diff options
| author | Alexandra Diupina <adiupina@astralinux.ru> | 2024-05-23 16:06:19 +0100 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2024-05-28 14:20:48 +0100 |
| commit | fdf029762f50101a3d7927d8db1be015e00f441c (patch) | |
| tree | 80033bcccfe68d02259f2d1a52d3e3a365f79df1 /hw | |
| parent | ad10b4badc1dd5b28305f9b9f1168cf0aa3ae946 (diff) | |
| download | qemu-fdf029762f50101a3d7927d8db1be015e00f441c.zip qemu-fdf029762f50101a3d7927d8db1be015e00f441c.tar.gz qemu-fdf029762f50101a3d7927d8db1be015e00f441c.tar.bz2 | |
xlnx_dpdma: fix descriptor endianness bug
Add xlnx_dpdma_read_descriptor() and
xlnx_dpdma_write_descriptor() functions.
xlnx_dpdma_read_descriptor() combines reading a
descriptor from desc_addr by calling dma_memory_read()
and swapping the desc fields from guest memory order
to host memory order. xlnx_dpdma_write_descriptor()
performs similar actions when writing a descriptor.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d3c6369a96 ("introduce xlnx-dpdma")
Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
[PMM: tweaked indent, dropped behaviour change for write-failure case]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw')
| -rw-r--r-- | hw/dma/xlnx_dpdma.c | 68 |
1 files changed, 64 insertions, 4 deletions
diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c index 530717d..dde4aec 100644 --- a/hw/dma/xlnx_dpdma.c +++ b/hw/dma/xlnx_dpdma.c @@ -614,6 +614,65 @@ static void xlnx_dpdma_register_types(void) type_register_static(&xlnx_dpdma_info); } +static MemTxResult xlnx_dpdma_read_descriptor(XlnxDPDMAState *s, + uint64_t desc_addr, + DPDMADescriptor *desc) +{ + MemTxResult res = dma_memory_read(&address_space_memory, desc_addr, + &desc, sizeof(DPDMADescriptor), + MEMTXATTRS_UNSPECIFIED); + if (res) { + return res; + } + + /* Convert from LE into host endianness. */ + desc->control = le32_to_cpu(desc->control); + desc->descriptor_id = le32_to_cpu(desc->descriptor_id); + desc->xfer_size = le32_to_cpu(desc->xfer_size); + desc->line_size_stride = le32_to_cpu(desc->line_size_stride); + desc->timestamp_lsb = le32_to_cpu(desc->timestamp_lsb); + desc->timestamp_msb = le32_to_cpu(desc->timestamp_msb); + desc->address_extension = le32_to_cpu(desc->address_extension); + desc->next_descriptor = le32_to_cpu(desc->next_descriptor); + desc->source_address = le32_to_cpu(desc->source_address); + desc->address_extension_23 = le32_to_cpu(desc->address_extension_23); + desc->address_extension_45 = le32_to_cpu(desc->address_extension_45); + desc->source_address2 = le32_to_cpu(desc->source_address2); + desc->source_address3 = le32_to_cpu(desc->source_address3); + desc->source_address4 = le32_to_cpu(desc->source_address4); + desc->source_address5 = le32_to_cpu(desc->source_address5); + desc->crc = le32_to_cpu(desc->crc); + + return res; +} + +static MemTxResult xlnx_dpdma_write_descriptor(uint64_t desc_addr, + DPDMADescriptor *desc) +{ + DPDMADescriptor tmp_desc = *desc; + + /* Convert from host endianness into LE. */ + tmp_desc.control = cpu_to_le32(tmp_desc.control); + tmp_desc.descriptor_id = cpu_to_le32(tmp_desc.descriptor_id); + tmp_desc.xfer_size = cpu_to_le32(tmp_desc.xfer_size); + tmp_desc.line_size_stride = cpu_to_le32(tmp_desc.line_size_stride); + tmp_desc.timestamp_lsb = cpu_to_le32(tmp_desc.timestamp_lsb); + tmp_desc.timestamp_msb = cpu_to_le32(tmp_desc.timestamp_msb); + tmp_desc.address_extension = cpu_to_le32(tmp_desc.address_extension); + tmp_desc.next_descriptor = cpu_to_le32(tmp_desc.next_descriptor); + tmp_desc.source_address = cpu_to_le32(tmp_desc.source_address); + tmp_desc.address_extension_23 = cpu_to_le32(tmp_desc.address_extension_23); + tmp_desc.address_extension_45 = cpu_to_le32(tmp_desc.address_extension_45); + tmp_desc.source_address2 = cpu_to_le32(tmp_desc.source_address2); + tmp_desc.source_address3 = cpu_to_le32(tmp_desc.source_address3); + tmp_desc.source_address4 = cpu_to_le32(tmp_desc.source_address4); + tmp_desc.source_address5 = cpu_to_le32(tmp_desc.source_address5); + tmp_desc.crc = cpu_to_le32(tmp_desc.crc); + + return dma_memory_write(&address_space_memory, desc_addr, &tmp_desc, + sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED); +} + size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel, bool one_desc) { @@ -651,8 +710,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel, desc_addr = xlnx_dpdma_descriptor_next_address(s, channel); } - if (dma_memory_read(&address_space_memory, desc_addr, &desc, - sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) { + if (xlnx_dpdma_read_descriptor(s, desc_addr, &desc)) { s->registers[DPDMA_EISR] |= ((1 << 1) << channel); xlnx_dpdma_update_irq(s); s->operation_finished[channel] = true; @@ -755,8 +813,10 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel, /* The descriptor need to be updated when it's completed. */ DPRINTF("update the descriptor with the done flag set.\n"); xlnx_dpdma_desc_set_done(&desc); - dma_memory_write(&address_space_memory, desc_addr, &desc, - sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED); + if (xlnx_dpdma_write_descriptor(desc_addr, &desc)) { + DPRINTF("Can't write the descriptor.\n"); + /* TODO: check hardware behaviour for memory write failure */ + } } if (xlnx_dpdma_desc_completion_interrupt(&desc)) { |