hw/dma/xlnx_dpdma.c | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-)
Add a function xlnx_dpdma_read_descriptor() that
combines reading the descriptor from desc_addr
by calling dma_memory_read() and swapping desc
fields from guest memory order to host memory order.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d3c6369a96 ("introduce xlnx-dpdma")
Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
---
v2:minor changes in xlnx_dpdma_read_descriptor()
hw/dma/xlnx_dpdma.c | 31 +++++++++++++++++++++++++++++--
1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c
index dd66be5265..62a0952377 100644
--- a/hw/dma/xlnx_dpdma.c
+++ b/hw/dma/xlnx_dpdma.c
@@ -614,6 +614,34 @@ static void xlnx_dpdma_register_types(void)
type_register_static(&xlnx_dpdma_info);
}
+static MemTxResult xlnx_dpdma_read_descriptor(XlnxDPDMAState *s,
+ uint64_t desc_addr, DPDMADescriptor *desc)
+{
+ if (dma_memory_read(&address_space_memory, desc_addr, &desc,
+ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED))
+ return MEMTX_ERROR;
+
+ /* Convert from LE into host endianness. */
+ desc->control = le32_to_cpu(desc->control);
+ desc->descriptor_id = le32_to_cpu(desc->descriptor_id);
+ desc->xfer_size = le32_to_cpu(desc->xfer_size);
+ desc->line_size_stride = le32_to_cpu(desc->line_size_stride);
+ desc->timestamp_lsb = le32_to_cpu(desc->timestamp_lsb);
+ desc->timestamp_msb = le32_to_cpu(desc->timestamp_msb);
+ desc->address_extension = le32_to_cpu(desc->address_extension);
+ desc->next_descriptor = le32_to_cpu(desc->next_descriptor);
+ desc->source_address = le32_to_cpu(desc->source_address);
+ desc->address_extension_23 = le32_to_cpu(desc->address_extension_23);
+ desc->address_extension_45 = le32_to_cpu(desc->address_extension_45);
+ desc->source_address2 = le32_to_cpu(desc->source_address2);
+ desc->source_address3 = le32_to_cpu(desc->source_address3);
+ desc->source_address4 = le32_to_cpu(desc->source_address4);
+ desc->source_address5 = le32_to_cpu(desc->source_address5);
+ desc->crc = le32_to_cpu(desc->crc);
+
+ return MEMTX_OK;
+}
+
size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
bool one_desc)
{
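Review bot: In xlnx_dpdma_read_descriptor() the call to dma_memory_read() still passes `&desc`, but `desc` is now a `DPDMADescriptor *` parameter. `sizeof(DPDMADescriptor)` bytes read from guest memory are therefore copied over the pointer variable itself and the host memory after it, not into the caller's descriptor. The `le32_to_cpu()` assignments that follow then dereference a pointer whose value came from the guest. Pass the pointer through unchanged: `dma_memory_read(&address_space_memory, desc_addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED)`. The same call appears unchanged in the read helper of the v3 patch further down this page.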
@@ -651,8 +679,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
desc_addr = xlnx_dpdma_descriptor_next_address(s, channel);
}
- if (dma_memory_read(&address_space_memory, desc_addr, &desc,
- sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) {
+ if (xlnx_dpdma_read_descriptor(s, desc_addr, &desc)) {
s->registers[DPDMA_EISR] |= ((1 << 1) << channel);
xlnx_dpdma_update_irq(s);
s->operation_finished[channel] = true;
--
2.30.2
Hi Alexandra, On 25/4/24 12:07, Alexandra Diupina wrote: > Add a function xlnx_dpdma_read_descriptor() that > combines reading the descriptor from desc_addr > by calling dma_memory_read() and swapping desc > fields from guest memory order to host memory order. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: d3c6369a96 ("introduce xlnx-dpdma") > Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru> > --- > v2:minor changes in xlnx_dpdma_read_descriptor() > hw/dma/xlnx_dpdma.c | 31 +++++++++++++++++++++++++++++-- > 1 file changed, 29 insertions(+), 2 deletions(-) > > diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c > index dd66be5265..62a0952377 100644 > --- a/hw/dma/xlnx_dpdma.c > +++ b/hw/dma/xlnx_dpdma.c 
> @@ -614,6 +614,34 @@ static void xlnx_dpdma_register_types(void) > type_register_static(&xlnx_dpdma_info); > } > > +static MemTxResult xlnx_dpdma_read_descriptor(XlnxDPDMAState *s, > + uint64_t desc_addr, DPDMADescriptor *desc) > +{ > + if (dma_memory_read(&address_space_memory, desc_addr, &desc, > + sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) > + return MEMTX_ERROR; > + > + /* Convert from LE into host endianness. */ > + desc->control = le32_to_cpu(desc->control); > + desc->descriptor_id = le32_to_cpu(desc->descriptor_id); > + desc->xfer_size = le32_to_cpu(desc->xfer_size); > + desc->line_size_stride = le32_to_cpu(desc->line_size_stride); > + desc->timestamp_lsb = le32_to_cpu(desc->timestamp_lsb); > + desc->timestamp_msb = le32_to_cpu(desc->timestamp_msb); > + desc->address_extension = le32_to_cpu(desc->address_extension); > + desc->next_descriptor = le32_to_cpu(desc->next_descriptor); > + desc->source_address = le32_to_cpu(desc->source_address); > + desc->address_extension_23 = le32_to_cpu(desc->address_extension_23); > + desc->address_extension_45 = le32_to_cpu(desc->address_extension_45); > + desc->source_address2 = le32_to_cpu(desc->source_address2); > + desc->source_address3 = le32_to_cpu(desc->source_address3); > + desc->source_address4 = le32_to_cpu(desc->source_address4); > + desc->source_address5 = le32_to_cpu(desc->source_address5); > + desc->crc = le32_to_cpu(desc->crc); > + > + return MEMTX_OK; > +} > + > size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel, > bool one_desc) > { 
> @@ -651,8 +679,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel, > desc_addr = xlnx_dpdma_descriptor_next_address(s, channel); > } > > - if (dma_memory_read(&address_space_memory, desc_addr, &desc, > - sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) { > + if (xlnx_dpdma_read_descriptor(s, desc_addr, &desc)) { Correct, but this is incomplete, because we have the same problem on the write descriptor back path, few lines later in the xlnx_dpdma_desc_update_enabled() block. > s->registers[DPDMA_EISR] |= ((1 << 1) << channel); > xlnx_dpdma_update_irq(s); > s->operation_finished[channel] = true;
Add xlnx_dpdma_read_descriptor() and
xlnx_dpdma_write_descriptor() functions.
xlnx_dpdma_read_descriptor() combines reading a
descriptor from desc_addr by calling dma_memory_read()
and swapping the desc fields from guest memory order
to host memory order. xlnx_dpdma_write_descriptor()
performs similar actions when writing a descriptor.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d3c6369a96 ("introduce xlnx-dpdma")
Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
---
v3: add xlnx_dpdma_write_descriptor()
v2: minor changes in xlnx_dpdma_read_descriptor()
hw/dma/xlnx_dpdma.c | 59 ++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 55 insertions(+), 4 deletions(-)
diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c
index dd66be5265..7845f43221 100644
--- a/hw/dma/xlnx_dpdma.c
+++ b/hw/dma/xlnx_dpdma.c
@@ -614,6 +614,59 @@ static void xlnx_dpdma_register_types(void)
type_register_static(&xlnx_dpdma_info);
}
+static MemTxResult xlnx_dpdma_read_descriptor(XlnxDPDMAState *s,
+ uint64_t desc_addr, DPDMADescriptor *desc)
+{
+ if (dma_memory_read(&address_space_memory, desc_addr, &desc,
+ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED))
+ return MEMTX_ERROR;
+
+ /* Convert from LE into host endianness. */
+ desc->control = le32_to_cpu(desc->control);
+ desc->descriptor_id = le32_to_cpu(desc->descriptor_id);
+ desc->xfer_size = le32_to_cpu(desc->xfer_size);
+ desc->line_size_stride = le32_to_cpu(desc->line_size_stride);
+ desc->timestamp_lsb = le32_to_cpu(desc->timestamp_lsb);
+ desc->timestamp_msb = le32_to_cpu(desc->timestamp_msb);
+ desc->address_extension = le32_to_cpu(desc->address_extension);
+ desc->next_descriptor = le32_to_cpu(desc->next_descriptor);
+ desc->source_address = le32_to_cpu(desc->source_address);
+ desc->address_extension_23 = le32_to_cpu(desc->address_extension_23);
+ desc->address_extension_45 = le32_to_cpu(desc->address_extension_45);
+ desc->source_address2 = le32_to_cpu(desc->source_address2);
+ desc->source_address3 = le32_to_cpu(desc->source_address3);
+ desc->source_address4 = le32_to_cpu(desc->source_address4);
+ desc->source_address5 = le32_to_cpu(desc->source_address5);
+ desc->crc = le32_to_cpu(desc->crc);
+
+ return MEMTX_OK;
+}
+
+static void xlnx_dpdma_write_descriptor(uint64_t desc_addr,
+ DPDMADescriptor *desc)
+{
+ /* Convert from host endianness into LE. */
+ desc->control = cpu_to_le32(desc->control);
+ desc->descriptor_id = cpu_to_le32(desc->descriptor_id);
+ desc->xfer_size = cpu_to_le32(desc->xfer_size);
+ desc->line_size_stride = cpu_to_le32(desc->line_size_stride);
+ desc->timestamp_lsb = cpu_to_le32(desc->timestamp_lsb);
+ desc->timestamp_msb = cpu_to_le32(desc->timestamp_msb);
+ desc->address_extension = cpu_to_le32(desc->address_extension);
+ desc->next_descriptor = cpu_to_le32(desc->next_descriptor);
+ desc->source_address = cpu_to_le32(desc->source_address);
+ desc->address_extension_23 = cpu_to_le32(desc->address_extension_23);
+ desc->address_extension_45 = cpu_to_le32(desc->address_extension_45);
+ desc->source_address2 = cpu_to_le32(desc->source_address2);
+ desc->source_address3 = cpu_to_le32(desc->source_address3);
+ desc->source_address4 = cpu_to_le32(desc->source_address4);
+ desc->source_address5 = cpu_to_le32(desc->source_address5);
+ desc->crc = cpu_to_le32(desc->crc);
+
+ dma_memory_write(&address_space_memory, desc_addr, &desc,
+ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED);
+}
+
size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
bool one_desc)
{
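Review bot: xlnx_dpdma_write_descriptor() returns void and discards the result of `dma_memory_write()`, so a failed write-back of the done flag goes unreported, whereas the read helper returns a MemTxResult that the caller turns into a DPDMA_EISR bit. Consider giving it the same shape, `static MemTxResult xlnx_dpdma_write_descriptor(XlnxDPDMAState *s, uint64_t desc_addr, DPDMADescriptor *desc)`, with the final call's result returned to the caller. How the device should react to a failed write-back is not visible in this hunk, so the caller-side handling is left open. The two helpers also disagree on the `s` parameter, which the read helper takes but never uses. A one-line comment above each helper saying that descriptors are little-endian in guest memory would make the conversion direction clear.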
@@ -651,8 +704,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
desc_addr = xlnx_dpdma_descriptor_next_address(s, channel);
}
- if (dma_memory_read(&address_space_memory, desc_addr, &desc,
- sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) {
+ if (xlnx_dpdma_read_descriptor(s, desc_addr, &desc)) {
s->registers[DPDMA_EISR] |= ((1 << 1) << channel);
xlnx_dpdma_update_irq(s);
s->operation_finished[channel] = true;
@@ -755,8 +807,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
/* The descriptor need to be updated when it's completed. */
DPRINTF("update the descriptor with the done flag set.\n");
xlnx_dpdma_desc_set_done(&desc);
- dma_memory_write(&address_space_memory, desc_addr, &desc,
- sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED);
+ xlnx_dpdma_write_descriptor(desc_addr, &desc);
}
if (xlnx_dpdma_desc_completion_interrupt(&desc)) {
--
2.30.2
On 4/25/24 06:41, Alexandra Diupina wrote: > +static MemTxResult xlnx_dpdma_read_descriptor(XlnxDPDMAState *s, > + uint64_t desc_addr, DPDMADescriptor *desc) > +{ > + if (dma_memory_read(&address_space_memory, desc_addr, &desc, > + sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) > + return MEMTX_ERROR; > + Missing { } for docs/devel/style.rst. > +static void xlnx_dpdma_write_descriptor(uint64_t desc_addr, > + DPDMADescriptor *desc) > +{ > + /* Convert from host endianness into LE. */ > + desc->control = cpu_to_le32(desc->control); > + desc->descriptor_id = cpu_to_le32(desc->descriptor_id); > + desc->xfer_size = cpu_to_le32(desc->xfer_size); > + desc->line_size_stride = cpu_to_le32(desc->line_size_stride); > + desc->timestamp_lsb = cpu_to_le32(desc->timestamp_lsb); > + desc->timestamp_msb = cpu_to_le32(desc->timestamp_msb); > + desc->address_extension = cpu_to_le32(desc->address_extension); > + desc->next_descriptor = cpu_to_le32(desc->next_descriptor); > + desc->source_address = cpu_to_le32(desc->source_address); > + desc->address_extension_23 = cpu_to_le32(desc->address_extension_23); > + desc->address_extension_45 = cpu_to_le32(desc->address_extension_45); > + desc->source_address2 = cpu_to_le32(desc->source_address2); > + desc->source_address3 = cpu_to_le32(desc->source_address3); > + desc->source_address4 = cpu_to_le32(desc->source_address4); > + desc->source_address5 = cpu_to_le32(desc->source_address5); > + desc->crc = cpu_to_le32(desc->crc); This is incorrect, rewriting in place, because after the call, > if (xlnx_dpdma_desc_completion_interrupt(&desc)) { the memory block is still live, and the swap here has corrupted it. > + > + dma_memory_write(&address_space_memory, desc_addr, &desc, This is incorrect because desc is now a pointer so &desc is DPDMADescriptor **. Do not reply to an existing thread to post a new patch. r~