{"id":2233300,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2233300/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/2b4e9005cb7452c21937c99f570d774563b67b46.1778053560.git.jeuk20.kim@samsung.com/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.2/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<2b4e9005cb7452c21937c99f570d774563b67b46.1778053560.git.jeuk20.kim@samsung.com>","list_archive_url":null,"date":"2026-05-06T07:54:29","name":"[2/4] hw/ufs: Guard MCQ CQ accesses against missing queues","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"f8e07b2206b4c6d0af1afdae52c6d2c7475c9882","submitter":{"id":86755,"url":"http://patchwork.ozlabs.org/api/1.2/people/86755/?format=json","name":"Jeuk Kim","email":"jeuk20.kim@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/2b4e9005cb7452c21937c99f570d774563b67b46.1778053560.git.jeuk20.kim@samsung.com/mbox/","series":[{"id":502929,"url":"http://patchwork.ozlabs.org/api/1.2/series/502929/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=502929","date":"2026-05-06T07:54:27","name":"hw/ufs: Fix guest-triggerable MCQ crashes","version":1,"mbox":"http://patchwork.ozlabs.org/series/502929/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2233300/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2233300/checks/","tags":{},"related":[],"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com 
header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=IQ5PKjNX;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g9SPh6tDYz1yKj\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 06 May 2026 17:56:23 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wKX6O-0002hp-B4; Wed, 06 May 2026 03:55:28 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <jeuk20.kim@gmail.com>)\n id 1wKX69-0002eQ-Lz\n for qemu-devel@nongnu.org; Wed, 06 May 2026 03:55:16 -0400","from mail-pj1-x1034.google.com ([2607:f8b0:4864:20::1034])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from <jeuk20.kim@gmail.com>)\n id 1wKX66-000829-Sv\n for qemu-devel@nongnu.org; Wed, 06 May 2026 03:55:13 -0400","by mail-pj1-x1034.google.com with SMTP id\n 98e67ed59e1d1-3658c87160eso800092a91.0\n for <qemu-devel@nongnu.org>; Wed, 06 May 2026 00:55:10 -0700 (PDT)","from jeuk-MS-7D42.. 
([211.226.54.223])\n by smtp.gmail.com with ESMTPSA id\n 98e67ed59e1d1-365b4bcaa49sm1380997a91.1.2026.05.06.00.55.07\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 06 May 2026 00:55:08 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1778054109; x=1778658909; darn=nongnu.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=orupH/ZosDBgw2QZSHIIN9b4U6Oo6D+nsWsNqobO55I=;\n b=IQ5PKjNX5oLZKZlIabZ6eZzWZIrklGaPDgm/jQ0LJTFgJXXwHYAq0VL0ZI8T6X611H\n VxmzEd6aqbUmMohidLARzYrcXU7GFL/q1I4Sb6FjWtdO9FDaM8fvdqGy9yAd32sndNHP\n K0T4lZDAvCirocsAK193AFVzuKII1AJPE5W7cuVyUP6miIpexokFgauqpQY1zaOsMq9x\n CGAkNN/Moi2/5x5r9ibcEys3uJppDSi1ZwjeVSZfWxA224Iszqqya0eAo+oMMmSf31QZ\n Jmz9DAzrsgCblUH2cbOWZmSSDeKWdPF+9msC+YXPs8viv6tHLY/BsSYlWq9hBc+cRZDw\n JKDg==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1778054109; x=1778658909;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=orupH/ZosDBgw2QZSHIIN9b4U6Oo6D+nsWsNqobO55I=;\n b=tJkA4xLtanim5tl1mJNiAeuGrlkelLsu56HzpgWrwvj1H6Mek8fZejLkHDRz29Bso9\n gWzePtYNVxRtnUkbfcZJJJRQmau/PnR+ErXmyDd36r3d/nLaDJT3iG/rfB6+VJriuKV9\n l55L6UN/Vwyaow/4KmqpW9njYAtk/hddYSLkrU5FOzzuD2bg0g01rMcr2LvnfnVFozkv\n YRT6W9vnjifQ9zBOyhBHAEtvEjX3NN7Led91et1Rp7UsqIo81ZEsVH5jQVqe30pJPKs1\n HQUoseTlGq15nrH7aSmcJZg2bCRfwPksF5HBnLI2LNXJbl1WyX5cZOkucAbrZ8GTTD65\n aIMQ==","X-Gm-Message-State":"AOJu0YxK7zY6zJ0Vxdxz3Os8TF58zSvhDiWpr8Ng1dkTixkdG5BcePF3\n GUaPrO3h13nYT/GTL0jtEdkUurFgUlfvcXPSNQyTDz+EUCcm64cxfP1OZ+DeVA==","X-Gm-Gg":"AeBDiet7IA2z49pD9ucTUQTlm5bQkIiQhUM72Cjb2Kfb0Rmc5jaqopvOMXQdEtxHYvT\n p/Q17ryiPn7RbZeGHOVoiu/C2AfLLxl1qwWD/3eVUrYZ9YnFk5uLhd6ETXixK98Bb6c2dUZWpy+\n 
orgEFi/a5HoF2NQ14D3Xhj1XN1ftqEN3B9Z/YM2hKCwbUYY7aYpEsfGOGpjs/HJf33sqa1j1p5d\n ZvmAOAACNZI3hDtfayg4E9r2Jtdyy3fVkPZMCnUodOo7+HBX1a6jC+TtJiibEUVmc/kucbAKXp0\n STo0oXklStEd/oz9nKvTgsPCv3twxz2MJzSVRiBSZG3auLaGXoDdxl6IEZEnQeHbxZqOpigQD58\n TGcGO33WmwvbJ5YKAo+kGk9BmDahWYohnmEOUNg48H7MAL5SntLhEtkHtXMhe82o84U4xq+fk0m\n iFaIHPchpOrICSx+KbXta5N+6Rhqz/1UEHCOzCzT++jA==","X-Received":"by 2002:a17:90b:6d0:b0:365:3154:7b1 with SMTP id\n 98e67ed59e1d1-365ac78f19amr2173356a91.26.1778054108983;\n Wed, 06 May 2026 00:55:08 -0700 (PDT)","From":"Jeuk Kim <jeuk20.kim@gmail.com>","X-Google-Original-From":"Jeuk Kim <jeuk20.kim@samsung.com>","To":"qemu-devel@nongnu.org","Cc":"jeuk20.kim@samsung.com, qemu-block@nongnu.org, qemu-stable@nongnu.org,\n j-young.choi@samsung.com,\n Rayhan Ramdhany Hanaputra <hanaputrarayhan@gmail.com>","Subject":"[PATCH 2/4] hw/ufs: Guard MCQ CQ accesses against missing queues","Date":"Wed,  6 May 2026 16:54:29 +0900","Message-ID":"\n <2b4e9005cb7452c21937c99f570d774563b67b46.1778053560.git.jeuk20.kim@samsung.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<cover.1778053560.git.jeuk20.kim@samsung.com>","References":"<cover.1778053560.git.jeuk20.kim@samsung.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Received-SPF":"pass client-ip=2607:f8b0:4864:20::1034;\n envelope-from=jeuk20.kim@gmail.com; helo=mail-pj1-x1034.google.com","X-Spam_score_int":"-20","X-Spam_score":"-2.1","X-Spam_bar":"--","X-Spam_report":"(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n 
<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"A guest can ring an MCQ CQ doorbell before the completion queue exists.\nThe CQ head write path then dereferences a NULL CQ through\nufs_mcq_cq_full().\n\nIgnore CQ head updates for missing CQs, and make ufs_mcq_cq_full()\nhandle a missing CQ defensively.\n\nFixes: f78762a3cc8 (\"hw/ufs: Fix mcq completion queue wraparound\")\nReported-by: Rayhan Ramdhany Hanaputra <hanaputrarayhan@gmail.com>\nCc: qemu-stable@nongnu.org\nSigned-off-by: Jeuk Kim <jeuk20.kim@samsung.com>\n---\n hw/ufs/ufs.c | 4 ++++\n hw/ufs/ufs.h | 9 ++++++++-\n 2 files changed, 12 insertions(+), 1 deletion(-)","diff":"diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c\nindex d5fba15e2a..1819ba2e8a 100644\n--- a/hw/ufs/ufs.c\n+++ b/hw/ufs/ufs.c\n@@ -817,6 +817,10 @@ static void ufs_write_mcq_op_reg(UfsHc *u, hwaddr offset, uint32_t data,\n     case offsetof(UfsMcqOpReg, cq.hp): {\n         UfsCq *cq = u->cq[qid];\n \n+        if (!cq) {\n+            break;\n+        }\n+\n         if (ufs_mcq_cq_full(u, qid) && !QTAILQ_EMPTY(&cq->req_list)) {\n             /* Enqueueing to CQ was blocked because it was full */\n             qemu_bh_schedule(cq->bh);\ndiff --git a/hw/ufs/ufs.h b/hw/ufs/ufs.h\nindex 13d964c5ae..9e800cafac 100644\n--- a/hw/ufs/ufs.h\n+++ b/hw/ufs/ufs.h\n@@ -203,7 +203,14 @@ static inline bool ufs_mcq_cq_empty(UfsHc *u, uint32_t qid)\n static inline bool ufs_mcq_cq_full(UfsHc *u, uint32_t qid)\n {\n     uint32_t tail = ufs_mcq_cq_tail(u, qid);\n-    uint16_t cq_size = 
u->cq[qid]->size;\n+    UfsCq *cq = u->cq[qid];\n+    uint16_t cq_size;\n+\n+    if (!cq) {\n+        return false;\n+    }\n+\n+    cq_size = cq->size;\n \n     tail = (tail + sizeof(UfsCqEntry)) % (sizeof(UfsCqEntry) * cq_size);\n     return tail == ufs_mcq_cq_head(u, qid);\n","prefixes":["2/4"]}
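Review bot: in the hw/ufs/ufs.c hunk, the new `if (!cq) { break; }` in the `cq.hp` case drops a guest write to the head pointer of a queue that was never configured without any record of it; since that is a guest error rather than a normal path, consider a `qemu_log_mask(LOG_GUEST_ERROR, ...)` call (or a trace event) before the `break` so the condition is visible when debugging a misbehaving driver. The placement of the guard itself is right: it precedes both the `ufs_mcq_cq_full(u, qid)` call and the `QTAILQ_EMPTY(&cq->req_list)` dereference that follow it.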
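Review bot: in the hw/ufs/ufs.h hunk, the NULL check in `ufs_mcq_cq_full()` is placed after `uint32_t tail = ufs_mcq_cq_tail(u, qid);`, so if `ufs_mcq_cq_tail()` reaches through `u->cq[qid]` the dereference this patch means to remove still happens one line earlier. Either move the `tail` computation below `if (!cq) { return false; }` or note in the commit message that `ufs_mcq_cq_tail()` only reads register state and never touches the queue object; `ufs_mcq_cq_empty()`, visible in the hunk header just above, is worth checking for the same ordering. Returning `false` for a missing CQ is a defensible choice given that the caller in this series guards `cq` itself, but a one-line comment on that early return would spare the next reader the question of whether "not full" or "not usable" was intended.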