#
e4e36e65 |
| 22-Feb-2024 |
Klaus Jensen <k.jensen@samsung.com> |
hw/nvme: fix invalid endian conversion
numcntl is one byte and so is max_vfs. Using cpu_to_le16 on big endian hosts results in numcntl being set to 0.
Fix by dropping the endian conversion.
Fixes:
hw/nvme: fix invalid endian conversion
numcntl is one byte and so is max_vfs. Using cpu_to_le16 on big endian hosts results in numcntl being set to 0.
Fix by dropping the endian conversion.
Fixes: 99f48ae7ae ("hw/nvme: Add support for Secondary Controller List") Reported-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Klaus Jensen <k.jensen@samsung.com> Reviewed-by: Minwoo Im <minwoo.im@samsung.com> Message-ID: <20240222-fix-sriov-numcntl-v1-1-d60bea5e72d0@samsung.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> (cherry picked from commit d2b5bb860e6c17442ad95cc275feb07c1665be5c) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
show more ...
|
#
9b4b4e51 |
| 14-Jul-2023 |
Michael Tokarev <mjt@tls.msk.ru> |
hw/other: spelling fixes
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
#
652b0dd8 |
| 12-Sep-2023 |
Stefan Hajnoczi <stefanha@redhat.com> |
block: remove AIOCBInfo->get_aio_context()
The synchronous bdrv_aio_cancel() function needs the acb's AioContext so it can call aio_poll() to wait for cancellation.
It turns out that all users run
block: remove AIOCBInfo->get_aio_context()
The synchronous bdrv_aio_cancel() function needs the acb's AioContext so it can call aio_poll() to wait for cancellation.
It turns out that all users run under the BQL in the main AioContext, so this callback is not needed.
Remove the callback, mark bdrv_aio_cancel() GLOBAL_STATE_CODE just like its blk_aio_cancel() caller, and poll the main loop AioContext.
The purpose of this cleanup is to identify bdrv_aio_cancel() as an API that does not work with the multi-queue block layer.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-ID: <20230912231037.826804-2-stefanha@redhat.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Klaus Jensen <k.jensen@samsung.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
show more ...
|
#
b3c82467 |
| 11-Aug-2023 |
Peter Maydell <peter.maydell@linaro.org> |
hw/nvme: Avoid dynamic stack allocation
Instead of using a variable-length array in nvme_map_prp(), allocate on the stack with a g_autofree pointer.
The codebase has very few VLAs, and if we can ge
hw/nvme: Avoid dynamic stack allocation
Instead of using a variable-length array in nvme_map_prp(), allocate on the stack with a g_autofree pointer.
The codebase has very few VLAs, and if we can get rid of them all we can make the compiler error on new additions. This is a defensive measure against security bugs where an on-stack dynamic allocation isn't correctly size-checked (e.g. CVE-2021-3527).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
#
b02c2a85 |
| 11-Aug-2023 |
Philippe Mathieu-Daudé <philmd@redhat.com> |
hw/nvme: Use #define to avoid variable length array
In nvme_map_sgl() we create an array segment[] whose size is the 'const int SEG_CHUNK_SIZE'. Since this is C, rather than C++, a "const int foo"
hw/nvme: Use #define to avoid variable length array
In nvme_map_sgl() we create an array segment[] whose size is the 'const int SEG_CHUNK_SIZE'. Since this is C, rather than C++, a "const int foo" is not a true constant, it's merely a variable with a constant value, and so semantically segment[] is a variable-length array. Switch SEG_CHUNK_SIZE to a #define so that we can make the segment[] array truly fixed-size, in the sense that it doesn't trigger the -Wvla warning.
The codebase has very few VLAs, and if we can get rid of them all we can make the compiler error on new additions. This is a defensive measure against security bugs where an on-stack dynamic allocation isn't correctly size-checked (e.g. CVE-2021-3527).
[PMM: rebased (function has moved file), expand commit message based on discussion from previous version of patch]
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
#
3439ba9c |
| 08-Aug-2023 |
Klaus Jensen <k.jensen@samsung.com> |
hw/nvme: fix null pointer access in ruh update
The Reclaim Unit Update operation in I/O Management Receive does not verify the presence of a configured endurance group prior to accessing it.
Fix th
hw/nvme: fix null pointer access in ruh update
The Reclaim Unit Update operation in I/O Management Receive does not verify the presence of a configured endurance group prior to accessing it.
Fix this.
Cc: qemu-stable@nongnu.org Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation") Reviewed-by: Jesper Wendel Devantier <j.devantier@samsung.com> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
#
6c8f8456 |
| 08-Aug-2023 |
Klaus Jensen <k.jensen@samsung.com> |
hw/nvme: fix null pointer access in directive receive
nvme_directive_receive() does not check if an endurance group has been configured (set) prior to testing if flexible data placement is enabled o
hw/nvme: fix null pointer access in directive receive
nvme_directive_receive() does not check if an endurance group has been configured (set) prior to testing if flexible data placement is enabled or not.
Fix this.
Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1815 Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation") Reviewed-by: Jesper Wendel Devantier <j.devantier@samsung.com> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
#
6a33f2e9 |
| 19-Jul-2023 |
Klaus Jensen <k.jensen@samsung.com> |
hw/nvme: fix compliance issue wrt. iosqes/iocqes
As of prior to this patch, the controller checks the value of CC.IOCQES and CC.IOSQES prior to enabling the controller. As reported by Ben in GitLab
hw/nvme: fix compliance issue wrt. iosqes/iocqes
As of prior to this patch, the controller checks the value of CC.IOCQES and CC.IOSQES prior to enabling the controller. As reported by Ben in GitLab issue #1691, this is not spec compliant. The controller should only check these values when queues are created.
This patch moves these checks to nvme_create_cq(). We do not need to check it in nvme_create_sq() since that will error out if the completion queue is not already created.
Also, since the controller exclusively supports SQEs of size 64 bytes and CQEs of size 16 bytes, hard code that.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1691 Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
#
ecb1b7b0 |
| 03-Aug-2023 |
Klaus Jensen <k.jensen@samsung.com> |
hw/nvme: fix oob memory read in fdp events log
As reported by Trend Micro's Zero Day Initiative, an oob memory read vulnerability exists in nvme_fdp_events(). The host-provided offset is not verifie
hw/nvme: fix oob memory read in fdp events log
As reported by Trend Micro's Zero Day Initiative, an oob memory read vulnerability exists in nvme_fdp_events(). The host-provided offset is not verified.
Fix this.
This is only exploitable when Flexible Data Placement mode (fdp=on) is enabled.
Fixes: CVE-2023-4135 Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation") Reported-by: Trend Micro's Zero Day Initiative Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
#
c1e244b6 |
| 20-Jul-2023 |
Klaus Jensen <k.jensen@samsung.com> |
hw/nvme: use stl/ldl pci dma api
Use the stl/ldl pci dma api for writing/reading doorbells. This removes the explicit endian conversions.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Rev
hw/nvme: use stl/ldl pci dma api
Use the stl/ldl pci dma api for writing/reading doorbells. This removes the explicit endian conversions.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Cédric Le Goater <clg@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
#
ea3c76f1 |
| 18-Jul-2023 |
Klaus Jensen <k.jensen@samsung.com> |
hw/nvme: fix endianness issue for shadow doorbells
In commit 2fda0726e514 ("hw/nvme: fix missing endian conversions for doorbell buffers"), we fixed shadow doorbells for big-endian guests running on
hw/nvme: fix endianness issue for shadow doorbells
In commit 2fda0726e514 ("hw/nvme: fix missing endian conversions for doorbell buffers"), we fixed shadow doorbells for big-endian guests running on little endian hosts. But I did not fix little-endian guests on big-endian hosts. Fix this.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1765 Fixes: 3f7fe8de3d49 ("hw/nvme: Implement shadow doorbell buffer support") Cc: qemu-stable@nongnu.org Reported-by: Thomas Huth <thuth@redhat.com> Tested-by: Cédric Le Goater <clg@redhat.com> Tested-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Keith Busch <kbusch@kernel.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
#
445416e3 |
| 10-Jul-2023 |
Akihiko Odaki <akihiko.odaki@daynix.com> |
pcie: Use common ARI next function number
Currently the only implementers of ARI is SR-IOV devices, and they behave similar. Share the ARI next function number.
Signed-off-by: Akihiko Odaki <akihik
pcie: Use common ARI next function number
Currently the only implementers of ARI is SR-IOV devices, and they behave similar. Share the ARI next function number.
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Ani Sinha <anisinha@redhat.com> Message-Id: <20230710153838.33917-2-akihiko.odaki@daynix.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
show more ...
|
Revision tags: v8.0.0 |
|
#
381ab99d |
| 17-Apr-2023 |
Minwoo Im <minwoo.im@samsung.com> |
hw/nvme: check maximum copy length (MCL) for COPY
MCL(Maximum Copy Length) in the Identify Namespace data structure limits the number of LBAs to be copied inside of the controller. We've not checke
hw/nvme: check maximum copy length (MCL) for COPY
MCL(Maximum Copy Length) in the Identify Namespace data structure limits the number of LBAs to be copied inside of the controller. We've not checked it at all, so added the check with returning the proper error status.
Signed-off-by: Minwoo Im <minwoo.im@samsung.com> Reviewed-by: Klaus Jensen <k.jensen@samsung.com> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
#
cab1da59 |
| 17-Apr-2023 |
Minwoo Im <minwoo.im@samsung.com> |
hw/nvme: consider COPY command in nvme_aio_err
If we don't have NVME_CMD_COPY consideration in the switch statement in nvme_aio_err(), it will go to have NVME_INTERNAL_DEV_ERROR and `req->status` wi
hw/nvme: consider COPY command in nvme_aio_err
If we don't have NVME_CMD_COPY consideration in the switch statement in nvme_aio_err(), it will go to have NVME_INTERNAL_DEV_ERROR and `req->status` will be ovewritten to it. During the aio context, it might set the NVMe status field like NVME_CMD_SIZE_LIMIT, but it's overwritten in the nvme_aio_err().
Add consideration for the NVME_CMD_COPY not to overwrite the status at the end of the function.
Signed-off-by: Minwoo Im <minwoo.im@samsung.com> Reviewed-by: Klaus Jensen <k.jensen@samsung.com> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
#
7491e0e4 |
| 17-Apr-2023 |
Minwoo Im <minwoo.im@samsung.com> |
hw/nvme: add comment for nvme-ns properties
Add more comments of existing properties for nvme-ns device.
Signed-off-by: Minwoo Im <minwoo.im@samsung.com> Reviewed-by: Klaus Jensen <k.jensen@samsung
hw/nvme: add comment for nvme-ns properties
Add more comments of existing properties for nvme-ns device.
Signed-off-by: Minwoo Im <minwoo.im@samsung.com> Reviewed-by: Klaus Jensen <k.jensen@samsung.com> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
#
f63192b0 |
| 27-Apr-2023 |
Alexander Bulekov <alxndr@bu.edu> |
hw: replace most qemu_bh_new calls with qemu_bh_new_guarded
This protects devices from bh->mmio reentrancy issues.
Thanks: Thomas Huth <thuth@redhat.com> for diagnosing OS X test failure. Signed-of
hw: replace most qemu_bh_new calls with qemu_bh_new_guarded
This protects devices from bh->mmio reentrancy issues.
Thanks: Thomas Huth <thuth@redhat.com> for diagnosing OS X test failure. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Paul Durrant <paul@xen.org> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20230427211013.2994127-5-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
show more ...
|
#
3488fc32 |
| 30-Mar-2023 |
Paolo Bonzini <pbonzini@redhat.com> |
nvme: remove constant argument to tracepoint
The last argument to -pci_nvme_err_startfail_virt_state is always "OFFLINE" due to the enclosing "if" condition requiring !sctrl->scs. Reported by Cover
nvme: remove constant argument to tracepoint
The last argument to -pci_nvme_err_startfail_virt_state is always "OFFLINE" due to the enclosing "if" condition requiring !sctrl->scs. Reported by Coverity.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
show more ...
|
#
4b32319c |
| 11-Apr-2023 |
Klaus Jensen <k.jensen@samsung.com> |
hw/nvme: fix memory leak in nvme_dsm
The iocb (and the allocated memory to hold LBA ranges) leaks if reading the LBA ranges fails.
Fix this by adding a free and an unref of the iocb.
Reported-by:
hw/nvme: fix memory leak in nvme_dsm
The iocb (and the allocated memory to hold LBA ranges) leaks if reading the LBA ranges fails.
Fix this by adding a free and an unref of the iocb.
Reported-by: Coverity (CID 1508281) Fixes: d7d1474fd85d ("hw/nvme: reimplement dsm to allow cancellation") Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
Revision tags: v7.2.0 |
|
#
ca2a0918 |
| 25-Aug-2022 |
Klaus Jensen <k.jensen@samsung.com> |
hw/nvme: fix missing DNR on compare failure
Even if the host is somehow using compare to do compare-and-write, the host should be notified immediately about the compare failure and not have to wait
hw/nvme: fix missing DNR on compare failure
Even if the host is somehow using compare to do compare-and-write, the host should be notified immediately about the compare failure and not have to wait for the driver to potentially retry the command.
Fixes: 0a384f923f51 ("hw/block/nvme: add compare command") Reported-by: Jim Harris <james.r.harris@intel.com> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
#
9b4f0181 |
| 20-Mar-2023 |
Mateusz Kozlowski <kozlowski.mateuszpl@gmail.com> |
hw/nvme: Change alignment in dma functions for nvme_blk_*
Since the nvme_blk_read/write are used by both the data and metadata portions of the IO, it can't have the 512B alignment requirement. Witho
hw/nvme: Change alignment in dma functions for nvme_blk_*
Since the nvme_blk_read/write are used by both the data and metadata portions of the IO, it can't have the 512B alignment requirement. Without this change any metadata transfer, which length isn't a multiple of 512B and which is bigger than 512B, will result in only a partial transfer.
Signed-off-by: Mateusz Kozlowski <kozlowski.mateuszpl@gmail.com> Reviewed-by: Klaus Jensen <k.jensen@samsung.com> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
#
73064edf |
| 20-Feb-2023 |
Jesper Devantier <j.devantier@samsung.com> |
hw/nvme: flexible data placement emulation
Add emulation of TP4146 ("Flexible Data Placement").
Reviewed-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Jesper Devantier <j.devantier@samsung.com
hw/nvme: flexible data placement emulation
Add emulation of TP4146 ("Flexible Data Placement").
Reviewed-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Jesper Devantier <j.devantier@samsung.com> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
#
e181d3da |
| 20-Feb-2023 |
Gollu Appalanaidu <anaidu.gollu@samsung.com> |
hw/nvme: basic directives support
Add support for the Directive Send and Recv commands and the Identify directive.
Reviewed-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Gollu Appalanaidu <ana
hw/nvme: basic directives support
Add support for the Directive Send and Recv commands and the Identify directive.
Reviewed-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Gollu Appalanaidu <anaidu.gollu@samsung.com> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
#
771dbc3a |
| 20-Feb-2023 |
Klaus Jensen <k.jensen@samsung.com> |
hw/nvme: add basic endurance group support
Add the mandatory Endurance Group identify data structures and log pages.
For now, all namespaces in a subsystem belongs to a single Endurance Group.
Rev
hw/nvme: add basic endurance group support
Add the mandatory Endurance Group identify data structures and log pages.
For now, all namespaces in a subsystem belongs to a single Endurance Group.
Reviewed-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
#
a555af17 |
| 20-Feb-2023 |
Joel Granados <j.granados@samsung.com> |
hw/nvme: move adjustment of data_units{read,written}
Move the rounding of bytes read/written into nvme_smart_log which reports in units of 512 bytes, rounded up in thousands. This is in preparation
hw/nvme: move adjustment of data_units{read,written}
Move the rounding of bytes read/written into nvme_smart_log which reports in units of 512 bytes, rounded up in thousands. This is in preparation for adding the Endurance Group Information log page which reports in units of billions, rounded up.
Reviewed-by: Keith Busch <kbusch@kernel.org> Reviewed-by: Klaus Jensen <k.jensen@samsung.com> Signed-off-by: Joel Granados <j.granados@samsung.com> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|
#
973f76cf |
| 09-Nov-2022 |
Klaus Jensen <k.jensen@samsung.com> |
hw/nvme: cleanup error reporting in nvme_init_pci()
Replace the local Error variable with errp and ERRP_GUARD() and change the return value to bool.
Reviewed-by: Philippe Mathieu-Daudé <philmd@lina
hw/nvme: cleanup error reporting in nvme_init_pci()
Replace the local Error variable with errp and ERRP_GUARD() and change the return value to bool.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
show more ...
|