search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s390/sclp: check sccb len before filling in data
[qemu/ar7.git] / hw / s390x / sclp.c
blob0d54075309d551e250d91a5c3f2aa27658de2ef9
1 /*
2 * SCLP Support
3 *
4 * Copyright IBM, Corp. 2012
5 *
6 * Authors:
7 * Christian Borntraeger <borntraeger@de.ibm.com>
8 * Heinz Graalfs <graalfs@linux.vnet.ibm.com>
9 *
10 * This work is licensed under the terms of the GNU GPL, version 2 or (at your
11 * option) any later version. See the COPYING file in the top-level directory.
12 *
13 */
14
15 #include "qemu/osdep.h"
16 #include "qemu/units.h"
17 #include "qapi/error.h"
18 #include "cpu.h"
19 #include "sysemu/sysemu.h"
20 #include "hw/boards.h"
21 #include "hw/s390x/sclp.h"
22 #include "hw/s390x/event-facility.h"
23 #include "hw/s390x/s390-pci-bus.h"
24 #include "hw/s390x/ipl.h"
25
26 static inline SCLPDevice *get_sclp_device(void)
27 {
28 static SCLPDevice *sclp;
29
30 if (!sclp) {
31 sclp = SCLP(object_resolve_path_type("", TYPE_SCLP, NULL));
32 }
33 return sclp;
34 }
35
36 static inline bool sclp_command_code_valid(uint32_t code)
37 {
38 switch (code & SCLP_CMD_CODE_MASK) {
39 case SCLP_CMDW_READ_SCP_INFO:
40 case SCLP_CMDW_READ_SCP_INFO_FORCED:
41 case SCLP_CMDW_READ_CPU_INFO:
42 case SCLP_CMDW_CONFIGURE_IOA:
43 case SCLP_CMDW_DECONFIGURE_IOA:
44 case SCLP_CMD_READ_EVENT_DATA:
45 case SCLP_CMD_WRITE_EVENT_DATA:
46 case SCLP_CMD_WRITE_EVENT_MASK:
47 return true;
48 }
49 return false;
50 }
51
52 static bool sccb_verify_boundary(uint64_t sccb_addr, uint16_t sccb_len)
53 {
54 uint64_t sccb_max_addr = sccb_addr + sccb_len - 1;
55 uint64_t sccb_boundary = (sccb_addr & PAGE_MASK) + PAGE_SIZE;
56
57 if (sccb_max_addr < sccb_boundary) {
58 return true;
59 }
60
61 return false;
62 }
63
64 static void prepare_cpu_entries(MachineState *ms, CPUEntry *entry, int *count)
65 {
66 uint8_t features[SCCB_CPU_FEATURE_LEN] = { 0 };
67 int i;
68
69 s390_get_feat_block(S390_FEAT_TYPE_SCLP_CPU, features);
70 for (i = 0, *count = 0; i < ms->possible_cpus->len; i++) {
71 if (!ms->possible_cpus->cpus[i].cpu) {
72 continue;
73 }
74 entry[*count].address = ms->possible_cpus->cpus[i].arch_id;
75 entry[*count].type = 0;
76 memcpy(entry[*count].features, features, sizeof(features));
77 (*count)++;
78 }
79 }
80
81 #define SCCB_REQ_LEN(s, max_cpus) (sizeof(s) + max_cpus * sizeof(CPUEntry))
82
83 /* Provide information about the configuration, CPUs and storage */
84 static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb)
85 {
86 ReadInfo *read_info = (ReadInfo *) sccb;
87 MachineState *machine = MACHINE(qdev_get_machine());
88 int cpu_count;
89 int rnsize, rnmax;
90 IplParameterBlock *ipib = s390_ipl_get_iplb();
91 int required_len = SCCB_REQ_LEN(ReadInfo, machine->possible_cpus->len);
92
93 if (be16_to_cpu(sccb->h.length) < required_len) {
94 sccb->h.response_code = cpu_to_be16(SCLP_RC_INSUFFICIENT_SCCB_LENGTH);
95 return;
96 }
97
98 /* CPU information */
99 prepare_cpu_entries(machine, read_info->entries, &cpu_count);
100 read_info->entries_cpu = cpu_to_be16(cpu_count);
101 read_info->offset_cpu = cpu_to_be16(offsetof(ReadInfo, entries));
102 read_info->highest_cpu = cpu_to_be16(machine->smp.max_cpus - 1);
103
104 read_info->ibc_val = cpu_to_be32(s390_get_ibc_val());
105
106 /* Configuration Characteristic (Extension) */
107 s390_get_feat_block(S390_FEAT_TYPE_SCLP_CONF_CHAR,
108 read_info->conf_char);
109 s390_get_feat_block(S390_FEAT_TYPE_SCLP_CONF_CHAR_EXT,
110 read_info->conf_char_ext);
111
112 read_info->facilities = cpu_to_be64(SCLP_HAS_CPU_INFO |
113 SCLP_HAS_IOA_RECONFIG);
114
115 read_info->mha_pow = s390_get_mha_pow();
116 read_info->hmfai = cpu_to_be32(s390_get_hmfai());
117
118 rnsize = 1 << (sclp->increment_size - 20);
119 if (rnsize <= 128) {
120 read_info->rnsize = rnsize;
121 } else {
122 read_info->rnsize = 0;
123 read_info->rnsize2 = cpu_to_be32(rnsize);
124 }
125
126 /* we don't support standby memory, maxram_size is never exposed */
127 rnmax = machine->ram_size >> sclp->increment_size;
128 if (rnmax < 0x10000) {
129 read_info->rnmax = cpu_to_be16(rnmax);
130 } else {
131 read_info->rnmax = cpu_to_be16(0);
132 read_info->rnmax2 = cpu_to_be64(rnmax);
133 }
134
135 if (ipib && ipib->flags & DIAG308_FLAGS_LP_VALID) {
136 memcpy(&read_info->loadparm, &ipib->loadparm,
137 sizeof(read_info->loadparm));
138 } else {
139 s390_ipl_set_loadparm(read_info->loadparm);
140 }
141
142 sccb->h.response_code = cpu_to_be16(SCLP_RC_NORMAL_READ_COMPLETION);
143 }
144
145 /* Provide information about the CPU */
146 static void sclp_read_cpu_info(SCLPDevice *sclp, SCCB *sccb)
147 {
148 MachineState *machine = MACHINE(qdev_get_machine());
149 ReadCpuInfo *cpu_info = (ReadCpuInfo *) sccb;
150 int cpu_count;
151 int required_len = SCCB_REQ_LEN(ReadCpuInfo, machine->possible_cpus->len);
152
153 if (be16_to_cpu(sccb->h.length) < required_len) {
154 sccb->h.response_code = cpu_to_be16(SCLP_RC_INSUFFICIENT_SCCB_LENGTH);
155 return;
156 }
157
158 prepare_cpu_entries(machine, cpu_info->entries, &cpu_count);
159 cpu_info->nr_configured = cpu_to_be16(cpu_count);
160 cpu_info->offset_configured = cpu_to_be16(offsetof(ReadCpuInfo, entries));
161 cpu_info->nr_standby = cpu_to_be16(0);
162
163 /* The standby offset is 16-byte for each CPU */
164 cpu_info->offset_standby = cpu_to_be16(cpu_info->offset_configured
165 + cpu_info->nr_configured*sizeof(CPUEntry));
166
167
168 sccb->h.response_code = cpu_to_be16(SCLP_RC_NORMAL_READ_COMPLETION);
169 }
170
171 static void sclp_configure_io_adapter(SCLPDevice *sclp, SCCB *sccb,
172 bool configure)
173 {
174 int rc;
175
176 if (be16_to_cpu(sccb->h.length) < 16) {
177 rc = SCLP_RC_INSUFFICIENT_SCCB_LENGTH;
178 goto out_err;
179 }
180
181 switch (((IoaCfgSccb *)sccb)->atype) {
182 case SCLP_RECONFIG_PCI_ATYPE:
183 if (s390_has_feat(S390_FEAT_ZPCI)) {
184 if (configure) {
185 s390_pci_sclp_configure(sccb);
186 } else {
187 s390_pci_sclp_deconfigure(sccb);
188 }
189 return;
190 }
191 /* fallthrough */
192 default:
193 rc = SCLP_RC_ADAPTER_TYPE_NOT_RECOGNIZED;
194 }
195
196 out_err:
197 sccb->h.response_code = cpu_to_be16(rc);
198 }
199
200 static void sclp_execute(SCLPDevice *sclp, SCCB *sccb, uint32_t code)
201 {
202 SCLPDeviceClass *sclp_c = SCLP_GET_CLASS(sclp);
203 SCLPEventFacility *ef = sclp->event_facility;
204 SCLPEventFacilityClass *efc = EVENT_FACILITY_GET_CLASS(ef);
205
206 switch (code & SCLP_CMD_CODE_MASK) {
207 case SCLP_CMDW_READ_SCP_INFO:
208 case SCLP_CMDW_READ_SCP_INFO_FORCED:
209 sclp_c->read_SCP_info(sclp, sccb);
210 break;
211 case SCLP_CMDW_READ_CPU_INFO:
212 sclp_c->read_cpu_info(sclp, sccb);
213 break;
214 case SCLP_CMDW_CONFIGURE_IOA:
215 sclp_configure_io_adapter(sclp, sccb, true);
216 break;
217 case SCLP_CMDW_DECONFIGURE_IOA:
218 sclp_configure_io_adapter(sclp, sccb, false);
219 break;
220 default:
221 efc->command_handler(ef, sccb, code);
222 break;
223 }
224 }
225
226 /*
227 * We only need the address to have something valid for the
228 * service_interrupt call.
229 */
230 #define SCLP_PV_DUMMY_ADDR 0x4000
231 int sclp_service_call_protected(CPUS390XState *env, uint64_t sccb,
232 uint32_t code)
233 {
234 SCLPDevice *sclp = get_sclp_device();
235 SCLPDeviceClass *sclp_c = SCLP_GET_CLASS(sclp);
236 SCCBHeader header;
237 g_autofree SCCB *work_sccb = NULL;
238
239 s390_cpu_pv_mem_read(env_archcpu(env), 0, &header, sizeof(SCCBHeader));
240
241 work_sccb = g_malloc0(be16_to_cpu(header.length));
242 s390_cpu_pv_mem_read(env_archcpu(env), 0, work_sccb,
243 be16_to_cpu(header.length));
244
245 if (!sclp_command_code_valid(code)) {
246 work_sccb->h.response_code = cpu_to_be16(SCLP_RC_INVALID_SCLP_COMMAND);
247 goto out_write;
248 }
249
250 if (!sccb_verify_boundary(sccb, be16_to_cpu(work_sccb->h.length))) {
251 work_sccb->h.response_code = cpu_to_be16(SCLP_RC_SCCB_BOUNDARY_VIOLATION);
252 goto out_write;
253 }
254
255 sclp_c->execute(sclp, work_sccb, code);
256 out_write:
257 s390_cpu_pv_mem_write(env_archcpu(env), 0, work_sccb,
258 be16_to_cpu(work_sccb->h.length));
259 sclp_c->service_interrupt(sclp, SCLP_PV_DUMMY_ADDR);
260 return 0;
261 }
262
263 int sclp_service_call(CPUS390XState *env, uint64_t sccb, uint32_t code)
264 {
265 SCLPDevice *sclp = get_sclp_device();
266 SCLPDeviceClass *sclp_c = SCLP_GET_CLASS(sclp);
267 SCCBHeader header;
268 g_autofree SCCB *work_sccb = NULL;
269
270 /* first some basic checks on program checks */
271 if (env->psw.mask & PSW_MASK_PSTATE) {
272 return -PGM_PRIVILEGED;
273 }
274 if (cpu_physical_memory_is_io(sccb)) {
275 return -PGM_ADDRESSING;
276 }
277 if ((sccb & ~0x1fffUL) == 0 || (sccb & ~0x1fffUL) == env->psa
278 || (sccb & ~0x7ffffff8UL) != 0) {
279 return -PGM_SPECIFICATION;
280 }
281
282 /* the header contains the actual length of the sccb */
283 cpu_physical_memory_read(sccb, &header, sizeof(SCCBHeader));
284
285 /* Valid sccb sizes */
286 if (be16_to_cpu(header.length) < sizeof(SCCBHeader)) {
287 return -PGM_SPECIFICATION;
288 }
289
290 /*
291 * we want to work on a private copy of the sccb, to prevent guests
292 * from playing dirty tricks by modifying the memory content after
293 * the host has checked the values
294 */
295 work_sccb = g_malloc0(be16_to_cpu(header.length));
296 cpu_physical_memory_read(sccb, work_sccb, be16_to_cpu(header.length));
297
298 if (!sclp_command_code_valid(code)) {
299 work_sccb->h.response_code = cpu_to_be16(SCLP_RC_INVALID_SCLP_COMMAND);
300 goto out_write;
301 }
302
303 if (!sccb_verify_boundary(sccb, be16_to_cpu(work_sccb->h.length))) {
304 work_sccb->h.response_code = cpu_to_be16(SCLP_RC_SCCB_BOUNDARY_VIOLATION);
305 goto out_write;
306 }
307
308 sclp_c->execute(sclp, work_sccb, code);
309 out_write:
310 cpu_physical_memory_write(sccb, work_sccb,
311 be16_to_cpu(work_sccb->h.length));
312
313 sclp_c->service_interrupt(sclp, sccb);
314
315 return 0;
316 }
317
318 static void service_interrupt(SCLPDevice *sclp, uint32_t sccb)
319 {
320 SCLPEventFacility *ef = sclp->event_facility;
321 SCLPEventFacilityClass *efc = EVENT_FACILITY_GET_CLASS(ef);
322
323 uint32_t param = sccb & ~3;
324
325 /* Indicate whether an event is still pending */
326 param |= efc->event_pending(ef) ? 1 : 0;
327
328 if (!param) {
329 /* No need to send an interrupt, there's nothing to be notified about */
330 return;
331 }
332 s390_sclp_extint(param);
333 }
334
335 void sclp_service_interrupt(uint32_t sccb)
336 {
337 SCLPDevice *sclp = get_sclp_device();
338 SCLPDeviceClass *sclp_c = SCLP_GET_CLASS(sclp);
339
340 sclp_c->service_interrupt(sclp, sccb);
341 }
342
343 /* qemu object creation and initialization functions */
344
345 void s390_sclp_init(void)
346 {
347 Object *new = object_new(TYPE_SCLP);
348
349 object_property_add_child(qdev_get_machine(), TYPE_SCLP, new);
350 object_unref(new);
351 qdev_realize(DEVICE(new), NULL, &error_fatal);
352 }
353
354 static void sclp_realize(DeviceState *dev, Error **errp)
355 {
356 MachineState *machine = MACHINE(qdev_get_machine());
357 SCLPDevice *sclp = SCLP(dev);
358 uint64_t hw_limit;
359 int ret;
360
361 /*
362 * qdev_device_add searches the sysbus for TYPE_SCLP_EVENTS_BUS. As long
363 * as we can't find a fitting bus via the qom tree, we have to add the
364 * event facility to the sysbus, so e.g. a sclp console can be created.
365 */
366 if (!sysbus_realize(SYS_BUS_DEVICE(sclp->event_facility), errp)) {
367 return;
368 }
369
370 ret = s390_set_memory_limit(machine->maxram_size, &hw_limit);
371 if (ret == -E2BIG) {
372 error_setg(errp, "host supports a maximum of %" PRIu64 " GB",
373 hw_limit / GiB);
374 } else if (ret) {
375 error_setg(errp, "setting the guest size failed");
376 }
377 }
378
379 static void sclp_memory_init(SCLPDevice *sclp)
380 {
381 MachineState *machine = MACHINE(qdev_get_machine());
382 MachineClass *machine_class = MACHINE_GET_CLASS(qdev_get_machine());
383 ram_addr_t initial_mem = machine->ram_size;
384 int increment_size = 20;
385
386 /* The storage increment size is a multiple of 1M and is a power of 2.
387 * For some machine types, the number of storage increments must be
388 * MAX_STORAGE_INCREMENTS or fewer.
389 * The variable 'increment_size' is an exponent of 2 that can be
390 * used to calculate the size (in bytes) of an increment. */
391 while (machine_class->fixup_ram_size != NULL &&
392 (initial_mem >> increment_size) > MAX_STORAGE_INCREMENTS) {
393 increment_size++;
394 }
395 sclp->increment_size = increment_size;
396 }
397
398 static void sclp_init(Object *obj)
399 {
400 SCLPDevice *sclp = SCLP(obj);
401 Object *new;
402
403 new = object_new(TYPE_SCLP_EVENT_FACILITY);
404 object_property_add_child(obj, TYPE_SCLP_EVENT_FACILITY, new);
405 object_unref(new);
406 sclp->event_facility = EVENT_FACILITY(new);
407
408 sclp_memory_init(sclp);
409 }
410
411 static void sclp_class_init(ObjectClass *oc, void *data)
412 {
413 SCLPDeviceClass *sc = SCLP_CLASS(oc);
414 DeviceClass *dc = DEVICE_CLASS(oc);
415
416 dc->desc = "SCLP (Service-Call Logical Processor)";
417 dc->realize = sclp_realize;
418 dc->hotpluggable = false;
419 set_bit(DEVICE_CATEGORY_MISC, dc->categories);
420 /*
421 * Reason: Creates TYPE_SCLP_EVENT_FACILITY in sclp_init
422 * which is a non-pluggable sysbus device
423 */
424 dc->user_creatable = false;
425
426 sc->read_SCP_info = read_SCP_info;
427 sc->read_cpu_info = sclp_read_cpu_info;
428 sc->execute = sclp_execute;
429 sc->service_interrupt = service_interrupt;
430 }
431
432 static TypeInfo sclp_info = {
433 .name = TYPE_SCLP,
434 .parent = TYPE_DEVICE,
435 .instance_init = sclp_init,
436 .instance_size = sizeof(SCLPDevice),
437 .class_init = sclp_class_init,
438 .class_size = sizeof(SCLPDeviceClass),
439 };
440
441 static void register_types(void)
442 {
443 type_register_static(&sclp_info);
444 }
445 type_init(register_types);
AR7 emulation for QEMU