From 57001144628db65ef9b7dbbfb759101212696d6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?=
Date: Thu, 14 Mar 2024 09:22:38 +0100
Subject: [PATCH 1/3] vfio/iommufd: Fix memory leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Coverity reported a memory leak on variable 'contents' in routine iommufd_cdev_getfd(). Use g_autofree variables to simplify the exit path and get rid of g_free() calls.
Cc: Eric Auger
Cc: Yi Liu
Fixes: CID 1540007
Fixes: 5ee3dc7af785 ("vfio/iommufd: Implement the iommufd backend")
Suggested-by: Zhenzhong Duan
Reviewed-by: Zhenzhong Duan
Signed-off-by: Cédric Le Goater
---
 hw/vfio/iommufd.c | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/hw/vfio/iommufd.c b/hw/vfio/iommufd.c
index bafddb8f5a..8827ffe636 100644
--- a/hw/vfio/iommufd.c
+++ b/hw/vfio/iommufd.c
@@ -118,10 +118,12 @@ static int iommufd_cdev_getfd(const char *sysfs_path, Error **errp)
 {
 ERRP_GUARD();
 long int ret = -ENOTTY;
- char *path, *vfio_dev_path = NULL, *vfio_path = NULL;
+ g_autofree char *path = NULL;
+ g_autofree char *vfio_dev_path = NULL;
+ g_autofree char *vfio_path = NULL;
 DIR *dir = NULL;
 struct dirent *dent;
- gchar *contents;
+ g_autofree gchar *contents = NULL;
 gsize length;
 int major, minor;
 dev_t vfio_devt;
@@ -130,7 +132,7 @@ static int iommufd_cdev_getfd(const char *sysfs_path, Error **errp)
 dir = opendir(path);
 if (!dir) {
 error_setg_errno(errp, errno, "couldn't open directory %s", path);
- goto out_free_path;
+ goto out;
 }
 while ((dent = readdir(dir))) {
@@ -147,14 +149,13 @@ static int iommufd_cdev_getfd(const char *sysfs_path, Error **errp)
 if (!g_file_get_contents(vfio_dev_path, &contents, &length, NULL)) {
 error_setg(errp, "failed to load \"%s\"", vfio_dev_path);
- goto out_free_dev_path;
+ goto out_close_dir;
 }
 if (sscanf(contents, "%d:%d", &major, &minor) != 2) {
 error_setg(errp, "failed to get major:minor for \"%s\"", vfio_dev_path);
- goto out_free_dev_path;
+ goto out_close_dir;
 }
- g_free(contents);
 vfio_devt = makedev(major, minor);
 vfio_path = g_strdup_printf("/dev/vfio/devices/%s", dent->d_name);
@@ -164,17 +165,13 @@ static int iommufd_cdev_getfd(const char *sysfs_path, Error **errp)
 }
 trace_iommufd_cdev_getfd(vfio_path, ret);
- g_free(vfio_path);
-out_free_dev_path:
- g_free(vfio_dev_path);
 out_close_dir:
 closedir(dir);
-out_free_path:
+out:
 if (*errp) {
 error_prepend(errp, VFIO_MSG_PREFIX, path);
 }
- g_free(path);
 return ret;
 }
From 5b2b9450a2f83668bedd092b43233ad35f0d40bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?=
Date: Mon, 18 Mar 2024 16:58:44 +0100
Subject: [PATCH 2/3] ppc/pnv: I2C controller is not user creatable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The I2C controller is a subunit of the processor. Make it so and avoid QEMU crashes.
$ build/qemu-system-ppc64 -S -machine powernv9 -device pnv-i2c
qemu-system-ppc64: ../hw/ppc/pnv_i2c.c:521: pnv_i2c_realize: Assertion `i2c->chip' failed.
Aborted (core dumped)
Fixes: 263b81ee15af ("ppc/pnv: Add an I2C controller model")
Cc: Glenn Miles
Reported-by: Thomas Huth
Reviewed-by: Thomas Huth
Reviewed-by: Philippe Mathieu-Daudé
Reviewed-by: Glenn Miles
Signed-off-by: Cédric Le Goater
---
 hw/ppc/pnv_i2c.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/hw/ppc/pnv_i2c.c b/hw/ppc/pnv_i2c.c
index 4581cc5e5d..eec5047ce8 100644
--- a/hw/ppc/pnv_i2c.c
+++ b/hw/ppc/pnv_i2c.c
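Review bot: In hw/vfio/iommufd.c, hunk `@@ -147,14 +149,13 @@` of `iommufd_cdev_getfd()`, the values parsed by `sscanf(contents, "%d:%d", &major, &minor)` go into `makedev(major, minor)` with no range check, so a negative major or minor read from the file at `vfio_dev_path` is accepted. That file sits under the caller-supplied `sysfs_path`, so its content is better treated as unvalidated input; the condition could become `if (sscanf(contents, "%d:%d", &major, &minor) != 2 || major < 0 || minor < 0) {`. Whether the code after `makedev()` compares the resulting device number with the node it opens cannot be seen here, because the function continues outside the hunk.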
@@ -557,6 +557,9 @@ static void pnv_i2c_class_init(ObjectClass *klass, void *data)
 xscomc->dt_xscom = pnv_i2c_dt_xscom;
+ /* Reason: This device is part of the CPU and cannot be used separately */
+ dc->user_creatable = false;
+
 dc->desc = "PowerNV I2C";
 dc->realize = pnv_i2c_realize;
 device_class_set_props(dc, pnv_i2c_properties);
From a7538ca0791880b6aeb2cc4cc8c00305e2d975f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?=
Date: Tue, 19 Mar 2024 08:33:20 +0100
Subject: [PATCH 3/3] aspeed/smc: Only wire flash devices at reset
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The Aspeed machines have many Static Memory Controllers (SMC), up to 8, which can only drive flash memory devices. Commit 27a2c66c92ec ("aspeed/smc: Wire CS lines at reset") tried to ease the definitions of these devices by allowing flash devices from the command line to be attached to a SSI bus. For that, the wiring of the CS lines of the Aspeed SMC controller was moved at reset. Two assumptions are made though, first that the device has a SSI_GPIO_CS GPIO line, which is not always the case, and second that it is a flash device. Correct this problem by ensuring that the devices attached to the bus are of the correct flash type. This fixes a QEMU abort when devices without a CS line, such as the max111x, are passed on the command line. While at it, export TYPE_M25P80 used in the Xilinx Versal Virtual machine.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2228
Fixes: 27a2c66c92ec ("aspeed/smc: Wire CS lines at reset")
Reported-by: Thomas Huth
Reviewed-by: Thomas Huth
Tested-by: Thomas Huth
[ clg: minor fixes in the commit log ]
Signed-off-by: Cédric Le Goater
---
 hw/arm/xlnx-versal-virt.c | 3 ++-
 hw/block/m25p80.c | 1 -
 hw/ssi/aspeed_smc.c | 9 +++++++++
 include/hw/block/flash.h | 2 ++
 4 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c
index bfaed1aebf..962f98fee2 100644
--- a/hw/arm/xlnx-versal-virt.c
+++ b/hw/arm/xlnx-versal-virt.c
@@ -13,6 +13,7 @@
 #include "qemu/error-report.h"
 #include "qapi/error.h"
 #include "sysemu/device_tree.h"
+#include "hw/block/flash.h"
 #include "hw/boards.h"
 #include "hw/sysbus.h"
 #include "hw/arm/fdt.h"
@@ -759,7 +760,7 @@ static void versal_virt_init(MachineState *machine)
 flash_klass = object_class_by_name(s->ospi_model);
 if (!flash_klass || object_class_is_abstract(flash_klass) ||
- !object_class_dynamic_cast(flash_klass, "m25p80-generic")) {
+ !object_class_dynamic_cast(flash_klass, TYPE_M25P80)) {
 error_setg(&error_fatal, "'%s' is either abstract or" " not a subtype of m25p80", s->ospi_model);
 return;
diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
index 08a00a6d9b..8dec134832 100644
--- a/hw/block/m25p80.c
+++ b/hw/block/m25p80.c
@@ -515,7 +515,6 @@ struct M25P80Class {
 FlashPartInfo *pi;
 };
-#define TYPE_M25P80 "m25p80-generic"
 OBJECT_DECLARE_TYPE(Flash, M25P80Class, M25P80)
 static inline Manufacturer get_man(Flash *s)
diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
index 3c93936fd1..6e1a84c197 100644
--- a/hw/ssi/aspeed_smc.c
+++ b/hw/ssi/aspeed_smc.c
@@ -23,6 +23,7 @@
 */
 #include "qemu/osdep.h"
+#include "hw/block/flash.h"
 #include "hw/sysbus.h"
 #include "migration/vmstate.h"
 #include "qemu/log.h"
@@ -695,6 +696,14 @@ static void aspeed_smc_reset(DeviceState *d)
 for (i = 0; i < asc->cs_num_max; i++) {
 DeviceState *dev = ssi_get_cs(s->spi, i);
 if (dev) {
+ Object *o = OBJECT(dev);
+
+ if (!object_dynamic_cast(o, TYPE_M25P80)) {
+ warn_report("Aspeed SMC %s.%d : Invalid %s device type",
+ BUS(s->spi)->name, i, object_get_typename(o));
+ continue;
+ }
+
 qemu_irq cs_line = qdev_get_gpio_in_named(dev, SSI_GPIO_CS, 0);
 qdev_connect_gpio_out_named(DEVICE(s), "cs", i, cs_line);
 }
diff --git a/include/hw/block/flash.h b/include/hw/block/flash.h
index de93756cbe..2b5ccd92f4 100644
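Review bot: In hw/ssi/aspeed_smc.c, hunk `@@ -695,6 +696,14 @@`, the new type check in `aspeed_smc_reset()` only skips the CS wiring: a device that fails `object_dynamic_cast(o, TYPE_M25P80)` stays attached to `s->spi`, and the `warn_report()` is repeated on every reset. Whether such a device can still take part in bus transfers is not visible from this hunk. A comment above the check would record the intent, e.g. `/* Only m25p80 flash models provide SSI_GPIO_CS; leave any other user-attached device unwired */`. If a one-time rejection is preferred over a recurring warning, that belongs where the device is attached to the bus, which is outside this hunk, as are the start and end of the function.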
--- a/include/hw/block/flash.h
+++ b/include/hw/block/flash.h
@@ -78,6 +78,8 @@ extern const VMStateDescription vmstate_ecc_state;
 /* m25p80.c */
+#define TYPE_M25P80 "m25p80-generic"
+
 BlockBackend *m25p80_get_blk(DeviceState *dev);
 #endif