/usr/src/usr.sbin/vmd/vioblk.c

Bug Summary

File:	src/usr.sbin/vmd/vioblk.c
Warning:	line 231, column 12 Array access (via field 'disk_fd') results in an undefined pointer dereference

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name vioblk.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.sbin/vmd/obj -resource-dir /usr/local/llvm16/lib/clang/16 -I /usr/src/usr.sbin/vmd -internal-isystem /usr/local/llvm16/lib/clang/16/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.sbin/vmd/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fno-jump-tables -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/scan/2024-01-11-140451-98009-1 -x c /usr/src/usr.sbin/vmd/vioblk.c

1/*	$OpenBSD: vioblk.c,v 1.9 2023/09/26 01:53:54 dv Exp $	*/

3/*
* Copyright (c) 2023 Dave Voutila <dv@openbsd.org>
* Copyright (c) 2015 Mike Larkin <mlarkin@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
19#include <sys/mman.h>
20#include <sys/param.h> /* PAGE_SIZE */

22#include <dev/pci/virtio_pcireg.h>
23#include <dev/pv/vioblkreg.h>
24#include <dev/pv/virtioreg.h>

26#include <errno(*__errno()).h>
27#include <event.h>
28#include <fcntl.h>
29#include <stdlib.h>
30#include <string.h>
31#include <unistd.h>

33#include "atomicio.h"
34#include "pci.h"
35#include "virtio.h"
36#include "vmd.h"

38extern char *__progname;
39extern struct vmd_vm *current_vm;
40struct iovec io_v[VIOBLK_QUEUE_SIZE128];

42static const char *disk_type(int);
43static uint32_t handle_io_read(struct viodev_msg *, struct virtio_dev *,
  int8_t *);
45static int handle_io_write(struct viodev_msg *, struct virtio_dev *);

47static void vioblk_update_qs(struct vioblk_dev *);
48static void vioblk_update_qa(struct vioblk_dev *);
49static int vioblk_notifyq(struct vioblk_dev *);
50static ssize_t vioblk_rw(struct vioblk_dev *, int, off_t,
  struct vring_desc *, struct vring_desc **);

53static void dev_dispatch_vm(int, short, void *);
54static void handle_sync_io(int, short, void *);

56static const char *
57disk_type(int type)
58{
switch (type) {
case VMDF_RAW0x01: return "raw";
case VMDF_QCOW20x02: return "qcow2";
}
return "unknown";
64}

66__dead__attribute__((__noreturn__)) void
67vioblk_main(int fd, int fd_vmm)
68{
struct virtio_dev	 dev;
struct vioblk_dev	*vioblk;
1
'vioblk' declared without an initial value→
struct viodev_msg 	 msg;
struct vmd_vm		 vm;
struct vm_create_params	*vcp;
ssize_t			 sz;
off_t			 szp = 0;
int			 i, ret, type;

/*
* stdio - needed for read/write to disk fds and channels to the vm.
* vmm + proc - needed to create shared vm mappings.
*/
if (pledge("stdio vmm proc", NULL((void *)0)) == -1)
2
←
Assuming the condition is false→
3
←
Taking false branch→
fatal("pledge");

/* Zero and initialize io work queue. */
memset(io_v, 0, nitems(io_v)(sizeof((io_v)) / sizeof((io_v)[0]))*sizeof(io_v[0]));

/* Receive our virtio_dev, mostly preconfigured. */
memset(&dev, 0, sizeof(dev));
sz = atomicio(read, fd, &dev, sizeof(dev));
if (sz != sizeof(dev)) {
4
←
Assuming the condition is false→
5
←
Taking false branch→
ret = errno(*__errno());
log_warn("failed to receive vioblk");
goto fail;
}
if (dev.dev_type != VMD_DEVTYPE_DISK'd') {
6
←
Assuming the condition is true→
7
←
Taking true branch→
ret = EINVAL22;
log_warn("received invalid device type");
goto fail;
8
←
Control jumps to line 221→
}
dev.sync_fd = fd;
vioblk = &dev.vioblk;

log_debug("%s: got viblk dev. num disk fds = %d, sync fd = %d, "
   "async fd = %d, capacity = %lld seg_max = %u, vmm fd = %d",
   __func__, vioblk->ndisk_fd, dev.sync_fd, dev.async_fd,
   vioblk->capacity, vioblk->seg_max, fd_vmm);

/* Receive our vm information from the vm process. */
memset(&vm, 0, sizeof(vm));
sz = atomicio(read, dev.sync_fd, &vm, sizeof(vm));
if (sz != sizeof(vm)) {
ret = EIO5;
log_warnx("failed to receive vm details");
goto fail;
}
vcp = &vm.vm_params.vmc_params;
current_vm = &vm;

setproctitle("%s/vioblk%d", vcp->vcp_name, vioblk->idx);
log_procinit("vm/%s/vioblk%d", vcp->vcp_name, vioblk->idx);

/* Now that we have our vm information, we can remap memory. */
ret = remap_guest_mem(&vm, fd_vmm);
if (ret) {
log_warnx("failed to remap guest memory");
goto fail;
}

/*
* We no longer need /dev/vmm access.
*/
close_fd(fd_vmm);
if (pledge("stdio", NULL((void *)0)) == -1)
fatal("pledge2");

/* Initialize the virtio block abstractions. */
type = vm.vm_params.vmc_disktypes[vioblk->idx];
switch (type) {
case VMDF_RAW0x01:
ret = virtio_raw_init(&vioblk->file, &szp, vioblk->disk_fd,
    vioblk->ndisk_fd);
break;
case VMDF_QCOW20x02:
ret = virtio_qcow2_init(&vioblk->file, &szp, vioblk->disk_fd,
    vioblk->ndisk_fd);
break;
default:
log_warnx("invalid disk image type");
goto fail;
}
if (ret || szp < 0) {
log_warnx("failed to init disk %s image", disk_type(type));
goto fail;
}
vioblk->capacity = szp / 512;
log_debug("%s: initialized vioblk%d with %s image (capacity=%lld)",
   __func__, vioblk->idx, disk_type(type), vioblk->capacity);

/* If we're restoring hardware, reinitialize the virtqueue hva. */
if (vm.vm_state & VM_STATE_RECEIVED0x08)
vioblk_update_qa(vioblk);

/* Initialize libevent so we can start wiring event handlers. */
event_init();

/* Wire up an async imsg channel. */
log_debug("%s: wiring in async vm event handler (fd=%d)", __func__,
dev.async_fd);
if (vm_device_pipe(&dev, dev_dispatch_vm)) {
ret = EIO5;
log_warnx("vm_device_pipe");
goto fail;
}

/* Configure our sync channel event handler. */
log_debug("%s: wiring in sync channel handler (fd=%d)", __func__,
dev.sync_fd);
if (fcntl(dev.sync_fd, F_SETFL4, O_NONBLOCK0x0004) == -1) {
ret = errno(*__errno());
log_warn("%s: fcntl", __func__);
goto fail;
}
imsg_init(&dev.sync_iev.ibuf, dev.sync_fd);
dev.sync_iev.handler = handle_sync_io;
dev.sync_iev.data = &dev;
dev.sync_iev.events = EV_READ0x02;
imsg_event_add(&dev.sync_iev);

/* Send a ready message over the sync channel. */
log_debug("%s: telling vm %s device is ready", __func__, vcp->vcp_name);
memset(&msg, 0, sizeof(msg));
msg.type = VIODEV_MSG_READY1;
imsg_compose_event(&dev.sync_iev, IMSG_DEVOP_MSG, 0, 0, -1, &msg,
   sizeof(msg));

/* Send a ready message over the async channel. */
log_debug("%s: sending heartbeat", __func__);
ret = imsg_compose_event(&dev.async_iev, IMSG_DEVOP_MSG, 0, 0, -1,
   &msg, sizeof(msg));
if (ret == -1) {
log_warnx("%s: failed to send async ready message!", __func__);
goto fail;
}

/* Engage the event loop! */
ret = event_dispatch();

if (ret == 0) {
/* Clean shutdown. */
close_fd(dev.sync_fd);
close_fd(dev.async_fd);
for (i = 0; i < (int)sizeof(vioblk->disk_fd); i++)
	close_fd(vioblk->disk_fd[i]);
_exit(0);
/* NOTREACHED */
}

219fail:
/* Try letting the vm know we've failed something. */
memset(&msg, 0, sizeof(msg));
msg.type = VIODEV_MSG_ERROR2;
msg.data = ret;
imsg_compose(&dev.sync_iev.ibuf, IMSG_DEVOP_MSG, 0, 0, -1, &msg,
   sizeof(msg));
imsg_flush(&dev.sync_iev.ibuf);

close_fd(dev.sync_fd);
close_fd(dev.async_fd);
for (i = 0; i < (int)sizeof(vioblk->disk_fd); i++)
9
←
Loop condition is true.  Entering loop body→
close_fd(vioblk->disk_fd[i]);
10
←
Array access (via field 'disk_fd') results in an undefined pointer dereference
_exit(ret);
/* NOTREACHED */
234}

236const char *
237vioblk_cmd_name(uint32_t type)
238{
switch (type) {
case VIRTIO_BLK_T_IN0: return "read";
case VIRTIO_BLK_T_OUT1: return "write";
case VIRTIO_BLK_T_SCSI_CMD2: return "scsi read";
case VIRTIO_BLK_T_SCSI_CMD_OUT3: return "scsi write";
case VIRTIO_BLK_T_FLUSH4: return "flush";
case VIRTIO_BLK_T_FLUSH_OUT5: return "flush out";
case VIRTIO_BLK_T_GET_ID8: return "get id";
default: return "unknown";
}
249}

251static void
252vioblk_update_qa(struct vioblk_dev *dev)
253{
struct virtio_vq_info *vq_info;
void *hva = NULL((void *)0);

/* Invalid queue? */
if (dev->cfg.queue_select > 0)
return;

vq_info = &dev->vq[dev->cfg.queue_select];
vq_info->q_gpa = (uint64_t)dev->cfg.queue_pfn * VIRTIO_PAGE_SIZE(4096);

hva = hvaddr_mem(vq_info->q_gpa, vring_size(VIOBLK_QUEUE_SIZE128));
if (hva == NULL((void *)0))
fatal("vioblk_update_qa");
vq_info->q_hva = hva;
268}

270static void
271vioblk_update_qs(struct vioblk_dev *dev)
272{
struct virtio_vq_info *vq_info;

/* Invalid queue? */
if (dev->cfg.queue_select > 0) {
dev->cfg.queue_size = 0;
return;
}

vq_info = &dev->vq[dev->cfg.queue_select];

/* Update queue pfn/size based on queue select */
dev->cfg.queue_pfn = vq_info->q_gpa >> 12;
dev->cfg.queue_size = vq_info->qs;
286}

288/*
* Process virtqueue notifications. If an unrecoverable error occurs, puts
* device into a "needs reset" state.
*
* Returns 1 if an we need to assert an IRQ.
*/
294static int
295vioblk_notifyq(struct vioblk_dev *dev)
296{
uint32_t cmd_len;
uint16_t idx, cmd_desc_idx;
uint8_t ds;
off_t offset;
ssize_t sz;
int is_write, notify, i;
char *vr;
struct vring_desc *table, *desc;
struct vring_avail *avail;
struct vring_used *used;
struct virtio_blk_req_hdr *cmd;
struct virtio_vq_info *vq_info;

/* Invalid queue? */
if (dev->cfg.queue_notify > 0)
return (0);

vq_info = &dev->vq[dev->cfg.queue_notify];
idx = vq_info->last_avail;
vr = vq_info->q_hva;
if (vr == NULL((void *)0))
fatalx("%s: null vring", __func__);

/* Compute offsets in table of descriptors, avail ring, and used ring */
table = (struct vring_desc *)(vr);
avail = (struct vring_avail *)(vr + vq_info->vq_availoffset);
used = (struct vring_used *)(vr + vq_info->vq_usedoffset);

while (idx != avail->idx) {
/* Retrieve Command descriptor. */
cmd_desc_idx = avail->ring[idx & VIOBLK_QUEUE_MASK(128 - 1)];
desc = &table[cmd_desc_idx];
cmd_len = desc->len;

/*
 * Validate Command descriptor. It should be chained to another
 * descriptor and not be itself writable.
 */
if ((desc->flags & VRING_DESC_F_NEXT1) == 0) {
	log_warnx("%s: unchained cmd descriptor", __func__);
	goto reset;
}
if (DESC_WRITABLE(desc)(((desc)->flags & 2) ? 1 : 0)) {
	log_warnx("%s: invalid cmd descriptor state", __func__);
	goto reset;
}

/* Retrieve the vioblk command request. */
cmd = hvaddr_mem(desc->addr, sizeof(*cmd));
if (cmd == NULL((void *)0))
	goto reset;

/* Advance to the 2nd descriptor. */
desc = &table[desc->next & VIOBLK_QUEUE_MASK(128 - 1)];

/* Process each available command & chain. */
switch (cmd->type) {
case VIRTIO_BLK_T_IN0:
case VIRTIO_BLK_T_OUT1:
	/* Read (IN) & Write (OUT) */
	is_write = (cmd->type == VIRTIO_BLK_T_OUT1) ? 1 : 0;
	offset = cmd->sector * VIRTIO_BLK_SECTOR_SIZE512;
	sz = vioblk_rw(dev, is_write, offset, table, &desc);
	if (sz == -1)
		ds = VIRTIO_BLK_S_IOERR1;
	else
		ds = VIRTIO_BLK_S_OK0;
	break;
case VIRTIO_BLK_T_GET_ID8:
	/*
	 * We don't support this command yet. While it's not
	 * officially part of the virtio spec (will be in v1.2)
	 * there's no feature to negotiate. Linux drivers will
	 * often send this command regardless.
	 */
	ds = VIRTIO_BLK_S_UNSUPP2;
default:
	log_warnx("%s: unsupported vioblk command %d", __func__,
	    cmd->type);
	ds = VIRTIO_BLK_S_UNSUPP2;
	break;
}

/* Advance to the end of the chain, if needed. */
i = 0;
while (desc->flags & VRING_DESC_F_NEXT1) {
	desc = &table[desc->next & VIOBLK_QUEUE_MASK(128 - 1)];
	if (++i >= VIOBLK_QUEUE_SIZE128) {
		/*
		 * If we encounter an infinite/looping chain,
		 * not much we can do but say we need a reset.
		 */
		log_warnx("%s: descriptor chain overflow",
		    __func__);
		goto reset;
	}
}

/* Provide the status of our command processing. */
if (!DESC_WRITABLE(desc)(((desc)->flags & 2) ? 1 : 0)) {
	log_warnx("%s: status descriptor unwritable", __func__);
	goto reset;
}
/* Overkill as ds is 1 byte, but validates gpa. */
if (write_mem(desc->addr, &ds, sizeof(ds)))
	log_warnx("%s: can't write device status data "
	    "@ 0x%llx",__func__, desc->addr);

dev->cfg.isr_status |= 1;
notify = 1;

used->ring[used->idx & VIOBLK_QUEUE_MASK(128 - 1)].id = cmd_desc_idx;
used->ring[used->idx & VIOBLK_QUEUE_MASK(128 - 1)].len = cmd_len;

__sync_synchronize();
used->idx++;
idx++;
}

vq_info->last_avail = idx;
return (notify);

419reset:
/*
* When setting the "needs reset" flag, the driver is notified
* via a configuration change interrupt.
*/
dev->cfg.device_status |= DEVICE_NEEDS_RESET64;
dev->cfg.isr_status |= VIRTIO_CONFIG_ISR_CONFIG_CHANGE2;
return (1);
427}

429static void
430dev_dispatch_vm(int fd, short event, void *arg)
431{
struct virtio_dev	*dev = (struct virtio_dev *)arg;
struct imsgev		*iev = &dev->async_iev;
struct imsgbuf		*ibuf = &iev->ibuf;
struct imsg	 	 imsg;
ssize_t			 n = 0;
int			 verbose;

if (event & EV_READ0x02) {
if ((n = imsg_read(ibuf)) == -1 && errno(*__errno()) != EAGAIN35)
	fatal("%s: imsg_read", __func__);
if (n == 0) {
	/* this pipe is dead, so remove the event handler */
	log_debug("%s: pipe dead (EV_READ)", __func__);
	event_del(&iev->ev);
	event_loopexit(NULL((void *)0));
	return;
}
}

if (event & EV_WRITE0x04) {
if ((n = msgbuf_write(&ibuf->w)) == -1 && errno(*__errno()) != EAGAIN35)
	fatal("%s: msgbuf_write", __func__);
if (n == 0) {
	/* this pipe is dead, so remove the event handler */
	log_debug("%s: pipe dead (EV_WRITE)", __func__);
	event_del(&iev->ev);
	event_loopbreak();
	return;
}
}

for (;;) {
if ((n = imsg_get(ibuf, &imsg)) == -1)
	fatal("%s: imsg_get", __func__);
if (n == 0)
	break;

switch (imsg.hdr.type) {
case IMSG_VMDOP_PAUSE_VM:
	log_debug("%s: pausing", __func__);
	break;
case IMSG_VMDOP_UNPAUSE_VM:
	log_debug("%s: unpausing", __func__);
	break;
case IMSG_CTL_VERBOSE:
	IMSG_SIZE_CHECK(&imsg, &verbose)do { if (((&imsg)->hdr.len - sizeof(struct imsg_hdr)) <
 sizeof(*&verbose)) fatalx("bad length imsg received (%s)"
, "&verbose"); } while (0);
	memcpy(&verbose, imsg.data, sizeof(verbose));
	log_setverbose(verbose);
	break;
default:
	log_warnx("%s: unhandled imsg type %d", __func__,
	    imsg.hdr.type);
	break;
}
imsg_free(&imsg);
}
imsg_event_add(iev);
489}

491/*
* Synchronous IO handler.
*
*/
495static void
496handle_sync_io(int fd, short event, void *arg)
497{
struct virtio_dev *dev = (struct virtio_dev *)arg;
struct imsgev *iev = &dev->sync_iev;
struct imsgbuf *ibuf = &iev->ibuf;
struct viodev_msg msg;
struct imsg imsg;
ssize_t n;
int8_t intr = INTR_STATE_NOOP0;

if (event & EV_READ0x02) {
if ((n = imsg_read(ibuf)) == -1 && errno(*__errno()) != EAGAIN35)
	fatal("%s: imsg_read", __func__);
if (n == 0) {
	/* this pipe is dead, so remove the event handler */
	log_debug("%s: vioblk pipe dead (EV_READ)", __func__);
	event_del(&iev->ev);
	event_loopexit(NULL((void *)0));
	return;
}
}

if (event & EV_WRITE0x04) {
if ((n = msgbuf_write(&ibuf->w)) == -1 && errno(*__errno()) != EAGAIN35)
	fatal("%s: msgbuf_write", __func__);
if (n == 0) {
	/* this pipe is dead, so remove the event handler */
	log_debug("%s: vioblk pipe dead (EV_WRITE)", __func__);
	event_del(&iev->ev);
	event_loopexit(NULL((void *)0));
	return;
}
}

for (;;) {
if ((n = imsg_get(ibuf, &imsg)) == -1)
	fatalx("%s: imsg_get (n=%ld)", __func__, n);
if (n == 0)
	break;

/* Unpack our message. They ALL should be dev messeges! */
IMSG_SIZE_CHECK(&imsg, &msg)do { if (((&imsg)->hdr.len - sizeof(struct imsg_hdr)) <
 sizeof(*&msg)) fatalx("bad length imsg received (%s)", "&msg"
); } while (0);
memcpy(&msg, imsg.data, sizeof(msg));
imsg_free(&imsg);

switch (msg.type) {
case VIODEV_MSG_DUMP6:
	/* Dump device */
	n = atomicio(vwrite(ssize_t (*)(int, void *, size_t))write, dev->sync_fd, dev, sizeof(*dev));
	if (n != sizeof(*dev)) {
		log_warnx("%s: failed to dump vioblk device",
		    __func__);
		break;
	}
case VIODEV_MSG_IO_READ4:
	/* Read IO: make sure to send a reply */
	msg.data = handle_io_read(&msg, dev, &intr);
	msg.data_valid = 1;
	msg.state = intr;
	imsg_compose_event(iev, IMSG_DEVOP_MSG, 0, 0, -1, &msg,
	    sizeof(msg));
	break;
case VIODEV_MSG_IO_WRITE5:
	/* Write IO: no reply needed */
	if (handle_io_write(&msg, dev) == 1)
		virtio_assert_pic_irq(dev, 0);
	break;
case VIODEV_MSG_SHUTDOWN7:
	event_del(&dev->sync_iev.ev);
	event_loopbreak();
	return;
default:
	fatalx("%s: invalid msg type %d", __func__, msg.type);
}
}
imsg_event_add(iev);
572}

574static int
575handle_io_write(struct viodev_msg *msg, struct virtio_dev *dev)
576{
struct vioblk_dev *vioblk = &dev->vioblk;
uint32_t data = msg->data;
int intr = 0;

switch (msg->reg) {
case VIRTIO_CONFIG_DEVICE_FEATURES0:
case VIRTIO_CONFIG_QUEUE_SIZE12:
case VIRTIO_CONFIG_ISR_STATUS19:
log_warnx("%s: illegal write %x to %s", __progname, data,
    virtio_reg_name(msg->reg));
break;
case VIRTIO_CONFIG_GUEST_FEATURES4:
vioblk->cfg.guest_feature = data;
break;
case VIRTIO_CONFIG_QUEUE_PFN8:
vioblk->cfg.queue_pfn = data;
vioblk_update_qa(vioblk);
break;
case VIRTIO_CONFIG_QUEUE_SELECT14:
vioblk->cfg.queue_select = data;
vioblk_update_qs(vioblk);
break;
case VIRTIO_CONFIG_QUEUE_NOTIFY16:
/* XXX We should be stricter about status checks. */
if (!(vioblk->cfg.device_status & DEVICE_NEEDS_RESET64)) {
	vioblk->cfg.queue_notify = data;
	if (vioblk_notifyq(vioblk))
		intr = 1;
}
break;
case VIRTIO_CONFIG_DEVICE_STATUS18:
vioblk->cfg.device_status = data;
if (vioblk->cfg.device_status == 0) {
	vioblk->cfg.guest_feature = 0;
	vioblk->cfg.queue_pfn = 0;
	vioblk_update_qa(vioblk);
	vioblk->cfg.queue_size = 0;
	vioblk_update_qs(vioblk);
	vioblk->cfg.queue_select = 0;
	vioblk->cfg.queue_notify = 0;
	vioblk->cfg.isr_status = 0;
	vioblk->vq[0].last_avail = 0;
	vioblk->vq[0].notified_avail = 0;
	virtio_deassert_pic_irq(dev, msg->vcpu);
}
break;
default:
break;
}
return (intr);
627}

629static uint32_t
630handle_io_read(struct viodev_msg *msg, struct virtio_dev *dev, int8_t *intr)
631{
struct vioblk_dev *vioblk = &dev->vioblk;
uint8_t sz = msg->io_sz;
uint32_t data;

if (msg->data_valid)
data = msg->data;
else
data = 0;

switch (msg->reg) {
case VIRTIO_CONFIG_DEVICE_CONFIG_NOMSI20:
switch (sz) {
case 4:
	data = (uint32_t)(vioblk->capacity);
	break;
case 2:
	data &= 0xFFFF0000;
	data |= (uint32_t)(vioblk->capacity) & 0xFFFF;
	break;
case 1:
	data &= 0xFFFFFF00;
	data |= (uint32_t)(vioblk->capacity) & 0xFF;
	break;
}
/* XXX handle invalid sz */
break;
case VIRTIO_CONFIG_DEVICE_CONFIG_NOMSI20 + 1:
if (sz == 1) {
	data &= 0xFFFFFF00;
	data |= (uint32_t)(vioblk->capacity >> 8) & 0xFF;
}
/* XXX handle invalid sz */
break;
case VIRTIO_CONFIG_DEVICE_CONFIG_NOMSI20 + 2:
if (sz == 1) {
	data &= 0xFFFFFF00;
	data |= (uint32_t)(vioblk->capacity >> 16) & 0xFF;
} else if (sz == 2) {
	data &= 0xFFFF0000;
	data |= (uint32_t)(vioblk->capacity >> 16) & 0xFFFF;
}
/* XXX handle invalid sz */
break;
case VIRTIO_CONFIG_DEVICE_CONFIG_NOMSI20 + 3:
if (sz == 1) {
	data &= 0xFFFFFF00;
	data |= (uint32_t)(vioblk->capacity >> 24) & 0xFF;
}
/* XXX handle invalid sz */
break;
case VIRTIO_CONFIG_DEVICE_CONFIG_NOMSI20 + 4:
switch (sz) {
case 4:
	data = (uint32_t)(vioblk->capacity >> 32);
	break;
case 2:
	data &= 0xFFFF0000;
	data |= (uint32_t)(vioblk->capacity >> 32) & 0xFFFF;
	break;
case 1:
	data &= 0xFFFFFF00;
	data |= (uint32_t)(vioblk->capacity >> 32) & 0xFF;
	break;
}
/* XXX handle invalid sz */
break;
case VIRTIO_CONFIG_DEVICE_CONFIG_NOMSI20 + 5:
if (sz == 1) {
	data &= 0xFFFFFF00;
	data |= (uint32_t)(vioblk->capacity >> 40) & 0xFF;
}
/* XXX handle invalid sz */
break;
case VIRTIO_CONFIG_DEVICE_CONFIG_NOMSI20 + 6:
if (sz == 1) {
	data &= 0xFFFFFF00;
	data |= (uint32_t)(vioblk->capacity >> 48) & 0xFF;
} else if (sz == 2) {
	data &= 0xFFFF0000;
	data |= (uint32_t)(vioblk->capacity >> 48) & 0xFFFF;
}
/* XXX handle invalid sz */
break;
case VIRTIO_CONFIG_DEVICE_CONFIG_NOMSI20 + 7:
if (sz == 1) {
	data &= 0xFFFFFF00;
	data |= (uint32_t)(vioblk->capacity >> 56) & 0xFF;
}
/* XXX handle invalid sz */
break;
case VIRTIO_CONFIG_DEVICE_CONFIG_NOMSI20 + 12:
switch (sz) {
case 4:
	data = (uint32_t)(vioblk->seg_max);
	break;
case 2:
	data &= 0xFFFF0000;
	data |= (uint32_t)(vioblk->seg_max) & 0xFFFF;
	break;
case 1:
	data &= 0xFFFFFF00;
	data |= (uint32_t)(vioblk->seg_max) & 0xFF;
	break;
}
/* XXX handle invalid sz */
break;
case VIRTIO_CONFIG_DEVICE_CONFIG_NOMSI20 + 13:
if (sz == 1) {
	data &= 0xFFFFFF00;
	data |= (uint32_t)(vioblk->seg_max >> 8) & 0xFF;
}
/* XXX handle invalid sz */
break;
case VIRTIO_CONFIG_DEVICE_CONFIG_NOMSI20 + 14:
if (sz == 1) {
	data &= 0xFFFFFF00;
	data |= (uint32_t)(vioblk->seg_max >> 16) & 0xFF;
} else if (sz == 2) {
	data &= 0xFFFF0000;
	data |= (uint32_t)(vioblk->seg_max >> 16)
	    & 0xFFFF;
}
/* XXX handle invalid sz */
break;
case VIRTIO_CONFIG_DEVICE_CONFIG_NOMSI20 + 15:
if (sz == 1) {
	data &= 0xFFFFFF00;
	data |= (uint32_t)(vioblk->seg_max >> 24) & 0xFF;
}
/* XXX handle invalid sz */
break;
case VIRTIO_CONFIG_DEVICE_FEATURES0:
data = vioblk->cfg.device_feature;
break;
case VIRTIO_CONFIG_GUEST_FEATURES4:
data = vioblk->cfg.guest_feature;
break;
case VIRTIO_CONFIG_QUEUE_PFN8:
data = vioblk->cfg.queue_pfn;
break;
case VIRTIO_CONFIG_QUEUE_SIZE12:
data = vioblk->cfg.queue_size;
break;
case VIRTIO_CONFIG_QUEUE_SELECT14:
data = vioblk->cfg.queue_select;
break;
case VIRTIO_CONFIG_QUEUE_NOTIFY16:
data = vioblk->cfg.queue_notify;
break;
case VIRTIO_CONFIG_DEVICE_STATUS18:
data = vioblk->cfg.device_status;
break;
case VIRTIO_CONFIG_ISR_STATUS19:
data = vioblk->cfg.isr_status;
vioblk->cfg.isr_status = 0;
if (intr != NULL((void *)0))
	*intr = INTR_STATE_DEASSERT-1;
break;
default:
return (0xFFFFFFFF);
}

return (data);
795}

797/*
* Emulate read/write io. Walks the descriptor chain, collecting io work and
* then emulates the read or write.
*
* On success, returns bytes read/written.
* On error, returns -1 and descriptor (desc) remains at its current position.
*/
804static ssize_t
805vioblk_rw(struct vioblk_dev *dev, int is_write, off_t offset,
  struct vring_desc *desc_tbl, struct vring_desc **desc)
807{
struct iovec *iov = NULL((void *)0);
ssize_t sz = 0;
size_t io_idx = 0;		/* Index into iovec workqueue. */
size_t xfer_sz = 0;		/* Total accumulated io bytes. */

do {
iov = &io_v[io_idx];

/*
 * Reads require writable descriptors. Writes require
 * non-writeable descriptors.
 */
if ((!is_write) ^ DESC_WRITABLE(*desc)(((*desc)->flags & 2) ? 1 : 0)) {
	log_warnx("%s: invalid descriptor for %s command",
	    __func__, is_write ? "write" : "read");
	return (-1);
}

/* Collect the IO segment information. */
iov->iov_len = (size_t)(*desc)->len;
iov->iov_base = hvaddr_mem((*desc)->addr, iov->iov_len);
if (iov->iov_base == NULL((void *)0))
	return (-1);

/* Move our counters. */
xfer_sz += iov->iov_len;
io_idx++;

/* Guard against infinite chains */
if (io_idx >= nitems(io_v)(sizeof((io_v)) / sizeof((io_v)[0]))) {
	log_warnx("%s: descriptor table "
	    "invalid", __func__);
	return (-1);
}

/* Advance to the next descriptor. */
*desc = &desc_tbl[(*desc)->next & VIOBLK_QUEUE_MASK(128 - 1)];
} while ((*desc)->flags & VRING_DESC_F_NEXT1);

/*
* Validate the requested block io operation alignment and size.
* Checking offset is just an extra caution as it is derived from
* a disk sector and is done for completeness in bounds checking.
*/
if (offset % VIRTIO_BLK_SECTOR_SIZE512 != 0 &&
   xfer_sz % VIRTIO_BLK_SECTOR_SIZE512 != 0) {
log_warnx("%s: unaligned read", __func__);
return (-1);
}
if (xfer_sz > SSIZE_MAX0x7fffffffffffffffL) {	/* iovec_copyin limit */
log_warnx("%s: invalid %s size: %zu", __func__,
    is_write ? "write" : "read", xfer_sz);
return (-1);
}

/* Emulate the Read or Write operation. */
if (is_write)
sz = dev->file.pwritev(dev->file.p, io_v, io_idx, offset);
else
sz = dev->file.preadv(dev->file.p, io_v, io_idx, offset);
if (sz != (ssize_t)xfer_sz) {
log_warnx("%s: %s failure at offset 0x%llx, xfer_sz=%zu, "
    "sz=%ld", __func__, (is_write ? "write" : "read"), offset,
    xfer_sz, sz);
return (-1);
}

return (sz);
876}