Misc HW patch queue
- Fix CXL Fixed Memory Window interleave-granularity typo - Fix for DMA re-entrancy abuse with VirtIO devices (CVE-2024-3446) - Fix out-of-bound access in NAND block buffer - Fix memory leak in AppleSMC reset() handler - Avoid VirtIO crypto backends abort o invalid session ID - Fix overflow in LAN9118 MIL TX FIFO - Fix overflow when abusing SDHCI TRNMOD register (CVE-2024-3447) - Fix overrun in short fragmented packet SCTP checksum (CVE-2024-3567) - Remove unused assignment in virtio-snd model (Coverity 1542933 & 1542934) -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmYWV94ACgkQ4+MsLN6t wN4+ew/+PqDmL4S8xXGQPi6Q8fxAogbwo1mPptDO2y8ChEjtc9LI5HOLu90EYz7A s62SPDsh3gx8vOthrJVEk0LqCbw4N3s5dFdmHNrnjXCsKQFifgucQ+yZy8ipy34N wWHSJ9nipBQLvkK23iCxkbl3cTyr44Rlweae/TZR4/FjFCEe3N555LQU0fruEqRo AHW1RjYhGvOfL9knLWzIQqW2QjcCnKky3bJhwHh3crfWE69nvVJTkbSF6oUxWSG0 RzSToK3nN5tmvUlyvbTBE9u0K9JkOcbtMQiAgj39nR9xpsaUZZa0zSWOmliYIuBC kWuUY0/nAQk6gxHBKyu8q09ACBbzeCp+lVPOYXdxax8QMeURSa9fB1qY7JmI5QAZ bg0ypD2pvbxhidU5TWpw7araAYyBOJrEYjnOkhXB4oa01ZWu2d0uNhGWo83h3Wjy ahKrNDoVIQIdh8QkYy/ZqDwhCMoNM+pQcfUzsYxkqZC/JiiM/qxm87pTHQ/x2yQA l0MLzljGv90/dklokrqeg4REwMqfwzc74PUbKdCk43saemmatslK3ktu3xAzUlQW 2xmZQTnKwXDf+U3YnYryDddow2LsU7qlu8dlDGNd0WIrE5LRCCXzhv8la66O0jVE qMOHpBPkwMlACBwiXuxV6ucelk4vy+XvabeQUsizm0m+PR7TwJY= =9phd -----END PGP SIGNATURE----- Merge tag 'hw-misc-20240410' of https://github.com/philmd/qemu into staging Misc HW patch queue - Fix CXL Fixed Memory Window interleave-granularity typo - Fix for DMA re-entrancy abuse with VirtIO devices (CVE-2024-3446) - Fix out-of-bound access in NAND block buffer - Fix memory leak in AppleSMC reset() handler - Avoid VirtIO crypto backends abort o invalid session ID - Fix overflow in LAN9118 MIL TX FIFO - Fix overflow when abusing SDHCI TRNMOD register (CVE-2024-3447) - Fix overrun in short fragmented packet SCTP checksum (CVE-2024-3567) - Remove unused assignment in virtio-snd model (Coverity 1542933 & 1542934) # -----BEGIN PGP SIGNATURE----- # # iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmYWV94ACgkQ4+MsLN6t # wN4+ew/+PqDmL4S8xXGQPi6Q8fxAogbwo1mPptDO2y8ChEjtc9LI5HOLu90EYz7A # s62SPDsh3gx8vOthrJVEk0LqCbw4N3s5dFdmHNrnjXCsKQFifgucQ+yZy8ipy34N # wWHSJ9nipBQLvkK23iCxkbl3cTyr44Rlweae/TZR4/FjFCEe3N555LQU0fruEqRo # AHW1RjYhGvOfL9knLWzIQqW2QjcCnKky3bJhwHh3crfWE69nvVJTkbSF6oUxWSG0 # RzSToK3nN5tmvUlyvbTBE9u0K9JkOcbtMQiAgj39nR9xpsaUZZa0zSWOmliYIuBC # kWuUY0/nAQk6gxHBKyu8q09ACBbzeCp+lVPOYXdxax8QMeURSa9fB1qY7JmI5QAZ # bg0ypD2pvbxhidU5TWpw7araAYyBOJrEYjnOkhXB4oa01ZWu2d0uNhGWo83h3Wjy # ahKrNDoVIQIdh8QkYy/ZqDwhCMoNM+pQcfUzsYxkqZC/JiiM/qxm87pTHQ/x2yQA # l0MLzljGv90/dklokrqeg4REwMqfwzc74PUbKdCk43saemmatslK3ktu3xAzUlQW # 2xmZQTnKwXDf+U3YnYryDddow2LsU7qlu8dlDGNd0WIrE5LRCCXzhv8la66O0jVE # qMOHpBPkwMlACBwiXuxV6ucelk4vy+XvabeQUsizm0m+PR7TwJY= # =9phd # -----END PGP SIGNATURE----- # gpg: Signature made Wed 10 Apr 2024 10:11:58 BST # gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE # gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full] # Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE * tag 'hw-misc-20240410' of https://github.com/philmd/qemu: hw/audio/virtio-snd: Remove unused assignment hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum() hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set hw/net/lan9118: Fix overflow in MIL TX FIFO hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition backends/cryptodev: Do not abort for invalid session ID hw/misc/applesmc: Fix memory leak in reset() handler hw/misc/applesmc: Do not call DeviceReset from DeviceRealize hw/block/nand: Fix out-of-bound access in NAND block buffer hw/block/nand: Have blk_load() take unsigned offset and return boolean hw/block/nand: Factor nand_load_iolen() method out qemu-options: Fix CXL Fixed Memory Window interleave-granularity typo hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs hw/display/virtio-gpu: Protect from DMA re-entrancy bugs hw/virtio: Introduce virtio_bh_new_guarded() helper Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
Peter Maydell
commit
f243175727
@ -427,7 +427,9 @@ static int cryptodev_builtin_close_session(
|
|||||||
CRYPTODEV_BACKEND_BUILTIN(backend);
|
CRYPTODEV_BACKEND_BUILTIN(backend);
|
||||||
CryptoDevBackendBuiltinSession *session;
|
CryptoDevBackendBuiltinSession *session;
|
||||||
|
|
||||||
assert(session_id < MAX_NUM_SESSIONS && builtin->sessions[session_id]);
|
if (session_id >= MAX_NUM_SESSIONS || !builtin->sessions[session_id]) {
|
||||||
|
return -VIRTIO_CRYPTO_INVSESS;
|
||||||
|
}
|
||||||
|
|
||||||
session = builtin->sessions[session_id];
|
session = builtin->sessions[session_id];
|
||||||
if (session->cipher) {
|
if (session->cipher) {
|
||||||
|
|||||||
@ -885,7 +885,9 @@ static void virtio_snd_handle_tx_xfer(VirtIODevice *vdev, VirtQueue *vq)
|
|||||||
}
|
}
|
||||||
trace_virtio_snd_handle_tx_xfer();
|
trace_virtio_snd_handle_tx_xfer();
|
||||||
|
|
||||||
for (VirtIOSoundPCMStream *stream = NULL;; stream = NULL) {
|
for (;;) {
|
||||||
|
VirtIOSoundPCMStream *stream;
|
||||||
|
|
||||||
elem = virtqueue_pop(vq, sizeof(VirtQueueElement));
|
elem = virtqueue_pop(vq, sizeof(VirtQueueElement));
|
||||||
if (!elem) {
|
if (!elem) {
|
||||||
break;
|
break;
|
||||||
@ -964,7 +966,9 @@ static void virtio_snd_handle_rx_xfer(VirtIODevice *vdev, VirtQueue *vq)
|
|||||||
}
|
}
|
||||||
trace_virtio_snd_handle_rx_xfer();
|
trace_virtio_snd_handle_rx_xfer();
|
||||||
|
|
||||||
for (VirtIOSoundPCMStream *stream = NULL;; stream = NULL) {
|
for (;;) {
|
||||||
|
VirtIOSoundPCMStream *stream;
|
||||||
|
|
||||||
elem = virtqueue_pop(vq, sizeof(VirtQueueElement));
|
elem = virtqueue_pop(vq, sizeof(VirtQueueElement));
|
||||||
if (!elem) {
|
if (!elem) {
|
||||||
break;
|
break;
|
||||||
|
|||||||
@ -84,7 +84,11 @@ struct NANDFlashState {
|
|||||||
|
|
||||||
void (*blk_write)(NANDFlashState *s);
|
void (*blk_write)(NANDFlashState *s);
|
||||||
void (*blk_erase)(NANDFlashState *s);
|
void (*blk_erase)(NANDFlashState *s);
|
||||||
void (*blk_load)(NANDFlashState *s, uint64_t addr, int offset);
|
/*
|
||||||
|
* Returns %true when block containing (@addr + @offset) is
|
||||||
|
* successfully loaded, otherwise %false.
|
||||||
|
*/
|
||||||
|
bool (*blk_load)(NANDFlashState *s, uint64_t addr, unsigned offset);
|
||||||
|
|
||||||
uint32_t ioaddr_vmstate;
|
uint32_t ioaddr_vmstate;
|
||||||
};
|
};
|
||||||
@ -243,9 +247,30 @@ static inline void nand_pushio_byte(NANDFlashState *s, uint8_t value)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* nand_load_block: Load block containing (s->addr + @offset).
|
||||||
|
* Returns length of data available at @offset in this block.
|
||||||
|
*/
|
||||||
|
static unsigned nand_load_block(NANDFlashState *s, unsigned offset)
|
||||||
|
{
|
||||||
|
unsigned iolen;
|
||||||
|
|
||||||
|
if (!s->blk_load(s, s->addr, offset)) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
iolen = (1 << s->page_shift);
|
||||||
|
if (s->gnd) {
|
||||||
|
iolen += 1 << s->oob_shift;
|
||||||
|
}
|
||||||
|
assert(offset <= iolen);
|
||||||
|
iolen -= offset;
|
||||||
|
|
||||||
|
return iolen;
|
||||||
|
}
|
||||||
|
|
||||||
static void nand_command(NANDFlashState *s)
|
static void nand_command(NANDFlashState *s)
|
||||||
{
|
{
|
||||||
unsigned int offset;
|
|
||||||
switch (s->cmd) {
|
switch (s->cmd) {
|
||||||
case NAND_CMD_READ0:
|
case NAND_CMD_READ0:
|
||||||
s->iolen = 0;
|
s->iolen = 0;
|
||||||
@ -271,12 +296,7 @@ static void nand_command(NANDFlashState *s)
|
|||||||
case NAND_CMD_NOSERIALREAD2:
|
case NAND_CMD_NOSERIALREAD2:
|
||||||
if (!(nand_flash_ids[s->chip_id].options & NAND_SAMSUNG_LP))
|
if (!(nand_flash_ids[s->chip_id].options & NAND_SAMSUNG_LP))
|
||||||
break;
|
break;
|
||||||
offset = s->addr & ((1 << s->addr_shift) - 1);
|
s->iolen = nand_load_block(s, s->addr & ((1 << s->addr_shift) - 1));
|
||||||
s->blk_load(s, s->addr, offset);
|
|
||||||
if (s->gnd)
|
|
||||||
s->iolen = (1 << s->page_shift) - offset;
|
|
||||||
else
|
|
||||||
s->iolen = (1 << s->page_shift) + (1 << s->oob_shift) - offset;
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case NAND_CMD_RESET:
|
case NAND_CMD_RESET:
|
||||||
@ -597,12 +617,7 @@ uint32_t nand_getio(DeviceState *dev)
|
|||||||
if (!s->iolen && s->cmd == NAND_CMD_READ0) {
|
if (!s->iolen && s->cmd == NAND_CMD_READ0) {
|
||||||
offset = (int) (s->addr & ((1 << s->addr_shift) - 1)) + s->offset;
|
offset = (int) (s->addr & ((1 << s->addr_shift) - 1)) + s->offset;
|
||||||
s->offset = 0;
|
s->offset = 0;
|
||||||
|
s->iolen = nand_load_block(s, offset);
|
||||||
s->blk_load(s, s->addr, offset);
|
|
||||||
if (s->gnd)
|
|
||||||
s->iolen = (1 << s->page_shift) - offset;
|
|
||||||
else
|
|
||||||
s->iolen = (1 << s->page_shift) + (1 << s->oob_shift) - offset;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (s->ce || s->iolen <= 0) {
|
if (s->ce || s->iolen <= 0) {
|
||||||
@ -763,11 +778,15 @@ static void glue(nand_blk_erase_, NAND_PAGE_SIZE)(NANDFlashState *s)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static void glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s,
|
static bool glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s,
|
||||||
uint64_t addr, int offset)
|
uint64_t addr, unsigned offset)
|
||||||
{
|
{
|
||||||
if (PAGE(addr) >= s->pages) {
|
if (PAGE(addr) >= s->pages) {
|
||||||
return;
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (offset > NAND_PAGE_SIZE + OOB_SIZE) {
|
||||||
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (s->blk) {
|
if (s->blk) {
|
||||||
@ -795,6 +814,8 @@ static void glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s,
|
|||||||
offset, NAND_PAGE_SIZE + OOB_SIZE - offset);
|
offset, NAND_PAGE_SIZE + OOB_SIZE - offset);
|
||||||
s->ioaddr = s->io;
|
s->ioaddr = s->io;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void glue(nand_init_, NAND_PAGE_SIZE)(NANDFlashState *s)
|
static void glue(nand_init_, NAND_PAGE_SIZE)(NANDFlashState *s)
|
||||||
|
|||||||
@ -985,8 +985,7 @@ static void virtser_port_device_realize(DeviceState *dev, Error **errp)
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
port->bh = qemu_bh_new_guarded(flush_queued_data_bh, port,
|
port->bh = virtio_bh_new_guarded(dev, flush_queued_data_bh, port);
|
||||||
&dev->mem_reentrancy_guard);
|
|
||||||
port->elem = NULL;
|
port->elem = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -1492,10 +1492,8 @@ void virtio_gpu_device_realize(DeviceState *qdev, Error **errp)
|
|||||||
|
|
||||||
g->ctrl_vq = virtio_get_queue(vdev, 0);
|
g->ctrl_vq = virtio_get_queue(vdev, 0);
|
||||||
g->cursor_vq = virtio_get_queue(vdev, 1);
|
g->cursor_vq = virtio_get_queue(vdev, 1);
|
||||||
g->ctrl_bh = qemu_bh_new_guarded(virtio_gpu_ctrl_bh, g,
|
g->ctrl_bh = virtio_bh_new_guarded(qdev, virtio_gpu_ctrl_bh, g);
|
||||||
&qdev->mem_reentrancy_guard);
|
g->cursor_bh = virtio_bh_new_guarded(qdev, virtio_gpu_cursor_bh, g);
|
||||||
g->cursor_bh = qemu_bh_new_guarded(virtio_gpu_cursor_bh, g,
|
|
||||||
&qdev->mem_reentrancy_guard);
|
|
||||||
g->reset_bh = qemu_bh_new(virtio_gpu_reset_bh, g);
|
g->reset_bh = qemu_bh_new(virtio_gpu_reset_bh, g);
|
||||||
qemu_cond_init(&g->reset_cond);
|
qemu_cond_init(&g->reset_cond);
|
||||||
QTAILQ_INIT(&g->reslist);
|
QTAILQ_INIT(&g->reslist);
|
||||||
|
|||||||
@ -274,6 +274,7 @@ static void qdev_applesmc_isa_reset(DeviceState *dev)
|
|||||||
/* Remove existing entries */
|
/* Remove existing entries */
|
||||||
QLIST_FOREACH_SAFE(d, &s->data_def, node, next) {
|
QLIST_FOREACH_SAFE(d, &s->data_def, node, next) {
|
||||||
QLIST_REMOVE(d, node);
|
QLIST_REMOVE(d, node);
|
||||||
|
g_free(d);
|
||||||
}
|
}
|
||||||
s->status = 0x00;
|
s->status = 0x00;
|
||||||
s->status_1e = 0x00;
|
s->status_1e = 0x00;
|
||||||
@ -342,7 +343,6 @@ static void applesmc_isa_realize(DeviceState *dev, Error **errp)
|
|||||||
}
|
}
|
||||||
|
|
||||||
QLIST_INIT(&s->data_def);
|
QLIST_INIT(&s->data_def);
|
||||||
qdev_applesmc_isa_reset(dev);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static Property applesmc_isa_properties[] = {
|
static Property applesmc_isa_properties[] = {
|
||||||
|
|||||||
@ -150,6 +150,12 @@ do { printf("lan9118: " fmt , ## __VA_ARGS__); } while (0)
|
|||||||
|
|
||||||
#define GPT_TIMER_EN 0x20000000
|
#define GPT_TIMER_EN 0x20000000
|
||||||
|
|
||||||
|
/*
|
||||||
|
* The MAC Interface Layer (MIL), within the MAC, contains a 2K Byte transmit
|
||||||
|
* and a 128 Byte receive FIFO which is separate from the TX and RX FIFOs.
|
||||||
|
*/
|
||||||
|
#define MIL_TXFIFO_SIZE 2048
|
||||||
|
|
||||||
enum tx_state {
|
enum tx_state {
|
||||||
TX_IDLE,
|
TX_IDLE,
|
||||||
TX_B,
|
TX_B,
|
||||||
@ -166,7 +172,7 @@ typedef struct {
|
|||||||
int32_t pad;
|
int32_t pad;
|
||||||
int32_t fifo_used;
|
int32_t fifo_used;
|
||||||
int32_t len;
|
int32_t len;
|
||||||
uint8_t data[2048];
|
uint8_t data[MIL_TXFIFO_SIZE];
|
||||||
} LAN9118Packet;
|
} LAN9118Packet;
|
||||||
|
|
||||||
static const VMStateDescription vmstate_lan9118_packet = {
|
static const VMStateDescription vmstate_lan9118_packet = {
|
||||||
@ -182,7 +188,7 @@ static const VMStateDescription vmstate_lan9118_packet = {
|
|||||||
VMSTATE_INT32(pad, LAN9118Packet),
|
VMSTATE_INT32(pad, LAN9118Packet),
|
||||||
VMSTATE_INT32(fifo_used, LAN9118Packet),
|
VMSTATE_INT32(fifo_used, LAN9118Packet),
|
||||||
VMSTATE_INT32(len, LAN9118Packet),
|
VMSTATE_INT32(len, LAN9118Packet),
|
||||||
VMSTATE_UINT8_ARRAY(data, LAN9118Packet, 2048),
|
VMSTATE_UINT8_ARRAY(data, LAN9118Packet, MIL_TXFIFO_SIZE),
|
||||||
VMSTATE_END_OF_LIST()
|
VMSTATE_END_OF_LIST()
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
@ -544,7 +550,7 @@ static ssize_t lan9118_receive(NetClientState *nc, const uint8_t *buf,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (size >= 2048 || size < 14) {
|
if (size >= MIL_TXFIFO_SIZE || size < 14) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -793,8 +799,22 @@ static void tx_fifo_push(lan9118_state *s, uint32_t val)
|
|||||||
/* Documentation is somewhat unclear on the ordering of bytes
|
/* Documentation is somewhat unclear on the ordering of bytes
|
||||||
in FIFO words. Empirical results show it to be little-endian.
|
in FIFO words. Empirical results show it to be little-endian.
|
||||||
*/
|
*/
|
||||||
/* TODO: FIFO overflow checking. */
|
|
||||||
while (n--) {
|
while (n--) {
|
||||||
|
if (s->txp->len == MIL_TXFIFO_SIZE) {
|
||||||
|
/*
|
||||||
|
* No more space in the FIFO. The datasheet is not
|
||||||
|
* precise about this case. We choose what is easiest
|
||||||
|
* to model: the packet is truncated, and TXE is raised.
|
||||||
|
*
|
||||||
|
* Note, it could be a fragmented packet, but we currently
|
||||||
|
* do not handle that (see earlier TX_B case).
|
||||||
|
*/
|
||||||
|
qemu_log_mask(LOG_GUEST_ERROR,
|
||||||
|
"MIL TX FIFO overrun, discarding %u byte%s\n",
|
||||||
|
n, n > 1 ? "s" : "");
|
||||||
|
s->int_sts |= TXE_INT;
|
||||||
|
break;
|
||||||
|
}
|
||||||
s->txp->data[s->txp->len] = val & 0xff;
|
s->txp->data[s->txp->len] = val & 0xff;
|
||||||
s->txp->len++;
|
s->txp->len++;
|
||||||
val >>= 8;
|
val >>= 8;
|
||||||
|
|||||||
@ -141,6 +141,10 @@ bool net_tx_pkt_update_sctp_checksum(struct NetTxPkt *pkt)
|
|||||||
uint32_t csum = 0;
|
uint32_t csum = 0;
|
||||||
struct iovec *pl_start_frag = pkt->vec + NET_TX_PKT_PL_START_FRAG;
|
struct iovec *pl_start_frag = pkt->vec + NET_TX_PKT_PL_START_FRAG;
|
||||||
|
|
||||||
|
if (iov_size(pl_start_frag, pkt->payload_frags) < 8 + sizeof(csum)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
if (iov_from_buf(pl_start_frag, pkt->payload_frags, 8, &csum, sizeof(csum)) < sizeof(csum)) {
|
if (iov_from_buf(pl_start_frag, pkt->payload_frags, 8, &csum, sizeof(csum)) < sizeof(csum)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -473,6 +473,7 @@ static uint32_t sdhci_read_dataport(SDHCIState *s, unsigned size)
|
|||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < size; i++) {
|
for (i = 0; i < size; i++) {
|
||||||
|
assert(s->data_count < s->buf_maxsz);
|
||||||
value |= s->fifo_buffer[s->data_count] << i * 8;
|
value |= s->fifo_buffer[s->data_count] << i * 8;
|
||||||
s->data_count++;
|
s->data_count++;
|
||||||
/* check if we've read all valid data (blksize bytes) from buffer */
|
/* check if we've read all valid data (blksize bytes) from buffer */
|
||||||
@ -561,6 +562,7 @@ static void sdhci_write_dataport(SDHCIState *s, uint32_t value, unsigned size)
|
|||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < size; i++) {
|
for (i = 0; i < size; i++) {
|
||||||
|
assert(s->data_count < s->buf_maxsz);
|
||||||
s->fifo_buffer[s->data_count] = value & 0xFF;
|
s->fifo_buffer[s->data_count] = value & 0xFF;
|
||||||
s->data_count++;
|
s->data_count++;
|
||||||
value >>= 8;
|
value >>= 8;
|
||||||
@ -1208,6 +1210,12 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
|
|||||||
if (!(s->capareg & R_SDHC_CAPAB_SDMA_MASK)) {
|
if (!(s->capareg & R_SDHC_CAPAB_SDMA_MASK)) {
|
||||||
value &= ~SDHC_TRNS_DMA;
|
value &= ~SDHC_TRNS_DMA;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* TRNMOD writes are inhibited while Command Inhibit (DAT) is true */
|
||||||
|
if (s->prnsts & SDHC_DATA_INHIBIT) {
|
||||||
|
mask |= 0xffff;
|
||||||
|
}
|
||||||
|
|
||||||
MASKED_WRITE(s->trnmod, mask, value & SDHC_TRNMOD_MASK);
|
MASKED_WRITE(s->trnmod, mask, value & SDHC_TRNMOD_MASK);
|
||||||
MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16);
|
MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16);
|
||||||
|
|
||||||
|
|||||||
@ -1080,8 +1080,8 @@ static void virtio_crypto_device_realize(DeviceState *dev, Error **errp)
|
|||||||
vcrypto->vqs[i].dataq =
|
vcrypto->vqs[i].dataq =
|
||||||
virtio_add_queue(vdev, 1024, virtio_crypto_handle_dataq_bh);
|
virtio_add_queue(vdev, 1024, virtio_crypto_handle_dataq_bh);
|
||||||
vcrypto->vqs[i].dataq_bh =
|
vcrypto->vqs[i].dataq_bh =
|
||||||
qemu_bh_new_guarded(virtio_crypto_dataq_bh, &vcrypto->vqs[i],
|
virtio_bh_new_guarded(dev, virtio_crypto_dataq_bh,
|
||||||
&dev->mem_reentrancy_guard);
|
&vcrypto->vqs[i]);
|
||||||
vcrypto->vqs[i].vcrypto = vcrypto;
|
vcrypto->vqs[i].vcrypto = vcrypto;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -4145,3 +4145,13 @@ static void virtio_register_types(void)
|
|||||||
}
|
}
|
||||||
|
|
||||||
type_init(virtio_register_types)
|
type_init(virtio_register_types)
|
||||||
|
|
||||||
|
QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev,
|
||||||
|
QEMUBHFunc *cb, void *opaque,
|
||||||
|
const char *name)
|
||||||
|
{
|
||||||
|
DeviceState *transport = qdev_get_parent_bus(dev)->parent;
|
||||||
|
|
||||||
|
return qemu_bh_new_full(cb, opaque, name,
|
||||||
|
&transport->mem_reentrancy_guard);
|
||||||
|
}
|
||||||
|
|||||||
@ -22,6 +22,7 @@
|
|||||||
#include "standard-headers/linux/virtio_config.h"
|
#include "standard-headers/linux/virtio_config.h"
|
||||||
#include "standard-headers/linux/virtio_ring.h"
|
#include "standard-headers/linux/virtio_ring.h"
|
||||||
#include "qom/object.h"
|
#include "qom/object.h"
|
||||||
|
#include "block/aio.h"
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* A guest should never accept this. It implies negotiation is broken
|
* A guest should never accept this. It implies negotiation is broken
|
||||||
@ -508,4 +509,10 @@ static inline bool virtio_device_disabled(VirtIODevice *vdev)
|
|||||||
bool virtio_legacy_allowed(VirtIODevice *vdev);
|
bool virtio_legacy_allowed(VirtIODevice *vdev);
|
||||||
bool virtio_legacy_check_disabled(VirtIODevice *vdev);
|
bool virtio_legacy_check_disabled(VirtIODevice *vdev);
|
||||||
|
|
||||||
|
QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev,
|
||||||
|
QEMUBHFunc *cb, void *opaque,
|
||||||
|
const char *name);
|
||||||
|
#define virtio_bh_new_guarded(dev, cb, opaque) \
|
||||||
|
virtio_bh_new_guarded_full((dev), (cb), (opaque), (stringify(cb)))
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
@ -151,14 +151,14 @@ SRST
|
|||||||
platform and configuration dependent.
|
platform and configuration dependent.
|
||||||
|
|
||||||
``interleave-granularity=granularity`` sets the granularity of
|
``interleave-granularity=granularity`` sets the granularity of
|
||||||
interleave. Default 256KiB. Only 256KiB, 512KiB, 1024KiB, 2048KiB
|
interleave. Default 256 (bytes). Only 256, 512, 1k, 2k,
|
||||||
4096KiB, 8192KiB and 16384KiB granularities supported.
|
4k, 8k and 16k granularities supported.
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
|
|
||||||
::
|
::
|
||||||
|
|
||||||
-machine cxl-fmw.0.targets.0=cxl.0,cxl-fmw.0.targets.1=cxl.1,cxl-fmw.0.size=128G,cxl-fmw.0.interleave-granularity=512k
|
-machine cxl-fmw.0.targets.0=cxl.0,cxl-fmw.0.targets.1=cxl.1,cxl-fmw.0.size=128G,cxl-fmw.0.interleave-granularity=512
|
||||||
ERST
|
ERST
|
||||||
|
|
||||||
DEF("M", HAS_ARG, QEMU_OPTION_M,
|
DEF("M", HAS_ARG, QEMU_OPTION_M,
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user