From: Klaus Jensen
To: Peter Maydell, qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Keith Busch, Hanna Reitz, qemu-block@nongnu.org, Klaus Jensen, Stefan Hajnoczi, Fam Zheng, Kevin Wolf, Klaus Jensen
Subject: [PULL 1/2] hw/nvme: fix oob memory read in fdp events log
Date: Mon, 7 Aug 2023 13:54:01 +0200
Message-ID: <20230807115359.123-5-its@irrelevant.dk>
In-Reply-To: <20230807115359.123-4-its@irrelevant.dk>
References: <20230807115359.123-4-its@irrelevant.dk>
Content-Transfer-Encoding: quoted-printable

From: Klaus Jensen

As reported by Trend Micro's Zero Day Initiative, an oob memory read vulnerability exists in nvme_fdp_events(). The host-provided offset is not verified. Fix this. This is only exploitable when Flexible Data Placement mode (fdp=on) is enabled.

Fixes: CVE-2023-4135
Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation")
Reported-by: Trend Micro's Zero Day Initiative
Signed-off-by: Klaus Jensen
--- hw/nvme/ctrl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index f2e5a2fa737b..e9b5a55811b8 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c 
@@ -5120,6 +5120,11 @@ static uint16_t nvme_fdp_events(NvmeCtrl *n, uint32_= t endgrpid, } =20 log_size =3D sizeof(NvmeFdpEventsLog) + ebuf->nelems * sizeof(NvmeFdpE= vent); + + if (off >=3D log_size) { + return NVME_INVALID_FIELD | NVME_DNR; + } + trans_len =3D MIN(log_size - off, buf_len); elog =3D g_malloc0(log_size); elog->num_events =3D cpu_to_le32(ebuf->nelems); --=20 2.41.0
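
Review bot: The guard added in nvme_fdp_events() just above trans_len = MIN(log_size - off, buf_len) carries no comment, so nothing in the code records that off is host-provided and must lie inside the log before it is subtracted from log_size. A one-line comment to that effect above the if (off >= log_size) test would keep the check from being dropped in a later cleanup. Placement is right: it runs before g_malloc0(log_size), so the early return with NVME_INVALID_FIELD | NVME_DNR leaks nothing, and using >= also rejects an offset exactly at the end of the log.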

From: Klaus Jensen
To: Peter Maydell, qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Keith Busch, Hanna Reitz, qemu-block@nongnu.org, Klaus Jensen, Stefan Hajnoczi, Fam Zheng, Kevin Wolf, Klaus Jensen
Subject: [PULL 2/2] hw/nvme: fix compliance issue wrt. iosqes/iocqes
Date: Mon, 7 Aug 2023 13:54:02 +0200
Message-ID: <20230807115359.123-6-its@irrelevant.dk>
In-Reply-To: <20230807115359.123-4-its@irrelevant.dk>
References: <20230807115359.123-4-its@irrelevant.dk>
Content-Transfer-Encoding: quoted-printable

From: Klaus Jensen

As of prior to this patch, the controller checks the value of CC.IOCQES and CC.IOSQES prior to enabling the controller. As reported by Ben in GitLab issue #1691, this is not spec compliant. The controller should only check these values when queues are created. This patch moves these checks to nvme_create_cq(). We do not need to check it in nvme_create_sq() since that will error out if the completion queue is not already created. Also, since the controller exclusively supports SQEs of size 64 bytes and CQEs of size 16 bytes, hard code that.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1691
Signed-off-by: Klaus Jensen
--- hw/nvme/ctrl.c | 46 ++++++++++++-------------------------------- hw/nvme/nvme.h | 9 +++++++-- hw/nvme/trace-events | 1 + 3 files changed, 20 insertions(+), 36 deletions(-) diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index e9b5a55811b8..d217ae91b506 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -1507,7 +1507,7 @@ static void nvme_post_cqes(void *opaque) req->cqe.status =3D cpu_to_le16((req->status << 1) | cq->phase); req->cqe.sq_id =3D cpu_to_le16(sq->sqid); req->cqe.sq_head =3D cpu_to_le16(sq->head); - addr =3D cq->dma_addr + cq->tail * n->cqe_size; + addr =3D cq->dma_addr + (cq->tail << NVME_CQES); ret =3D pci_dma_write(PCI_DEVICE(n), addr, (void *)&req->cqe, sizeof(req->cqe)); if (ret) { 
@@ -5300,10 +5300,18 @@ static uint16_t nvme_create_cq(NvmeCtrl *n, NvmeReq= uest *req) uint16_t qsize =3D le16_to_cpu(c->qsize); uint16_t qflags =3D le16_to_cpu(c->cq_flags); uint64_t prp1 =3D le64_to_cpu(c->prp1); + uint32_t cc =3D ldq_le_p(&n->bar.cc); + uint8_t iocqes =3D NVME_CC_IOCQES(cc); + uint8_t iosqes =3D NVME_CC_IOSQES(cc); =20 trace_pci_nvme_create_cq(prp1, cqid, vector, qsize, qflags, NVME_CQ_FLAGS_IEN(qflags) !=3D 0); =20 + if (iosqes !=3D NVME_SQES || iocqes !=3D NVME_CQES) { + trace_pci_nvme_err_invalid_create_cq_entry_size(iosqes, iocqes); + return NVME_MAX_QSIZE_EXCEEDED | NVME_DNR; + } + if (unlikely(!cqid || cqid > n->conf_ioqpairs || n->cq[cqid] !=3D NULL= )) { trace_pci_nvme_err_invalid_create_cq_cqid(cqid); return NVME_INVALID_QID | NVME_DNR; @@ -7000,7 +7008,7 @@ static void nvme_process_sq(void *opaque) } =20 while (!(nvme_sq_empty(sq) || QTAILQ_EMPTY(&sq->req_list))) { - addr =3D sq->dma_addr + sq->head * n->sqe_size; + addr =3D sq->dma_addr + (sq->head << NVME_SQES); if (nvme_addr_read(n, addr, (void *)&cmd, sizeof(cmd))) { trace_pci_nvme_err_addr_read(addr); trace_pci_nvme_err_cfs(); 
@@ -7225,34 +7233,6 @@ static int nvme_start_ctrl(NvmeCtrl *n) NVME_CAP_MPSMAX(cap)); return -1; } - if (unlikely(NVME_CC_IOCQES(cc) < - NVME_CTRL_CQES_MIN(n->id_ctrl.cqes))) { - trace_pci_nvme_err_startfail_cqent_too_small( - NVME_CC_IOCQES(cc), - NVME_CTRL_CQES_MIN(cap)); - return -1; - } - if (unlikely(NVME_CC_IOCQES(cc) > - NVME_CTRL_CQES_MAX(n->id_ctrl.cqes))) { - trace_pci_nvme_err_startfail_cqent_too_large( - NVME_CC_IOCQES(cc), - NVME_CTRL_CQES_MAX(cap)); - return -1; - } - if (unlikely(NVME_CC_IOSQES(cc) < - NVME_CTRL_SQES_MIN(n->id_ctrl.sqes))) { - trace_pci_nvme_err_startfail_sqent_too_small( - NVME_CC_IOSQES(cc), - NVME_CTRL_SQES_MIN(cap)); - return -1; - } - if (unlikely(NVME_CC_IOSQES(cc) > - NVME_CTRL_SQES_MAX(n->id_ctrl.sqes))) { - trace_pci_nvme_err_startfail_sqent_too_large( - NVME_CC_IOSQES(cc), - NVME_CTRL_SQES_MAX(cap)); - return -1; - } if (unlikely(!NVME_AQA_ASQS(aqa))) { trace_pci_nvme_err_startfail_asqent_sz_zero(); return -1; @@ -7265,8 +7245,6 @@ static int nvme_start_ctrl(NvmeCtrl *n) n->page_bits =3D page_bits; n->page_size =3D page_size; n->max_prp_ents =3D n->page_size / sizeof(uint64_t); - n->cqe_size =3D 1 << NVME_CC_IOCQES(cc); - n->sqe_size =3D 1 << NVME_CC_IOSQES(cc); nvme_init_cq(&n->admin_cq, n, acq, 0, 0, NVME_AQA_ACQS(aqa) + 1, 1); nvme_init_sq(&n->admin_sq, n, asq, 0, 0, NVME_AQA_ASQS(aqa) + 1); =20 @@ -8235,8 +8213,8 @@ static void nvme_init_ctrl(NvmeCtrl *n, PCIDevice *pc= i_dev) id->wctemp =3D cpu_to_le16(NVME_TEMPERATURE_WARNING); id->cctemp =3D cpu_to_le16(NVME_TEMPERATURE_CRITICAL); =20 - id->sqes =3D (0x6 << 4) | 0x6; - id->cqes =3D (0x4 << 4) | 0x4; + id->sqes =3D (NVME_SQES << 4) | NVME_SQES; + id->cqes =3D (NVME_CQES << 4) | NVME_CQES; id->nn =3D cpu_to_le32(NVME_MAX_NAMESPACES); id->oncs =3D cpu_to_le16(NVME_ONCS_WRITE_ZEROES | NVME_ONCS_TIMESTAMP | NVME_ONCS_FEATURES | NVME_ONCS_DSM | diff --git a/hw/nvme/nvme.h b/hw/nvme/nvme.h index 209e8f5b4c08..5f2ae7b28b9c 100644 --- a/hw/nvme/nvme.h +++ b/hw/nvme/nvme.h 
@@ -30,6 +30,13 @@ #define NVME_FDP_MAX_EVENTS 63 #define NVME_FDP_MAXPIDS 128 =20 +/* + * The controller only supports Submission and Completion Queue Entry Size= s of + * 64 and 16 bytes respectively. + */ +#define NVME_SQES 6 +#define NVME_CQES 4 + QEMU_BUILD_BUG_ON(NVME_MAX_NAMESPACES > NVME_NSID_BROADCAST - 1); =20 typedef struct NvmeCtrl NvmeCtrl; @@ -530,8 +537,6 @@ typedef struct NvmeCtrl { uint32_t page_size; uint16_t page_bits; uint16_t max_prp_ents; - uint16_t cqe_size; - uint16_t sqe_size; uint32_t max_q_ents; uint8_t outstanding_aers; uint32_t irq_status; diff --git a/hw/nvme/trace-events b/hw/nvme/trace-events index 9afddf3b951c..3a67680c6ad1 100644 --- a/hw/nvme/trace-events +++ b/hw/nvme/trace-events @@ -168,6 +168,7 @@ pci_nvme_err_invalid_create_cq_size(uint16_t size) "fai= led creating completion q pci_nvme_err_invalid_create_cq_addr(uint64_t addr) "failed creating comple= tion queue, addr=3D0x%"PRIx64"" pci_nvme_err_invalid_create_cq_vector(uint16_t vector) "failed creating co= mpletion queue, vector=3D%"PRIu16"" pci_nvme_err_invalid_create_cq_qflags(uint16_t qflags) "failed creating co= mpletion queue, qflags=3D%"PRIu16"" +pci_nvme_err_invalid_create_cq_entry_size(uint8_t iosqes, uint8_t iocqes) = "iosqes %"PRIu8" iocqes %"PRIu8"" pci_nvme_err_invalid_identify_cns(uint16_t cns) "identify, invalid cns=3D0= x%"PRIx16"" pci_nvme_err_invalid_getfeat(int dw10) "invalid get features, dw10=3D0x%"P= RIx32"" pci_nvme_err_invalid_setfeat(uint32_t dw10) "invalid set features, dw10=3D= 0x%"PRIx32"" --=20 2.41.0
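
Review bot: In the nvme_create_cq() hunk, the new declaration uint32_t cc = ldq_le_p(&n->bar.cc) uses the 64-bit load helper for a value that is kept in a 32-bit variable, so the load spans more than the CC field and the upper half is silently truncated. Use ldl_le_p() here. In the same hunk, the entry-size test is not wrapped in unlikely() like the cqid test directly below it, and NVME_MAX_QSIZE_EXCEEDED reads as an entry-count error, so a short comment saying it is the intended status for an IOSQES/IOCQES mismatch, and that nvme_create_sq() relies on this check having run, would move the reasoning from the commit message into the code.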
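
Review bot: The nvme_start_ctrl() hunk removes the calls to trace_pci_nvme_err_startfail_cqent_too_small, trace_pci_nvme_err_startfail_cqent_too_large, trace_pci_nvme_err_startfail_sqent_too_small and trace_pci_nvme_err_startfail_sqent_too_large, but the hw/nvme/trace-events hunk only adds pci_nvme_err_invalid_create_cq_entry_size and the diffstat shows a single insertion in that file. If these four events have no other users, drop their definitions from trace-events in this patch so no dead trace points are left behind.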
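
Review bot: The hw/nvme/nvme.h hunk defines NVME_SQES and NVME_CQES as bare shift counts, while the nvme_process_sq() and nvme_post_cqes() hunks step the queue address by (head << NVME_SQES) and (tail << NVME_CQES) yet transfer sizeof(cmd) and sizeof(req->cqe) bytes. Nothing ties the stride to the structure size. A QEMU_BUILD_BUG_ON next to the new defines, in the style of the one already visible in this hunk, asserting that each entry struct is exactly 1 << NVME_SQES and 1 << NVME_CQES bytes would catch any future divergence at build time.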