[Qemu-devel] [PULL for-2.10 0/4] s390x: more fixes

[Qemu-devel] [PULL for-2.10 0/4] s390x: more fixes

[Cornelia Huck]

The following changes since commit e01151de165070c25a1b202e9e2392950bd7c8da:

  Merge remote-tracking branch 'remotes/kraxel/tags/ui-20170727-pull-request' into staging (2017-07-27 15:27:06 +0100)

are available in the git repository at:

  git://github.com/cohuck/qemu tags/s390x-20170728

for you to fetch changes up to 4add0da64942d83e0564147c0876b01074bde9cb:

  s390x/css: fix bits must be zero check for TIC (2017-07-28 10:06:25 +0200)

----------------------------------------------------------------
More s390x fixes: Correct ilen, and ccw checking.

----------------------------------------------------------------

David Hildenbrand (2):
  target/s390x: fix pgm irq ilen for stsi
  target/s390x: fix pgm irq ilen in translate_pages()

Halil Pasic (2):
  s390x/css: check ccw address validity
  s390x/css: fix bits must be zero check for TIC

 hw/s390x/css.c             | 7 ++++++-
 target/s390x/misc_helper.c | 2 +-
 target/s390x/mmu_helper.c  | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

-- 
2.13.3

[Qemu-devel] [PULL for-2.10 1/4] target/s390x: fix pgm irq ilen for stsi

[Cornelia Huck]

From: David Hildenbrand <david@redhat.com>

The instruction is 4 bytes long.

Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <20170721125609.11117-2-david@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
---
 target/s390x/misc_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/s390x/misc_helper.c b/target/s390x/misc_helper.c
index 44c5c401fb..d23ffcd890 100644
--- a/target/s390x/misc_helper.c
+++ b/target/s390x/misc_helper.c
@@ -192,7 +192,7 @@ uint32_t HELPER(stsi)(CPUS390XState *env, uint64_t a0,
     if ((r0 & STSI_LEVEL_MASK) <= STSI_LEVEL_3 &&
         ((r0 & STSI_R0_RESERVED_MASK) || (r1 & STSI_R1_RESERVED_MASK))) {
         /* valid function code, invalid reserved bits */
-        program_interrupt(env, PGM_SPECIFICATION, 2);
+        program_interrupt(env, PGM_SPECIFICATION, 4);
     }
 
     sel1 = r0 & STSI_R0_SEL1_MASK;
-- 
2.13.3

[Qemu-devel] [PULL for-2.10 2/4] target/s390x: fix pgm irq ilen in translate_pages()

[Cornelia Huck]

From: David Hildenbrand <david@redhat.com>

0 is certainly wrong. Let's use ILEN_AUTO.

Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <20170721125609.11117-3-david@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
---
 target/s390x/mmu_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/s390x/mmu_helper.c b/target/s390x/mmu_helper.c
index a873dc48a0..1ad01584b4 100644
--- a/target/s390x/mmu_helper.c
+++ b/target/s390x/mmu_helper.c
@@ -440,7 +440,7 @@ static int translate_pages(S390CPU *cpu, vaddr addr, int nr_pages,
         }
         if (!address_space_access_valid(&address_space_memory, pages[i],
                                         TARGET_PAGE_SIZE, is_write)) {
-            program_interrupt(env, PGM_ADDRESSING, 0);
+            program_interrupt(env, PGM_ADDRESSING, ILEN_AUTO);
             return -EFAULT;
         }
         addr += TARGET_PAGE_SIZE;
-- 
2.13.3

[Qemu-devel] [PULL for-2.10 3/4] s390x/css: check ccw address validity

[Cornelia Huck]

From: Halil Pasic <pasic@linux.vnet.ibm.com>

According to the PoP channel command words (CCW) must be doubleword
aligned and 31 bit addressable for format 1 and 24 bit addressable for
format 0 CCWs.

If the channel subsystem encounters a ccw address which does not satisfy
this alignment requirement a program-check condition is recognised.

The situation with 31 bit addressable is a bit more complicated: both the
ORB and a format 1 CCW TIC hold the address of (the rest of) the channel
program, that is the address of the next CCW in a word, and the PoP
mandates that bit 0 of that word shall be zero -- or a program-check
condition is to be recognized -- and does not belong to the field holding
the ccw address.

Since in code the corresponding fields span across the whole word (unlike
in PoP where these are defined as 31 bit wide) we can check this by
applying a mask. The 24 addressable case isn't affecting TIC because the
address is composed of a halfword and a byte portion (no additional zero
bit requirements) and just slightly complicates the ORB case where also
bits 1-7 need to be zero.

The same requirements (especially n-bit addressability) apply to the
ccw addresses generated while chaining.

Let's make our CSS implementation follow the AR more closely.

Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com>
Message-Id: <20170727154842.23427-1-pasic@linux.vnet.ibm.com>
Reviewed-by: Dong Jia Shi <bjsdjshi@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
---
 hw/s390x/css.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/s390x/css.c b/hw/s390x/css.c
index 6a42b95cee..177cbfc92d 100644
--- a/hw/s390x/css.c
+++ b/hw/s390x/css.c
@@ -795,6 +795,10 @@ static int css_interpret_ccw(SubchDev *sch, hwaddr ccw_addr,
     if (!ccw_addr) {
         return -EIO;
     }
+    /* Check doubleword aligned and 31 or 24 (fmt 0) bit addressable. */
+    if (ccw_addr & (sch->ccw_fmt_1 ? 0x80000007 : 0xff000007)) {
+        return -EINVAL;
+    }
 
     /* Translate everything to format-1 ccws - the information is the same. */
     ccw = copy_ccw_from_guest(ccw_addr, sch->ccw_fmt_1);
-- 
2.13.3

[Qemu-devel] [PULL for-2.10 4/4] s390x/css: fix bits must be zero check for TIC

[Cornelia Huck]

From: Halil Pasic <pasic@linux.vnet.ibm.com>

According to the PoP bit positions 0-3 and 8-32 of the format-1 CCW must
contain zeros.  Bits 0-3 are already covered by cmd_code validity
checking, and bit 32 is covered by the CCW address checking.

Bits 8-31 correspond to CCW1.flags and CCW1.count.  Currently we only
check for the absence of certain flags.  Let's fix this.

Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com>
Message-Id: <20170725224442.13383-3-pasic@linux.vnet.ibm.com>
Reviewed-by: Dong Jia Shi <bjsdjshi@linux.vnet.ibm.com>
[CH: tweaked comment]
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
---
 hw/s390x/css.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/s390x/css.c b/hw/s390x/css.c
index 177cbfc92d..1880b1a0ff 100644
--- a/hw/s390x/css.c
+++ b/hw/s390x/css.c
@@ -885,7 +885,8 @@ static int css_interpret_ccw(SubchDev *sch, hwaddr ccw_addr,
             ret = -EINVAL;
             break;
         }
-        if (ccw.flags & (CCW_FLAG_CC | CCW_FLAG_DC)) {
+        if (ccw.flags || ccw.count) {
+            /* We have already sanitized these if converted from fmt 0. */
             ret = -EINVAL;
             break;
         }
-- 
2.13.3

Re: [Qemu-devel] [PULL for-2.10 0/4] s390x: more fixes

[Peter Maydell]

On 28 July 2017 at 10:19, Cornelia Huck <cohuck@redhat.com> wrote:
> The following changes since commit e01151de165070c25a1b202e9e2392950bd7c8da:
>
>   Merge remote-tracking branch 'remotes/kraxel/tags/ui-20170727-pull-request' into staging (2017-07-27 15:27:06 +0100)
>
> are available in the git repository at:
>
>   git://github.com/cohuck/qemu tags/s390x-20170728
>
> for you to fetch changes up to 4add0da64942d83e0564147c0876b01074bde9cb:
>
>   s390x/css: fix bits must be zero check for TIC (2017-07-28 10:06:25 +0200)
>
> ----------------------------------------------------------------
> More s390x fixes: Correct ilen, and ccw checking.
>
> ----------------------------------------------------------------
>
> David Hildenbrand (2):
>   target/s390x: fix pgm irq ilen for stsi
>   target/s390x: fix pgm irq ilen in translate_pages()
>
> Halil Pasic (2):
>   s390x/css: check ccw address validity
>   s390x/css: fix bits must be zero check for TIC
>
>  hw/s390x/css.c             | 7 ++++++-
>  target/s390x/misc_helper.c | 2 +-
>  target/s390x/mmu_helper.c  | 2 +-
>  3 files changed, 8 insertions(+), 3 deletions(-)

Applied, thanks.

-- PMM