From: Richard Henderson
Subject: [Qemu-commits] [qemu/qemu] edccf6: hw/ppc: check if spapr_drc_index() returns NULL in...
Date: Thu, 28 Jul 2022 17:28:02 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: edccf661e6205d5ffff73860ab22eaf08a611ad9
  https://github.com/qemu/qemu/commit/edccf661e6205d5ffff73860ab22eaf08a611ad9
  Author: Daniel Henrique Barboza <danielhb413@gmail.com>
  Date:   2022-07-28 (Thu, 28 Jul 2022)

  Changed paths:
    M hw/ppc/spapr_nvdimm.c

  Log Message:
  -----------
  hw/ppc: check if spapr_drc_index() returns NULL in spapr_nvdimm.c

spapr_nvdimm_flush_completion_cb() and flush_worker_cb() are using the
DRC object returned by spapr_drc_index() without checking it for NULL.
In this case we would be dereferencing a NULL pointer when doing
SPAPR_NVDIMM(drc->dev) and PC_DIMM(drc->dev).

This can happen if, during a scm_flush(), the DRC object is wrongly
freed/released (e.g. a bug in another part of the code).
spapr_drc_index() would then return NULL in the callbacks.

Fixes: Coverity CID 1487108, 1487178
Reviewed-by: Greg Kurz <groug@kaod.org>
Message-Id: <20220409200856.283076-2-danielhb413@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>


  Commit: eda3f17bcd7b96cf43b1aead3c1c93a2dbbd21ae
  https://github.com/qemu/qemu/commit/eda3f17bcd7b96cf43b1aead3c1c93a2dbbd21ae
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2022-07-28 (Thu, 28 Jul 2022)

  Changed paths:
    M hw/ppc/ppc440_uc.c

  Log Message:
  -----------
  hw/ppc/ppc440_uc: Initialize length passed to cpu_physical_memory_map()

In dcr_write_dma(), there is code that uses cpu_physical_memory_map()
to implement a DMA transfer.  That function takes a 'plen' argument,
which points to a hwaddr which is used for both input and output: the
caller must set it to the size of the range it wants to map, and on
return it is updated to the actual length mapped. The dcr_write_dma()
code fails to initialize rlen and wlen, so will end up mapping an
unpredictable amount of memory.

Initialize the length values correctly, and check that we managed to
map the entire range before using the fast-path memmove().

This was spotted by Coverity, which points out that we never
initialized the variables before using them.

Fixes: Coverity CID 1487137, 1487150
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220726182341.1888115-2-peter.maydell@linaro.org>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>

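The in/out length contract described in the commit message above, shown as an added, stand-alone example (not QEMU's code): `sim_memory_map()` is an assumed stand-in for `cpu_physical_memory_map()` that takes the requested size in through `*plen` and writes back the length actually mapped, backed by a constructed 64-byte guest RAM window. `dma_copy()` applies the pattern the fix describes: both lengths are initialised to the requested count, and the `memmove()` fast path is only taken when both mappings cover the whole range; otherwise it falls back to a byte-wise slow path that stops at the end of the backed region.

```c
/* Added example, not QEMU code: models the in/out length argument of
 * cpu_physical_memory_map() and the caller-side checks the fix relies on. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_RAM_SIZE 64u

/* Constructed guest memory: one contiguous region at guest address 0. */
static uint8_t guest_ram[GUEST_RAM_SIZE];

/* Assumed stand-in for cpu_physical_memory_map(): *plen carries the
 * requested size in and the mapped length out. Only [0, GUEST_RAM_SIZE)
 * is backed, so a request that crosses the end is truncated. */
static uint8_t *sim_memory_map(uint64_t addr, uint64_t *plen, bool is_write)
{
    (void)is_write;
    if (addr >= GUEST_RAM_SIZE) {
        *plen = 0;
        return NULL;
    }
    if (addr + *plen > GUEST_RAM_SIZE) {
        *plen = GUEST_RAM_SIZE - addr;   /* partial mapping reported to caller */
    }
    return guest_ram + addr;
}

/* Slow path: one byte at a time; returns the number of bytes transferred,
 * stopping as soon as either side can no longer be mapped. */
static uint64_t dma_copy_slow(uint64_t src, uint64_t dst, uint64_t count)
{
    uint64_t done = 0;
    for (; done < count; done++) {
        uint64_t rlen = 1, wlen = 1;
        uint8_t *r = sim_memory_map(src + done, &rlen, false);
        uint8_t *w = sim_memory_map(dst + done, &wlen, true);
        if (!r || !w || rlen != 1 || wlen != 1) {
            break;
        }
        *w = *r;
    }
    return done;
}

/* Fixed pattern: initialise both lengths before the call (the bug was
 * leaving them indeterminate) and take the memmove() fast path only when
 * both mappings cover the full range. *fast reports which path ran. */
static uint64_t dma_copy(uint64_t src, uint64_t dst, uint64_t count, bool *fast)
{
    uint64_t rlen = count, wlen = count;   /* requested sizes go in here */
    uint8_t *rptr = sim_memory_map(src, &rlen, false);
    uint8_t *wptr = sim_memory_map(dst, &wlen, true);

    if (rptr && wptr && rlen == count && wlen == count) {
        memmove(wptr, rptr, count);        /* whole range mapped on both sides */
        *fast = true;
        return count;
    }
    *fast = false;
    return dma_copy_slow(src, dst, count);
}

/* Fill the constructed RAM with a recognisable byte pattern (ram[i] == i). */
static void fill_pattern(void)
{
    for (unsigned i = 0; i < GUEST_RAM_SIZE; i++) {
        guest_ram[i] = (uint8_t)i;
    }
}

int main(void)
{
    bool fast;
    fill_pattern();
    uint64_t n = dma_copy(0, 32, 16, &fast);
    printf("in-range transfer: %llu bytes, fast path: %s\n",
           (unsigned long long)n, fast ? "yes" : "no");
    n = dma_copy(8, 56, 16, &fast);
    printf("transfer crossing end of RAM: %llu bytes, fast path: %s\n",
           (unsigned long long)n, fast ? "yes" : "no");
    return 0;
}
```

The second call requests 16 bytes at destination 56 of a 64-byte window, so `wlen` comes back as 8 rather than 16; the check on the returned lengths is what keeps `memmove()` from running past the mapped region.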

  Commit: 0c9717ff35d2fe46fa9cb91566fe2afbed9f4f2a
  https://github.com/qemu/qemu/commit/0c9717ff35d2fe46fa9cb91566fe2afbed9f4f2a
  Author: Nicholas Piggin <npiggin@gmail.com>
  Date:   2022-07-28 (Thu, 28 Jul 2022)

  Changed paths:
    M target/ppc/internal.h
    M target/ppc/translate.c

  Log Message:
  -----------
  target/ppc: Implement new wait variants

ISA v2.06 adds new variations of wait, specified by the WC field. These
are not all compatible with the prior wait implementation, because they
add additional conditions that cause the processor to resume, which can
cause software to hang or run very slowly.

At this moment, with the current wait implementation and a pseries guest
using mainline kernel with new wait opcodes [1], QEMU hangs during boot if
more than one CPU is present:

 qemu-system-ppc64 -M pseries,x-vof=on -cpu POWER10 -smp 2 -nographic -kernel zImage.pseries -no-reboot

QEMU will exit (as there's no filesystem) if the test "passes", or hang
during boot if it hits the bug.

ISA v3.0 changed the wait opcode and removed the new variants (retaining
the WC field but making non-zero values reserved).

ISA v3.1 added new WC values to the new wait opcode, and added a PL
field.

This patch implements the new wait encoding and supports WC variants
with no-op implementations, which provides basic correctness as
explained in comments.

[1] https://lore.kernel.org/all/20220720132132.903462-1-npiggin@gmail.com/

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Víctor Colombo <victor.colombo@eldorado.org.br>
Tested-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20220720133352.904263-1-npiggin@gmail.com>
[danielhb: added information about the bug being fixed]
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>


  Commit: cc42559ab129a15554cc485ea9265e34dde7ab5b
  https://github.com/qemu/qemu/commit/cc42559ab129a15554cc485ea9265e34dde7ab5b
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2022-07-28 (Thu, 28 Jul 2022)

  Changed paths:
    M hw/ppc/ppc440_uc.c
    M hw/ppc/spapr_nvdimm.c
    M target/ppc/internal.h
    M target/ppc/translate.c

  Log Message:
  -----------
  Merge tag 'pull-ppc-20220728' of https://gitlab.com/danielhb/qemu into staging

ppc patch queue for 2022-07-28:

Short queue with 2 Coverity fixes and one fix of the
'wait' insns that is causing hangs if the guest kernel uses
the most up to date wait opcode.

- target/ppc:
  - implement new wait variants to fix guest hang when using the new opcode
- ppc440_uc: initialize length passed to cpu_physical_memory_map()
- spapr_nvdimm: check if spapr_drc_index() returns NULL

# -----BEGIN PGP SIGNATURE-----
#
# iHUEABYKAB0WIQQX6/+ZI9AYAK8oOBk82cqW3gMxZAUCYuK8VgAKCRA82cqW3gMx
# ZOc7AQDPMsFY9NHNqJ3O0MiX4Qoy8IGUreZ9dzZSS3zT1nxtEAD+Lwl0/aGO+dk+
# +NiIO80A5Agy/0g8PHie4qR3EqHEnwA=
# =Q4eR
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 28 Jul 2022 09:41:58 AM PDT
# gpg:                using EDDSA key 17EBFF9923D01800AF2838193CD9CA96DE033164
# gpg: Good signature from "Daniel Henrique Barboza <danielhb413@gmail.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 17EB FF99 23D0 1800 AF28  3819 3CD9 CA96 DE03 3164

* tag 'pull-ppc-20220728' of https://gitlab.com/danielhb/qemu:
  target/ppc: Implement new wait variants
  hw/ppc/ppc440_uc: Initialize length passed to cpu_physical_memory_map()
  hw/ppc: check if spapr_drc_index() returns NULL in spapr_nvdimm.c

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>


Compare: https://github.com/qemu/qemu/compare/a17001c42329...cc42559ab129