From 57001144628db65ef9b7dbbfb759101212696d6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@redhat.com>
Date: Thu, 14 Mar 2024 09:22:38 +0100
Subject: [PATCH 1/3] vfio/iommufd: Fix memory leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Coverity reported a memory leak on variable 'contents' in routine
iommufd_cdev_getfd(). Use g_autofree variables to simplify the exit
path and get rid of g_free() calls.
Cc: Eric Auger <eric.auger@redhat.com>
Cc: Yi Liu <yi.l.liu@intel.com>
Fixes: CID 1540007
Fixes: 5ee3dc7af785 ("vfio/iommufd: Implement the iommufd backend")
Suggested-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
hw/vfio/iommufd.c | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/hw/vfio/iommufd.c b/hw/vfio/iommufd.c
index bafddb8f5a..8827ffe636 100644
--- a/hw/vfio/iommufd.c
+++ b/hw/vfio/iommufd.c
@@ -118,10 +118,12 @@ static int iommufd_cdev_getfd(const char *sysfs_path, Error **errp)
{
ERRP_GUARD();
long int ret = -ENOTTY;
- char *path, *vfio_dev_path = NULL, *vfio_path = NULL;
+ g_autofree char *path = NULL;
+ g_autofree char *vfio_dev_path = NULL;
+ g_autofree char *vfio_path = NULL;
DIR *dir = NULL;
struct dirent *dent;
- gchar *contents;
+ g_autofree gchar *contents = NULL;
gsize length;
int major, minor;
dev_t vfio_devt;
@@ -130,7 +132,7 @@ static int iommufd_cdev_getfd(const char *sysfs_path, Error **errp)
dir = opendir(path);
if (!dir) {
error_setg_errno(errp, errno, "couldn't open directory %s", path);
- goto out_free_path;
+ goto out;
}
while ((dent = readdir(dir))) {
@@ -147,14 +149,13 @@ static int iommufd_cdev_getfd(const char *sysfs_path, Error **errp)
if (!g_file_get_contents(vfio_dev_path, &contents, &length, NULL)) {
error_setg(errp, "failed to load \"%s\"", vfio_dev_path);
- goto out_free_dev_path;
+ goto out_close_dir;
}
if (sscanf(contents, "%d:%d", &major, &minor) != 2) {
error_setg(errp, "failed to get major:minor for \"%s\"", vfio_dev_path);
- goto out_free_dev_path;
+ goto out_close_dir;
}
- g_free(contents);
vfio_devt = makedev(major, minor);
vfio_path = g_strdup_printf("/dev/vfio/devices/%s", dent->d_name);
@@ -164,17 +165,13 @@ static int iommufd_cdev_getfd(const char *sysfs_path, Error **errp)
}
trace_iommufd_cdev_getfd(vfio_path, ret);
- g_free(vfio_path);
-out_free_dev_path:
- g_free(vfio_dev_path);
out_close_dir:
closedir(dir);
-out_free_path:
+out:
if (*errp) {
error_prepend(errp, VFIO_MSG_PREFIX, path);
}
- g_free(path);
return ret;
}
From 5b2b9450a2f83668bedd092b43233ad35f0d40bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@redhat.com>
Date: Mon, 18 Mar 2024 16:58:44 +0100
Subject: [PATCH 2/3] ppc/pnv: I2C controller is not user creatable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The I2C controller is a subunit of the processor. Make it so and avoid
QEMU crashes.
$ build/qemu-system-ppc64 -S -machine powernv9 -device pnv-i2c
qemu-system-ppc64: ../hw/ppc/pnv_i2c.c:521: pnv_i2c_realize: Assertion `i2c->chip' failed.
Aborted (core dumped)
Fixes: 263b81ee15af ("ppc/pnv: Add an I2C controller model")
Cc: Glenn Miles <milesg@linux.vnet.ibm.com>
Reported-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Glenn Miles <milesg@linux.vnet.ibm.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
hw/ppc/pnv_i2c.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/ppc/pnv_i2c.c b/hw/ppc/pnv_i2c.c
index 4581cc5e5d..eec5047ce8 100644
--- a/hw/ppc/pnv_i2c.c
+++ b/hw/ppc/pnv_i2c.c
@@ -557,6 +557,9 @@ static void pnv_i2c_class_init(ObjectClass *klass, void *data)
xscomc->dt_xscom = pnv_i2c_dt_xscom;
+ /* Reason: This device is part of the CPU and cannot be used separately */
+ dc->user_creatable = false;
+
dc->desc = "PowerNV I2C";
dc->realize = pnv_i2c_realize;
device_class_set_props(dc, pnv_i2c_properties);
From a7538ca0791880b6aeb2cc4cc8c00305e2d975f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@redhat.com>
Date: Tue, 19 Mar 2024 08:33:20 +0100
Subject: [PATCH 3/3] aspeed/smc: Only wire flash devices at reset
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The Aspeed machines have many Static Memory Controllers (SMC), up to
8, which can only drive flash memory devices. Commit 27a2c66c92ec
("aspeed/smc: Wire CS lines at reset") tried to ease the definitions
of these devices by allowing flash devices from the command line to be
attached to a SSI bus. For that, the wiring of the CS lines of the
Aspeed SMC controller was moved at reset. Two assumptions are made
though, first that the device has a SSI_GPIO_CS GPIO line, which is
not always the case, and second that it is a flash device.
Correct this problem by ensuring that the devices attached to the bus
are of the correct flash type. This fixes a QEMU abort when devices
without a CS line, such as the max111x, are passed on the command
line.
While at it, export TYPE_M25P80 used in the Xilinx Versal Virtual
machine.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2228
Fixes: 27a2c66c92ec ("aspeed/smc: Wire CS lines at reset")
Reported-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Tested-by: Thomas Huth <thuth@redhat.com>
[ clg: minor fixes in the commit log ]
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
hw/arm/xlnx-versal-virt.c | 3 ++-
hw/block/m25p80.c | 1 -
hw/ssi/aspeed_smc.c | 9 +++++++++
include/hw/block/flash.h | 2 ++
4 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c
index bfaed1aebf..962f98fee2 100644
--- a/hw/arm/xlnx-versal-virt.c
+++ b/hw/arm/xlnx-versal-virt.c
@@ -13,6 +13,7 @@
#include "qemu/error-report.h"
#include "qapi/error.h"
#include "sysemu/device_tree.h"
+#include "hw/block/flash.h"
#include "hw/boards.h"
#include "hw/sysbus.h"
#include "hw/arm/fdt.h"
@@ -759,7 +760,7 @@ static void versal_virt_init(MachineState *machine)
flash_klass = object_class_by_name(s->ospi_model);
if (!flash_klass ||
object_class_is_abstract(flash_klass) ||
- !object_class_dynamic_cast(flash_klass, "m25p80-generic")) {
+ !object_class_dynamic_cast(flash_klass, TYPE_M25P80)) {
error_setg(&error_fatal, "'%s' is either abstract or"
" not a subtype of m25p80", s->ospi_model);
return;
diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
index 08a00a6d9b..8dec134832 100644
--- a/hw/block/m25p80.c
+++ b/hw/block/m25p80.c
@@ -515,7 +515,6 @@ struct M25P80Class {
FlashPartInfo *pi;
};
-#define TYPE_M25P80 "m25p80-generic"
OBJECT_DECLARE_TYPE(Flash, M25P80Class, M25P80)
static inline Manufacturer get_man(Flash *s)
diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
index 3c93936fd1..6e1a84c197 100644
--- a/hw/ssi/aspeed_smc.c
+++ b/hw/ssi/aspeed_smc.c
@@ -23,6 +23,7 @@
*/
#include "qemu/osdep.h"
+#include "hw/block/flash.h"
#include "hw/sysbus.h"
#include "migration/vmstate.h"
#include "qemu/log.h"
@@ -695,6 +696,14 @@ static void aspeed_smc_reset(DeviceState *d)
for (i = 0; i < asc->cs_num_max; i++) {
DeviceState *dev = ssi_get_cs(s->spi, i);
if (dev) {
+ Object *o = OBJECT(dev);
+
+ if (!object_dynamic_cast(o, TYPE_M25P80)) {
+ warn_report("Aspeed SMC %s.%d : Invalid %s device type",
+ BUS(s->spi)->name, i, object_get_typename(o));
+ continue;
+ }
+
qemu_irq cs_line = qdev_get_gpio_in_named(dev, SSI_GPIO_CS, 0);
qdev_connect_gpio_out_named(DEVICE(s), "cs", i, cs_line);
}
diff --git a/include/hw/block/flash.h b/include/hw/block/flash.h
index de93756cbe..2b5ccd92f4 100644
--- a/include/hw/block/flash.h
+++ b/include/hw/block/flash.h
@@ -78,6 +78,8 @@ extern const VMStateDescription vmstate_ecc_state;
/* m25p80.c */
+#define TYPE_M25P80 "m25p80-generic"
+
BlockBackend *m25p80_get_blk(DeviceState *dev);
#endif