File 0190-hw-misc-tz-ppc-Support-having-unuse.patch of Package qemu.20748
From: Peter Maydell <peter.maydell@linaro.org>
Date: Thu, 21 Feb 2019 18:17:46 +0000
Subject: hw/misc/tz-ppc: Support having unused ports in the middle of the
range
Git-commit: 37e571f1e0101f9aab29235afa651028723eb4c5
References: bsc#1173612, CVE-2020-15469
The Peripheral Protection Controller's handling of unused ports
is that if there is nothing connected to the port's downstream
then it does not create the sysbus MMIO region for the upstream
end of the port. This results in odd behaviour when there is
an unused port in the middle of the range: since sysbus MMIO
regions are implicitly consecutively allocated, any used ports
above the unused ones end up with sysbus MMIO region numbers
that don't match the port number.
Avoid this numbering mismatch by creating dummy MMIO regions
for the unused ports. This doesn't change anything for our
existing boards, which don't have any gaps in the middle of
the port ranges they use; but it will be needed for the Musca
board.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
hw/misc/tz-ppc.c | 32 ++++++++++++++++++++++++++++++++
include/hw/misc/tz-ppc.h | 8 +++++++-
2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/hw/misc/tz-ppc.c b/hw/misc/tz-ppc.c
index 3dd045c15f5fb1a8bb06bd36b61b..2e04837bea989f855e225833e5cf 100644
--- a/hw/misc/tz-ppc.c
+++ b/hw/misc/tz-ppc.c
@@ -181,6 +181,21 @@ static const MemoryRegionOps tz_ppc_ops = {
.endianness = DEVICE_LITTLE_ENDIAN,
};
+static bool tz_ppc_dummy_accepts(void *opaque, hwaddr addr,
+ unsigned size, bool is_write,
+ MemTxAttrs attrs)
+{
+ /*
+ * Board code should never map the upstream end of an unused port,
+ * so we should never try to make a memory access to it.
+ */
+ g_assert_not_reached();
+}
+
+static const MemoryRegionOps tz_ppc_dummy_ops = {
+ .valid.accepts = tz_ppc_dummy_accepts,
+};
+
static void tz_ppc_reset(DeviceState *dev)
{
TZPPC *s = TZ_PPC(dev);
@@ -210,16 +225,33 @@ static void tz_ppc_realize(DeviceState *dev, Error **errp)
SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
TZPPC *s = TZ_PPC(dev);
int i;
+ int max_port = 0;
/* We can't create the upstream end of the port until realize,
* as we don't know the size of the MR used as the downstream until then.
*/
for (i = 0; i < TZ_NUM_PORTS; i++) {
+ if (s->port[i].downstream) {
+ max_port = i;
+ }
+ }
+
+ for (i = 0; i <= max_port; i++) {
TZPPCPort *port = &s->port[i];
char *name;
uint64_t size;
if (!port->downstream) {
+ /*
+ * Create dummy sysbus MMIO region so the sysbus region
+ * numbering doesn't get out of sync with the port numbers.
+ * The size is entirely arbitrary.
+ */
+ name = g_strdup_printf("tz-ppc-dummy-port[%d]", i);
+ memory_region_init_io(&port->upstream, obj, &tz_ppc_dummy_ops,
+ port, name, 0x10000);
+ sysbus_init_mmio(sbd, &port->upstream);
+ g_free(name);
continue;
}
diff --git a/include/hw/misc/tz-ppc.h b/include/hw/misc/tz-ppc.h
index fc8b806e4dfb45a3ba9ba6992ee9..080d6e2ec17e531b837bc1ae404d 100644
--- a/include/hw/misc/tz-ppc.h
+++ b/include/hw/misc/tz-ppc.h
@@ -38,7 +38,13 @@
*
* QEMU interface:
* + sysbus MMIO regions 0..15: MemoryRegions defining the upstream end
- * of each of the 16 ports of the PPC
+ * of each of the 16 ports of the PPC. When a port is unused (i.e. no
+ * downstream MemoryRegion is connected to it) at the end of the 0..15
+ * range then no sysbus MMIO region is created for its upstream. When an
+ * unused port lies in the middle of the range with other used ports at
+ * higher port numbers, a dummy MMIO region is created to ensure that
+ * port N's upstream is always sysbus MMIO region N. Dummy regions should
+ * not be mapped, and will assert if any access is made to them.
* + Property "port[0..15]": MemoryRegion defining the downstream device(s)
* for each of the 16 ports of the PPC
* + Named GPIO inputs "cfg_nonsec[0..15]": set to 1 if the port should be
