QEMU-Devel Archive on lore.kernel.org
 help / color / Atom feed
* [Qemu-devel] [Bug 1693050] [NEW] xhci HCIVERSION register read emulation incorrectly handled
@ 2017-05-23 23:32 Robert Mustacchi
  2020-03-25 20:50 ` [Bug 1693050] " Paul Menzel
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Robert Mustacchi @ 2017-05-23 23:32 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

We had an illumos user trying to run illumos in QEMU 2.9.0 with the
qemu-xhci device enabled. Note, that while this was discovered against
QEMU 2.9.0, from my current read of the HEAD, it is still present. The
illumos bug at https://www.illumos.org/issues/8173 has additional
information on how the user invoked qemu. While investigating the
problem we found that the illumos driver was reading a version of 0x0000
when reading the HCIVERSION register from qemu.

In the illumos driver we're performing a 16-bit read of the version
register at offset 0x2. From looking around at other OSes, while Linux
performs a 4 byte read at offset 0x0 and masks out the version, others
that care about the version are doing a two byte read, though not all
actually act on the version and some just discard the information.

The user who hit this was able to enable tracing (note the tracing file
is attached to the illumos bug linked previously) and we hit the
unimplemented register read with offset 0x2 at
http://git.qemu.org/?p=qemu.git;a=blob;f=hw/usb/hcd-
xhci.c;hb=HEAD#l2960. The xhci register specifies today that its allowed
for users to do 1-4 byte reads; however, that it implements only four
byte reads in its implementation
(http://git.qemu.org/?p=qemu.git;a=blob;f=hw/usb/hcd-
xhci.c;hb=HEAD#l3333). Hence why when we read the HCIVERSION register at
offset 0x2, it isn't handled in xhci_cap_read() which then returns
zeros.

>From digging into this, I think that we're coming into
memory_region_dispatch_read() and then memory_region_dispatch_read1().
However, I don't see anything in either the general memory region logic
or in the xhci_cap_read() function that would deal with adjusting the
offset that we're reading at and then masking it off again. While the
access_with_adjusted_size() attempts to deal with this, it never adjusts
the hardware address that's passed in to be a multiple of the
implementation defined offset that I can see. I suspect that the FIXME
at line 582
(http://git.qemu.org/?p=qemu.git;a=blob;f=memory.c;hb=HEAD#l582) and the
implementation in the xhci code is the crux of the problem.

For the time being we're working around this in the illumos driver, but
I wanted to point this out such that it might be helpful for other
systems which are assuming that they can do the two byte read like on
hardware.

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1693050

Title:
  xhci HCIVERSION register read emulation incorrectly handled

Status in QEMU:
  New

Bug description:
  We had an illumos user trying to run illumos in QEMU 2.9.0 with the
  qemu-xhci device enabled. Note, that while this was discovered against
  QEMU 2.9.0, from my current read of the HEAD, it is still present. The
  illumos bug at https://www.illumos.org/issues/8173 has additional
  information on how the user invoked qemu. While investigating the
  problem we found that the illumos driver was reading a version of
  0x0000 when reading the HCIVERSION register from qemu.

  In the illumos driver we're performing a 16-bit read of the version
  register at offset 0x2. From looking around at other OSes, while Linux
  performs a 4 byte read at offset 0x0 and masks out the version, others
  that care about the version are doing a two byte read, though not all
  actually act on the version and some just discard the information.

  The user who hit this was able to enable tracing (note the tracing
  file is attached to the illumos bug linked previously) and we hit the
  unimplemented register read with offset 0x2 at
  http://git.qemu.org/?p=qemu.git;a=blob;f=hw/usb/hcd-
  xhci.c;hb=HEAD#l2960. The xhci register specifies today that its
  allowed for users to do 1-4 byte reads; however, that it implements
  only four byte reads in its implementation
  (http://git.qemu.org/?p=qemu.git;a=blob;f=hw/usb/hcd-
  xhci.c;hb=HEAD#l3333). Hence why when we read the HCIVERSION register
  at offset 0x2, it isn't handled in xhci_cap_read() which then returns
  zeros.

  From digging into this, I think that we're coming into
  memory_region_dispatch_read() and then memory_region_dispatch_read1().
  However, I don't see anything in either the general memory region
  logic or in the xhci_cap_read() function that would deal with
  adjusting the offset that we're reading at and then masking it off
  again. While the access_with_adjusted_size() attempts to deal with
  this, it never adjusts the hardware address that's passed in to be a
  multiple of the implementation defined offset that I can see. I
  suspect that the FIXME at line 582
  (http://git.qemu.org/?p=qemu.git;a=blob;f=memory.c;hb=HEAD#l582) and
  the implementation in the xhci code is the crux of the problem.

  For the time being we're working around this in the illumos driver,
  but I wanted to point this out such that it might be helpful for other
  systems which are assuming that they can do the two byte read like on
  hardware.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1693050/+subscriptions

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [Bug 1693050] Re: xhci HCIVERSION register read emulation incorrectly handled
  2017-05-23 23:32 [Qemu-devel] [Bug 1693050] [NEW] xhci HCIVERSION register read emulation incorrectly handled Robert Mustacchi
@ 2020-03-25 20:50 ` Paul Menzel
  2020-03-26 18:54 ` Philippe Mathieu-Daudé
  2020-03-26 21:16 ` Paul Menzel
  2 siblings, 0 replies; 4+ messages in thread
From: Paul Menzel @ 2020-03-25 20:50 UTC (permalink / raw)
  To: qemu-devel

According to [1], this is still an issue today.

[1]: https://review.coreboot.org/c/coreboot/+/39838/

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1693050

Title:
  xhci HCIVERSION register read emulation incorrectly handled

Status in QEMU:
  New

Bug description:
  We had an illumos user trying to run illumos in QEMU 2.9.0 with the
  qemu-xhci device enabled. Note, that while this was discovered against
  QEMU 2.9.0, from my current read of the HEAD, it is still present. The
  illumos bug at https://www.illumos.org/issues/8173 has additional
  information on how the user invoked qemu. While investigating the
  problem we found that the illumos driver was reading a version of
  0x0000 when reading the HCIVERSION register from qemu.

  In the illumos driver we're performing a 16-bit read of the version
  register at offset 0x2. From looking around at other OSes, while Linux
  performs a 4 byte read at offset 0x0 and masks out the version, others
  that care about the version are doing a two byte read, though not all
  actually act on the version and some just discard the information.

  The user who hit this was able to enable tracing (note the tracing
  file is attached to the illumos bug linked previously) and we hit the
  unimplemented register read with offset 0x2 at
  http://git.qemu.org/?p=qemu.git;a=blob;f=hw/usb/hcd-
  xhci.c;hb=HEAD#l2960. The xhci register specifies today that its
  allowed for users to do 1-4 byte reads; however, that it implements
  only four byte reads in its implementation
  (http://git.qemu.org/?p=qemu.git;a=blob;f=hw/usb/hcd-
  xhci.c;hb=HEAD#l3333). Hence why when we read the HCIVERSION register
  at offset 0x2, it isn't handled in xhci_cap_read() which then returns
  zeros.

  From digging into this, I think that we're coming into
  memory_region_dispatch_read() and then memory_region_dispatch_read1().
  However, I don't see anything in either the general memory region
  logic or in the xhci_cap_read() function that would deal with
  adjusting the offset that we're reading at and then masking it off
  again. While the access_with_adjusted_size() attempts to deal with
  this, it never adjusts the hardware address that's passed in to be a
  multiple of the implementation defined offset that I can see. I
  suspect that the FIXME at line 582
  (http://git.qemu.org/?p=qemu.git;a=blob;f=memory.c;hb=HEAD#l582) and
  the implementation in the xhci code is the crux of the problem.

  For the time being we're working around this in the illumos driver,
  but I wanted to point this out such that it might be helpful for other
  systems which are assuming that they can do the two byte read like on
  hardware.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1693050/+subscriptions


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [Bug 1693050] Re: xhci HCIVERSION register read emulation incorrectly handled
  2017-05-23 23:32 [Qemu-devel] [Bug 1693050] [NEW] xhci HCIVERSION register read emulation incorrectly handled Robert Mustacchi
  2020-03-25 20:50 ` [Bug 1693050] " Paul Menzel
@ 2020-03-26 18:54 ` Philippe Mathieu-Daudé
  2020-03-26 21:16 ` Paul Menzel
  2 siblings, 0 replies; 4+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-03-26 18:54 UTC (permalink / raw)
  To: qemu-devel

Odd, this should be fixed by commit 6ee021d41 and
36960b4d66..98f52cdbb5c.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1693050

Title:
  xhci HCIVERSION register read emulation incorrectly handled

Status in QEMU:
  New

Bug description:
  We had an illumos user trying to run illumos in QEMU 2.9.0 with the
  qemu-xhci device enabled. Note, that while this was discovered against
  QEMU 2.9.0, from my current read of the HEAD, it is still present. The
  illumos bug at https://www.illumos.org/issues/8173 has additional
  information on how the user invoked qemu. While investigating the
  problem we found that the illumos driver was reading a version of
  0x0000 when reading the HCIVERSION register from qemu.

  In the illumos driver we're performing a 16-bit read of the version
  register at offset 0x2. From looking around at other OSes, while Linux
  performs a 4 byte read at offset 0x0 and masks out the version, others
  that care about the version are doing a two byte read, though not all
  actually act on the version and some just discard the information.

  The user who hit this was able to enable tracing (note the tracing
  file is attached to the illumos bug linked previously) and we hit the
  unimplemented register read with offset 0x2 at
  http://git.qemu.org/?p=qemu.git;a=blob;f=hw/usb/hcd-
  xhci.c;hb=HEAD#l2960. The xhci register specifies today that its
  allowed for users to do 1-4 byte reads; however, that it implements
  only four byte reads in its implementation
  (http://git.qemu.org/?p=qemu.git;a=blob;f=hw/usb/hcd-
  xhci.c;hb=HEAD#l3333). Hence why when we read the HCIVERSION register
  at offset 0x2, it isn't handled in xhci_cap_read() which then returns
  zeros.

  From digging into this, I think that we're coming into
  memory_region_dispatch_read() and then memory_region_dispatch_read1().
  However, I don't see anything in either the general memory region
  logic or in the xhci_cap_read() function that would deal with
  adjusting the offset that we're reading at and then masking it off
  again. While the access_with_adjusted_size() attempts to deal with
  this, it never adjusts the hardware address that's passed in to be a
  multiple of the implementation defined offset that I can see. I
  suspect that the FIXME at line 582
  (http://git.qemu.org/?p=qemu.git;a=blob;f=memory.c;hb=HEAD#l582) and
  the implementation in the xhci code is the crux of the problem.

  For the time being we're working around this in the illumos driver,
  but I wanted to point this out such that it might be helpful for other
  systems which are assuming that they can do the two byte read like on
  hardware.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1693050/+subscriptions


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [Bug 1693050] Re: xhci HCIVERSION register read emulation incorrectly handled
  2017-05-23 23:32 [Qemu-devel] [Bug 1693050] [NEW] xhci HCIVERSION register read emulation incorrectly handled Robert Mustacchi
  2020-03-25 20:50 ` [Bug 1693050] " Paul Menzel
  2020-03-26 18:54 ` Philippe Mathieu-Daudé
@ 2020-03-26 21:16 ` Paul Menzel
  2 siblings, 0 replies; 4+ messages in thread
From: Paul Menzel @ 2020-03-26 21:16 UTC (permalink / raw)
  To: qemu-devel

According to Duncan, it’s not, and the paragraph from the original issue
still applies.

> The xhci register specifies today that its allowed for users to do 1-4 byte reads; however, that
> it implements only four byte reads in its implementation
> (https://git.qemu.org/?p=qemu.git;a=blob;f=hw/usb/hcd-xhci.c;hb=HEAD#l3333). Hence why when we
> read the HCIVERSION register at offset 0x2, it isn't handled in xhci_cap_read() which then
> returns zeros.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1693050

Title:
  xhci HCIVERSION register read emulation incorrectly handled

Status in QEMU:
  New

Bug description:
  We had an illumos user trying to run illumos in QEMU 2.9.0 with the
  qemu-xhci device enabled. Note, that while this was discovered against
  QEMU 2.9.0, from my current read of the HEAD, it is still present. The
  illumos bug at https://www.illumos.org/issues/8173 has additional
  information on how the user invoked qemu. While investigating the
  problem we found that the illumos driver was reading a version of
  0x0000 when reading the HCIVERSION register from qemu.

  In the illumos driver we're performing a 16-bit read of the version
  register at offset 0x2. From looking around at other OSes, while Linux
  performs a 4 byte read at offset 0x0 and masks out the version, others
  that care about the version are doing a two byte read, though not all
  actually act on the version and some just discard the information.

  The user who hit this was able to enable tracing (note the tracing
  file is attached to the illumos bug linked previously) and we hit the
  unimplemented register read with offset 0x2 at
  http://git.qemu.org/?p=qemu.git;a=blob;f=hw/usb/hcd-
  xhci.c;hb=HEAD#l2960. The xhci register specifies today that its
  allowed for users to do 1-4 byte reads; however, that it implements
  only four byte reads in its implementation
  (http://git.qemu.org/?p=qemu.git;a=blob;f=hw/usb/hcd-
  xhci.c;hb=HEAD#l3333). Hence why when we read the HCIVERSION register
  at offset 0x2, it isn't handled in xhci_cap_read() which then returns
  zeros.

  From digging into this, I think that we're coming into
  memory_region_dispatch_read() and then memory_region_dispatch_read1().
  However, I don't see anything in either the general memory region
  logic or in the xhci_cap_read() function that would deal with
  adjusting the offset that we're reading at and then masking it off
  again. While the access_with_adjusted_size() attempts to deal with
  this, it never adjusts the hardware address that's passed in to be a
  multiple of the implementation defined offset that I can see. I
  suspect that the FIXME at line 582
  (http://git.qemu.org/?p=qemu.git;a=blob;f=memory.c;hb=HEAD#l582) and
  the implementation in the xhci code is the crux of the problem.

  For the time being we're working around this in the illumos driver,
  but I wanted to point this out such that it might be helpful for other
  systems which are assuming that they can do the two byte read like on
  hardware.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1693050/+subscriptions


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-05-23 23:32 [Qemu-devel] [Bug 1693050] [NEW] xhci HCIVERSION register read emulation incorrectly handled Robert Mustacchi
2020-03-25 20:50 ` [Bug 1693050] " Paul Menzel
2020-03-26 18:54 ` Philippe Mathieu-Daudé
2020-03-26 21:16 ` Paul Menzel

QEMU-Devel Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/qemu-devel/0 qemu-devel/git/0.git
	git clone --mirror https://lore.kernel.org/qemu-devel/1 qemu-devel/git/1.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 qemu-devel qemu-devel/ https://lore.kernel.org/qemu-devel \
		qemu-devel@nongnu.org
	public-inbox-index qemu-devel

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.nongnu.qemu-devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git