From patchwork Wed Apr 10 09:13:00 2024
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Gerd Hoffmann, Michael S. Tsirkin
Subject: [PULL 01/16] hw/virtio: Introduce virtio_bh_new_guarded() helper
Date: Wed, 10 Apr 2024 11:13:00 +0200
Message-ID: <20240410091315.57241-2-philmd@linaro.org>
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>

Introduce virtio_bh_new_guarded(), similar to qemu_bh_new_guarded()
but using the transport memory guard, instead of the device one
(there can only be one virtio device per virtio bus).

Inspired-by: Gerd Hoffmann
Reviewed-by: Gerd Hoffmann
Acked-by: Michael S. Tsirkin
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Michael S. Tsirkin
Message-Id: <20240409105537.18308-2-philmd@linaro.org>
---
 include/hw/virtio/virtio.h |  7 +++++++
 hw/virtio/virtio.c         | 10 ++++++++++
 2 files changed, 17 insertions(+)

diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
index c8f72850bc..7d5ffdc145 100644
--- a/include/hw/virtio/virtio.h
+++ b/include/hw/virtio/virtio.h
@@ -22,6 +22,7 @@ #include "standard-headers/linux/virtio_config.h" #include "standard-headers/linux/virtio_ring.h" #include "qom/object.h" +#include "block/aio.h" /* * A guest should never accept this. It implies negotiation is broken @@ -508,4 +509,10 @@ static inline bool virtio_device_disabled(VirtIODevice *vdev) bool virtio_legacy_allowed(VirtIODevice *vdev); bool virtio_legacy_check_disabled(VirtIODevice *vdev); +QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, + QEMUBHFunc *cb, void *opaque, + const char *name); +#define virtio_bh_new_guarded(dev, cb, opaque) \ + virtio_bh_new_guarded_full((dev), (cb), (opaque), (stringify(cb))) + #endif diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index c5bedca848..871674f9be 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c 
@@ -4145,3 +4145,13 @@ static void virtio_register_types(void) } type_init(virtio_register_types) + +QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, + QEMUBHFunc *cb, void *opaque, + const char *name) +{ + DeviceState *transport = qdev_get_parent_bus(dev)->parent; + + return qemu_bh_new_full(cb, opaque, name, + &transport->mem_reentrancy_guard); +}
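Review bot: `qdev_get_parent_bus(dev)->parent` in virtio_bh_new_guarded_full() is dereferenced without checking that `dev` is on a bus or that the bus has a parent device, and the precondition the commit message relies on (one virtio device per virtio bus, so the bus parent is the transport) is stated nowhere in the code. The three callers in this series (virtio_gpu_device_realize, virtser_port_device_realize, virtio_crypto_device_realize) run from realize(), where both pointers are valid, but a future caller on a device that is not yet plugged in would crash on a NULL bus. Suggest `assert(transport);` before the return, plus a doc comment above the prototype in virtio.h naming the precondition.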

From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, qemu-stable@nongnu.org, Alexander Bulekov, Yongkang Jia, Xiao Lei, Yiming Tao, Gerd Hoffmann, Michael S. Tsirkin
Subject: [PULL 02/16] hw/display/virtio-gpu: Protect from DMA re-entrancy bugs
Date: Wed, 10 Apr 2024 11:13:01 +0200
Message-ID: <20240410091315.57241-3-philmd@linaro.org>
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>

Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus
and device use the same guard.
Otherwise the DMA-reentrancy protection can be bypassed:

  $ cat << EOF | qemu-system-i386 -display none -nodefaults \
                                  -machine q35,accel=qtest \
                                  -m 512M \
                                  -device virtio-gpu \
                                  -qtest stdio
  outl 0xcf8 0x80000820
  outl 0xcfc 0xe0004000
  outl 0xcf8 0x80000804
  outw 0xcfc 0x06
  write 0xe0004030 0x4 0x024000e0
  write 0xe0004028 0x1 0xff
  write 0xe0004020 0x4 0x00009300
  write 0xe000401c 0x1 0x01
  write 0x101 0x1 0x04
  write 0x103 0x1 0x1c
  write 0x9301c8 0x1 0x18
  write 0x105 0x1 0x1c
  write 0x107 0x1 0x1c
  write 0x109 0x1 0x1c
  write 0x10b 0x1 0x00
  write 0x10d 0x1 0x00
  write 0x10f 0x1 0x00
  write 0x111 0x1 0x00
  write 0x113 0x1 0x00
  write 0x115 0x1 0x00
  write 0x117 0x1 0x00
  write 0x119 0x1 0x00
  write 0x11b 0x1 0x00
  write 0x11d 0x1 0x00
  write 0x11f 0x1 0x00
  write 0x121 0x1 0x00
  write 0x123 0x1 0x00
  write 0x125 0x1 0x00
  write 0x127 0x1 0x00
  write 0x129 0x1 0x00
  write 0x12b 0x1 0x00
  write 0x12d 0x1 0x00
  write 0x12f 0x1 0x00
  write 0x131 0x1 0x00
  write 0x133 0x1 0x00
  write 0x135 0x1 0x00
  write 0x137 0x1 0x00
  write 0x139 0x1 0x00
  write 0xe0007003 0x1 0x00
  EOF
  ...
  =================================================================
  ==276099==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000011178
    at pc 0x562cc3b736c7 bp 0x7ffed49dee60 sp 0x7ffed49dee58
  READ of size 8 at 0x60d000011178 thread T0
      #0 0x562cc3b736c6 in virtio_gpu_ctrl_response hw/display/virtio-gpu.c:180:42
      #1 0x562cc3b7c40b in virtio_gpu_ctrl_response_nodata hw/display/virtio-gpu.c:192:5
      #2 0x562cc3b7c40b in virtio_gpu_simple_process_cmd hw/display/virtio-gpu.c:1015:13
      #3 0x562cc3b82873 in virtio_gpu_process_cmdq hw/display/virtio-gpu.c:1050:9
      #4 0x562cc4a85514 in aio_bh_call util/async.c:169:5
      #5 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13
      #6 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5
      #7 0x562cc4a8a2da in aio_ctx_dispatch util/async.c:358:5
      #8 0x7f36840547a8 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x547a8)
      #9 0x562cc4a8b753 in glib_pollfds_poll util/main-loop.c:290:9
      #10 0x562cc4a8b753 in os_host_main_loop_wait util/main-loop.c:313:5
      #11 0x562cc4a8b753 in main_loop_wait util/main-loop.c:592:11
      #12 0x562cc3938186 in qemu_main_loop system/runstate.c:782:9
      #13 0x562cc43b7af5 in qemu_default_main system/main.c:37:14
      #14 0x7f3683a6c189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
      #15 0x7f3683a6c244 in __libc_start_main csu/../csu/libc-start.c:381:3
      #16 0x562cc2a58ac0 in _start (qemu-system-i386+0x231bac0)

  0x60d000011178 is located 56 bytes inside of 136-byte region [0x60d000011140,0x60d0000111c8)
  freed by thread T0 here:
      #0 0x562cc2adb662 in __interceptor_free (qemu-system-i386+0x239e662)
      #1 0x562cc3b86b21 in virtio_gpu_reset hw/display/virtio-gpu.c:1524:9
      #2 0x562cc416e20e in virtio_reset hw/virtio/virtio.c:2145:9
      #3 0x562cc37c5644 in virtio_pci_reset hw/virtio/virtio-pci.c:2249:5
      #4 0x562cc4233758 in memory_region_write_accessor system/memory.c:497:5
      #5 0x562cc4232eea in access_with_adjusted_size system/memory.c:573:18

  previously allocated by thread T0 here:
      #0 0x562cc2adb90e in malloc (qemu-system-i386+0x239e90e)
      #1 0x7f368405a678 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5a678)
      #2 0x562cc4163ffc in virtqueue_split_pop hw/virtio/virtio.c:1612:12
      #3 0x562cc4163ffc in virtqueue_pop hw/virtio/virtio.c:1783:16
      #4 0x562cc3b91a95 in virtio_gpu_handle_ctrl hw/display/virtio-gpu.c:1112:15
      #5 0x562cc4a85514 in aio_bh_call util/async.c:169:5
      #6 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13
      #7 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5

  SUMMARY: AddressSanitizer: heap-use-after-free hw/display/virtio-gpu.c:180:42 in virtio_gpu_ctrl_response

With this change, the same reproducer triggers:

  qemu-system-i386: warning: Blocked re-entrant IO on MemoryRegion: virtio-pci-common-virtio-gpu at addr: 0x6

Fixes: CVE-2024-3446
Cc: qemu-stable@nongnu.org
Reported-by: Alexander Bulekov
Reported-by: Yongkang Jia
Reported-by: Xiao Lei
Reported-by: Yiming Tao
Buglink: https://bugs.launchpad.net/qemu/+bug/1888606
Reviewed-by: Gerd Hoffmann
Acked-by: Michael S. Tsirkin
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Michael S. Tsirkin
Message-Id: <20240409105537.18308-3-philmd@linaro.org>
---
 hw/display/virtio-gpu.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 78d5a4f164..ae831b6b3e 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -1492,10 +1492,8 @@ void virtio_gpu_device_realize(DeviceState *qdev, Error **errp) g->ctrl_vq = virtio_get_queue(vdev, 0); g->cursor_vq = virtio_get_queue(vdev, 1); - g->ctrl_bh = qemu_bh_new_guarded(virtio_gpu_ctrl_bh, g, - &qdev->mem_reentrancy_guard); - g->cursor_bh = qemu_bh_new_guarded(virtio_gpu_cursor_bh, g, - &qdev->mem_reentrancy_guard); + g->ctrl_bh = virtio_bh_new_guarded(qdev, virtio_gpu_ctrl_bh, g); + g->cursor_bh = virtio_bh_new_guarded(qdev, virtio_gpu_cursor_bh, g); g->reset_bh = qemu_bh_new(virtio_gpu_reset_bh, g); qemu_cond_init(&g->reset_cond); QTAILQ_INIT(&g->reslist);
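Review bot: the unchanged context line `g->reset_bh = qemu_bh_new(virtio_gpu_reset_bh, g);` leaves a third bottom half with no re-entrancy guard at all, right below the two this hunk moves to the transport guard, and the commit message does not say why it is exempt. If reset_bh can only be scheduled from the reset path and never from a guest-driven MMIO or DMA completion, a one-line comment saying so would spare the next reader a re-audit; if it can, it should take the same `virtio_bh_new_guarded(qdev, ...)` form as its neighbours.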
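The bypass this commit message describes, modelled as an added example (constructed here; not QEMU's code and not part of the patch): a bottom half raises one guard while MMIO dispatch checks the region owner's guard, so a BH built with the device's own guard lets a response DMA that lands on the transport's registers re-enter the reset path, whereas the helper from PULL 01/16 makes both sides share the transport's guard. The Device, Bus, QEMUBH and Scenario types are simplified stand-ins for QEMU's DeviceState, BusState and QEMUBH.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of QEMU's MemReentrancyGuard, DeviceState, BusState and QEMUBH;
 * the names mirror QEMU's, the code is a stand-in, not QEMU's own. */
typedef struct { bool engaged_in_io; } MemReentrancyGuard;

typedef struct Bus Bus;
typedef struct Device {
    const char *name; Bus *parent_bus; MemReentrancyGuard mem_reentrancy_guard;
} Device;
struct Bus { Device *parent; };           /* a bus hangs off its parent device */

typedef void BHFunc(void *opaque);
typedef struct { BHFunc *cb; void *opaque; MemReentrancyGuard *reentrancy_guard; } QEMUBH;

/* qemu_bh_new_guarded(): the BH carries whatever guard the caller hands it. */
static QEMUBH qemu_bh_new_guarded(BHFunc *cb, void *opaque, MemReentrancyGuard *g)
{
    return (QEMUBH){ cb, opaque, g };
}

/* virtio_bh_new_guarded(): always the transport's guard, located the way the helper
 * in PULL 01/16 does it: device -> parent bus -> the device that bus hangs off. */
static QEMUBH virtio_bh_new_guarded(Device *dev, BHFunc *cb, void *opaque)
{
    Device *transport = dev->parent_bus->parent;
    return qemu_bh_new_guarded(cb, opaque, &transport->mem_reentrancy_guard);
}

/* aio_bh_call(): raise the BH's guard around the callback, then restore it. */
static void aio_bh_call(QEMUBH *bh)
{
    bool last = bh->reentrancy_guard->engaged_in_io;
    bh->reentrancy_guard->engaged_in_io = true;
    bh->cb(bh->opaque);
    bh->reentrancy_guard->engaged_in_io = last;
}

/* One virtio device behind one virtio-pci transport, one command in flight. */
typedef struct {
    Device transport, device;
    Bus bus;
    bool cmd_live;       /* false once a reset has freed the in-flight command */
    bool blocked;        /* the nested MMIO write was refused by the guard */
    bool use_after_free; /* the BH touched the command after reset freed it */
} Scenario;

/* mmio_write(): models memory_region_dispatch_write() on a region owned by `owner`:
 * refused if the owner's guard is raised, otherwise the write reaches the reset
 * register and the device drops its queue (virtio_pci_reset -> virtio_gpu_reset). */
static bool mmio_write(Scenario *s, Device *owner, unsigned addr)
{
    if (owner->mem_reentrancy_guard.engaged_in_io) {
        printf("Blocked re-entrant IO on MemoryRegion owned by %s at addr: 0x%x\n",
               owner->name, addr);
        s->blocked = true;
        return false;
    }
    owner->mem_reentrancy_guard.engaged_in_io = true;
    s->cmd_live = false;
    owner->mem_reentrancy_guard.engaged_in_io = false;
    return true;
}

/* ctrl_bh(): the device's command bottom half. Its response DMA targets guest
 * memory; when that memory overlaps the transport's MMIO window (the setup in the
 * reproducer above), the DMA re-enters the register handler mid-command. */
static void ctrl_bh(void *opaque)
{
    Scenario *s = opaque;
    mmio_write(s, &s->transport, 0x6);
    if (!s->cmd_live) {
        s->use_after_free = true; /* what ASan reported as heap-use-after-free */
    }
}

/* run(): BH built with the device's own guard (before) or the transport's (after). */
const char *run(bool use_transport_guard)
{
    static Scenario s;
    memset(&s, 0, sizeof s);
    s.transport.name = "virtio-pci";
    s.device.name = "virtio-gpu";
    s.bus.parent = &s.transport;
    s.device.parent_bus = &s.bus;
    s.cmd_live = true;
    QEMUBH bh = use_transport_guard
        ? virtio_bh_new_guarded(&s.device, ctrl_bh, &s)
        : qemu_bh_new_guarded(ctrl_bh, &s, &s.device.mem_reentrancy_guard);
    aio_bh_call(&bh);
    return s.use_after_free ? "uaf" : s.blocked ? "blocked" : "ok";
}

int main(void)
{
    printf("device guard:    %s\n", run(false)); /* uaf: guards differ, reset runs */
    printf("transport guard: %s\n", run(true));  /* blocked: one guard, reset refused */
    return 0;
}
```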

From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, qemu-stable@nongnu.org, Alexander Bulekov, Gerd Hoffmann, Michael S. Tsirkin, Laurent Vivier, Amit Shah, Marc-André Lureau, Paolo Bonzini
Subject: [PULL 03/16] hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs
Date: Wed, 10 Apr 2024 11:13:02 +0200
Message-ID: <20240410091315.57241-4-philmd@linaro.org>
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>

Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus
and device use the same guard. Otherwise the DMA-reentrancy protection
can be bypassed.

Fixes: CVE-2024-3446
Cc: qemu-stable@nongnu.org
Suggested-by: Alexander Bulekov
Reviewed-by: Gerd Hoffmann
Acked-by: Michael S. Tsirkin
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Michael S. Tsirkin
Message-Id: <20240409105537.18308-4-philmd@linaro.org>
---
 hw/char/virtio-serial-bus.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c
index 016aba6374..2094d213cd 100644
--- a/hw/char/virtio-serial-bus.c
+++ b/hw/char/virtio-serial-bus.c 
@@ -985,8 +985,7 @@ static void virtser_port_device_realize(DeviceState *dev, Error **errp) return; } - port->bh = qemu_bh_new_guarded(flush_queued_data_bh, port, - &dev->mem_reentrancy_guard); + port->bh = virtio_bh_new_guarded(dev, flush_queued_data_bh, port); port->elem = NULL; }
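Review bot: here `dev` is the port, since the enclosing function is virtser_port_device_realize(), so virtio_bh_new_guarded(dev, ...) resolves `qdev_get_parent_bus(dev)->parent` to the parent of the virtio-serial bus, which is the virtio-serial device rather than the PCI/MMIO transport the helper's commit message describes. The guard this BH raises is therefore one level below the transport whose MemoryRegion owner is checked on MMIO entry. If that is still the intended guard, the commit message should say so; if not, the helper needs to walk up one more bus when `dev` is a port rather than the virtio device itself.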

From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, qemu-stable@nongnu.org, Alexander Bulekov, Gerd Hoffmann, Michael S. Tsirkin, Gonglei (Arei)
Subject: [PULL 04/16] hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs
Date: Wed, 10 Apr 2024 11:13:03 +0200
Message-ID: <20240410091315.57241-5-philmd@linaro.org>
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>

Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus
and device use the same guard. Otherwise the DMA-reentrancy protection
can be bypassed.

Fixes: CVE-2024-3446
Cc: qemu-stable@nongnu.org
Suggested-by: Alexander Bulekov
Reviewed-by: Gerd Hoffmann
Acked-by: Michael S. Tsirkin
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Michael S. Tsirkin
Message-Id: <20240409105537.18308-5-philmd@linaro.org>
---
 hw/virtio/virtio-crypto.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
index fe1313f2ad..bbe8aa4b99 100644
--- a/hw/virtio/virtio-crypto.c
+++ b/hw/virtio/virtio-crypto.c
@@ -1080,8 +1080,8 @@ static void virtio_crypto_device_realize(DeviceState *dev, Error **errp) vcrypto->vqs[i].dataq = virtio_add_queue(vdev, 1024, virtio_crypto_handle_dataq_bh); vcrypto->vqs[i].dataq_bh = - qemu_bh_new_guarded(virtio_crypto_dataq_bh, &vcrypto->vqs[i], - &dev->mem_reentrancy_guard); + virtio_bh_new_guarded(dev, virtio_crypto_dataq_bh, + &vcrypto->vqs[i]); vcrypto->vqs[i].vcrypto = vcrypto; }

From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Yuquan Wang, Philippe Mathieu-Daudé
Subject: [PULL 05/16] qemu-options: Fix CXL Fixed Memory Window interleave-granularity typo
Date: Wed, 10 Apr 2024 11:13:04 +0200
Message-ID: <20240410091315.57241-6-philmd@linaro.org>
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>

From: Yuquan Wang

Fix the unit typo of interleave-granularity of CXL Fixed Memory Window in qemu-option.hx.

Fixes: 03b39fcf64 ("hw/cxl: Make the CFMW a machine parameter.")
Signed-off-by: Yuquan Wang wangyuquan1236@phytium.com.cn
Message-ID: <20240407083539.1488172-2-wangyuquan1236@phytium.com.cn>
[PMD: Reworded]
Signed-off-by: Philippe Mathieu-Daudé --- qemu-options.hx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/qemu-options.hx b/qemu-options.hx index 7fd1713fa8..8ce85d4559 100644 --- a/qemu-options.hx +++ b/qemu-options.hx 
@@ -151,14 +151,14 @@ SRST platform and configuration dependent. ``interleave-granularity=granularity`` sets the granularity of - interleave. Default 256KiB. Only 256KiB, 512KiB, 1024KiB, 2048KiB - 4096KiB, 8192KiB and 16384KiB granularities supported. + interleave. Default 256 (bytes). Only 256, 512, 1k, 2k, + 4k, 8k and 16k granularities supported. Example: :: - -machine cxl-fmw.0.targets.0=cxl.0,cxl-fmw.0.targets.1=cxl.1,cxl-fmw.0.size=128G,cxl-fmw.0.interleave-granularity=512k + -machine cxl-fmw.0.targets.0=cxl.0,cxl-fmw.0.targets.1=cxl.1,cxl-fmw.0.size=128G,cxl-fmw.0.interleave-granularity=512 ERST DEF("M", HAS_ARG, QEMU_OPTION_M,
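Review bot: the replacement text mixes unit styles, `256, 512, 1k, 2k, 4k, 8k and 16k`, while the removed text spelled every value out; either write the byte counts in full (`1024, 2048, ...`) or state that the `k` suffix is the 1024 multiplier accepted by the option parser, so the listed granularities and the default `256 (bytes)` are read the same way. The example's change from `512k` to `512` is consistent with the new default.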

From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Richard Henderson, Kevin Wolf, Hanna Reitz, qemu-block@nongnu.org
Subject: [PULL 06/16] hw/block/nand: Factor nand_load_iolen() method out
Date: Wed, 10 Apr 2024 11:13:05 +0200
Message-ID: <20240410091315.57241-7-philmd@linaro.org>
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>

Reviewed-by: Richard Henderson
Reviewed-by: Kevin Wolf
Signed-off-by: Philippe Mathieu-Daudé Message-Id: <20240409135944.24997-2-philmd@linaro.org> --- hw/block/nand.c | 35 ++++++++++++++++++++++------------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/hw/block/nand.c b/hw/block/nand.c index d1435f2207..f33eb2d552 100644 --- a/hw/block/nand.c +++ b/hw/block/nand.c @@ -243,9 +243,28 @@ static inline void nand_pushio_byte(NANDFlashState *s, uint8_t value) } } +/* + * nand_load_block: Load block containing (s->addr + @offset). + * Returns length of data available at @offset in this block. + */ +static unsigned nand_load_block(NANDFlashState *s, unsigned offset) +{ + unsigned iolen; + + s->blk_load(s, s->addr, offset); + + iolen = (1 << s->page_shift); + if (s->gnd) { + iolen += 1 << s->oob_shift; + } + assert(offset <= iolen); + iolen -= offset; + + return iolen; +} + static void nand_command(NANDFlashState *s) { - unsigned int offset; switch (s->cmd) { case NAND_CMD_READ0: s->iolen = 0; @@ -271,12 +290,7 @@ static void nand_command(NANDFlashState *s) case NAND_CMD_NOSERIALREAD2: if (!(nand_flash_ids[s->chip_id].options & NAND_SAMSUNG_LP)) break; - offset = s->addr & ((1 << s->addr_shift) - 1); - s->blk_load(s, s->addr, offset); - if (s->gnd) - s->iolen = (1 << s->page_shift) - offset; - else - s->iolen = (1 << s->page_shift) + (1 << s->oob_shift) - offset; + s->iolen = nand_load_block(s, s->addr & ((1 << s->addr_shift) - 1)); break; case NAND_CMD_RESET: 
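Review bot: in nand_load_block(), `s->blk_load(s, s->addr, offset);` runs before @offset is checked against the block and its result is discarded; the following `assert(offset <= iolen);` then turns an out-of-range offset into an abort of the whole emulator instead of a handled error. Validate @offset (and a failure from blk_load()) first and return 0 so the callers see "no data". Also, the subject line says nand_load_iolen() while the helper added here is nand_load_block(); the two should agree.

Review bot: the replacement in nand_command() inverts the OOB handling relative to the removed lines. Before, `if (s->gnd) s->iolen = (1 << s->page_shift) - offset; else s->iolen = (1 << s->page_shift) + (1 << s->oob_shift) - offset;` counted the OOB area only when s->gnd is clear; nand_load_block() in the first hunk does `iolen = (1 << s->page_shift); if (s->gnd) { iolen += 1 << s->oob_shift; }`, which counts it when s->gnd is set. A pure factoring should keep the original condition (`if (!s->gnd)`), or the commit message should say why the behaviour changes.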
@@ -597,12 +611,7 @@ uint32_t nand_getio(DeviceState *dev) if (!s->iolen && s->cmd == NAND_CMD_READ0) { offset = (int) (s->addr & ((1 << s->addr_shift) - 1)) + s->offset; s->offset = 0; - - s->blk_load(s, s->addr, offset); - if (s->gnd) - s->iolen = (1 << s->page_shift) - offset; - else - s->iolen = (1 << s->page_shift) + (1 << s->oob_shift) - offset; + s->iolen = nand_load_block(s, offset); } if (s->ce || s->iolen <= 0) {
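Review bot: `offset = (int) (s->addr & ((1 << s->addr_shift) - 1)) + s->offset;` stays a signed int while nand_load_block() takes `unsigned offset`; a negative sum now converts to a large unsigned value and reaches the helper's assert rather than the `s->iolen <= 0` test below. Make `offset` unsigned here and bound s->offset before the call, or have the helper reject it.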

From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Richard Henderson, Kevin Wolf, Hanna Reitz, qemu-block@nongnu.org
Subject: [PULL 07/16] hw/block/nand: Have blk_load() take unsigned offset and return boolean
Date: Wed, 10 Apr 2024 11:13:06 +0200
Message-ID: <20240410091315.57241-8-philmd@linaro.org>
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>

A negative offset is meaningless; use an unsigned type. Return a boolean value indicating success.

Reviewed-by: Richard Henderson
Reviewed-by: Kevin Wolf
Signed-off-by: Philippe Mathieu-Daudé
Message-Id: <20240409135944.24997-3-philmd@linaro.org>
---
 hw/block/nand.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/hw/block/nand.c b/hw/block/nand.c index f33eb2d552..5a31d78b6b 100644 --- a/hw/block/nand.c +++ b/hw/block/nand.c @@ -84,7 +84,11 @@ struct NANDFlashState { void (*blk_write)(NANDFlashState *s); void (*blk_erase)(NANDFlashState *s); - void (*blk_load)(NANDFlashState *s, uint64_t addr, int offset); + /* + * Returns %true when block containing (@addr + @offset) is + * successfully loaded, otherwise %false. + */ + bool (*blk_load)(NANDFlashState *s, uint64_t addr, unsigned offset); uint32_t ioaddr_vmstate; }; @@ -772,11 +776,11 @@ static void glue(nand_blk_erase_, NAND_PAGE_SIZE)(NANDFlashState *s) } } -static void glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s, - uint64_t addr, int offset) +static bool glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s, + uint64_t addr, unsigned offset) { if (PAGE(addr) >= s->pages) { - return; + return false; } if (s->blk) { 
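Review bot: the prototype now returns bool and the new comment documents %false on failure, but the caller visible in the previous patch, nand_load_block(), still invokes `s->blk_load(s, s->addr, offset);` as a statement and ignores the result, so the new return value changes nothing until a caller acts on it; the call site should bail out with an iolen of 0 when blk_load() returns false, in this patch or the one that follows.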
@@ -804,6 +808,8 @@ static void glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s, offset, NAND_PAGE_SIZE + OOB_SIZE - offset); s->ioaddr = s->io; } + + return true; } static void glue(nand_init_, NAND_PAGE_SIZE)(NANDFlashState *s)
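Review bot: with @offset now unsigned, the length `NAND_PAGE_SIZE + OOB_SIZE - offset` in the context above underflows to a huge size for any offset larger than the page-plus-OOB buffer, and the function's only failure exit is the `PAGE(addr) >= s->pages` check in the previous hunk; an upper-bound check on @offset right after that page check is needed before the `return false` path can be called complete.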

From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, qemu-stable@nongnu.org, Qiang Liu, Richard Henderson, Kevin Wolf, Hanna Reitz, qemu-block@nongnu.org
Subject: [PULL 08/16] hw/block/nand: Fix out-of-bound access in NAND block buffer
Date: Wed, 10 Apr 2024 11:13:07 +0200
Message-ID: <20240410091315.57241-9-philmd@linaro.org>
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>

nand_command() and nand_getio() don't check that @offset points into the block, nor that the available data length (s->iolen) is not negative.

In order to fix:
- check the offset is in range in nand_blk_load_NAND_PAGE_SIZE(),
- do not set @iolen if blk_load() failed.
Reproducer: $ cat << EOF | qemu-system-arm -machine tosa \ -monitor none -serial none \ -display none -qtest stdio write 0x10000111 0x1 0xca write 0x10000104 0x1 0x47 write 0x1000ca04 0x1 0xd7 write 0x1000ca01 0x1 0xe0 write 0x1000ca04 0x1 0x71 write 0x1000ca00 0x1 0x50 write 0x1000ca04 0x1 0xd7 read 0x1000ca02 0x1 write 0x1000ca01 0x1 0x10 EOF ================================================================= ==15750==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000000de0 at pc 0x560e61557210 bp 0x7ffcfc4a59f0 sp 0x7ffcfc4a59e8 READ of size 1 at 0x61f000000de0 thread T0 #0 0x560e6155720f in mem_and hw/block/nand.c:101:20 #1 0x560e6155ac9c in nand_blk_write_512 hw/block/nand.c:663:9 #2 0x560e61544200 in nand_command hw/block/nand.c:293:13 #3 0x560e6153cc83 in nand_setio hw/block/nand.c:520:13 #4 0x560e61a0a69e in tc6393xb_nand_writeb hw/display/tc6393xb.c:380:13 #5 0x560e619f9bf7 in tc6393xb_writeb hw/display/tc6393xb.c:524:9 #6 0x560e647c7d03 in memory_region_write_accessor softmmu/memory.c:492:5 #7 0x560e647c7641 in access_with_adjusted_size softmmu/memory.c:554:18 #8 0x560e647c5f66 in memory_region_dispatch_write softmmu/memory.c:1514:16 #9 0x560e6485409e in flatview_write_continue softmmu/physmem.c:2825:23 #10 0x560e648421eb in flatview_write softmmu/physmem.c:2867:12 #11 0x560e64841ca8 in address_space_write softmmu/physmem.c:2963:18 #12 0x560e61170162 in qemu_writeb tests/qtest/videzzo/videzzo_qemu.c:1080:5 #13 0x560e6116eef7 in dispatch_mmio_write tests/qtest/videzzo/videzzo_qemu.c:1227:28 0x61f000000de0 is located 0 bytes to the right of 3424-byte region [0x61f000000080,0x61f000000de0) allocated by thread T0 here: #0 0x560e611276cf in malloc /root/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x7f7959a87e98 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57e98) #2 0x560e64b98871 in object_new qom/object.c:749:12 #3 0x560e64b5d1a1 in qdev_new hw/core/qdev.c:153:19 #4 0x560e61547ea5 in nand_init hw/block/nand.c:639:11 
#5 0x560e619f8772 in tc6393xb_init hw/display/tc6393xb.c:558:16 #6 0x560e6390bad2 in tosa_init hw/arm/tosa.c:250:12 SUMMARY: AddressSanitizer: heap-buffer-overflow hw/block/nand.c:101:20 in mem_and ==15750==ABORTING Broken since introduction in commit 3e3d5815cb ("NAND Flash memory emulation and ECC calculation helpers for use by NAND controllers"). Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1445 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1446 Reported-by: Qiang Liu Reviewed-by: Richard Henderson Reviewed-by: Kevin Wolf Signed-off-by: Philippe Mathieu-Daudé Message-Id: <20240409135944.24997-4-philmd@linaro.org> --- hw/block/nand.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/hw/block/nand.c b/hw/block/nand.c index 5a31d78b6b..e2433c25bd 100644 --- a/hw/block/nand.c +++ b/hw/block/nand.c @@ -255,7 +255,9 @@ static unsigned nand_load_block(NANDFlashState *s, unsigned offset) { unsigned iolen; - s->blk_load(s, s->addr, offset); + if (!s->blk_load(s, s->addr, offset)) { + return 0; + } iolen = (1 << s->page_shift); if (s->gnd) { 
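Review bot: the commit message says "do not set @iolen if blk_load() failed", but with `return 0;` here the caller's `s->iolen = nand_load_block(...)` does set it, to 0; the message should say so. Zero is the right outcome, since nand_getio()'s `if (s->ce || s->iolen <= 0)` then treats the request as having no data.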
@@ -783,6 +785,10 @@ static bool glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s, return false; } + if (offset > NAND_PAGE_SIZE + OOB_SIZE) { + return false; + } + if (s->blk) { if (s->mem_oob) { if (blk_pread(s->blk, SECTOR(addr) << BDRV_SECTOR_BITS,
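Review bot: `if (offset > NAND_PAGE_SIZE + OOB_SIZE)` admits offset == NAND_PAGE_SIZE + OOB_SIZE, which makes the later length `NAND_PAGE_SIZE + OOB_SIZE - offset` zero and, back in nand_load_block(), leaves `assert(offset <= iolen)` to fire whenever iolen there does not include the OOB area; if a zero-length load has no use, `>=` is the tighter bound and keeps the rejection in this function instead of an assert in the caller.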

From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Peter Maydell
Subject: [PULL 09/16] hw/misc/applesmc: Do not call DeviceReset from DeviceRealize
Date: Wed, 10 Apr 2024 11:13:08 +0200
Message-ID: <20240410091315.57241-10-philmd@linaro.org>
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>

The QDev core layer always calls DeviceReset() after DeviceRealize(); no need to do it manually. Remove the extra call.

Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Peter Maydell
Message-Id: <20240408095217.57239-2-philmd@linaro.org>
---
 hw/misc/applesmc.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/hw/misc/applesmc.c b/hw/misc/applesmc.c
index 72300d0cbc..8e65816da6 100644
--- a/hw/misc/applesmc.c
+++ b/hw/misc/applesmc.c
@@ -342,7 +342,6 @@ static void applesmc_isa_realize(DeviceState *dev, Error **errp) } QLIST_INIT(&s->data_def); - qdev_applesmc_isa_reset(dev); } static Property applesmc_isa_properties[] = {
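Review bot: removing `qdev_applesmc_isa_reset(dev);` leaves realize() with only `QLIST_INIT(&s->data_def);`, so the key list is now populated solely by the reset method the qdev core runs after realize; the hunk does not show that method being registered for this device, and the commit message should point to where it is, since nothing else fills the list any more.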
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, qemu-stable@nongnu.org, Zheyu Ma, Peter Maydell
Subject: [PULL 10/16] hw/misc/applesmc: Fix memory leak in reset() handler
Date: Wed, 10 Apr 2024 11:13:09 +0200
Message-ID: <20240410091315.57241-11-philmd@linaro.org>
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>
References: <20240410091315.57241-1-philmd@linaro.org>

AppleSMCData is allocated with g_new0() in applesmc_add_key():
release it with g_free().

Leaked since commit 1ddda5cd36 ("AppleSMC device emulation").

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2272
Reported-by: Zheyu Ma
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Peter Maydell
Message-Id: <20240408095217.57239-3-philmd@linaro.org>
---
 hw/misc/applesmc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/misc/applesmc.c b/hw/misc/applesmc.c
index 8e65816da6..14e3ef667d 100644
--- a/hw/misc/applesmc.c +++ b/hw/misc/applesmc.c 
@@ -274,6 +274,7 @@ static void qdev_applesmc_isa_reset(DeviceState *dev) /* Remove existing entries */ QLIST_FOREACH_SAFE(d, &s->data_def, node, next) { QLIST_REMOVE(d, node); + g_free(d); } s->status = 0x00; s->status_1e = 0x00; From patchwork Wed Apr 10 09:13:10 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 1921874 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=oXsZY55L; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=patchwork.ozlabs.org) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VDxyT66hyz1yYd for ; Wed, 10 Apr 2024 19:16:01 +1000 (AEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1ruU2L-00066K-J2; Wed, 10 Apr 2024 05:14:33 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ruU2H-000643-Tv for qemu-devel@nongnu.org; Wed, 10 Apr 2024 05:14:30 -0400 Received: from mail-ed1-x536.google.com ([2a00:1450:4864:20::536]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1ruU2G-0005eV-9h for qemu-devel@nongnu.org; Wed, 10 Apr 2024 05:14:29 -0400 Received: by mail-ed1-x536.google.com with SMTP id 
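Review bot: [PULL 10/16] reset hunk: `g_free(d);` is correctly placed after QLIST_REMOVE(d, node) inside QLIST_FOREACH_SAFE, which captured `next` before the entry is released, so the traversal stays valid. Two points for the commit message: state that AppleSMCData owns no further heap allocations (only the struct from g_new0() is released here, so any pointer members would still leak), and say whether the device's unrealize/finalize path reuses this loop or does not need one, since otherwise the same entries leak when the device is destroyed rather than reset.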
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, qemu-stable@nongnu.org, Zheyu Ma, zhenwei pi, "Gonglei (Arei)"
Subject: [PULL 11/16] backends/cryptodev: Do not abort for invalid session ID
Date: Wed, 10 Apr 2024 11:13:10 +0200
Message-ID: <20240410091315.57241-12-philmd@linaro.org>
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>
References: <20240410091315.57241-1-philmd@linaro.org>

Instead of aborting when a session ID is invalid, return
VIRTIO_CRYPTO_INVSESS ("Invalid session id").
Reproduced using:

  $ cat << EOF | qemu-system-i386 -display none \
      -machine q35,accel=qtest -m 512M -nodefaults \
      -object cryptodev-backend-builtin,id=cryptodev0 \
      -device virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 \
      -qtest stdio
  outl 0xcf8 0x80000804
  outw 0xcfc 0x06
  outl 0xcf8 0x80000820
  outl 0xcfc 0xe0008000
  write 0x10800e 0x1 0x01
  write 0xe0008016 0x1 0x01
  write 0xe0008020 0x4 0x00801000
  write 0xe0008028 0x4 0x00c01000
  write 0xe000801c 0x1 0x01
  write 0x110000 0x1 0x05
  write 0x110001 0x1 0x04
  write 0x108002 0x1 0x11
  write 0x108008 0x1 0x48
  write 0x10800c 0x1 0x01
  write 0x108018 0x1 0x10
  write 0x10801c 0x1 0x02
  write 0x10c002 0x1 0x01
  write 0xe000b005 0x1 0x00
  EOF
  Assertion failed: (session_id < MAX_NUM_SESSIONS && builtin->sessions[session_id]), function cryptodev_builtin_close_session, file cryptodev-builtin.c, line 430.

Cc: qemu-stable@nongnu.org
Reported-by: Zheyu Ma
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2274
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: zhenwei pi
Message-Id: <20240409094757.9127-1-philmd@linaro.org>
---
 backends/cryptodev-builtin.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c
index 39d0455280..a514bbb310 100644
--- a/backends/cryptodev-builtin.c
+++ b/backends/cryptodev-builtin.c
@@ -427,7 +427,9 @@ static int cryptodev_builtin_close_session( CRYPTODEV_BACKEND_BUILTIN(backend); CryptoDevBackendBuiltinSession *session; - assert(session_id < MAX_NUM_SESSIONS && builtin->sessions[session_id]); + if (session_id >= MAX_NUM_SESSIONS || !builtin->sessions[session_id]) { + return -VIRTIO_CRYPTO_INVSESS; + } session = builtin->sessions[session_id]; if (session->cipher) { From patchwork Wed Apr 10 09:13:11 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 1921878 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=fziNY459; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=patchwork.ozlabs.org) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VDxzW3lg4z1yYB for ; Wed, 10 Apr 2024 19:16:55 +1000 (AEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1ruU2W-00069U-6j; Wed, 10 Apr 2024 05:14:44 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ruU2U-00068n-9Z for qemu-devel@nongnu.org; Wed, 10 Apr 2024 05:14:42 -0400 Received: from mail-ej1-x62f.google.com ([2a00:1450:4864:20::62f]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) 
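Review bot: [PULL 11/16] close_session hunk: replacing the assert with `return -VIRTIO_CRYPTO_INVSESS;` is the right direction, because the assertion was reachable from a guest-supplied session id (the qtest reproducer in the commit message hits it), but the hunk only touches cryptodev_builtin_close_session. The commit message should say whether the other paths in this backend that index builtin->sessions[] with a guest-supplied id already bound-check in the same way, and whether the caller maps the negative return to the status returned to the guest rather than treating it as an internal error. Also confirm from session_id's type that `session_id >= MAX_NUM_SESSIONS` is a complete check: an unsigned id cannot be negative, a signed one would need the lower bound too.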
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Peter Maydell, Jason Wang
Subject: [PULL 12/16] hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition
Date: Wed, 10 Apr 2024 11:13:11 +0200
Message-ID: <20240410091315.57241-13-philmd@linaro.org>
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>
References: <20240410091315.57241-1-philmd@linaro.org>

The magic 2048 is explained in the LAN9211 datasheet (DS00002414A)
in chapter 1.4, "10/100 Ethernet MAC":

  The MAC Interface Layer (MIL), within the MAC, contains a 2K Byte
  transmit and a 128 Byte receive FIFO which is separate from the TX
  and RX FIFOs. [...]

Note, the use of the constant in lan9118_receive() reveals that our
implementation is using the same buffer for both tx and rx.
Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Peter Maydell Message-Id: <20240409133801.23503-2-philmd@linaro.org> --- hw/net/lan9118.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c index 47ff25b441..8214569a2c 100644 --- a/hw/net/lan9118.c +++ b/hw/net/lan9118.c @@ -150,6 +150,12 @@ do { printf("lan9118: " fmt , ## __VA_ARGS__); } while (0) #define GPT_TIMER_EN 0x20000000 +/* + * The MAC Interface Layer (MIL), within the MAC, contains a 2K Byte transmit + * and a 128 Byte receive FIFO which is separate from the TX and RX FIFOs. + */ +#define MIL_TXFIFO_SIZE 2048 + enum tx_state { TX_IDLE, TX_B, @@ -166,7 +172,7 @@ typedef struct { int32_t pad; int32_t fifo_used; int32_t len; - uint8_t data[2048]; + uint8_t data[MIL_TXFIFO_SIZE]; } LAN9118Packet; static const VMStateDescription vmstate_lan9118_packet = { @@ -182,7 +188,7 @@ static const VMStateDescription vmstate_lan9118_packet = { VMSTATE_INT32(pad, LAN9118Packet), VMSTATE_INT32(fifo_used, LAN9118Packet), VMSTATE_INT32(len, LAN9118Packet), - VMSTATE_UINT8_ARRAY(data, LAN9118Packet, 2048), + VMSTATE_UINT8_ARRAY(data, LAN9118Packet, MIL_TXFIFO_SIZE), VMSTATE_END_OF_LIST() } }; 
@@ -544,7 +550,7 @@ static ssize_t lan9118_receive(NetClientState *nc, const uint8_t *buf, return -1; } - if (size >= 2048 || size < 14) { + if (size >= MIL_TXFIFO_SIZE || size < 14) { return -1; } From patchwork Wed Apr 10 09:13:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 1921870 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=h9vNpKww; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=patchwork.ozlabs.org) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VDxyK2BC5z1yYB for ; Wed, 10 Apr 2024 19:15:53 +1000 (AEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1ruU35-00071t-OD; Wed, 10 Apr 2024 05:15:19 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ruU2m-0006nz-Fn for qemu-devel@nongnu.org; Wed, 10 Apr 2024 05:15:03 -0400 Received: from mail-ed1-x531.google.com ([2a00:1450:4864:20::531]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1ruU2k-0005gQ-Mn for qemu-devel@nongnu.org; Wed, 10 Apr 2024 05:15:00 -0400 Received: by mail-ed1-x531.google.com with SMTP id 4fb4d7f45d1cf-56e69888a36so3779876a12.3 for ; Wed, 
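Review bot: [PULL 12/16] lan9118_receive hunk: reusing MIL_TXFIFO_SIZE for the receive-side `size >= MIL_TXFIFO_SIZE` check encodes the shared tx/rx buffer that the commit message mentions, but a reader of lan9118_receive() alone will not see why a transmit FIFO size bounds received frames, especially with the datasheet comment above the define quoting a separate 128 byte receive FIFO. Suggest a short comment at this call site (the model keeps received frames in the same 2K packet buffer it uses for the MIL TX FIFO), or a second, receive-side name aliasing the same value, so the 128 byte figure is not mistaken for the limit enforced here.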
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, qemu-stable@nongnu.org, Chuhong Yuan, Peter Maydell, Jason Wang
Subject: [PULL 13/16] hw/net/lan9118: Fix overflow in MIL TX FIFO
Date: Wed, 10 Apr 2024 11:13:12 +0200
Message-ID: <20240410091315.57241-14-philmd@linaro.org>
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>
References: <20240410091315.57241-1-philmd@linaro.org>

When the MAC Interface Layer (MIL) transmit FIFO is full, truncate
the packet, and raise the Transmitter Error (TXE) flag.

Broken since model introduction in commit 2a42499017 ("LAN9118 emulation").
When using the reproducer from
https://gitlab.com/qemu-project/qemu/-/issues/2267 we get:

  hw/net/lan9118.c:798:17: runtime error: index 2048 out of bounds for type 'uint8_t[2048]' (aka 'unsigned char[2048]')
    #0 0x563ec9a057b1 in tx_fifo_push hw/net/lan9118.c:798:43
    #1 0x563ec99fbb28 in lan9118_writel hw/net/lan9118.c:1042:9
    #2 0x563ec99f2de2 in lan9118_16bit_mode_write hw/net/lan9118.c:1205:9
    #3 0x563ecbf78013 in memory_region_write_accessor system/memory.c:497:5
    #4 0x563ecbf776f5 in access_with_adjusted_size system/memory.c:573:18
    #5 0x563ecbf75643 in memory_region_dispatch_write system/memory.c:1521:16
    #6 0x563ecc01bade in flatview_write_continue_step system/physmem.c:2713:18
    #7 0x563ecc01b374 in flatview_write_continue system/physmem.c:2743:19
    #8 0x563ecbff1c9b in flatview_write system/physmem.c:2774:12
    #9 0x563ecbff1768 in address_space_write system/physmem.c:2894:18
    ...

[*] LAN9118 DS00002266B.pdf, Table 5.3.3 "INTERRUPT STATUS REGISTER"

Cc: qemu-stable@nongnu.org
Reported-by: Will Lester
Reported-by: Chuhong Yuan
Suggested-by: Peter Maydell
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2267
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Peter Maydell
Message-Id: <20240409133801.23503-3-philmd@linaro.org>
---
 hw/net/lan9118.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
index 8214569a2c..91d81b410b 100644
--- a/hw/net/lan9118.c
+++ b/hw/net/lan9118.c
@@ -799,8 +799,22 @@ static void tx_fifo_push(lan9118_state *s, uint32_t val) /* Documentation is somewhat unclear on the ordering of bytes in FIFO words. Empirical results show it to be little-endian. */ - /* TODO: FIFO overflow checking. */ while (n--) { + if (s->txp->len == MIL_TXFIFO_SIZE) { + /* + * No more space in the FIFO. The datasheet is not + * precise about this case. We choose what is easiest + * to model: the packet is truncated, and TXE is raised. + * + * Note, it could be a fragmented packet, but we currently + * do not handle that (see earlier TX_B case). + */ + qemu_log_mask(LOG_GUEST_ERROR, + "MIL TX FIFO overrun, discarding %u byte%s\n", + n, n > 1 ? "s" : ""); + s->int_sts |= TXE_INT; + break; + } s->txp->data[s->txp->len] = val & 0xff; s->txp->len++; val >>= 8; From patchwork Wed Apr 10 09:13:13 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= X-Patchwork-Id: 1921880 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=VONmiBPM; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=patchwork.ozlabs.org) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VDy051CKNz1yYB for ; Wed, 10 Apr 2024 19:17:25 +1000 (AEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1ruU37-0007Gz-KR; Wed, 10 Apr 2024 
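Review bot: [PULL 13/16] tx_fifo_push hunk: the byte count in the qemu_log_mask message is off by one. The new check sits inside `while (n--)`, so when `s->txp->len == MIL_TXFIFO_SIZE` is evaluated n has already been post-decremented and no longer counts the byte being dropped; with exactly one byte left the log reads "discarding 0 byte". Use `n + 1` for both the count and the plural test. Separately, testing with `==` rather than `>=` relies on len never exceeding MIL_TXFIFO_SIZE, yet len arrives from the migration stream through VMSTATE_INT32(len, LAN9118Packet) with no post_load bound check visible in this series, so an inbound state carrying len > 2048 would bypass this guard and index past data[]. Either use `>=` here or validate len and fifo_used in a post_load callback, and say in the commit message which of the two closes that path.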
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, qemu-stable@nongnu.org, Alexander Bulekov, Chuhong Yuan, Peter Maydell, Bin Meng, qemu-block@nongnu.org
Subject: [PULL 14/16] hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set
Date: Wed, 10 Apr 2024 11:13:13 +0200
Message-ID: <20240410091315.57241-15-philmd@linaro.org>
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>
References: <20240410091315.57241-1-philmd@linaro.org>

Per "SD Host Controller Standard Specification Version 3.00":

  * 2.2.5 Transfer Mode Register (Offset 00Ch)

    Writes to this register shall be ignored when the Command
    Inhibit (DAT) in the Present State register is 1.
Do not update the TRNMOD register when the Command Inhibit (DAT)
bit is set, to avoid the present-status register going out of
sync, leading to a malicious guest using DMA mode and overflowing
the FIFO buffer:

  $ cat << EOF | qemu-system-i386 \
       -display none -nographic -nodefaults \
       -machine accel=qtest -m 512M \
       -device sdhci-pci,sd-spec-version=3 \
       -device sd-card,drive=mydrive \
       -drive if=none,index=0,file=null-co://,format=raw,id=mydrive \
       -qtest stdio
  outl 0xcf8 0x80001013
  outl 0xcfc 0x91
  outl 0xcf8 0x80001001
  outl 0xcfc 0x06000000
  write 0x9100002c 0x1 0x05
  write 0x91000058 0x1 0x16
  write 0x91000005 0x1 0x04
  write 0x91000028 0x1 0x08
  write 0x16 0x1 0x21
  write 0x19 0x1 0x20
  write 0x9100000c 0x1 0x01
  write 0x9100000e 0x1 0x20
  write 0x9100000f 0x1 0x00
  write 0x9100000c 0x1 0x00
  write 0x91000020 0x1 0x00
  EOF

Stack trace (part):

  =================================================================
  ==89993==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000029900
  at pc 0x55d5f885700d bp 0x7ffc1e1e9470 sp 0x7ffc1e1e9468
  WRITE of size 1 at 0x615000029900 thread T0
    #0 0x55d5f885700c in sdhci_write_dataport hw/sd/sdhci.c:564:39
    #1 0x55d5f8849150 in sdhci_write hw/sd/sdhci.c:1223:13
    #2 0x55d5fa01db63 in memory_region_write_accessor system/memory.c:497:5
    #3 0x55d5fa01d245 in access_with_adjusted_size system/memory.c:573:18
    #4 0x55d5fa01b1a9 in memory_region_dispatch_write system/memory.c:1521:16
    #5 0x55d5fa09f5c9 in flatview_write_continue system/physmem.c:2711:23
    #6 0x55d5fa08f78b in flatview_write system/physmem.c:2753:12
    #7 0x55d5fa08f258 in address_space_write system/physmem.c:2860:18
    ...
  0x615000029900 is located 0 bytes to the right of 512-byte region [0x615000029700,0x615000029900)
  allocated by thread T0 here:
      #0 0x55d5f7237b27 in __interceptor_calloc
      #1 0x7f9e36dd4c50 in g_malloc0
      #2 0x55d5f88672f7 in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5
      #3 0x55d5f844b582 in pci_qdev_realize hw/pci/pci.c:2092:9
      #4 0x55d5fa2ee74b in device_set_realized hw/core/qdev.c:510:13
      #5 0x55d5fa325bfb in property_set_bool qom/object.c:2358:5
      #6 0x55d5fa31ea45 in object_property_set qom/object.c:1472:5
      #7 0x55d5fa332509 in object_property_set_qobject om/qom-qobject.c:28:10
      #8 0x55d5fa31f6ed in object_property_set_bool qom/object.c:1541:15
      #9 0x55d5fa2e2948 in qdev_realize hw/core/qdev.c:292:12
      #10 0x55d5f8eed3f1 in qdev_device_add_from_qdict system/qdev-monitor.c:719:10
      #11 0x55d5f8eef7ff in qdev_device_add system/qdev-monitor.c:738:11
      #12 0x55d5f8f211f0 in device_init_func system/vl.c:1200:11
      #13 0x55d5fad0877d in qemu_opts_foreach util/qemu-option.c:1135:14
      #14 0x55d5f8f0df9c in qemu_create_cli_devices system/vl.c:2638:5
      #15 0x55d5f8f0db24 in qmp_x_exit_preconfig system/vl.c:2706:5
      #16 0x55d5f8f14dc0 in qemu_init system/vl.c:3737:9
      ...
  SUMMARY: AddressSanitizer: heap-buffer-overflow hw/sd/sdhci.c:564:39 in sdhci_write_dataport

Add assertions to ensure the fifo_buffer[] is not overflowed by
malicious accesses to the Buffer Data Port register.

Fixes: CVE-2024-3447
Cc: qemu-stable@nongnu.org
Fixes: d7dfca0807 ("hw/sdhci: introduce standard SD host controller")
Buglink: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813
Reported-by: Alexander Bulekov
Reported-by: Chuhong Yuan
Signed-off-by: Peter Maydell
Message-Id:
Signed-off-by: Philippe Mathieu-Daudé
Message-Id: <20240409145524.27913-1-philmd@linaro.org>
---
 hw/sd/sdhci.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index c5e0bc018b..27673e1c70 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -473,6 +473,7 @@ static uint32_t sdhci_read_dataport(SDHCIState *s, unsigned size) } for (i = 0; i < size; i++) { + assert(s->data_count < s->buf_maxsz); value |= s->fifo_buffer[s->data_count] << i * 8; s->data_count++; /* check if we've read all valid data (blksize bytes) from buffer */ @@ -561,6 +562,7 @@ static void sdhci_write_dataport(SDHCIState *s, uint32_t value, unsigned size) } for (i = 0; i < size; i++) { + assert(s->data_count < s->buf_maxsz); s->fifo_buffer[s->data_count] = value & 0xFF; s->data_count++; value >>= 8; 
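Review bot: the new assert in sdhci_read_dataport sits inside the per-byte loop, so it is evaluated before each `s->fifo_buffer[s->data_count]` read and fires on the first index that would run past the buffer; that is correct, and equivalent to a single `assert(s->data_count + size <= s->buf_maxsz)` ahead of the loop, since data_count only grows by one per iteration. What the hunk does not say is why the index stays in range on legitimate paths: a one-line comment naming the invariant the block-size and inhibit logic maintains would stop a later cleanup from treating the assert as redundant. Note also that an assert is fail-stop: an out-of-range read becomes an abort of the whole QEMU process rather than a silent over-read, which is the intended backstop only because the TRNMOD change in the third hunk is what keeps a guest from reaching it.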
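Review bot: the second hunk guards exactly the line the ASan report in the commit message points at (sdhci.c:564, a 1-byte WRITE one past a 512-byte region), and the assert is placed before the store, so the heap-buffer-overflow write becomes a controlled abort. Since this path is guest-writable, the trade-off is a guest-triggerable crash of the VMM instead of memory corruption; if the TRNMOD change is trusted to make this unreachable, say so in a comment next to the assert, and if it is not, dropping the remaining bytes with a `return` and logging a guest error is the fail-safe alternative. Either way the read and write hunks should get the same treatment and the same comment.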
@@ -1208,6 +1210,12 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) if (!(s->capareg & R_SDHC_CAPAB_SDMA_MASK)) { value &= ~SDHC_TRNS_DMA; } + + /* TRNMOD writes are inhibited while Command Inhibit (DAT) is true */ + if (s->prnsts & SDHC_DATA_INHIBIT) { + mask |= 0xffff; + } + MASKED_WRITE(s->trnmod, mask, value & SDHC_TRNMOD_MASK); MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16);
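Review bot: the inhibit in the third hunk relies on `mask` alone, but the guest's `value` still reaches `MASKED_WRITE(s->trnmod, mask, value & SDHC_TRNMOD_MASK)`, so whether the write is really ignored depends on how MASKED_WRITE combines the two. If it is a keep-mask of the form reg = (reg & mask) | val, ORing 0xffff into `mask` preserves the old TRNMOD bits but still ORs the incoming bits in, so a guest could set bits (SDHC_TRNS_DMA included) while Command Inhibit (DAT) is asserted, just not clear them, which does not satisfy "writes ... shall be ignored". Clearing the incoming half as well, `value &= ~0xffff;` beside `mask |= 0xffff;`, makes the intent hold regardless of the macro. The CMDREG half of the word is still written through `mask >> 16`; if that is deliberate, the comment should say so, since the spec quote in the commit message covers only TRNMOD.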
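As an added illustration, not code from QEMU or from this patch: a small C model of the two rules the series enforces, TRNMOD ignoring writes while Command Inhibit (DAT) is set (spec 2.2.5, quoted above) and the Buffer Data Port staying inside its 512-byte FIFO. The Host struct, the function names, the byte-lane keep-mask computation and the register bit positions (taken from the SDHCI register layout, not from the patch) are all assumptions of the model; the FIFO here refuses extra bytes rather than asserting, to show the fail-safe alternative to the fail-stop assert.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model constants. The FIFO size matches the 512-byte region in
 * the ASan report; the bit positions follow the SDHCI 3.00 layout (Present
 * State bit 1 = Command Inhibit (DAT), Transfer Mode bit 0 = DMA Enable)
 * and are assumptions of this model, not values from the patch. */
#define FIFO_MAXSZ             512u
#define PRNSTS_CMD_INHIBIT_DAT (1u << 1)
#define TRNMOD_DMA_ENABLE      (1u << 0)

typedef struct {
    uint32_t prnsts;              /* Present State register */
    uint16_t trnmod;              /* Transfer Mode register, offset 0x0C */
    uint16_t cmdreg;              /* Command register, offset 0x0E */
    uint8_t  fifo[FIFO_MAXSZ];    /* stands in for fifo_buffer[] */
    size_t   data_count;          /* next free index into fifo[] */
} Host;

/* Guest write of 'size' bytes (1, 2 or 4, naturally aligned) at 'offset'
 * (0x0C..0x0F) into the 32-bit word holding TRNMOD (bits 0..15) and CMDREG
 * (bits 16..31). Returns true when the TRNMOD half was applied and false
 * when it was ignored because Command Inhibit (DAT) is set (spec 2.2.5). */
bool word_0c_write(Host *h, unsigned offset, unsigned size, uint32_t val)
{
    unsigned shift = 8 * (offset & 0x3);
    /* keep-mask: bits outside the written byte lanes are preserved */
    uint32_t mask = (uint32_t)~(((1ULL << (size * 8)) - 1) << shift);
    uint32_t value = val << shift;
    bool trnmod_applied = true;

    if (h->prnsts & PRNSTS_CMD_INHIBIT_DAT) {
        /* Ignore the TRNMOD half: preserve its old bits AND discard the
         * incoming ones. Extending only the keep-mask would still OR the
         * new bits in, letting a guest set (but not clear) mode bits. */
        mask |= 0xffffu;
        value &= ~0xffffu;
        trnmod_applied = false;
    }
    h->trnmod = (uint16_t)(((h->trnmod & mask) | value) & 0xffffu);
    h->cmdreg = (uint16_t)((h->cmdreg & (mask >> 16)) | (value >> 16));
    return trnmod_applied;
}

/* Buffer Data Port write, one byte per loop step as in the patched loop,
 * but refusing bytes past the end of the FIFO instead of aborting.
 * Returns how many of 'size' bytes were accepted. */
size_t dataport_write(Host *h, uint32_t value, unsigned size)
{
    size_t accepted = 0;
    for (unsigned i = 0; i < size; i++) {
        if (h->data_count >= FIFO_MAXSZ) {   /* the bound the assert() checks */
            break;
        }
        h->fifo[h->data_count++] = value & 0xFF;
        value >>= 8;
        accepted++;
    }
    return accepted;
}

/* With a data transfer in flight, a full-word write must leave TRNMOD
 * alone while the CMDREG half of the same word still lands. */
bool demo_inhibited_write(void)
{
    Host h;
    memset(&h, 0, sizeof h);
    h.trnmod = 0x0020;                     /* constructed pre-existing mode bits */
    h.prnsts = PRNSTS_CMD_INHIBIT_DAT;
    bool applied = word_0c_write(&h, 0x0c, 4, 0x1234ffffu);
    return !applied && h.trnmod == 0x0020 && h.cmdreg == 0x1234;
}

/* Without the inhibit, byte-lane writes behave like ordinary MMIO:
 * returns CMDREG << 16 | TRNMOD after three single-byte stores. */
uint32_t demo_bytelane_writes(void)
{
    Host h;
    memset(&h, 0, sizeof h);
    word_0c_write(&h, 0x0c, 1, TRNMOD_DMA_ENABLE);   /* low byte of TRNMOD */
    word_0c_write(&h, 0x0e, 1, 0x20);                /* low byte of CMDREG */
    word_0c_write(&h, 0x0f, 1, 0x00);                /* high byte of CMDREG */
    return ((uint32_t)h.cmdreg << 16) | h.trnmod;
}

/* Pushes 'nbytes' single bytes through the data port and returns how many
 * the bounded FIFO accepted; nothing past FIFO_MAXSZ is ever written. */
size_t demo_fifo_bound(size_t nbytes)
{
    Host h;
    memset(&h, 0, sizeof h);
    size_t accepted = 0;
    for (size_t i = 0; i < nbytes; i++) {
        accepted += dataport_write(&h, (uint32_t)i, 1);
    }
    return accepted;
}

int main(void)
{
    printf("inhibited TRNMOD write ignored: %s\n", demo_inhibited_write() ? "yes" : "no");
    printf("byte-lane writes -> 0x%08x\n", (unsigned)demo_bytelane_writes());
    printf("FIFO accepted %zu of 600 bytes\n", demo_fifo_bound(600));
    return 0;
}
```

Any C99 compiler builds it stand-alone. The model deliberately clears `value` as well as extending `mask`, so the inhibited write is ignored whatever the combine step does; the FIFO demo shows that 600 single-byte data-port writes leave the buffer at its 512-byte bound with no write past it.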
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, qemu-stable@nongnu.org, Zheyu Ma, Akihiko Odaki, Jason Wang, Dmitry Fleytman
Subject: [PULL 15/16] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()
Date: Wed, 10 Apr 2024 11:13:14 +0200
Message-ID: <20240410091315.57241-16-philmd@linaro.org>
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>
References: <20240410091315.57241-1-philmd@linaro.org>

If a fragmented packet size is too short, do not try to calculate
its checksum.

Reproduced using:

  $ cat << EOF | qemu-system-i386 -display none -nodefaults \
      -machine q35,accel=qtest -m 32M \
      -device igb,netdev=net0 \
      -netdev user,id=net0 \
      -qtest stdio
  outl 0xcf8 0x80000810
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80000804
  outw 0xcfc 0x06
  write 0xe0000403 0x1 0x02
  writel 0xe0003808 0xffffffff
  write 0xe000381a 0x1 0x5b
  write 0xe000381b 0x1 0x00
  EOF

  Assertion failed: (offset == 0), function iov_from_buf_full, file util/iov.c, line 39.
      #1 0x5575e81e952a in iov_from_buf_full qemu/util/iov.c:39:5
      #2 0x5575e6500768 in net_tx_pkt_update_sctp_checksum qemu/hw/net/net_tx_pkt.c:144:9
      #3 0x5575e659f3e1 in igb_setup_tx_offloads qemu/hw/net/igb_core.c:478:11
      #4 0x5575e659f3e1 in igb_tx_pkt_send qemu/hw/net/igb_core.c:552:10
      #5 0x5575e659f3e1 in igb_process_tx_desc qemu/hw/net/igb_core.c:671:17
      #6 0x5575e659f3e1 in igb_start_xmit qemu/hw/net/igb_core.c:903:9
      #7 0x5575e659f3e1 in igb_set_tdt qemu/hw/net/igb_core.c:2812:5
      #8 0x5575e657d6a4 in igb_core_write qemu/hw/net/igb_core.c:4248:9

Fixes: CVE-2024-3567
Cc: qemu-stable@nongnu.org
Reported-by: Zheyu Ma
Fixes: f199b13bc1 ("igb: Implement Tx SCTP CSO")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2273
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Akihiko Odaki
Acked-by: Jason Wang
Message-Id: <20240410070459.49112-1-philmd@linaro.org>
---
 hw/net/net_tx_pkt.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index 2134a18c4c..b7b1de816d 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -141,6 +141,10 @@ bool net_tx_pkt_update_sctp_checksum(struct NetTxPkt *pkt) uint32_t csum = 0; struct iovec *pl_start_frag = pkt->vec + NET_TX_PKT_PL_START_FRAG; + if (iov_size(pl_start_frag, pkt->payload_frags) < 8 + sizeof(csum)) { + return false; + } + if (iov_from_buf(pl_start_frag, pkt->payload_frags, 8, &csum, sizeof(csum)) < sizeof(csum)) { return false; }
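Review bot: the literal 8 in the new bound duplicates the 8 passed to iov_from_buf two lines later as the checksum offset; a named constant for the SCTP common-header checksum offset (bytes 8..11) would tie the bound and the copy together and make `8 + sizeof(csum)` read as "the field must fit". A comment is also warranted on why this pre-check is needed when iov_from_buf's return value is already compared against sizeof(csum): the trace in the commit message shows iov_from_buf_full asserting `offset == 0`, i.e. an offset beyond the iovec aborts instead of returning short, so the bound has to be established before the call rather than recovered from its result. If the computed checksum is later copied back into the same four bytes (not visible in this hunk), this single check covers that too and the commit message could say so.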
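As an added example, not QEMU's net_tx_pkt code: the same length check applied to a flat packet buffer, with a CRC-32C implementation so the whole thing runs offline and a verifier that recomputes the checksum with the field treated as zero. The constant names, the packet builder and the sample packet contents are constructed for the demo; the 8-byte checksum offset and 12-byte minimum come from the SCTP common header layout, which is what the hunk's `8 + sizeof(csum)` encodes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SCTP common header (RFC 4960): src port(2) dst port(2) vtag(4) checksum(4).
 * The 8 in the patch is this checksum offset; 8 + 4 is the smallest payload
 * that can hold the field at all. */
#define SCTP_CSUM_OFFSET 8u
#define SCTP_CSUM_LEN    4u
#define SCTP_MIN_LEN     (SCTP_CSUM_OFFSET + SCTP_CSUM_LEN)

/* Streaming CRC-32C (Castagnoli, reflected polynomial 0x82F63B78).
 * 'crc' is the running, non-inverted state: start from 0xFFFFFFFF and
 * invert the final result, as crc32c() below does. */
uint32_t crc32c_update(uint32_t crc, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++) {
            crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
        }
    }
    return crc;
}

/* One-shot CRC-32C; the standard check value is crc32c("123456789") == 0xE3069283. */
uint32_t crc32c(const uint8_t *buf, size_t len)
{
    return ~crc32c_update(0xFFFFFFFFu, buf, len);
}

/* CRC over the packet with the checksum field taken as zero, without
 * modifying the buffer. Callers guarantee len >= SCTP_MIN_LEN. */
uint32_t sctp_crc(const uint8_t *pkt, size_t len)
{
    static const uint8_t zero[SCTP_CSUM_LEN] = {0};
    uint32_t crc = crc32c_update(0xFFFFFFFFu, pkt, SCTP_CSUM_OFFSET);
    crc = crc32c_update(crc, zero, SCTP_CSUM_LEN);
    crc = crc32c_update(crc, pkt + SCTP_MIN_LEN, len - SCTP_MIN_LEN);
    return ~crc;
}

/* Fill in the checksum. Returns false and leaves the buffer untouched when
 * 'len' cannot hold the field: the bound the patch adds, checked before
 * anything indexes offset 8. */
bool sctp_update_checksum(uint8_t *pkt, size_t len)
{
    if (len < SCTP_MIN_LEN) {
        return false;
    }
    uint32_t csum = sctp_crc(pkt, len);
    /* RFC 4960 Appendix B stores the CRC least significant byte first,
     * the reverse of the big-endian IP/TCP/UDP checksums. */
    for (unsigned i = 0; i < SCTP_CSUM_LEN; i++) {
        pkt[SCTP_CSUM_OFFSET + i] = (uint8_t)(csum >> (8 * i));
    }
    return true;
}

bool sctp_verify_checksum(const uint8_t *pkt, size_t len)
{
    if (len < SCTP_MIN_LEN) {
        return false;
    }
    uint32_t stored = 0;
    for (unsigned i = 0; i < SCTP_CSUM_LEN; i++) {
        stored |= (uint32_t)pkt[SCTP_CSUM_OFFSET + i] << (8 * i);
    }
    return stored == sctp_crc(pkt, len);
}

/* Constructed packet: common header plus 16 bytes standing in for a chunk.
 * Ports, tag and chunk bytes are sample values chosen for the demo. */
#define DEMO_PKT_LEN 28u

size_t build_demo_packet(uint8_t *pkt)
{
    static const uint8_t hdr[SCTP_MIN_LEN] = {
        0x1f, 0x90, 0x00, 0x50,          /* src port 8080, dst port 80 */
        0xde, 0xad, 0xbe, 0xef,          /* verification tag */
        0x00, 0x00, 0x00, 0x00           /* checksum, filled in later */
    };
    memcpy(pkt, hdr, SCTP_MIN_LEN);
    for (unsigned i = SCTP_MIN_LEN; i < DEMO_PKT_LEN; i++) {
        pkt[i] = (uint8_t)i;
    }
    return DEMO_PKT_LEN;
}

/* Round trip: update, verify, then flip one bit and verify again. */
bool demo_roundtrip(void)
{
    uint8_t pkt[DEMO_PKT_LEN];
    size_t len = build_demo_packet(pkt);
    if (!sctp_update_checksum(pkt, len) || !sctp_verify_checksum(pkt, len)) {
        return false;
    }
    pkt[len - 1] ^= 0x01;
    return !sctp_verify_checksum(pkt, len);
}

/* An 11-byte payload cannot hold the field: the update must refuse it
 * without writing past the given length or changing the buffer. */
bool demo_short_packet(void)
{
    uint8_t pkt[DEMO_PKT_LEN], before[DEMO_PKT_LEN];
    build_demo_packet(pkt);
    memcpy(before, pkt, sizeof pkt);
    bool ok = sctp_update_checksum(pkt, SCTP_MIN_LEN - 1);
    return !ok && memcmp(before, pkt, sizeof pkt) == 0;
}

int main(void)
{
    printf("crc32c(\"123456789\") = 0x%08x\n", (unsigned)crc32c((const uint8_t *)"123456789", 9));
    printf("round trip ok: %s\n", demo_roundtrip() ? "yes" : "no");
    printf("short packet refused: %s\n", demo_short_packet() ? "yes" : "no");
    return 0;
}
```

The check value line doubles as a self-test of the CRC; the short-packet demo is the case the patch fixes, refused up front rather than discovered by an assertion inside the copy routine.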
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Manos Pitsidianakis, Gerd Hoffmann, "Michael S. Tsirkin"
Subject: [PULL 16/16] hw/audio/virtio-snd: Remove unused assignment
Date: Wed, 10 Apr 2024 11:13:15 +0200
Message-ID: <20240410091315.57241-17-philmd@linaro.org>
In-Reply-To: <20240410091315.57241-1-philmd@linaro.org>
References: <20240410091315.57241-1-philmd@linaro.org>

Coverity reported:

  >>> CID 1542933: Code maintainability issues (UNUSED_VALUE)
  >>> CID 1542934: Code maintainability issues (UNUSED_VALUE)
  >>> Assigning value "NULL" to "stream" here, but that stored value
      is overwritten before it can be used.

Simply remove the unused assignments.

Resolves: Coverity CID 1542933
Resolves: Coverity CID 1542934
Fixes: 731655f87f ("virtio-snd: rewrite invalid tx/rx message handling")
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Manos Pitsidianakis
Message-Id: <20240410053712.34747-1-philmd@linaro.org>
---
 hw/audio/virtio-snd.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index 90d9a2796e..c80b58bf5d 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -885,7 +885,9 @@ static void virtio_snd_handle_tx_xfer(VirtIODevice *vdev, VirtQueue *vq) } trace_virtio_snd_handle_tx_xfer(); - for (VirtIOSoundPCMStream *stream = NULL;; stream = NULL) { + for (;;) { + VirtIOSoundPCMStream *stream; + elem = virtqueue_pop(vq, sizeof(VirtQueueElement)); if (!elem) { break; @@ -964,7 +966,9 @@ static void virtio_snd_handle_rx_xfer(VirtIODevice *vdev, VirtQueue *vq) } trace_virtio_snd_handle_rx_xfer(); - for (VirtIOSoundPCMStream *stream = NULL;; stream = NULL) { + for (;;) { + VirtIOSoundPCMStream *stream; + elem = virtqueue_pop(vq, sizeof(VirtQueueElement)); if (!elem) { break;
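Review bot: in the tx hunk, moving `stream` into the loop body removes the two dead `= NULL` stores Coverity flagged, but it also removes the only initialization: `stream` is now indeterminate at the top of each iteration. Coverity's own finding (the NULL is overwritten before use) says the body assigns it first on the paths it analysed, and the early `break` after virtqueue_pop does not touch it, but the rest of the body lies outside the hunk, so please confirm no later error path reads or releases `stream` before it is assigned. If one does, keeping an initializer on the new declaration (`VirtIOSoundPCMStream *stream = NULL;`) is the safer choice even though Coverity would then report the store as unused again.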
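Review bot: the rx hunk makes the same change in virtio_snd_handle_rx_xfer and is cut off at `break;` on this page, so the remainder cannot be checked here; the same confirmation applies, that every path in the rx loop body assigns `stream` before reading it now that it no longer starts as NULL.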