{"id":2233299,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2233299/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/8d3bc0e97de971ec10727f5bc2b5f9183eb62976.1778053560.git.jeuk20.kim@samsung.com/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.2/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<8d3bc0e97de971ec10727f5bc2b5f9183eb62976.1778053560.git.jeuk20.kim@samsung.com>","list_archive_url":null,"date":"2026-05-06T07:54:30","name":"[3/4] hw/ufs: Reject zero-depth MCQ queues","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"720353b7fde9145dabbfd64bf14ffdba5dbc0c79","submitter":{"id":86755,"url":"http://patchwork.ozlabs.org/api/1.2/people/86755/?format=json","name":"Jeuk Kim","email":"jeuk20.kim@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/8d3bc0e97de971ec10727f5bc2b5f9183eb62976.1778053560.git.jeuk20.kim@samsung.com/mbox/","series":[{"id":502929,"url":"http://patchwork.ozlabs.org/api/1.2/series/502929/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=502929","date":"2026-05-06T07:54:27","name":"hw/ufs: Fix guest-triggerable MCQ crashes","version":1,"mbox":"http://patchwork.ozlabs.org/series/502929/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2233299/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2233299/checks/","tags":{},"related":[],"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=YXaBINPO;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"From":"Jeuk Kim <jeuk20.kim@gmail.com>","X-Google-Original-From":"Jeuk Kim <jeuk20.kim@samsung.com>","To":"qemu-devel@nongnu.org","Cc":"jeuk20.kim@samsung.com, qemu-block@nongnu.org, qemu-stable@nongnu.org,\n j-young.choi@samsung.com","Subject":"[PATCH 3/4] hw/ufs: Reject zero-depth MCQ queues","Date":"Wed,  6 May 2026 16:54:30 +0900","Message-ID":"\n <8d3bc0e97de971ec10727f5bc2b5f9183eb62976.1778053560.git.jeuk20.kim@samsung.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<cover.1778053560.git.jeuk20.kim@samsung.com>","References":"<cover.1778053560.git.jeuk20.kim@samsung.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Received-SPF":"pass client-ip=2607:f8b0:4864:20::102b;\n envelope-from=jeuk20.kim@gmail.com; helo=mail-pj1-x102b.google.com","X-Spam_score_int":"-20","X-Spam_score":"-2.1","X-Spam_bar":"--","X-Spam_report":"(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n 
<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"Reject SQATTR.SIZE and CQATTR.SIZE values that produce zero-entry MCQ\nqueues. Such queues can later trigger a divide-by-zero while advancing\nqueue pointers.\n\nFixes: 5c079578d2e (\"hw/ufs: Add support MCQ of UFSHCI 4.0\")\nCc: qemu-stable@nongnu.org\nSigned-off-by: Jeuk Kim <jeuk20.kim@samsung.com>\n---\n hw/ufs/trace-events |  2 ++\n hw/ufs/ufs.c        | 18 ++++++++++++++++--\n 2 files changed, 18 insertions(+), 2 deletions(-)","diff":"diff --git a/hw/ufs/trace-events b/hw/ufs/trace-events\nindex 531dcfc686..7734b35f08 100644\n--- a/hw/ufs/trace-events\n+++ b/hw/ufs/trace-events\n@@ -40,10 +40,12 @@ ufs_err_mcq_db_wr_invalid_sqid(uint8_t qid) \"invalid mcq sqid %\"PRIu8\"\"\n ufs_err_mcq_db_wr_invalid_db(uint8_t qid, uint32_t db) \"invalid mcq doorbell sqid %\"PRIu8\", db %\"PRIu32\"\"\n ufs_err_mcq_create_sq_invalid_sqid(uint8_t qid) \"invalid mcq sqid %\"PRIu8\"\"\n ufs_err_mcq_create_sq_invalid_cqid(uint8_t qid) \"invalid mcq cqid %\"PRIu8\"\"\n+ufs_err_mcq_create_sq_invalid_size(uint8_t qid) \"invalid mcq sq size for sqid %\"PRIu8\"\"\n ufs_err_mcq_create_sq_already_exists(uint8_t qid) \"mcq sqid %\"PRIu8 \"already exists\"\n ufs_err_mcq_delete_sq_invalid_sqid(uint8_t qid) \"invalid mcq sqid %\"PRIu8\"\"\n ufs_err_mcq_delete_sq_not_exists(uint8_t qid) \"mcq sqid %\"PRIu8 \"not exists\"\n ufs_err_mcq_create_cq_invalid_cqid(uint8_t qid) \"invalid mcq cqid %\"PRIu8\"\"\n+ufs_err_mcq_create_cq_invalid_size(uint8_t qid) \"invalid mcq cq size 
for cqid %\"PRIu8\"\"\n ufs_err_mcq_create_cq_already_exists(uint8_t qid) \"mcq cqid %\"PRIu8 \"already exists\"\n ufs_err_mcq_delete_cq_invalid_cqid(uint8_t qid) \"invalid mcq cqid %\"PRIu8\"\"\n ufs_err_mcq_delete_cq_not_exists(uint8_t qid) \"mcq cqid %\"PRIu8 \"not exists\"\ndiff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c\nindex 1819ba2e8a..4ccd7aa64d 100644\n--- a/hw/ufs/ufs.c\n+++ b/hw/ufs/ufs.c\n@@ -506,6 +506,8 @@ static bool ufs_mcq_create_sq(UfsHc *u, uint8_t qid, uint32_t attr)\n     UfsMcqReg *reg = &u->mcq_reg[qid];\n     UfsSq *sq;\n     uint8_t cqid = FIELD_EX32(attr, SQATTR, CQID);\n+    uint16_t qsize =\n+        ((FIELD_EX32(attr, SQATTR, SIZE) + 1) << 2) / sizeof(UfsSqEntry);\n \n     if (qid >= u->params.mcq_maxq) {\n         trace_ufs_err_mcq_create_sq_invalid_sqid(qid);\n@@ -527,12 +529,17 @@ static bool ufs_mcq_create_sq(UfsHc *u, uint8_t qid, uint32_t attr)\n         return false;\n     }\n \n+    if (!qsize) {\n+        trace_ufs_err_mcq_create_sq_invalid_size(qid);\n+        return false;\n+    }\n+\n     sq = g_malloc0(sizeof(*sq));\n     sq->u = u;\n     sq->sqid = qid;\n     sq->cq = u->cq[cqid];\n     sq->addr = ((uint64_t)reg->squba << 32) | reg->sqlba;\n-    sq->size = ((FIELD_EX32(attr, SQATTR, SIZE) + 1) << 2) / sizeof(UfsSqEntry);\n+    sq->size = qsize;\n \n     sq->bh = qemu_bh_new_guarded(ufs_mcq_process_sq, sq,\n                                  &DEVICE(u)->mem_reentrancy_guard);\n@@ -576,6 +583,8 @@ static bool ufs_mcq_create_cq(UfsHc *u, uint8_t qid, uint32_t attr)\n {\n     UfsMcqReg *reg = &u->mcq_reg[qid];\n     UfsCq *cq;\n+    uint16_t qsize =\n+        ((FIELD_EX32(attr, CQATTR, SIZE) + 1) << 2) / sizeof(UfsCqEntry);\n \n     if (qid >= u->params.mcq_maxq) {\n         trace_ufs_err_mcq_create_cq_invalid_cqid(qid);\n@@ -587,11 +596,16 @@ static bool ufs_mcq_create_cq(UfsHc *u, uint8_t qid, uint32_t attr)\n         return false;\n     }\n \n+    if (!qsize) {\n+        trace_ufs_err_mcq_create_cq_invalid_size(qid);\n+        
return false;\n+    }\n+\n     cq = g_malloc0(sizeof(*cq));\n     cq->u = u;\n     cq->cqid = qid;\n     cq->addr = ((uint64_t)reg->cquba << 32) | reg->cqlba;\n-    cq->size = ((FIELD_EX32(attr, CQATTR, SIZE) + 1) << 2) / sizeof(UfsCqEntry);\n+    cq->size = qsize;\n \n     cq->bh = qemu_bh_new_guarded(ufs_mcq_process_cq, cq,\n                                  &DEVICE(u)->mem_reentrancy_guard);\n","prefixes":["3/4"]}
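Review bot: in the hw/ufs/trace-events hunk, the two new events ufs_err_mcq_create_sq_invalid_size and ufs_err_mcq_create_cq_invalid_size report only the queue id, yet the reason for the reject is a bad SQATTR.SIZE or CQATTR.SIZE encoding; consider giving them a second argument carrying the raw SIZE field (e.g. `ufs_err_mcq_create_sq_invalid_size(uint8_t qid, uint32_t size)`), the way the neighbouring ufs_err_mcq_db_wr_invalid_db event carries its `db` value, so a trace shows which value the guest wrote rather than only which queue it tried to create.

Review bot: in the first hw/ufs/ufs.c hunk (ufs_mcq_create_sq), `qsize` is declared `uint16_t` while the same expression was previously assigned straight to `sq->size`, whose type is not visible here; if `sq->size` is wider, the narrowing now happens before the `!qsize` test, so a SIZE value large enough to wrap could pass the check with a smaller depth than the guest programmed (or be rejected as zero for the wrong reason). Declaring `qsize` with the same type as `sq->size`, or adding an upper-bound check next to the zero check, would make the intent explicit. Separately, the integer division by `sizeof(UfsSqEntry)` discards any remainder, so a byte size that is not a whole multiple of the entry size is silently rounded down; if that is intended, a one-line comment above `if (!qsize)` saying so would help the next reader.

Review bot: the ufs_mcq_create_cq hunks mirror the SQ change, including the `uint16_t qsize` narrowing and the truncating division by `sizeof(UfsCqEntry)`, so the same type question applies to `cq->size`; since the two size computations and the two zero checks are now identical apart from the entry type, a small shared helper (e.g. one that takes the SIZE field and an entry size and returns the depth) would keep the SQ and CQ validation from drifting apart in later fixes.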