[Qemu-commits] [qemu/qemu] 07e415: fdc: Rename fdctrl_reset_fifo() to fd


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 07e415: fdc: Rename fdctrl_reset_fifo() to fdctrl_to_comma...
Date: Mon, 08 Jun 2015 07:30:06 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 07e415f2398d9cfb21cdd5ef902445032ba54556
      https://github.com/qemu/qemu/commit/07e415f2398d9cfb21cdd5ef902445032ba54556
  Author: Kevin Wolf <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/block/fdc.c

  Log Message:
  -----------
  fdc: Rename fdctrl_reset_fifo() to fdctrl_to_command_phase()

What all callers of fdctrl_reset_fifo() really want to do is to start
the command phase, where writes to the data port initiate a new command.

The function doesn't only clear the FIFO, but also sets up the state so
that a new command can be received. Rename it to reflect this.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>


  Commit: 83a260135f13db8b5d7df72090864a5ebcef2845
      https://github.com/qemu/qemu/commit/83a260135f13db8b5d7df72090864a5ebcef2845
  Author: Kevin Wolf <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/block/fdc.c

  Log Message:
  -----------
  fdc: Rename fdctrl_set_fifo() to fdctrl_to_result_phase()

What callers really do with this function is to switch from execution
phase (including data transfers) to result phase where the guest can
read out one or more status bytes from the FIFO (the number depends on
the command).

Rename the function accordingly.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>


  Commit: 85d291a08c91c07927bbbd29f72a27d3ad7478f3
      https://github.com/qemu/qemu/commit/85d291a08c91c07927bbbd29f72a27d3ad7478f3
  Author: Kevin Wolf <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/block/fdc.c

  Log Message:
  -----------
  fdc: Introduce fdctrl->phase

The floppy controller spec describes three different controller phases,
which are currently not explicitly modelled in our emulation. Instead,
each phase is represented by a combination of flags in registers.

This patch makes explicit in which phase the controller currently is.

Signed-off-by: Kevin Wolf <address@hidden>
Acked-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>


  Commit: 5b0a25e8d2f15f89255c745c71d297b5b24d138c
      https://github.com/qemu/qemu/commit/5b0a25e8d2f15f89255c745c71d297b5b24d138c
  Author: Kevin Wolf <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/block/fdc.c

  Log Message:
  -----------
  fdc: Use phase in fdctrl_write_data()

Instead of relying on a flag in the MSR to distinguish controller phases,
use the explicit phase that we store now. Assertions of the right MSR
flags are added.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>


  Commit: d275b33d76c8ed9d5a3dca22ea0fdec8d5a5c8e6
      https://github.com/qemu/qemu/commit/d275b33d76c8ed9d5a3dca22ea0fdec8d5a5c8e6
  Author: Kevin Wolf <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/block/fdc.c

  Log Message:
  -----------
  fdc: Code cleanup in fdctrl_write_data()

Factor out a few common lines of code, reformat, improve comments.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>


  Commit: f6c2d1d8425fd0ca450d515b06821e2224d4b43c
      https://github.com/qemu/qemu/commit/f6c2d1d8425fd0ca450d515b06821e2224d4b43c
  Author: Kevin Wolf <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/block/fdc.c

  Log Message:
  -----------
  fdc: Disentangle phases in fdctrl_read_data()

This commit makes similar improvements as have already been made to the
write function: Instead of relying on a flag in the MSR to distinguish
controller phases, use the explicit phase that we store now. Assertions
of the right MSR flags are added.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>


  Commit: 6cc8a11c84ddc18c64fc88d54c8e9dca24ada489
      https://github.com/qemu/qemu/commit/6cc8a11c84ddc18c64fc88d54c8e9dca24ada489
  Author: Kevin Wolf <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/block/fdc.c

  Log Message:
  -----------
  fdc: Fix MSR.RQM flag

The RQM bit in MSR should be set whenever the guest is supposed to
access the FIFO, and it should be cleared in all other cases. This is
important so the guest can't continue writing/reading the FIFO beyond
the length that it's supposed to access (see CVE-2015-3456).

Commit e9077462 fixed the CVE by adding code that avoids the buffer
overflow; however it doesn't correct the wrong behaviour of the floppy
controller which should already have cleared RQM.

Currently, RQM stays set all the time and during all phases while a
command is being processed. This is error-prone because the command has
to explicitly clear the flag if it doesn't need data (and indeed, the
two buggy commands that are the culprits for the CVE just forgot to do
that).

This patch clears RQM immediately as soon as all bytes that are expected
have been received. If the FIFO is used in the next phase, the flag
has to be set explicitly there.

It also clears RQM after receiving all bytes even if the phase transition
immediately sets it again. While it's technically not necessary at the
moment because the state between clearing and setting RQM is not
observable by the guest, this is more explicit and matches how real
hardware works. It will actually become necessary in qemu once
asynchronous code paths are introduced.

This alone should have been enough to fix the CVE, but now we have two
lines of defense - even better.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>
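
The phase model introduced by the "Introduce fdctrl->phase" and "Use phase in fdctrl_write_data()" commits, together with the RQM rule from the "Fix MSR.RQM flag" commit, as a constructed C model added here. This is not QEMU's hw/block/fdc.c and not the author's code: the MSR bit positions follow the 82077 register layout, but the `struct fdc` fields, the `fdc_*` function names, the two-entry command table and the status bytes are assumptions made for this example. It shows the two lines of defense the last commit message describes: RQM is cleared as soon as the expected bytes are in, so a stray guest access is refused by the controller state, and an independent bounds check on the FIFO index stays in place regardless.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the three controller phases and the RQM rule from the
 * commit messages above. MSR bit positions follow the 82077 layout; all names
 * here are assumptions for this example, not QEMU's hw/block/fdc.c. */
#define MSR_RQM     0x80  /* guest may access the FIFO right now */
#define MSR_DIO     0x40  /* set: guest reads the FIFO; clear: guest writes it */
#define MSR_CMDBUSY 0x10  /* a command is being processed */
#define FIFO_SIZE   16

enum fdc_phase { FD_PHASE_COMMAND, FD_PHASE_EXECUTION, FD_PHASE_RESULT };

struct fdc {
    enum fdc_phase phase;
    uint8_t msr, fifo[FIFO_SIZE];
    unsigned pos, len, refused;  /* transferred, expected, rejected accesses */
};
static struct fdc demo;  /* a controller instance for quick experiments */

/* Constructed command table: opcode -> parameter bytes, result bytes. */
struct fdc_cmd { uint8_t opcode; unsigned params, results; };
static const struct fdc_cmd fdc_cmds[] = {
    { 0x03, 2, 0 },  /* SPECIFY: two parameters, no result phase */
    { 0x08, 0, 2 },  /* SENSE INTERRUPT STATUS: no parameters, ST0 + PCN */
};

static const struct fdc_cmd *fdc_lookup(uint8_t opcode)
{
    for (size_t i = 0; i < sizeof fdc_cmds / sizeof fdc_cmds[0]; i++)
        if (fdc_cmds[i].opcode == opcode) return &fdc_cmds[i];
    return NULL;
}

static int fdc_refuse(struct fdc *f) { f->refused++; return -1; }

/* Command phase: FIFO empty, RQM set and DIO clear, so the guest may write. */
void fdc_to_command_phase(struct fdc *f)
{
    f->phase = FD_PHASE_COMMAND;
    f->pos = f->len = 0;   /* len is unknown until the opcode arrives */
    memset(f->fifo, 0, sizeof f->fifo);
    f->msr = MSR_RQM;
}

/* Result phase: status bytes in the FIFO, RQM and DIO set, so the guest may read. */
void fdc_to_result_phase(struct fdc *f, const uint8_t *status, unsigned n)
{
    f->phase = FD_PHASE_RESULT;
    f->pos = 0; f->len = n;
    memcpy(f->fifo, status, n);
    f->msr = MSR_RQM | MSR_DIO | MSR_CMDBUSY;
}

void fdc_reset(struct fdc *f) { memset(f, 0, sizeof *f); fdc_to_command_phase(f); }

/* Guest write to the data port: 0 if accepted, -1 if refused. */
int fdc_write_data(struct fdc *f, uint8_t value)
{
    /* First line of defense: a write is only due with RQM set and DIO clear.
     * The pos check is the independent bounds guard, the second line. */
    if (!(f->msr & MSR_RQM) || (f->msr & MSR_DIO) || f->pos >= FIFO_SIZE)
        return fdc_refuse(f);
    f->fifo[f->pos++] = value;
    if (f->pos == 1) {   /* the opcode decides how many more bytes to expect */
        const struct fdc_cmd *cmd = fdc_lookup(value);
        if (!cmd) {      /* unknown opcode: single ST0 "invalid command" byte */
            uint8_t st0 = 0x80;
            fdc_to_result_phase(f, &st0, 1);
            return 0;
        }
        f->len = 1 + cmd->params;
        f->msr |= MSR_CMDBUSY;
    }
    if (f->pos == f->len) {
        /* All expected bytes are in: clear RQM before executing, so a byte the
         * command never asked for is refused whatever the next phase sets. */
        f->msr &= ~MSR_RQM;
        const struct fdc_cmd *cmd = fdc_lookup(f->fifo[0]);
        uint8_t status[2] = { 0xC0, 0x00 };   /* constructed ST0, PCN */
        if (cmd->results == 0) fdc_to_command_phase(f);
        else fdc_to_result_phase(f, status, cmd->results);
    }
    return 0;
}

/* Guest read from the data port: the byte, or -1 if refused. */
int fdc_read_data(struct fdc *f)
{
    if (!(f->msr & MSR_RQM) || !(f->msr & MSR_DIO) || f->pos >= FIFO_SIZE)
        return fdc_refuse(f);
    uint8_t value = f->fifo[f->pos++];
    if (f->pos == f->len) {   /* last status byte read: back to command phase */
        f->msr &= ~MSR_RQM;
        fdc_to_command_phase(f);
    }
    return value;
}
```

Driving `demo` with `fdc_reset`, then `fdc_write_data(&demo, 0x08)` followed by another write, shows the point of the RQM fix: the controller is in the result phase with DIO set, so the second write is refused and counted in `refused` instead of landing in the FIFO, and the two reads that follow return the status bytes and put the controller back into the command phase. The `pos >= FIFO_SIZE` test never fires while the phase logic is correct; it is kept precisely so that a future bug in the phase logic cannot turn into an out-of-bounds FIFO access.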


  Commit: 4964e18e490f3ecad35c9e4cc9b613316a98755e
      https://github.com/qemu/qemu/commit/4964e18e490f3ecad35c9e4cc9b613316a98755e
  Author: Kevin Wolf <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M tests/fdc-test.c

  Log Message:
  -----------
  fdc-test: Test state for existing cases more thoroughly

This just adds a few additional checks of the MSR and interrupt pin to
the already existing test cases.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>


  Commit: 0389b8f8c7688fe512e16bdc00c5f35d2d8df12c
      https://github.com/qemu/qemu/commit/0389b8f8c7688fe512e16bdc00c5f35d2d8df12c
  Author: Mark Cave-Ayland <address@hidden>
  Date:   2015-06-04 (Thu, 04 Jun 2015)

  Changed paths:
    M hw/ide/macio.c

  Log Message:
  -----------
  macio: switch pmac_dma_read() over to new offset/len implementation

For better handling of unaligned block device accesses.

Signed-off-by: Mark Cave-Ayland <address@hidden>
Reviewed-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>


  Commit: ac58fe7b2c67a9be142beacd4c6ee51f3264d90f
      https://github.com/qemu/qemu/commit/ac58fe7b2c67a9be142beacd4c6ee51f3264d90f
  Author: Mark Cave-Ayland <address@hidden>
  Date:   2015-06-04 (Thu, 04 Jun 2015)

  Changed paths:
    M hw/ide/macio.c
    M include/hw/ppc/mac_dbdma.h

  Log Message:
  -----------
  macio: switch pmac_dma_write() over to new offset/len implementation

In particular, this fixes a bug whereby chains of overlapping head/tail chains
would incorrectly write over each other's remainder cache. This is the access
pattern used by OS X/Darwin and fixes an issue with a corrupt Darwin
installation in my local tests.

While we are here, rename the DBDMA_io struct property remainder to
head_remainder for clarification.

Signed-off-by: Mark Cave-Ayland <address@hidden>
Reviewed-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>


  Commit: b01d44cd0623dec66e583d6cd2438451443261df
      https://github.com/qemu/qemu/commit/b01d44cd0623dec66e583d6cd2438451443261df
  Author: Mark Cave-Ayland <address@hidden>
  Date:   2015-06-04 (Thu, 04 Jun 2015)

  Changed paths:
    M hw/ide/macio.c

  Log Message:
  -----------
  macio: update comment/constants to reflect the new code

With the offset/len functions taking care of all of the alignment mapping
in isolation from the DMA transaction, many comments are now unnecessary.
Remove these and tidy up a few constants at the same time.

Signed-off-by: Mark Cave-Ayland <address@hidden>
Reviewed-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>


  Commit: 0ba98885a0e965a17df214ab12b819ef630d8a14
      https://github.com/qemu/qemu/commit/0ba98885a0e965a17df214ab12b819ef630d8a14
  Author: Mark Cave-Ayland <address@hidden>
  Date:   2015-06-04 (Thu, 04 Jun 2015)

  Changed paths:
    M hw/ide/macio.c
    M include/hw/ppc/mac_dbdma.h

  Log Message:
  -----------
  macio: remove remainder_len DBDMA_io property

Since the block alignment code is now effectively independent of the DMA
implementation, this variable is no longer required and can be removed.

Signed-off-by: Mark Cave-Ayland <address@hidden>
Reviewed-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>


  Commit: 2e29dd7c44db30e3d3c108ab2a622cbdac6d16f0
      https://github.com/qemu/qemu/commit/2e29dd7c44db30e3d3c108ab2a622cbdac6d16f0
  Author: Peter Maydell <address@hidden>
  Date:   2015-06-08 (Mon, 08 Jun 2015)

  Changed paths:
    M hw/block/fdc.c
    M hw/ide/macio.c
    M include/hw/ppc/mac_dbdma.h
    M tests/fdc-test.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into staging

# gpg: Signature made Fri Jun  5 20:59:07 2015 BST using RSA key ID AAFC390E
# gpg: Good signature from "John Snow (John Huston) <address@hidden>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 61EB
#      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 390E

* remotes/jnsnow/tags/ide-pull-request:
  macio: remove remainder_len DBDMA_io property
  macio: update comment/constants to reflect the new code
  macio: switch pmac_dma_write() over to new offset/len implementation
  macio: switch pmac_dma_read() over to new offset/len implementation
  fdc-test: Test state for existing cases more thoroughly
  fdc: Fix MSR.RQM flag
  fdc: Disentangle phases in fdctrl_read_data()
  fdc: Code cleanup in fdctrl_write_data()
  fdc: Use phase in fdctrl_write_data()
  fdc: Introduce fdctrl->phase
  fdc: Rename fdctrl_set_fifo() to fdctrl_to_result_phase()
  fdc: Rename fdctrl_reset_fifo() to fdctrl_to_command_phase()

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/0daba1f037ab...2e29dd7c44db
