{"id":2233149,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2233149/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260505185157.608910-2-peter.maydell@linaro.org/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.2/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260505185157.608910-2-peter.maydell@linaro.org>","list_archive_url":null,"date":"2026-05-05T18:51:56","name":"[1/2] hw/net/rocker_of_dpa: Check group ID pointers are not NULL","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"ce39efd85e58b04f0714390849124dd4419baddd","submitter":{"id":5111,"url":"http://patchwork.ozlabs.org/api/1.2/people/5111/?format=json","name":"Peter Maydell","email":"peter.maydell@linaro.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260505185157.608910-2-peter.maydell@linaro.org/mbox/","series":[{"id":502883,"url":"http://patchwork.ozlabs.org/api/1.2/series/502883/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=502883","date":"2026-05-05T18:51:56","name":"hw/net_rocker_of_dpa: two bugfixes","version":1,"mbox":"http://patchwork.ozlabs.org/series/502883/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2233149/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2233149/checks/","tags":{},"related":[],"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256\n header.s=google 
header.b=PL2HtD09;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"From":"Peter Maydell <peter.maydell@linaro.org>","To":"qemu-devel@nongnu.org","Cc":"Jiri Pirko <jiri@resnulli.us>,\n\tJason Wang <jasowang@redhat.com>","Subject":"[PATCH 1/2] hw/net/rocker_of_dpa: Check group ID pointers are not\n NULL","Date":"Tue,  5 May 2026 19:51:56 +0100","Message-ID":"<20260505185157.608910-2-peter.maydell@linaro.org>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<20260505185157.608910-1-peter.maydell@linaro.org>","References":"<20260505185157.608910-1-peter.maydell@linaro.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Received-SPF":"pass client-ip=2a00:1450:4864:20::42f;\n envelope-from=peter.maydell@linaro.org; helo=mail-wr1-x42f.google.com","X-Spam_score_int":"-20","X-Spam_score":"-2.1","X-Spam_bar":"--","X-Spam_report":"(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n 
<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"In of_dpa_cmd_add_l2_flood(), we use rocker_tlv_parse_nested()\nto fill in a tlvs[] array. If the guest command is valid then\nthe entries should be pointers to TLV data items with group IDs.\nHowever, if the guest gives us bogus data then rocker_tlv_parse_nested()\nindicates this by leaving the tlvs[] entries NULL. In the other\nplaces that use this function, we check for this before using\nthe value, but here we forgot, and the result is that QEMU can\ncrash:\n\n#0  __memcpy_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:331\n#1  0x00005555574f7137 in __asan_memcpy ()\n#2  0x0000555558106792 in ldl_he_p (ptr=0x8) at /home/pm215/qemu/include/qemu/bswap.h:278\n#3  0x0000555558106755 in ldl_le_p (ptr=0x8) at /home/pm215/qemu/include/qemu/bswap.h:311\n#4  0x00005555580f85ed in rocker_tlv_get_le32 (tlv=0x0) at ../../hw/net/rocker/rocker_tlv.h:114\n#5  0x000055555810a8ad in of_dpa_cmd_add_l2_flood (of_dpa=0x506000082e38, group=0x503000b4e440, group_tlvs=0x7fff68702c20)\n    at ../../hw/net/rocker/rocker_of_dpa.c:2032\n#6  0x0000555558108a74 in of_dpa_cmd_group_do (of_dpa=0x506000082e38, group_id=1073741824, group=0x503000b4e440, group_tlvs=0x7fff68702c20)\n    at ../../hw/net/rocker/rocker_of_dpa.c:2115\n#7  0x0000555558108730 in of_dpa_cmd_group_add (of_dpa=0x506000082e38, group_id=1073741824, group_tlvs=0x7fff68702c20)\n    at ../../hw/net/rocker/rocker_of_dpa.c:2135\n#8  0x00005555580f66ec in of_dpa_group_cmd\n  
  (of_dpa=0x506000082e38, info=0x514000072e40, buf=0x5070002356c0 \"\\001\", cmd=7, group_tlvs=0x7fff68702c20)\n    at ../../hw/net/rocker/rocker_of_dpa.c:2194\n\nCheck for NULL values and return an error.\n\nCc: qemu-stable@nongnu.org\nResolves: https://gitlab.com/qemu-project/qemu/-/work_items/1851\nSigned-off-by: Peter Maydell <peter.maydell@linaro.org>\n---\n hw/net/rocker/rocker_of_dpa.c | 4 ++++\n 1 file changed, 4 insertions(+)","diff":"diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c\nindex 3190a0e75c..958f3006c1 100644\n--- a/hw/net/rocker/rocker_of_dpa.c\n+++ b/hw/net/rocker/rocker_of_dpa.c\n@@ -2029,6 +2029,10 @@ static int of_dpa_cmd_add_l2_flood(OfDpa *of_dpa, OfDpaGroup *group,\n                             group_tlvs[ROCKER_TLV_OF_DPA_GROUP_IDS]);\n \n     for (i = 0; i < group->l2_flood.group_count; i++) {\n+        if (!tlvs[i + 1]) {\n+            err = -ROCKER_EINVAL;\n+            goto err_out;\n+        }\n         group->l2_flood.group_ids[i] = rocker_tlv_get_le32(tlvs[i + 1]);\n     }\n \n","prefixes":["1/2"]}
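Review bot: in the loop in of_dpa_cmd_add_l2_flood(), the NULL check runs once per entry, so earlier iterations have already stored values in group->l2_flood.group_ids[] by the time a later tlvs[i + 1] turns out to be NULL and the code jumps to err_out. The body of err_out is outside this hunk; it is worth confirming that it releases group_ids and resets group_count, so that a rejected guest command does not leave a partially filled flood group behind. A one-line comment above the check noting that rocker_tlv_parse_nested() leaves entries NULL for malformed guest data would also help, since that contract is currently stated only in the commit message.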