614,63 @@ static void xlnx_dpdma_register_types(void)
> type_register_static(&xlnx_dpdma_info);
> }
>
> +static MemTxResult xlnx_dpdma_read_descriptor(XlnxDPDMAState *s,
> + uint64_t desc_addr, DPDMADescriptor *desc)
> +{
> + if (dma_memory_read(&address_space_memory, desc_addr, &desc,
> + sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) {
> + return MEMTX_ERROR;
You should return the return value you got from dma_memory_read() here.
> + }
> +
> + /* Convert from LE into host endianness. */
> + desc->control = le32_to_cpu(desc->control);
> + desc->descriptor_id = le32_to_cpu(desc->descriptor_id);
> + desc->xfer_size = le32_to_cpu(desc->xfer_size);
> + desc->line_size_stride = le32_to_cpu(desc->line_size_stride);
> + desc->timestamp_lsb = le32_to_cpu(desc->timestamp_lsb);
> + desc->timestamp_msb = le32_to_cpu(desc->timestamp_msb);
> + desc->address_extension = le32_to_cpu(desc->address_extension);
> + desc->next_descriptor = le32_to_cpu(desc->next_descriptor);
> + desc->source_address = le32_to_cpu(desc->source_address);
> + desc->address_extension_23 = le32_to_cpu(desc->address_extension_23);
> + desc->address_extension_45 = le32_to_cpu(desc->address_extension_45);
> + desc->source_address2 = le32_to_cpu(desc->source_address2);
> + desc->source_address3 = le32_to_cpu(desc->source_address3);
> + desc->source_address4 = le32_to_cpu(desc->source_address4);
> + desc->source_address5 = le32_to_cpu(desc->source_address5);
> + desc->crc = le32_to_cpu(desc->crc);
> +
> + return MEMTX_OK;
> +}
> +
> +static void xlnx_dpdma_write_descriptor(uint64_t desc_addr,
> + DPDMADescriptor *desc)
> +{
> + DPDMADescriptor* tmp_desc = (DPDMADescriptor *)malloc(sizeof(DPDMADescriptor));
> + memcpy(tmp_desc, desc, sizeof(desc));
The descriptor structure is not very big, we don't need to malloc it.
So we can do:
DPDMADescriptor tmp_desc = *desc;
(adjusting the code below to match).
> +
> + /* Convert from host endianness into LE. */
> + tmp_desc->control = cpu_to_le32(tmp_desc->control);
> + tmp_desc->descriptor_id = cpu_to_le32(tmp_desc->descriptor_id);
> + tmp_desc->xfer_size = cpu_to_le32(tmp_desc->xfer_size);
> + tmp_desc->line_size_stride = cpu_to_le32(tmp_desc->line_size_stride);
> + tmp_desc->timestamp_lsb = cpu_to_le32(tmp_desc->timestamp_lsb);
> + tmp_desc->timestamp_msb = cpu_to_le32(tmp_desc->timestamp_msb);
> + tmp_desc->address_extension = cpu_to_le32(tmp_desc->address_extension);
> + tmp_desc->next_descriptor = cpu_to_le32(tmp_desc->next_descriptor);
> + tmp_desc->source_address = cpu_to_le32(tmp_desc->source_address);
> + tmp_desc->address_extension_23 = cpu_to_le32(tmp_desc->address_extension_23);
> + tmp_desc->address_extension_45 = cpu_to_le32(tmp_desc->address_extension_45);
> + tmp_desc->source_address2 = cpu_to_le32(tmp_desc->source_address2);
> + tmp_desc->source_address3 = cpu_to_le32(tmp_desc->source_address3);
> + tmp_desc->source_address4 = cpu_to_le32(tmp_desc->source_address4);
> + tmp_desc->source_address5 = cpu_to_le32(tmp_desc->source_address5);
> + tmp_desc->crc = cpu_to_le32(tmp_desc->crc);
> +
> + dma_memory_write(&address_space_memory, desc_addr, tmp_desc,
> + sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED);
I know we don't check the return value at the callsite, but we might
as well do "return dma_memory_write(...)" here.
> +}
> +
> size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
> bool one_desc)
> {
> @@ -651,8 +708,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
> desc_addr = xlnx_dpdma_descriptor_next_address(s, channel);
> }
>
> - if (dma_memory_read(&address_space_memory, desc_addr, &desc,
> - sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) {
> + if (xlnx_dpdma_read_descriptor(s, desc_addr, &desc)) {
> s->registers[DPDMA_EISR] |= ((1 << 1) << channel);
> xlnx_dpdma_update_irq(s);
> s->operation_finished[channel] = true;
> @@ -755,8 +811,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
> /* The descriptor need to be updated when it's completed. */
> DPRINTF("update the descriptor with the done flag set.\n");
> xlnx_dpdma_desc_set_done(&desc);
> - dma_memory_write(&address_space_memory, desc_addr, &desc,
> - sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED);
> + xlnx_dpdma_write_descriptor(desc_addr, &desc);
> }
>
> if (xlnx_dpdma_desc_completion_interrupt(&desc)) {
> --
> 2.30.2
thanks
-- PMM
© 2016 - 2024 Red Hat, Inc.