path: root/hw/sd/sd.c
Age | Commit message | Author | Files | Lines
2021-02-20 | hw/sd: sd: Bypass the RCA check for CMD13 in SPI mode | Bin Meng | 1 | -1/+2

Unlike SD mode, when SD card is working in SPI mode, the argument of CMD13 is stuff bits. Hence we should bypass the RCA check.

See "Physical Layer Specification Version 8.00", chapter 7.3.1.3 Detailed Command Description (SPI mode): "The card shall ignore stuff bits and reserved bits in an argument" and Table 7-3 Commands and Arguments (SPI mode): "CMD13 Argument [31:0] stuff bits"

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210216150225.27996-9-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2021-02-20 | hw/sd: sd: Skip write protect groups check in CMD24/25 for high capacity cards | Bin Meng | 1 | -5/+9

High capacity cards don't support write protection hence we should not perform the write protect groups check in CMD24/25 for them.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210216150225.27996-8-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2021-02-20 | hw/sd: sd: Skip write protect groups check in sd_erase() for high capacity cards | Bin Meng | 1 | -6/+12

High capacity cards don't support write protection hence we should not perform the write protect groups check in sd_erase() for them.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210216150225.27996-6-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2021-02-20 | hw/sd: sd: Move the sd_block_{read, write} and macros ahead | Bin Meng | 1 | -21/+21

These APIs and macros may be referenced by functions that are currently before them. Move them ahead a little bit.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210216150225.27996-5-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2021-02-20 | hw/sd: sd: Fix CMD30 response type | Bin Meng | 1 | -1/+1

Per the "Physical Layer Specification Version 8.00", table 4-26 (SD mode) and table 7-3 (SPI mode) command descriptions, CMD30 response type is R1, not R1b.

Fixes: a1bb27b1e98a ("SD card emulation initial implementation")
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210216150225.27996-4-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2021-02-20 | hw/sd: sd: Only SDSC cards support CMD28/29/30 | Bin Meng | 1 | -0/+12

Per the "Physical Layer Specification Version 8.00", table 4-26 (SD mode) and table 7-3 (SPI mode) command descriptions, the following commands:

- CMD28 (SET_WRITE_PROT)
- CMD29 (CLR_WRITE_PROT)
- CMD30 (SEND_WRITE_PROT)

are only supported by SDSC cards.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210216150225.27996-3-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2021-02-20 | hw/sd: sd: Fix address check in sd_erase() | Bin Meng | 1 | -1/+1

For high capacity memory cards, the erase start address and end address are multiplied by 512, but the address check is still based on the original block number in sd->erase_{start, end}.

Fixes: 1bd6fd8ed593 ("hw/sd/sdcard: Do not attempt to erase out of range addresses")
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210216150225.27996-2-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2021-02-20 | hw/sd: Introduce receive_ready() callback | Bin Meng | 1 | -0/+6

At present there is a data_ready() callback for the SD data read path. Let's add a receive_ready() for the SD data write path.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20210128063035.15674-5-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2021-02-20 | hw/sd: sd: Allow single/multiple block write for SPI mode | Bin Meng | 1 | -3/+0

At present the single/multiple block write in SPI mode is blocked by sd_normal_command(). Remove the limitation.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210128063035.15674-4-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2021-02-20 | hw/sd: sd: Remove duplicated codes in single/multiple block read/write | Bin Meng | 1 | -47/+0

The single block read (CMD17) codes are the same as the multiple block read (CMD18). Merge them into one. The same applies to single block write (CMD24) and multiple block write (CMD25).

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20210128063035.15674-3-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2021-01-27 | block: Separate blk_is_writable() and blk_supports_write_perm() | Kevin Wolf | 1 | -3/+3

Currently, blk_is_read_only() tells whether a given BlockBackend can only be used in read-only mode because its root node is read-only. Some callers actually try to answer a slightly different question: Is the BlockBackend configured to be writable, by taking write permissions on the root node?

This can differ, for example, for CD-ROM devices which don't take write permissions, but may be backed by a writable image file. scsi-cd allows write requests to the drive if blk_is_read_only() returns false. However, the write request will immediately run into an assertion failure because the write permission is missing.

This patch introduces separate functions for both questions. blk_supports_write_perm() answers the question whether the block node/image file can support writable devices, whereas blk_is_writable() tells whether the BlockBackend is currently configured to be writable.

All calls of blk_is_read_only() are converted to one of the two new functions.

Fixes: https://bugs.launchpad.net/bugs/1906693
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20210118123448.307825-2-kwolf@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2021-01-24 | hw/sd: sd: Drop sd_crc16() | Bin Meng | 1 | -18/+0

commit f6fb1f9b319f ("sdcard: Correct CRC16 offset in sd_function_switch()") changed the 16-bit CRC to be stored at offset 64. In fact, this CRC calculation is completely wrong. From the original codes, it wants to calculate the CRC16 of the first 64 bytes of sd->data[], however passing 64 as the `width` to sd_crc16() actually counts 256 bytes starting from the `message` for the CRC16 calculation, which is not what we want.

Besides that, it seems existing sd_crc16() algorithm does not match the SD spec, which says CRC16 is the CCITT one but the calculation does not produce expected result.

It turns out the CRC16 was never transferred outside the sd core, as in sd_read_byte() we see:

    if (sd->data_offset >= 64)
        sd->state = sd_transfer_state;

Given above reasons, let's drop it.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Tested-by: Pragnesh Patel <pragnesh.patel@sifive.com>
Reviewed-by: Pragnesh Patel <pragnesh.patel@sifive.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210123104016.17485-6-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2021-01-24 | hw/sd: sd: Support CMD59 for SPI mode | Bin Meng | 1 | -7/+1

After the card is put into SPI mode, CRC check for all commands including CMD0 will be done according to CMD59 setting. But this command is currently unimplemented. Simply allow the decoding of CMD59, but the CRC remains unchecked.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Tested-by: Pragnesh Patel <pragnesh.patel@sifive.com>
Reviewed-by: Pragnesh Patel <pragnesh.patel@sifive.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210123104016.17485-5-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2021-01-08 | Remove superfluous timer_del() calls | Peter Maydell | 1 | -1/+0

This commit is the result of running the timer-del-timer-free.cocci script on the whole source tree.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Corey Minyard <cminyard@mvista.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20201215154107.3255-4-peter.maydell@linaro.org
2020-12-18 | qdev: Move softmmu properties to qdev-properties-system.h | Eduardo Habkost | 1 | -0/+1

Move the property types and property macros implemented in qdev-properties-system.c to a new qdev-properties-system.h header.

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20201211220529.2290218-16-ehabkost@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
2020-11-17 | hw/sd: Fix 2 GiB card CSD register values | Bin Meng | 1 | -4/+11

Per the SD spec, to indicate a 2 GiB card, BLOCK_LEN shall be 1024 bytes, hence the READ_BL_LEN field in the CSD register shall be 10 instead of 9.

This fixes the acceptance test error for the NetBSD 9.0 test of the Orange Pi PC that has an expanded SD card image of 2 GiB size.

Fixes: 6d2d4069c47e ("hw/sd: Correct the maximum size of a Standard Capacity SD Memory Card")
Reported-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Message-Id: <20201025152357.11865-1-bmeng.cn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2020-10-26 | hw/sd/sdcard: Zero out function selection fields before being populated | Bin Meng | 1 | -0/+1

The function selection fields (399:376) should be zeroed out to prevent leftover from being or'ed into the switch function status data structure.

This fixes the boot failure as seen in the acceptance testing on the orangepi target.

Fixes: b638627c723a ("hw/sd: Fix incorrect populated function switch status data structure")
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20201024014954.21330-1-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2020-10-26 | hw/sd/sdcard: Make iolen unsigned | Philippe Mathieu-Daudé | 1 | -1/+1

I/O request length can not be negative.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20200630133912.9428-15-f4bug@amsat.org>
2020-10-26 | hw/sd/sdcard: Constify sd_crc*()'s message argument | Philippe Mathieu-Daudé | 1 | -4/+4

CRC functions don't modify the buffer argument, make it const.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20200630133912.9428-14-f4bug@amsat.org>
2020-10-26 | hw/sd/sdcard: Simplify cmd_valid_while_locked() | Philippe Mathieu-Daudé | 1 | -6/+5

cmd_valid_while_locked() only needs to read SDRequest->cmd, pass it directly and make it const.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20200630133912.9428-13-f4bug@amsat.org>
2020-10-26 | hw/sd/sdcard: Update the SDState documentation | Philippe Mathieu-Daudé | 1 | -1/+4

Add more descriptive comments to keep a clear separation between static property vs runtime changeable.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20200630133912.9428-12-f4bug@amsat.org>
2020-10-21 | hw/sd/sdcard: Assert if accessing an illegal group | Philippe Mathieu-Daudé | 1 | -0/+2

We can not have more groups than 'wpgrps_size'. Assert if we are accessing a group above this limit.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201015063824.212980-7-f4bug@amsat.org>
2020-10-21 | hw/sd/sdcard: Do not attempt to erase out of range addresses | Philippe Mathieu-Daudé | 1 | -0/+7

While the Spec v3 is not very clear, v6 states:

    If the host provides an out of range address as an argument to CMD32 or CMD33, the card shall indicate OUT_OF_RANGE error in R1 (ERX) for CMD38.

If an address is out of range, do not attempt to erase it: return R1 with the error bit set.

Buglink: https://bugs.launchpad.net/qemu/+bug/1895310
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201015063824.212980-6-f4bug@amsat.org>
2020-10-21 | hw/sd/sdcard: Reset both start/end addresses on error | Philippe Mathieu-Daudé | 1 | -0/+2

From the Spec "4.3.5 Erase":

    The host should adhere to the following command sequence: ERASE_WR_BLK_START, ERASE_WR_BLK_END and ERASE (CMD38).

    If an erase (CMD38) or address setting (CMD32, 33) command is received out of sequence, the card shall set the ERASE_SEQ_ERROR bit in the status register and reset the whole sequence.

Reset both addresses if the ERASE command occurred out of sequence (one of the start/end addresses is not set).

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201015063824.212980-5-f4bug@amsat.org>
2020-10-21 | hw/sd/sdcard: Do not use legal address '0' for INVALID_ADDRESS | Philippe Mathieu-Daudé | 1 | -3/+3

As it is legal to WRITE/ERASE the address/block 0, change the value of this definition to an illegal address: UINT32_MAX.

Unfortunately this breaks the migration stream, so bump the VMState version number.

This affects some ARM boards and the SDHCI_PCI device (which is only used for testing).

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201015063824.212980-4-f4bug@amsat.org>
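The four erase-related commits above ("Fix address check in sd_erase()", "Do not attempt to erase out of range addresses", "Reset both start/end addresses on error" and this INVALID_ADDRESS change) together describe how a card model must handle the CMD32/CMD33/CMD38 sequence. The following is an added example written for this page, not code from QEMU's hw/sd/sd.c: the SDCard struct, the function names and the constructed 8-block image are assumptions made here, while the R1 bit names and the 512-byte scaling for high capacity cards come from the commits and the SD spec.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Card status (R1) error bits, as named in the SD Physical Layer spec. */
#define OUT_OF_RANGE     (1u << 31)
#define ERASE_SEQ_ERROR  (1u << 28)
/* Block 0 is a legal erase target, so "not set" needs an illegal sentinel. */
#define INVALID_ADDRESS  UINT32_MAX
#define BLOCK_LEN        512u

/* Hypothetical, simplified card model for this example (not QEMU's SDState). */
typedef struct {
    bool     high_capacity;  /* SDHC/SDXC: CMD32/33 arguments are block numbers */
    uint64_t size;           /* card size in bytes, a multiple of BLOCK_LEN */
    uint32_t erase_start;    /* raw CMD32 argument, INVALID_ADDRESS if unset */
    uint32_t erase_end;      /* raw CMD33 argument, INVALID_ADDRESS if unset */
    uint32_t card_status;    /* R1 error bits accumulate here */
    uint8_t *data;           /* backing storage of 'size' bytes */
} SDCard;

void sd_card_init(SDCard *sd, uint8_t *data, uint64_t size, bool high_capacity)
{
    memset(sd, 0, sizeof(*sd));
    sd->data = data;
    sd->size = size;
    sd->high_capacity = high_capacity;
    sd->erase_start = sd->erase_end = INVALID_ADDRESS;
}

/* A CMD32/CMD33 argument is a byte address on SDSC but a block number on
 * SDHC/SDXC; normalise both to a block index before comparing anything. */
static uint64_t sd_arg_to_block(const SDCard *sd, uint32_t arg)
{
    return sd->high_capacity ? (uint64_t)arg : (uint64_t)arg / BLOCK_LEN;
}

void sd_cmd32_erase_wr_blk_start(SDCard *sd, uint32_t arg) { sd->erase_start = arg; }
void sd_cmd33_erase_wr_blk_end(SDCard *sd, uint32_t arg)   { sd->erase_end = arg; }

/* CMD38 ERASE: true if blocks were erased, false if an R1 error bit was set.
 * The start/end pair is consumed either way ("reset the whole sequence"). */
bool sd_cmd38_erase(SDCard *sd)
{
    uint32_t raw_start = sd->erase_start, raw_end = sd->erase_end;
    sd->erase_start = sd->erase_end = INVALID_ADDRESS;
    if (raw_start == INVALID_ADDRESS || raw_end == INVALID_ADDRESS) {
        sd->card_status |= ERASE_SEQ_ERROR;      /* CMD38 received out of sequence */
        return false;
    }
    /* Bounds-check the scaled block index, never the raw argument: on SDHC a
     * raw value far below 'size' can still point past the end of the image. */
    uint64_t first   = sd_arg_to_block(sd, raw_start);
    uint64_t last    = sd_arg_to_block(sd, raw_end);
    uint64_t nblocks = sd->size / BLOCK_LEN;
    if (first > last || last >= nblocks) {
        sd->card_status |= OUT_OF_RANGE;         /* reported in R1 for CMD38 */
        return false;
    }
    memset(sd->data + first * BLOCK_LEN, 0xff, (last - first + 1) * BLOCK_LEN);
    return true;                                 /* erased blocks read as 0xff */
}

/* Issue the CMD32, CMD33, CMD38 sequence and report the CMD38 outcome. */
static bool erase_range(SDCard *sd, uint32_t start, uint32_t end)
{
    sd_cmd32_erase_wr_blk_start(sd, start);
    sd_cmd33_erase_wr_blk_end(sd, end);
    return sd_cmd38_erase(sd);
}

/* Runs the cases the commits describe on a constructed 8-block (4 KiB) image.
 * Returns 0 on success, otherwise the number of the first failing step. */
int sd_erase_selftest(void)
{
    uint8_t img[8 * BLOCK_LEN];
    SDCard sd;
    memset(img, 0xa5, sizeof(img));
    sd_card_init(&sd, img, sizeof(img), true);   /* SDHC: block-number arguments */
    /* 1. CMD38 without CMD32/33 first: ERASE_SEQ_ERROR and nothing erased. */
    if (sd_cmd38_erase(&sd) || !(sd.card_status & ERASE_SEQ_ERROR) || img[0] != 0xa5) return 1;
    sd.card_status = 0;
    /* 2. Block 7 is the last valid block: exactly that block is erased. */
    if (!erase_range(&sd, 7, 7) || sd.card_status != 0) return 2;
    if (img[7 * BLOCK_LEN] != 0xff || img[7 * BLOCK_LEN - 1] != 0xa5) return 3;
    /* 3. Raw 8 is far below size (4096) yet scales to one block past the end:
     *    OUT_OF_RANGE must be set and no out-of-bounds memset may happen. */
    if (erase_range(&sd, 8, 8) || !(sd.card_status & OUT_OF_RANGE)) return 4;
    sd.card_status = 0;
    /* 4. Block 0 is a legal target and must not be mistaken for "unset". */
    if (!erase_range(&sd, 0, 0) || img[0] != 0xff || img[BLOCK_LEN] != 0xa5) return 5;

    memset(img, 0xa5, sizeof(img));
    sd_card_init(&sd, img, sizeof(img), false);  /* SDSC: byte-address arguments */
    if (!erase_range(&sd, 7 * BLOCK_LEN, 7 * BLOCK_LEN) || img[7 * BLOCK_LEN] != 0xff) return 6;
    if (erase_range(&sd, 8 * BLOCK_LEN, 8 * BLOCK_LEN) || !(sd.card_status & OUT_OF_RANGE)) return 7;
    return 0;
}
```

Step 3 is the case the "Fix address check in sd_erase()" commit describes: checking the raw argument 8 against a 4096-byte size would wrongly accept it, and only the scaled block index catches the one-block overrun.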
2020-10-21 | hw/sd/sdcard: Introduce the INVALID_ADDRESS definition | Philippe Mathieu-Daudé | 1 | -5/+8

'0' is used as a value to indicate an invalid (or unset) address. Use a definition instead of a magic value.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201015063824.212980-3-f4bug@amsat.org>
2020-10-21 | hw/sd/sdcard: Add trace event for ERASE command (CMD38) | Philippe Mathieu-Daudé | 1 | -1/+1

Trace addresses provided to the ERASE command.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201015063824.212980-2-f4bug@amsat.org>
2020-09-11 | util/hexdump: Reorder qemu_hexdump() arguments | Philippe Mathieu-Daudé | 1 | -1/+1

qemu_hexdump()'s pointer to the buffer and length of the buffer are closely related arguments but are widely separated in the argument list order (also, the format of <stdio.h> function prototypes is usually to have the FILE* argument coming first). Reorder the arguments as "fp, prefix, buf, size" which is more logical.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20200822180950.1343963-3-f4bug@amsat.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2020-09-11 | util/hexdump: Convert to take a void pointer argument | Philippe Mathieu-Daudé | 1 | -1/+1

Most uses of qemu_hexdump() do not take an array of char as input, forcing use of cast. Since we can use this helper to dump any kind of buffer, use a pointer to void argument instead.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20200822180950.1343963-2-f4bug@amsat.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2020-08-21 | hw/sd: Correct the maximum size of a Standard Capacity SD Memory Card | Bin Meng | 1 | -2/+4

Per the SD spec, Standard Capacity SD Memory Card (SDSC) supports capacity up to and including 2 GiB.

Fixes: 2d7adea4fe ("hw/sd: Support SDHC size cards")
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>
Message-Id: <1598021136-49525-2-git-send-email-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2020-08-21 | hw/sd: Fix incorrect populated function switch status data structure | Bin Meng | 1 | -1/+2

At present the function switch status data structure bit [399:376] are wrongly populated. These 3 bytes encode function switch status for the 6 function groups, with 4 bits per group, starting from function group 6 at bit 399, then followed by function group 5 at bit 395, and so on. However the code mistakenly fills in the function group 1 status at bit 399.

This fixes the code logic.

Fixes: a1bb27b1e9 ("SD card emulation (initial implementation)")
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>
Message-Id: <1598021136-49525-1-git-send-email-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2020-08-21 | hw/sd: Rename read/write_data() as read/write_byte() | Philippe Mathieu-Daudé | 1 | -8/+8

The read/write_data() methods do a single byte access on the data line of a SD card. Rename them as read/write_byte().

Add some documentation (not in "hw/sd/sdcard_legacy.h" which we are going to remove soon).

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20200814092346.21825-2-f4bug@amsat.org>
2020-08-21 | hw/sd: Move sdcard legacy API to 'hw/sd/sdcard_legacy.h' | Philippe Mathieu-Daudé | 1 | -0/+1

omap_mmc.c is the last device left using the legacy sdcard API. Move the prototype declarations into a separate header, to make it clear this is a legacy API.

Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-Id: <20180216022933.10945-8-f4bug@amsat.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
2020-08-21 | hw/sd/sdcard: Make sd_data_ready() static | Philippe Mathieu-Daudé | 1 | -1/+1

sd_data_ready() belongs to the legacy API. As its last user has been converted to the SDBus API, make it static.

Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-Id: <20180216022933.10945-7-f4bug@amsat.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Peter Maydell <peter.maydell@linaro.org>
2020-07-14 | hw/sd/sdcard: Do not switch to ReceivingData if address is invalid | Philippe Mathieu-Daudé | 1 | -14/+24

Only move the state machine to ReceivingData if there is no pending error. This avoids later OOB access while processing commands queued.

"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"

  4.3.3 Data Read

    Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR occurred and no data transfer is performed.

  4.3.4 Data Write

    Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR occurred and no data transfer is performed.

WP_VIOLATION errors are not modified: the error bit is set, we stay in receive-data state, wait for a stop command. All further data transfer is ignored. See the check on sd->card_status at the beginning of sd_read_data() and sd_write_data().

Fixes: CVE-2020-13253
Cc: qemu-stable@nongnu.org
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20200630133912.9428-6-f4bug@amsat.org>
2020-07-14 | hw/sd/sdcard: Update coding style to make checkpatch.pl happy | Philippe Mathieu-Daudé | 1 | -8/+16

To make the next commit easier to review, clean this code first.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200630133912.9428-3-f4bug@amsat.org>
2020-07-14 | hw/sd/sdcard: Do not allow invalid SD card sizes | Philippe Mathieu-Daudé | 1 | -0/+25

QEMU allows creating SD cards with unrealistic sizes. This could work, but some guests (at least Linux) consider sizes that are not a power of 2 as a firmware bug and fix the card size to the next power of 2.

While the possibility to use small SD card images has been seen as a feature, it became a bug with CVE-2020-13253, where the guest is able to do OOB read/write accesses past the image size end.

In a pair of commits we will fix CVE-2020-13253 as:

    Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR occurred and no data transfer is performed.

    Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR occurred and no data transfer is performed.

    WP_VIOLATION errors are not modified: the error bit is set, we stay in receive-data state, wait for a stop command. All further data transfer is ignored. See the check on sd->card_status at the beginning of sd_read_data() and sd_write_data().

While this is the correct behavior, in case QEMU creates smaller SD cards, guests still try to access past the image size end, and QEMU considers this is an invalid address, thus "all further data transfer is ignored". This is wrong and makes the guest loop until it eventually times out.

Fix by not allowing invalid SD card sizes (suggesting the expected size as a hint):

    $ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw
    qemu-system-arm: Invalid SD card size: 60 MiB
    SD card size has to be a power of 2, e.g. 64 MiB.
    You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
    (note that this will lose data if you make the image smaller than
    it currently is).

Cc: qemu-stable@nongnu.org
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20200713183209.26308-8-f4bug@amsat.org>
2020-07-14 | hw/sd/sdcard: Simplify realize() a bit | Philippe Mathieu-Daudé | 1 | -5/+5

We don't need to check if sd->blk is set twice.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20200630133912.9428-18-f4bug@amsat.org>
2020-07-14 | hw/sd/sdcard: Restrict Class 6 commands to SCSD cards | Philippe Mathieu-Daudé | 1 | -0/+5

Only SCSD cards support Class 6 (Block Oriented Write Protection) commands.

"SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"

  4.3.14 Command Functional Difference in Card Capacity Types

    * Write Protected Group

    SDHC and SDXC do not support write-protected groups. Issuing CMD28, CMD29 and CMD30 generates the ILLEGAL_COMMAND error.

Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20200630133912.9428-7-f4bug@amsat.org>
2020-07-10 | qdev: Use returned bool to check for failure, Coccinelle part | Markus Armbruster | 1 | -2/+1

The previous commit enables conversion of

    qdev_prop_set_drive_err(..., &err);
    if (err) {
        ...
    }

to

    if (!qdev_prop_set_drive_err(..., errp)) {
        ...
    }

Coccinelle script:

    @@
    identifier fun = qdev_prop_set_drive_err;
    expression list args;
    typedef Error;
    Error *err;
    @@
    -    fun(args, &err);
    -    if (err)
    +    if (!fun(args, &err))
         {
             ...
         }

One line break tidied up manually.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <20200707160613.848843-33-armbru@redhat.com>
2020-06-23 | qdev: Make qdev_prop_set_drive() match the other helpers | Markus Armbruster | 1 | -1/+1

qdev_prop_set_drive() can fail. None of the other qdev_prop_set_FOO() can; they abort on error.

To clean up this inconsistency, rename qdev_prop_set_drive() to qdev_prop_set_drive_err(), and create a qdev_prop_set_drive() that aborts on error.

Coccinelle script to update callers:

    @ depends on !(file in "hw/core/qdev-properties-system.c")@
    expression dev, name, value;
    symbol error_abort;
    @@
    -    qdev_prop_set_drive(dev, name, value, &error_abort);
    +    qdev_prop_set_drive(dev, name, value);

    @@
    expression dev, name, value, errp;
    @@
    -    qdev_prop_set_drive(dev, name, value, errp);
    +    qdev_prop_set_drive_err(dev, name, value, errp);

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20200622094227.1271650-14-armbru@redhat.com>
2020-06-15 | sd: Hide the qdev-but-not-quite thing created by sd_init() | Markus Armbruster | 1 | -11/+27

Commit 260bc9d8aa "hw/sd/sd.c: QOMify" QOMified only the device itself, not its users. It kept sd_init() around for non-QOMified users.

More than four years later, three such users remain: omap1 (machines cheetah, sx1, sx1-v1) and omap2 (machines n800, n810) are not QOMified, and pl181 (machines integratorcp, realview-eb, realview-eb-mpcore, realview-pb-a8, realview-pbx-a9, versatileab, versatilepb, vexpress-a15, vexpress-a9) is not QOMified properly.

The issue I presently have with this: an "sd-card" device should plug into an "sd-bus" (its DeviceClass member bus_type says so), but sd_init() leaves it unplugged.

This is normally a bug (I just fixed some instances), and I'd like to assert proper pluggedness to prevent regressions. However, the qdev-but-not-quite thing returned by sd_init() would fail the assertion. Meh.

Make sd_init() hide it from QOM/qdev. Visible in "info qom-tree", here's the change for cheetah:

    /machine (cheetah-machine)
    [...]
      /unattached (container)
      [...]
        /device[5] (serial-mm)
          /serial (serial)
          /serial[0] (qemu:memory-region)
    -   /device[6] (sd-card)
    -   /device[7] (omap-gpio)
    +   /device[6] (omap-gpio)
    [rest of device[*] renumbered...]

Cc: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20200609122339.937862-24-armbru@redhat.com>
2020-05-27 | error: Use error_reportf_err() where appropriate | Markus Armbruster | 1 | -2/+2

Replace

    error_report("...: %s", ..., error_get_pretty(err));

by

    error_reportf_err(err, "...: ", ...);

One of the replaced messages lacked a colon. Add it.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20200505101908.6207-6-armbru@redhat.com>
2020-01-24 | qdev: set properties with device_class_set_props() | Marc-André Lureau | 1 | -1/+1

The following patch will need to handle properties registration during class_init time. Let's use a device_class_set_props() setter.

    spatch --macro-file scripts/cocci-macro-file.h --sp-file ./scripts/coccinelle/qdev-set-props.cocci --keep-comments --in-place --dir .

    @@
    typedef DeviceClass;
    DeviceClass *d;
    expression val;
    @@
    -    d->props = val
    +    device_class_set_props(d, val)

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20200110153039.1379601-20-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-08-16 | Include hw/qdev-properties.h less | Markus Armbruster | 1 | -1/+0

In my "build everything" tree, changing hw/qdev-properties.h triggers a recompile of some 2700 out of 6600 objects (not counting tests and objects that don't depend on qemu/osdep.h).

Many places including hw/qdev-properties.h (directly or via hw/qdev.h) actually need only hw/qdev-core.h. Include hw/qdev-core.h there instead.

hw/qdev.h is actually pointless: all it does is include hw/qdev-core.h and hw/qdev-properties.h, which in turn includes hw/qdev-core.h. Replace the remaining uses of hw/qdev.h by hw/qdev-properties.h.

While there, delete a few superfluous inclusions of hw/qdev-core.h.

Touching hw/qdev-properties.h now recompiles some 1200 objects.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <20190812052359.30071-22-armbru@redhat.com>
2019-08-16 | Include hw/hw.h exactly where needed | Markus Armbruster | 1 | -1/+0

In my "build everything" tree, changing hw/hw.h triggers a recompile of some 2600 out of 6600 objects (not counting tests and objects that don't depend on qemu/osdep.h).

The previous commits have left only the declaration of hw_error() in hw/hw.h. This permits dropping most of its inclusions. Touching it now recompiles less than 200 objects.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20190812052359.30071-19-armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2019-08-16 | Include migration/vmstate.h less | Markus Armbruster | 1 | -0/+1

In my "build everything" tree, changing migration/vmstate.h triggers a recompile of some 2700 out of 6600 objects (not counting tests and objects that don't depend on qemu/osdep.h).

hw/hw.h supposedly includes it for convenience. Several other headers include it just to get VMStateDescription. The previous commit made that unnecessary.

Include migration/vmstate.h only where it's still needed. Touching it now recompiles only some 1600 objects.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20190812052359.30071-16-armbru@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2019-08-16 | Include hw/irq.h a lot less | Markus Armbruster | 1 | -0/+1

In my "build everything" tree, changing hw/irq.h triggers a recompile of some 5400 out of 6600 objects (not counting tests and objects that don't depend on qemu/osdep.h).

hw/hw.h supposedly includes it for convenience. Several other headers include it just to get qemu_irq and/or qemu_irq_handler.

Move the qemu_irq and qemu_irq_handler typedefs from hw/irq.h to qemu/typedefs.h, and then include hw/irq.h only where it's still needed. Touching it now recompiles only some 500 objects.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20190812052359.30071-13-armbru@redhat.com>
2019-06-21 | sd: Fix out-of-bounds assertions | Lidong Chen | 1 | -2/+2

Due to an off-by-one error, the assert statements allow an out-of-bound array access. This doesn't happen in practice, but the static analyzer notices.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <6b19cb7359a10a6bedc3ea0fce22fed3ef93c102.1560806687.git.lidong.chen@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-06-12 | Include qemu/module.h where needed, drop it from qemu-common.h | Markus Armbruster | 1 | -0/+1

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20190523143508.25387-4-armbru@redhat.com>
[Rebased with conflicts resolved automatically, except for hw/usb/dev-hub.c hw/misc/exynos4210_rng.c hw/misc/bcm2835_rng.c hw/misc/aspeed_scu.c hw/display/virtio-vga.c hw/arm/stm32f205_soc.c; ui/cocoa.m fixed up]