GET /api/1.2/patches/2233299/?format=api
{ "id": 2233299, "url": "http://patchwork.ozlabs.org/api/1.2/patches/2233299/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/8d3bc0e97de971ec10727f5bc2b5f9183eb62976.1778053560.git.jeuk20.kim@samsung.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/1.2/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<8d3bc0e97de971ec10727f5bc2b5f9183eb62976.1778053560.git.jeuk20.kim@samsung.com>", "list_archive_url": null, "date": "2026-05-06T07:54:30", "name": "[3/4] hw/ufs: Reject zero-depth MCQ queues", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "720353b7fde9145dabbfd64bf14ffdba5dbc0c79", "submitter": { "id": 86755, "url": "http://patchwork.ozlabs.org/api/1.2/people/86755/?format=api", "name": "Jeuk Kim", "email": "jeuk20.kim@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/8d3bc0e97de971ec10727f5bc2b5f9183eb62976.1778053560.git.jeuk20.kim@samsung.com/mbox/", "series": [ { "id": 502929, "url": "http://patchwork.ozlabs.org/api/1.2/series/502929/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=502929", "date": "2026-05-06T07:54:27", "name": "hw/ufs: Fix guest-triggerable MCQ crashes", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/502929/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2233299/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2233299/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ 
"legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=YXaBINPO;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g9SPh6qkCz1yKd\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 06 May 2026 17:56:23 +1000 (AEST)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wKX6R-0002ii-Bo; Wed, 06 May 2026 03:55:31 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <jeuk20.kim@gmail.com>)\n id 1wKX6B-0002eX-Dz\n for qemu-devel@nongnu.org; Wed, 06 May 2026 03:55:20 -0400", "from mail-pj1-x102b.google.com ([2607:f8b0:4864:20::102b])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from <jeuk20.kim@gmail.com>)\n id 1wKX68-00082z-Hi\n for qemu-devel@nongnu.org; Wed, 06 May 2026 03:55:14 -0400", "by mail-pj1-x102b.google.com with SMTP id\n 98e67ed59e1d1-36534668247so3330979a91.1\n for <qemu-devel@nongnu.org>; Wed, 06 May 2026 00:55:12 -0700 (PDT)", "from jeuk-MS-7D42.. 
([211.226.54.223])\n by smtp.gmail.com with ESMTPSA id\n 98e67ed59e1d1-365b4bcaa49sm1380997a91.1.2026.05.06.00.55.09\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 06 May 2026 00:55:10 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1778054111; x=1778658911; darn=nongnu.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=ZPf1WJ1+U+u46IYFp/g9GCUhxcS1hDN0tG9RbQh1S9c=;\n b=YXaBINPOmPnoWIf7qAQnXJBRf0UnUgNmUV0PtKRAMU9DghZ5rg3cezr3QD5sUiUnzJ\n M2XnHEk0mT1yxGkXGIC5hxKH9HSCVahr7m3+IS2Z50jA+8H96Hxt+6WTXfrxLE/Ey/0p\n oqL2chmEPcIpbe9gKG4Scj+U5ExAm4lLOE55cVSly6w9PiEdBuIlWEJDIdiiIz1QFy/S\n wD4g0OvlRTKlL9MhgZvHcfXHs+TOWLelnFTr5mCmK7NBYa1ZMeqmA8x5l9uFOrjKQ8bN\n 50VYq/Opq195j5UwpA+aebMP05g6GK6zaQz+T+VVsxIZ+2+f2ldpssMR5xdqN/LwHqMy\n pY9g==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1778054111; x=1778658911;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=ZPf1WJ1+U+u46IYFp/g9GCUhxcS1hDN0tG9RbQh1S9c=;\n b=niUtWfvwhdiRoYl6S5jm8ZvfM7VnIoixvz5d2CkarWsXtpucWLNW3ANTnwOWX8FTV4\n QfMEOAKAfSGGYYFM2AOhXk+VvypDB/hmNu2GvWbF3kaBrFK4ZIllcMm+NqW/lD/ezHy4\n 83LTfAmQXrbWUqFYrvFbahUkGfAiPaNnyscWJCcBmA7Aa7KXILWN658CB2apFleXWJea\n 2Fb0QQ2oSn1ivhnmt2fT9kg2dxmvaD1PBgkoKzWaBE5B8pBzIco1YxcwEl6rDfY3z9JG\n wV64T3QJzMzY/5pggYti5avj8y/cbOBZodgMCC2JBcmbkwN3mUK7kiAwMqmwn3fVFYyJ\n EXrw==", "X-Gm-Message-State": "AOJu0YxPbMjevIJAXYPo0i3C60BbMGd2GLgIo8evMojv7xk/tygCcR79\n yfntHHJY2SEmiA5dv+NtZFB/rowypX8+5UiDhpM1cQt/98p0Hb4YtR/e+r3SVQ==", "X-Gm-Gg": "AeBDieuBhew26RWcFGumgaRhEQiLvcagY4GWWeKK7rmgbqRZSXMkurFVsFwpGQOwZoL\n MN1uoDE105dwX7Ch9eUv4izBAwDNYpmuoxKkMS1SoVMFSYFIcwwgHmiYARSQ128Q4InI2FAflQc\n 
/y3t6l4K9RNUknMTz2m/QZw2CJWmV6AzcjMKv+wbhmChq6LkWl/vgLiN4jITPFQquCUyQ+lMGSo\n qZavhIDe3Ngv3ygLdjOGqEhYkku75P2hpL3q6byb+fv3Hm4AOk6fwJpHi3LXmwwf10x+E/b/4Vk\n KoFJ0NSKL4G2YO8fhiSzVu7DxDLXSuNLusvj0MvpQAWPnNEtb7rkgJpLSQXeca17kqvNHKSxjp5\n p7o0hnJMvlsfhYCn61rIqAt0E/1eWOd9YsqVYFv1ykZW/gtf57k3eVfDk/rTPYc06OiQYVLjvRo\n hFbdzNMdoZoDDJj6Towwpa6Di9W2MWmg4oFhrcKlXblUx4Cj0KvT24", "X-Received": "by 2002:a17:90b:33d1:b0:359:f43d:4a6e with SMTP id\n 98e67ed59e1d1-365aa93c123mr2307983a91.0.1778054110764;\n Wed, 06 May 2026 00:55:10 -0700 (PDT)", "From": "Jeuk Kim <jeuk20.kim@gmail.com>", "X-Google-Original-From": "Jeuk Kim <jeuk20.kim@samsung.com>", "To": "qemu-devel@nongnu.org", "Cc": "jeuk20.kim@samsung.com, qemu-block@nongnu.org, qemu-stable@nongnu.org,\n j-young.choi@samsung.com", "Subject": "[PATCH 3/4] hw/ufs: Reject zero-depth MCQ queues", "Date": "Wed, 6 May 2026 16:54:30 +0900", "Message-ID": "\n <8d3bc0e97de971ec10727f5bc2b5f9183eb62976.1778053560.git.jeuk20.kim@samsung.com>", "X-Mailer": "git-send-email 2.43.0", "In-Reply-To": "<cover.1778053560.git.jeuk20.kim@samsung.com>", "References": "<cover.1778053560.git.jeuk20.kim@samsung.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Received-SPF": "pass client-ip=2607:f8b0:4864:20::102b;\n envelope-from=jeuk20.kim@gmail.com; helo=mail-pj1-x102b.google.com", "X-Spam_score_int": "-20", "X-Spam_score": "-2.1", "X-Spam_bar": "--", "X-Spam_report": "(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": 
"<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "Reject SQATTR.SIZE and CQATTR.SIZE values that produce zero-entry MCQ\nqueues. Such queues can later trigger a divide-by-zero while advancing\nqueue pointers.\n\nFixes: 5c079578d2e (\"hw/ufs: Add support MCQ of UFSHCI 4.0\")\nCc: qemu-stable@nongnu.org\nSigned-off-by: Jeuk Kim <jeuk20.kim@samsung.com>\n---\n hw/ufs/trace-events | 2 ++\n hw/ufs/ufs.c | 18 ++++++++++++++++--\n 2 files changed, 18 insertions(+), 2 deletions(-)", "diff": "diff --git a/hw/ufs/trace-events b/hw/ufs/trace-events\nindex 531dcfc686..7734b35f08 100644\n--- a/hw/ufs/trace-events\n+++ b/hw/ufs/trace-events\n@@ -40,10 +40,12 @@ ufs_err_mcq_db_wr_invalid_sqid(uint8_t qid) \"invalid mcq sqid %\"PRIu8\"\"\n ufs_err_mcq_db_wr_invalid_db(uint8_t qid, uint32_t db) \"invalid mcq doorbell sqid %\"PRIu8\", db %\"PRIu32\"\"\n ufs_err_mcq_create_sq_invalid_sqid(uint8_t qid) \"invalid mcq sqid %\"PRIu8\"\"\n ufs_err_mcq_create_sq_invalid_cqid(uint8_t qid) \"invalid mcq cqid %\"PRIu8\"\"\n+ufs_err_mcq_create_sq_invalid_size(uint8_t qid) \"invalid mcq sq size for sqid %\"PRIu8\"\"\n ufs_err_mcq_create_sq_already_exists(uint8_t qid) \"mcq sqid %\"PRIu8 \"already exists\"\n ufs_err_mcq_delete_sq_invalid_sqid(uint8_t qid) \"invalid mcq sqid %\"PRIu8\"\"\n ufs_err_mcq_delete_sq_not_exists(uint8_t qid) \"mcq sqid %\"PRIu8 \"not exists\"\n ufs_err_mcq_create_cq_invalid_cqid(uint8_t qid) \"invalid mcq cqid %\"PRIu8\"\"\n+ufs_err_mcq_create_cq_invalid_size(uint8_t qid) \"invalid mcq cq size for cqid %\"PRIu8\"\"\n 
ufs_err_mcq_create_cq_already_exists(uint8_t qid) \"mcq cqid %\"PRIu8 \"already exists\"\n ufs_err_mcq_delete_cq_invalid_cqid(uint8_t qid) \"invalid mcq cqid %\"PRIu8\"\"\n ufs_err_mcq_delete_cq_not_exists(uint8_t qid) \"mcq cqid %\"PRIu8 \"not exists\"\ndiff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c\nindex 1819ba2e8a..4ccd7aa64d 100644\n--- a/hw/ufs/ufs.c\n+++ b/hw/ufs/ufs.c\n@@ -506,6 +506,8 @@ static bool ufs_mcq_create_sq(UfsHc *u, uint8_t qid, uint32_t attr)\n UfsMcqReg *reg = &u->mcq_reg[qid];\n UfsSq *sq;\n uint8_t cqid = FIELD_EX32(attr, SQATTR, CQID);\n+ uint16_t qsize =\n+ ((FIELD_EX32(attr, SQATTR, SIZE) + 1) << 2) / sizeof(UfsSqEntry);\n \n if (qid >= u->params.mcq_maxq) {\n trace_ufs_err_mcq_create_sq_invalid_sqid(qid);\n@@ -527,12 +529,17 @@ static bool ufs_mcq_create_sq(UfsHc *u, uint8_t qid, uint32_t attr)\n return false;\n }\n \n+ if (!qsize) {\n+ trace_ufs_err_mcq_create_sq_invalid_size(qid);\n+ return false;\n+ }\n+\n sq = g_malloc0(sizeof(*sq));\n sq->u = u;\n sq->sqid = qid;\n sq->cq = u->cq[cqid];\n sq->addr = ((uint64_t)reg->squba << 32) | reg->sqlba;\n- sq->size = ((FIELD_EX32(attr, SQATTR, SIZE) + 1) << 2) / sizeof(UfsSqEntry);\n+ sq->size = qsize;\n \n sq->bh = qemu_bh_new_guarded(ufs_mcq_process_sq, sq,\n &DEVICE(u)->mem_reentrancy_guard);\n@@ -576,6 +583,8 @@ static bool ufs_mcq_create_cq(UfsHc *u, uint8_t qid, uint32_t attr)\n {\n UfsMcqReg *reg = &u->mcq_reg[qid];\n UfsCq *cq;\n+ uint16_t qsize =\n+ ((FIELD_EX32(attr, CQATTR, SIZE) + 1) << 2) / sizeof(UfsCqEntry);\n \n if (qid >= u->params.mcq_maxq) {\n trace_ufs_err_mcq_create_cq_invalid_cqid(qid);\n@@ -587,11 +596,16 @@ static bool ufs_mcq_create_cq(UfsHc *u, uint8_t qid, uint32_t attr)\n return false;\n }\n \n+ if (!qsize) {\n+ trace_ufs_err_mcq_create_cq_invalid_size(qid);\n+ return false;\n+ }\n+\n cq = g_malloc0(sizeof(*cq));\n cq->u = u;\n cq->cqid = qid;\n cq->addr = ((uint64_t)reg->cquba << 32) | reg->cqlba;\n- cq->size = ((FIELD_EX32(attr, CQATTR, SIZE) + 1) << 2) / 
sizeof(UfsCqEntry);\n+ cq->size = qsize;\n \n cq->bh = qemu_bh_new_guarded(ufs_mcq_process_cq, cq,\n &DEVICE(u)->mem_reentrancy_guard);\n", "prefixes": [ "3/4" ] }
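Review bot: The new `!qsize` test in ufs_mcq_create_sq (and its twin in ufs_mcq_create_cq) rejects only a guest-supplied SIZE that is smaller than one entry; a SIZE that is not a whole multiple of the entry size is still accepted and silently rounded down by the integer division. If the intent is to refuse every malformed depth, the guard could also test the remainder, e.g. `if (!qsize || (((FIELD_EX32(attr, SQATTR, SIZE) + 1) << 2) % sizeof(UfsSqEntry))) {`; otherwise a short comment next to the `qsize` declaration, such as `/* (SIZE + 1) * 4 bytes; a partial trailing entry is rounded down */`, would record that the truncation is deliberate. The two added trace events log only the queue id, so passing the raw SIZE field as a second argument would make a rejected guest register write diagnosable from the trace alone. Both function bodies start and end outside the hunks shown, so whether other users of `sq->size` and `cq->size` assume a minimum depth greater than one cannot be checked from here.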