On Mon, Dec 15, 2014 at 11:15:07AM +1100, Gavin Shan wrote: > The emulation for EEH RTAS requests from guest isn't covered > by QEMU yet and the patch implements them. > > The patch defines constants used by EEH RTAS calls and adds > callback sPAPRPHBClass::eeh_handler, which is going to be used > this way: > > * RTAS calls are received in spapr_pci.c, sanity check is done > there. > * RTAS handlers handle what they can. If there is something it > cannot handle and sPAPRPHBClass::eeh_handler callback is defined, > it is called. > * sPAPRPHBClass::eeh_handler is only implemented for VFIO now. It > does ioctl() to the IOMMU container fd to complete the call. Error > codes from that ioctl() are transferred back to the guest. > > [aik: defined RTAS tokens for EEH RTAS calls] > Signed-off-by: Gavin Shan <[email protected]> > --- > hw/ppc/spapr_pci.c | 246 > ++++++++++++++++++++++++++++++++++++++++++++ > include/hw/pci-host/spapr.h | 7 ++ > include/hw/ppc/spapr.h | 43 +++++++- > 3 files changed, 294 insertions(+), 2 deletions(-) > > diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c > index 3d70efe..3bb1971 100644 > --- a/hw/ppc/spapr_pci.c > +++ b/hw/ppc/spapr_pci.c > @@ -406,6 +406,233 @@ static void > rtas_ibm_query_interrupt_source_number(PowerPCCPU *cpu, > rtas_st(rets, 2, 1);/* 0 == level; 1 == edge */ > } > > +static int rtas_handle_eeh_request(sPAPREnvironment *spapr, > + uint64_t buid, uint32_t req, uint32_t opt) > +{ > + sPAPRPHBState *sphb = spapr_pci_find_phb(spapr, buid); > + sPAPRPHBClass *info = SPAPR_PCI_HOST_BRIDGE_GET_CLASS(sphb); > + > + if (!sphb || !info->eeh_handler) { > + return -ENOENT; > + } > + > + return info->eeh_handler(sphb, req, opt); > +} > + > +static void rtas_ibm_set_eeh_option(PowerPCCPU *cpu, > + sPAPREnvironment *spapr, > + uint32_t token, uint32_t nargs, > + target_ulong args, uint32_t nret, > + target_ulong rets) > +{ > + uint32_t addr, option; > + uint64_t buid = ((uint64_t)rtas_ld(args, 1) << 32) | rtas_ld(args, 2);
You're dereferencing RTAS parameters here before you've checked the
number of parameters, which isn't safe. Similar problem in the other
entry points as well.
> + int ret;
> +
> + if ((nargs != 4) || (nret != 1)) {
> + goto param_error_exit;
> + }
> +
> + addr = rtas_ld(args, 0);
> + option = rtas_ld(args, 3);
> + switch (option) {
> + case RTAS_EEH_ENABLE:
> + if (!spapr_pci_find_dev(spapr, buid, addr)) {
> + goto param_error_exit;
> + }
> + break;
> + case RTAS_EEH_DISABLE:
> + case RTAS_EEH_THAW_IO:
> + case RTAS_EEH_THAW_DMA:
> + break;
> + default:
> + goto param_error_exit;
> + }
> +
> + ret = rtas_handle_eeh_request(spapr, buid,
> + RTAS_EEH_REQ_SET_OPTION, option);
> + if (ret >= 0) {
> + rtas_st(rets, 0, RTAS_OUT_SUCCESS);
> + return;
> + }
The fall through here means that any failure in
rtas_handle_eeh_request will be reported as RTAS_OUT_PARAM_ERROR,
which doesn't sound like it would always be the right error code.
Similar in the other entry points.
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
pgpSgPVmpkTyI.pgp
Description: PGP signature
