From patchwork Thu Apr 18 17:49:18 2024
X-Patchwork-Submitter: Michael Tokarev
X-Patchwork-Id: 789813
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Richard Henderson, Michael Tokarev
Subject: [Stable-8.2.3 088/116] tcg/optimize: Do not attempt to constant fold neg_vec
Date: Thu, 18 Apr 2024 20:49:18 +0300
Message-Id: <20240418174955.947730-1-mjt@tls.msk.ru>

From: Richard Henderson

Split out the tail of fold_neg to fold_neg_no_const so that we can avoid attempting to constant fold vector negate.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2150
Signed-off-by: Richard Henderson
(cherry picked from commit e25fe886b89a396bae5847520b70c148587d490a)
Signed-off-by: Michael Tokarev

diff --git a/tcg/optimize.c b/tcg/optimize.c index 6fcdda68ef..5ead14972a 100644 --- a/tcg/optimize.c +++ b/tcg/optimize.c @@ -1830,16 +1830,10 @@ static bool fold_nand(OptContext *ctx, TCGOp *op) return false; } -static bool fold_neg(OptContext *ctx, TCGOp *op) +static bool fold_neg_no_const(OptContext *ctx, TCGOp *op) { - uint64_t z_mask; - - if (fold_const1(ctx, op)) { - return true; - } - /* Set to 1 all bits to the left of the rightmost. */ - z_mask = arg_info(op->args[1])->z_mask; + uint64_t z_mask = arg_info(op->args[1])->z_mask; ctx->z_mask = -(z_mask & -z_mask); /*
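Review bot: fold_neg_no_const drops the early `if (fold_const1(ctx, op))` return but gains no comment saying why a negate reached through it must skip constant folding; the reason lives only in the commit message (vector negate must not be constant folded) and in the fold_sub_to_neg change further down in this patch. A one-line comment above `static bool fold_neg_no_const(OptContext *ctx, TCGOp *op)` stating that it is the entry point for negates synthesized from vector subtraction, and so must stay free of fold_const1, keeps a later cleanup from merging the two functions back together.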
@@ -1850,6 +1844,11 @@ static bool fold_neg(OptContext *ctx, TCGOp *op) return true; } +static bool fold_neg(OptContext *ctx, TCGOp *op) +{ + return fold_const1(ctx, op) || fold_neg_no_const(ctx, op); +} + static bool fold_nor(OptContext *ctx, TCGOp *op) { if (fold_const2_commutative(ctx, op) || @@ -2165,7 +2164,7 @@ static bool fold_sub_to_neg(OptContext *ctx, TCGOp *op) if (have_neg) { op->opc = neg_op; op->args[1] = op->args[2]; - return fold_neg(ctx, op); + return fold_neg_no_const(ctx, op); } return false; } diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target index 0efd565f05..70d728ae9a 100644 --- a/tests/tcg/aarch64/Makefile.target +++ b/tests/tcg/aarch64/Makefile.target @@ -10,7 +10,7 @@ VPATH += $(AARCH64_SRC) # Base architecture tests AARCH64_TESTS=fcvt pcalign-a64 lse2-fault -AARCH64_TESTS += test-2248 +AARCH64_TESTS += test-2248 test-2150 fcvt: LDFLAGS+=-lm diff --git a/tests/tcg/aarch64/test-2150.c b/tests/tcg/aarch64/test-2150.c new file mode 100644 index 0000000000..fb86c11958 --- /dev/null +++ b/tests/tcg/aarch64/test-2150.c 
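Review bot: the fold_sub_to_neg hunk carries the behavioural change: once `op->opc = neg_op` has been set, the call is now fold_neg_no_const, so a negate synthesized from a subtraction is never handed to fold_const1, whereas a negate that appears directly still goes through fold_neg and therefore fold_const1. The subject says neg_vec must not be constant folded at all, so the commit message should state whether the direct neg_vec path is already kept away from fold_const1 elsewhere; the hunks shown do not settle that. Also, since neg_op is chosen per type here, the same bypass applies to a scalar `sub 0, x` with constant x, which loses a fold that was previously performed; acceptable, but worth a sentence. The Makefile.target hunk only registers the new test for aarch64, which matches the reproducer in the issue.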
@@ -0,0 +1,12 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* See https://gitlab.com/qemu-project/qemu/-/issues/2150 */ + +int main() +{ + asm volatile( + "movi v6.4s, #1\n" + "movi v7.4s, #0\n" + "sub v6.2d, v7.2d, v6.2d\n" + : : : "v6", "v7"); + return 0; +}
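Review bot: test-2150.c executes the sequence but never reads v6 back, so it fails only if the bug manifests as an abort during translation; a silently wrong result would pass. The expected value is fixed: `movi v6.4s, #1` gives each 64-bit lane 0x0000000100000001, and `sub v6.2d, v7.2d, v6.2d` with v7 zero gives 0xfffffffeffffffff in both lanes, so storing v6 through an output operand into a `uint64_t r[2]` and returning non-zero when either lane differs would make the test self-checking.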
From patchwork Thu Apr 18 17:49:19 2024
X-Patchwork-Submitter: Michael Tokarev
X-Patchwork-Id: 789807
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Richard Henderson, Alex Fan, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-8.2.3 089/116] linux-user: Fix waitid return of siginfo_t and rusage
Date: Thu, 18 Apr 2024 20:49:19 +0300
Message-Id: <20240418174955.947730-2-mjt@tls.msk.ru>

From: Richard Henderson

The copy back to siginfo_t should be conditional only on arg3, not the specific values that might have been written. The copy back to rusage was missing entirely.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2262
Signed-off-by: Richard Henderson
Tested-by: Alex Fan
Reviewed-by: Philippe Mathieu-Daudé
(cherry picked from commit f0907ff4cae743f1a4ef3d0a55a047029eed06ff)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/syscall.c b/linux-user/syscall.c index e384e14248..834a254895 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c
@@ -9154,14 +9154,24 @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1, #ifdef TARGET_NR_waitid case TARGET_NR_waitid: { + struct rusage ru; siginfo_t info; - info.si_pid = 0; - ret = get_errno(safe_waitid(arg1, arg2, &info, arg4, NULL)); - if (!is_error(ret) && arg3 && info.si_pid != 0) { - if (!(p = lock_user(VERIFY_WRITE, arg3, sizeof(target_siginfo_t), 0))) + + ret = get_errno(safe_waitid(arg1, arg2, (arg3 ? &info : NULL), + arg4, (arg5 ? &ru : NULL))); + if (!is_error(ret)) { + if (arg3) { + p = lock_user(VERIFY_WRITE, arg3, + sizeof(target_siginfo_t), 0); + if (!p) { + return -TARGET_EFAULT; + } + host_to_target_siginfo(p, &info); + unlock_user(p, arg3, sizeof(target_siginfo_t)); + } + if (arg5 && host_to_target_rusage(arg5, &ru)) { return -TARGET_EFAULT; - host_to_target_siginfo(p, &info); - unlock_user(p, arg3, sizeof(target_siginfo_t)); + } } } return ret;
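Review bot: `struct rusage ru` and `siginfo_t info` are uninitialized locals, and on any non-error return both are now copied to the guest whenever arg3 or arg5 is set. The removed `info.si_pid = 0` / `info.si_pid != 0` pair existed because waitid(2) with WNOHANG and no waitable child returns 0 without reporting a child, and nothing in the new code guarantees the host kernel wrote `ru` on such a return, so `host_to_target_rusage(arg5, &ru)` would copy host stack contents into the guest's buffer where native Linux leaves it untouched. Suggest passing `&info` to safe_waitid unconditionally (still copying it to arg3 only when arg3 is set) and gating the rusage copy on `info.si_pid != 0`, or at minimum zero-initializing both locals so the guest never sees indeterminate bytes.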
From patchwork Thu Apr 18 17:49:21 2024
X-Patchwork-Submitter: Michael Tokarev
X-Patchwork-Id: 789806
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Richard Henderson, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-8.2.3 091/116] target/sh4: Merge mach and macl into a union
Date: Thu, 18 Apr 2024 20:49:21 +0300
Message-Id: <20240418174955.947730-4-mjt@tls.msk.ru>

From: Richard Henderson

Allow host access to the entire 64-bit accumulator.

Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Richard Henderson
(cherry picked from commit 7d95db5e78a24d3315e3112d26909a7262355cb7)
Signed-off-by: Michael Tokarev

diff --git a/target/sh4/cpu.h b/target/sh4/cpu.h index 031dc0b457..adce3666a9 100644 --- a/target/sh4/cpu.h +++ b/target/sh4/cpu.h
@@ -155,12 +155,22 @@ typedef struct CPUArchState { uint32_t pc; /* program counter */ uint32_t delayed_pc; /* target of delayed branch */ uint32_t delayed_cond; /* condition of delayed branch */ - uint32_t mach; /* multiply and accumulate high */ - uint32_t macl; /* multiply and accumulate low */ uint32_t pr; /* procedure register */ uint32_t fpscr; /* floating point status/control register */ uint32_t fpul; /* floating point communication register */ + /* multiply and accumulate: high, low and combined. */ + union { + uint64_t mac; + struct { +#if HOST_BIG_ENDIAN + uint32_t mach, macl; +#else + uint32_t macl, mach; +#endif + }; + }; + /* float point status register */ float_status fp_status;
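Review bot: correctness of the alias `mac == ((uint64_t)mach << 32) | macl` depends entirely on the HOST_BIG_ENDIAN ordering of the two halves, and the comment `/* multiply and accumulate: high, low and combined. */` does not state that invariant; spelling it out there is cheap. Two side effects deserve a sentence in the commit message: the uint64_t raises the alignment of CPUArchState and shifts every field after the union, which is harmless for code that locates mach/macl via offsetof (TCG globals, the vmstate description) because the field names are kept, and the anonymous struct inside a union is a C11 construct, fine for QEMU's C11 baseline but a reason not to expose this header to any C++ consumer.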
From patchwork Thu Apr 18 17:49:26 2024
X-Patchwork-Submitter: Michael Tokarev
X-Patchwork-Id: 789808
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Gerd Hoffmann, Michael S. Tsirkin, Michael Tokarev
Subject: [Stable-8.2.3 096/116] hw/virtio: Introduce virtio_bh_new_guarded() helper
Date: Thu, 18 Apr 2024 20:49:26 +0300
Message-Id: <20240418174955.947730-9-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

Introduce virtio_bh_new_guarded(), similar to qemu_bh_new_guarded() but using the transport memory guard, instead of the device one (there can only be one virtio device per virtio bus).

Inspired-by: Gerd Hoffmann
Reviewed-by: Gerd Hoffmann
Acked-by: Michael S. Tsirkin
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Michael S. Tsirkin
Message-Id: <20240409105537.18308-2-philmd@linaro.org>
(cherry picked from commit ec0504b989ca61e03636384d3602b7bf07ffe4da)
Signed-off-by: Michael Tokarev

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index aa02c4937c..c177c31ca0 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -4145,3 +4145,13 @@ static void virtio_register_types(void) } type_init(virtio_register_types) + +QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, + QEMUBHFunc *cb, void *opaque, + const char *name) +{ + DeviceState *transport = qdev_get_parent_bus(dev)->parent; + + return qemu_bh_new_full(cb, opaque, name, + &transport->mem_reentrancy_guard); +} diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h index c8f72850bc..7d5ffdc145 100644 --- a/include/hw/virtio/virtio.h +++ b/include/hw/virtio/virtio.h @@ -22,6 +22,7 @@ #include "standard-headers/linux/virtio_config.h" #include "standard-headers/linux/virtio_ring.h" #include "qom/object.h" +#include "block/aio.h" /* * A guest should never accept this. It implies negotiation is broken
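Review bot: `DeviceState *transport = qdev_get_parent_bus(dev)->parent;` dereferences the bus pointer without a check, so calling virtio_bh_new_guarded_full() on a virtio device that is not yet attached to its bus is a NULL dereference. All intended callers run from realize, where the transport exists, so an `assert(transport)` plus a comment stating that precondition is enough. The choice of guard is the substance of the helper and is right: the MMIO handlers a guest can re-enter belong to the transport (virtio-pci, virtio-mmio), so a bottom half that only sets the device's own mem_reentrancy_guard is never seen by the transport's check; taking `&transport->mem_reentrancy_guard` closes that gap.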
@@ -508,4 +509,10 @@ static inline bool virtio_device_disabled(VirtIODevice *vdev) bool virtio_legacy_allowed(VirtIODevice *vdev); bool virtio_legacy_check_disabled(VirtIODevice *vdev); +QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, + QEMUBHFunc *cb, void *opaque, + const char *name); +#define virtio_bh_new_guarded(dev, cb, opaque) \ + virtio_bh_new_guarded_full((dev), (cb), (opaque), (stringify(cb))) + #endif
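Review bot: the new public prototype ships without a doc comment. A few lines above `QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, ...)` saying that any bottom half a virtio device creates must be allocated through this helper so it shares the transport's re-entrancy guard, and why the device's own guard is not sufficient, would carry the reasoning from the commit message into the tree. The `virtio_bh_new_guarded` macro mirrors `qemu_bh_new_guarded` by passing `stringify(cb)` as the name, which is fine.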
From patchwork Thu Apr 18 17:49:27 2024
X-Patchwork-Submitter: Michael Tokarev
X-Patchwork-Id: 789817
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Alexander Bulekov, Yongkang Jia, Xiao Lei, Yiming Tao, Gerd Hoffmann, Michael S. Tsirkin, Michael Tokarev
Subject: [Stable-8.2.3 097/116] hw/display/virtio-gpu: Protect from DMA re-entrancy bugs
Date: Thu, 18 Apr 2024 20:49:27 +0300
Message-Id: <20240418174955.947730-10-mjt@tls.msk.ru>
From: Philippe Mathieu-Daudé

Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus and device use the same guard. Otherwise the DMA-reentrancy protection can be bypassed:

  $ cat << EOF | qemu-system-i386 -display none -nodefaults \
        -machine q35,accel=qtest \
        -m 512M \
        -device virtio-gpu \
        -qtest stdio
  outl 0xcf8 0x80000820
  outl 0xcfc 0xe0004000
  outl 0xcf8 0x80000804
  outw 0xcfc 0x06
  write 0xe0004030 0x4 0x024000e0
  write 0xe0004028 0x1 0xff
  write 0xe0004020 0x4 0x00009300
  write 0xe000401c 0x1 0x01
  write 0x101 0x1 0x04
  write 0x103 0x1 0x1c
  write 0x9301c8 0x1 0x18
  write 0x105 0x1 0x1c
  write 0x107 0x1 0x1c
  write 0x109 0x1 0x1c
  write 0x10b 0x1 0x00
  write 0x10d 0x1 0x00
  write 0x10f 0x1 0x00
  write 0x111 0x1 0x00
  write 0x113 0x1 0x00
  write 0x115 0x1 0x00
  write 0x117 0x1 0x00
  write 0x119 0x1 0x00
  write 0x11b 0x1 0x00
  write 0x11d 0x1 0x00
  write 0x11f 0x1 0x00
  write 0x121 0x1 0x00
  write 0x123 0x1 0x00
  write 0x125 0x1 0x00
  write 0x127 0x1 0x00
  write 0x129 0x1 0x00
  write 0x12b 0x1 0x00
  write 0x12d 0x1 0x00
  write 0x12f 0x1 0x00
  write 0x131 0x1 0x00
  write 0x133 0x1 0x00
  write 0x135 0x1 0x00
  write 0x137 0x1 0x00
  write 0x139 0x1 0x00
  write 0xe0007003 0x1 0x00
  EOF
  ...
  =================================================================
  ==276099==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000011178
  at pc 0x562cc3b736c7 bp 0x7ffed49dee60 sp 0x7ffed49dee58
  READ of size 8 at 0x60d000011178 thread T0
      #0 0x562cc3b736c6 in virtio_gpu_ctrl_response hw/display/virtio-gpu.c:180:42
      #1 0x562cc3b7c40b in virtio_gpu_ctrl_response_nodata hw/display/virtio-gpu.c:192:5
      #2 0x562cc3b7c40b in virtio_gpu_simple_process_cmd hw/display/virtio-gpu.c:1015:13
      #3 0x562cc3b82873 in virtio_gpu_process_cmdq hw/display/virtio-gpu.c:1050:9
      #4 0x562cc4a85514 in aio_bh_call util/async.c:169:5
      #5 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13
      #6 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5
      #7 0x562cc4a8a2da in aio_ctx_dispatch util/async.c:358:5
      #8 0x7f36840547a8 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x547a8)
      #9 0x562cc4a8b753 in glib_pollfds_poll util/main-loop.c:290:9
      #10 0x562cc4a8b753 in os_host_main_loop_wait util/main-loop.c:313:5
      #11 0x562cc4a8b753 in main_loop_wait util/main-loop.c:592:11
      #12 0x562cc3938186 in qemu_main_loop system/runstate.c:782:9
      #13 0x562cc43b7af5 in qemu_default_main system/main.c:37:14
      #14 0x7f3683a6c189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
      #15 0x7f3683a6c244 in __libc_start_main csu/../csu/libc-start.c:381:3
      #16 0x562cc2a58ac0 in _start (qemu-system-i386+0x231bac0)

  0x60d000011178 is located 56 bytes inside of 136-byte region [0x60d000011140,0x60d0000111c8)
  freed by thread T0 here:
      #0 0x562cc2adb662 in __interceptor_free (qemu-system-i386+0x239e662)
      #1 0x562cc3b86b21 in virtio_gpu_reset hw/display/virtio-gpu.c:1524:9
      #2 0x562cc416e20e in virtio_reset hw/virtio/virtio.c:2145:9
      #3 0x562cc37c5644 in virtio_pci_reset hw/virtio/virtio-pci.c:2249:5
      #4 0x562cc4233758 in memory_region_write_accessor system/memory.c:497:5
      #5 0x562cc4232eea in access_with_adjusted_size system/memory.c:573:18

  previously allocated by thread T0 here:
      #0 0x562cc2adb90e in malloc (qemu-system-i386+0x239e90e)
      #1 0x7f368405a678 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5a678)
      #2 0x562cc4163ffc in virtqueue_split_pop hw/virtio/virtio.c:1612:12
      #3 0x562cc4163ffc in virtqueue_pop hw/virtio/virtio.c:1783:16
      #4 0x562cc3b91a95 in virtio_gpu_handle_ctrl hw/display/virtio-gpu.c:1112:15
      #5 0x562cc4a85514 in aio_bh_call util/async.c:169:5
      #6 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13
      #7 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5

  SUMMARY: AddressSanitizer: heap-use-after-free hw/display/virtio-gpu.c:180:42 in virtio_gpu_ctrl_response

With this change, the same reproducer triggers:

  qemu-system-i386: warning: Blocked re-entrant IO on MemoryRegion: virtio-pci-common-virtio-gpu at addr: 0x6

Fixes: CVE-2024-3446
Cc: qemu-stable@nongnu.org
Reported-by: Alexander Bulekov
Reported-by: Yongkang Jia
Reported-by: Xiao Lei
Reported-by: Yiming Tao
Buglink: https://bugs.launchpad.net/qemu/+bug/1888606
Reviewed-by: Gerd Hoffmann
Acked-by: Michael S. Tsirkin
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Michael S. Tsirkin
Message-Id: <20240409105537.18308-3-philmd@linaro.org>
(cherry picked from commit ba28e0ff4d95b56dc334aac2730ab3651ffc3132)
Signed-off-by: Michael Tokarev

diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c index b016d3bac8..a7b16ba072 100644 --- a/hw/display/virtio-gpu.c +++ b/hw/display/virtio-gpu.c
@@ -1463,10 +1463,8 @@ void virtio_gpu_device_realize(DeviceState *qdev, Error **errp) g->ctrl_vq = virtio_get_queue(vdev, 0); g->cursor_vq = virtio_get_queue(vdev, 1); - g->ctrl_bh = qemu_bh_new_guarded(virtio_gpu_ctrl_bh, g, - &qdev->mem_reentrancy_guard); - g->cursor_bh = qemu_bh_new_guarded(virtio_gpu_cursor_bh, g, - &qdev->mem_reentrancy_guard); + g->ctrl_bh = virtio_bh_new_guarded(qdev, virtio_gpu_ctrl_bh, g); + g->cursor_bh = virtio_bh_new_guarded(qdev, virtio_gpu_cursor_bh, g); g->reset_bh = qemu_bh_new(virtio_gpu_reset_bh, g); qemu_cond_init(&g->reset_cond); QTAILQ_INIT(&g->reslist);
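Review bot: in the virtio-gpu realize hunk above, the unchanged context line `g->reset_bh = qemu_bh_new(virtio_gpu_reset_bh, g);` leaves the reset bottom half with no re-entrancy guard while the two lines before it move to virtio_bh_new_guarded(); since the freeing stack quoted in the commit message runs through virtio_gpu_reset(), either convert reset_bh the same way or add a comment stating why it is safe unguarded. The commit message would also benefit from the one-sentence rationale the sibling virtio-serial and virtio-crypto patches carry (bus and device must share one guard, otherwise the DMA re-entrancy protection can be bypassed), instead of relying on the ASan trace alone.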
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Alexander Bulekov, Gerd Hoffmann, "Michael S. Tsirkin", Michael Tokarev
Subject: [Stable-8.2.3 098/116] hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs
Date: Thu, 18 Apr 2024 20:49:28 +0300
Message-Id: <20240418174955.947730-11-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus and device use the same guard. Otherwise the DMA-reentrancy protection can be bypassed.

Fixes: CVE-2024-3446
Cc: qemu-stable@nongnu.org
Suggested-by: Alexander Bulekov
Reviewed-by: Gerd Hoffmann
Acked-by: Michael S. Tsirkin
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Michael S. Tsirkin
Message-Id: <20240409105537.18308-4-philmd@linaro.org>
(cherry picked from commit b4295bff25f7b50de1d9cc94a9c6effd40056bca)
Signed-off-by: Michael Tokarev

diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c
index dd619f0731..1221fb7f15 100644
--- a/hw/char/virtio-serial-bus.c
+++ b/hw/char/virtio-serial-bus.c
@@ -985,8 +985,7 @@ static void virtser_port_device_realize(DeviceState *dev, Error **errp) return; } - port->bh = qemu_bh_new_guarded(flush_queued_data_bh, port, - &dev->mem_reentrancy_guard); + port->bh = virtio_bh_new_guarded(dev, flush_queued_data_bh, port); port->elem = NULL; }
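Review bot: in the virtio-serial-bus hunk above, `dev` in `port->bh = virtio_bh_new_guarded(dev, flush_queued_data_bh, port);` is the port's own DeviceState (this is virtser_port_device_realize()), one level below the virtio-serial device, so which guard the helper ends up selecting for the port BH cannot be read off the hunk; the commit message says only "the bus and device use the same guard" and would be clearer if it named the device whose mem_reentrancy_guard now protects this BH, since that is the whole point of replacing `&dev->mem_reentrancy_guard`.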
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Alexander Bulekov, Gerd Hoffmann, "Michael S. Tsirkin", Michael Tokarev
Subject: [Stable-8.2.3 099/116] hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs
Date: Thu, 18 Apr 2024 20:49:29 +0300
Message-Id: <20240418174955.947730-12-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus and device use the same guard. Otherwise the DMA-reentrancy protection can be bypassed.

Fixes: CVE-2024-3446
Cc: qemu-stable@nongnu.org
Suggested-by: Alexander Bulekov
Reviewed-by: Gerd Hoffmann
Acked-by: Michael S. Tsirkin
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Michael S. Tsirkin
Message-Id: <20240409105537.18308-5-philmd@linaro.org>
(cherry picked from commit f4729ec39ad97a42ceaa7b5697f84f440ea6e5dc)
Signed-off-by: Michael Tokarev

diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
index 0e2cc8d5a8..4aaced74be 100644
--- a/hw/virtio/virtio-crypto.c
+++ b/hw/virtio/virtio-crypto.c
@@ -1080,8 +1080,8 @@ static void virtio_crypto_device_realize(DeviceState *dev, Error **errp) vcrypto->vqs[i].dataq = virtio_add_queue(vdev, 1024, virtio_crypto_handle_dataq_bh); vcrypto->vqs[i].dataq_bh = - qemu_bh_new_guarded(virtio_crypto_dataq_bh, &vcrypto->vqs[i], - &dev->mem_reentrancy_guard); + virtio_bh_new_guarded(dev, virtio_crypto_dataq_bh, + &vcrypto->vqs[i]); vcrypto->vqs[i].vcrypto = vcrypto; }
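Review bot: in the virtio-crypto hunk above, the `+ virtio_bh_new_guarded(dev, virtio_crypto_dataq_bh,` / `+ &vcrypto->vqs[i]);` change sits inside the per-queue realize loop, so it is the data-queue BHs whose guard changes from `&dev->mem_reentrancy_guard` to whatever the helper derives from `dev`; the hunk touches nothing else. The commit message is a verbatim copy of the virtio-serial one and should say that it applies to the per-queue dataq_bh, so the three stable backports sharing the same Fixes: line can be told apart when bisecting.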
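The rationale shared by the virtio-serial and virtio-crypto messages above (bus and device must use one guard, otherwise the DMA re-entrancy protection can be bypassed), shown in an added C model. This is not QEMU code: Guard, mmio_write() and bh_call() are simplified stand-ins for QEMU's MemReentrancyGuard, the dispatch-time check that emits "Blocked re-entrant IO", and aio_bh_call(); the model assumes, as the commit messages imply, that virtio_bh_new_guarded() resolves to the transport's guard while the replaced calls used the virtio device's own.

```c
/*
 * Added illustration, not QEMU source. Models why a bottom half (BH) must
 * be guarded by the transport device that owns the MMIO region, not by the
 * virtio device behind it: the dispatch check consults the region owner's
 * guard, so engaging any other guard does not block re-entrant accesses.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

enum { OUTCOME_CLEAN = 0, OUTCOME_BLOCKED = 1, OUTCOME_USE_AFTER_FREE = 2 };

/* Stand-in for MemReentrancyGuard: one flag per qdev device. */
typedef struct { bool engaged_in_io; } Guard;
typedef struct { const char *name; Guard guard; } Device;

typedef struct {
    Device *transport;  /* e.g. the virtio-pci proxy: owns the MMIO region */
    Device *device;     /* e.g. virtio-gpu: processes commands in a BH */
    bool cmd_freed;     /* "reset" frees the in-flight command */
    bool blocked;       /* dispatch refused a re-entrant access */
} Model;

/* Model of the dispatch check: the *region owner's* guard decides. */
static void mmio_write(Model *m, void (*handler)(Model *))
{
    Guard *g = &m->transport->guard;
    if (g->engaged_in_io) {
        m->blocked = true;
        fprintf(stderr, "warning: Blocked re-entrant IO on MemoryRegion: %s\n",
                m->transport->name);
        return;
    }
    g->engaged_in_io = true;
    handler(m);
    g->engaged_in_io = false;
}

/* Reset handler: in the real bug this is where the command gets freed. */
static void device_reset(Model *m) { m->cmd_freed = true; }

/* Ctrl BH body: writing the response is a DMA; when the DMA target overlaps
 * the device's own MMIO region that write re-enters the device (here: a
 * reset) while the BH still holds the command it is processing. */
static void ctrl_bh(Model *m)
{
    mmio_write(m, device_reset);
    /* The BH then keeps using the command; if reset ran, that is the UAF. */
}

/* Model of aio_bh_call(): engage the BH's guard around the callback. */
static void bh_call(Guard *g, Model *m, void (*cb)(Model *))
{
    bool last = g->engaged_in_io;
    g->engaged_in_io = true;
    cb(m);
    g->engaged_in_io = last;
}

/*
 * guard_on_transport == false models the replaced call
 * qemu_bh_new_guarded(cb, opaque, &dev->mem_reentrancy_guard) with dev the
 * virtio device; true models virtio_bh_new_guarded(dev, ...) resolving to
 * the transport's guard (assumption, see lead-in). Returns the outcome.
 */
static int run_scenario(bool guard_on_transport)
{
    Device transport = { "virtio-pci-common-virtio-gpu", { false } };
    Device device = { "virtio-gpu", { false } };
    Model m = { &transport, &device, false, false };
    Guard *bh_guard = guard_on_transport ? &transport.guard : &device.guard;

    bh_call(bh_guard, &m, ctrl_bh);
    if (m.blocked) {
        return OUTCOME_BLOCKED;
    }
    return m.cmd_freed ? OUTCOME_USE_AFTER_FREE : OUTCOME_CLEAN;
}

int main(void)
{
    /* Device guard engaged, transport guard not: the check is bypassed. */
    assert(run_scenario(false) == OUTCOME_USE_AFTER_FREE);
    /* Transport guard engaged: the re-entrant write is refused. */
    assert(run_scenario(true) == OUTCOME_BLOCKED);
    puts("guard on the transport blocks the re-entrant access; guard on the device does not");
    return 0;
}
```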
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Richard Henderson, Kevin Wolf, Michael Tokarev
Subject: [Stable-8.2.3 101/116] hw/block/nand: Factor nand_load_iolen() method out
Date: Thu, 18 Apr 2024 20:49:31 +0300
Message-Id: <20240418174955.947730-14-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

Reviewed-by: Richard Henderson
Reviewed-by: Kevin Wolf
Signed-off-by: Philippe Mathieu-Daudé
Message-Id: <20240409135944.24997-2-philmd@linaro.org>
(cherry picked from commit 7a86544f286d8af4fa5251101c1026ddae92cc3d)
Signed-off-by: Michael Tokarev

diff --git a/hw/block/nand.c b/hw/block/nand.c
index 9c1b89cfa6..58ef547c5a 100644
--- a/hw/block/nand.c
+++ b/hw/block/nand.c
@@ -243,9 +243,28 @@ static inline void nand_pushio_byte(NANDFlashState *s, uint8_t value) } } +/* + * nand_load_block: Load block containing (s->addr + @offset). + * Returns length of data available at @offset in this block. + */ +static unsigned nand_load_block(NANDFlashState *s, unsigned offset) +{ + unsigned iolen; + + s->blk_load(s, s->addr, offset); + + iolen = (1 << s->page_shift); + if (s->gnd) { + iolen += 1 << s->oob_shift; + } + assert(offset <= iolen); + iolen -= offset; + + return iolen; +} + static void nand_command(NANDFlashState *s) { - unsigned int offset; switch (s->cmd) { case NAND_CMD_READ0: s->iolen = 0; @@ -271,12 +290,7 @@ static void nand_command(NANDFlashState *s) case NAND_CMD_NOSERIALREAD2: if (!(nand_flash_ids[s->chip_id].options & NAND_SAMSUNG_LP)) break; - offset = s->addr & ((1 << s->addr_shift) - 1); - s->blk_load(s, s->addr, offset); - if (s->gnd) - s->iolen = (1 << s->page_shift) - offset; - else - s->iolen = (1 << s->page_shift) + (1 << s->oob_shift) - offset; + s->iolen = nand_load_block(s, s->addr & ((1 << s->addr_shift) - 1)); break; case NAND_CMD_RESET: 
@@ -597,12 +611,7 @@ uint32_t nand_getio(DeviceState *dev) if (!s->iolen && s->cmd == NAND_CMD_READ0) { offset = (int) (s->addr & ((1 << s->addr_shift) - 1)) + s->offset; s->offset = 0; - - s->blk_load(s, s->addr, offset); - if (s->gnd) - s->iolen = (1 << s->page_shift) - offset; - else - s->iolen = (1 << s->page_shift) + (1 << s->oob_shift) - offset; + s->iolen = nand_load_block(s, offset); } if (s->ce || s->iolen <= 0) {
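Review bot: the new nand_load_block() helper inverts the gnd condition relative to the code it replaces. The removed lines in both nand_command() and nand_getio() set iolen to `(1 << s->page_shift) - offset` when s->gnd is set and added `(1 << s->oob_shift)` otherwise, while the helper starts from the page size and adds the OOB size only `if (s->gnd)`, so both call sites change behaviour in a patch titled as a pure factor-out whose commit message has no body; either swap the condition or state the intended change. Separately, `assert(offset <= iolen)` aborts the emulator on an offset derived from the guest-programmed address (`s->addr & ((1 << s->addr_shift) - 1)`); returning 0 would be the more robust failure mode, since the nand_getio() context line `if (s->ce || s->iolen <= 0) {` already treats a zero length as nothing to read.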
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Richard Henderson, Kevin Wolf, Michael Tokarev
Subject: [Stable-8.2.3 102/116] hw/block/nand: Have blk_load() take unsigned offset and return boolean
Date: Thu, 18 Apr 2024 20:49:32 +0300
Message-Id: <20240418174955.947730-15-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

Negative offset is meaningless, use unsigned type. Return a boolean value indicating success.

Reviewed-by: Richard Henderson
Reviewed-by: Kevin Wolf
Signed-off-by: Philippe Mathieu-Daudé
Message-Id: <20240409135944.24997-3-philmd@linaro.org>
(cherry picked from commit 2e3e09b368001f7eaeeca7a9b49cb1f0c9092d85)
Signed-off-by: Michael Tokarev

diff --git a/hw/block/nand.c b/hw/block/nand.c
index 58ef547c5a..d945c0b9e3 100644
--- a/hw/block/nand.c
+++ b/hw/block/nand.c
@@ -84,7 +84,11 @@ struct NANDFlashState { void (*blk_write)(NANDFlashState *s); void (*blk_erase)(NANDFlashState *s); - void (*blk_load)(NANDFlashState *s, uint64_t addr, int offset); + /* + * Returns %true when block containing (@addr + @offset) is + * successfully loaded, otherwise %false. + */ + bool (*blk_load)(NANDFlashState *s, uint64_t addr, unsigned offset); uint32_t ioaddr_vmstate; }; @@ -772,11 +776,11 @@ static void glue(nand_blk_erase_, NAND_PAGE_SIZE)(NANDFlashState *s) } } -static void glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s, - uint64_t addr, int offset) +static bool glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s, + uint64_t addr, unsigned offset) { if (PAGE(addr) >= s->pages) { - return; + return false; } if (s->blk) { 
@@ -804,6 +808,8 @@ static bool glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s, offset, NAND_PAGE_SIZE + OOB_SIZE - offset); s->ioaddr = s->io; } + + return true; } static void glue(nand_init_, NAND_PAGE_SIZE)(NANDFlashState *s)
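Review bot: with `offset` now `unsigned`, the unchanged context line `offset, NAND_PAGE_SIZE + OOB_SIZE - offset);` in nand_blk_load_NAND_PAGE_SIZE() computes a length that wraps to a huge value instead of going negative whenever offset exceeds NAND_PAGE_SIZE + OOB_SIZE, so the type change widens the failure unless the range check the new doc comment promises ("Returns %true when block containing (@addr + @offset) is successfully loaded") lands with it; that check only arrives in the next patch of this series, which the commit message should say so the two are not backported apart. Also note that at this point nand_load_block() still calls `s->blk_load(s, s->addr, offset);` and drops the new boolean, so the intermediate tree has a return value no caller consumes.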
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Qiang Liu, Richard Henderson, Kevin Wolf, Michael Tokarev
Subject: [Stable-8.2.3 103/116] hw/block/nand: Fix out-of-bound access in NAND block buffer
Date: Thu, 18 Apr 2024 20:49:33 +0300
Message-Id: <20240418174955.947730-16-mjt@tls.msk.ru>
From: Philippe Mathieu-Daudé nand_command() and nand_getio() don't check @offset points into the block, nor the available data length (s->iolen) is not negative. In order to fix: - check the offset is in range in nand_blk_load_NAND_PAGE_SIZE(), - do not set @iolen if blk_load() failed. Reproducer: $ cat << EOF | qemu-system-arm -machine tosa \ -monitor none -serial none \ -display none -qtest stdio write 0x10000111 0x1 0xca write 0x10000104 0x1 0x47 write 0x1000ca04 0x1 0xd7 write 0x1000ca01 0x1 0xe0 write 0x1000ca04 0x1 0x71 write 0x1000ca00 0x1 0x50 write 0x1000ca04 0x1 0xd7 read 0x1000ca02 0x1 write 0x1000ca01 0x1 0x10 EOF ================================================================= ==15750==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000000de0 at pc 0x560e61557210 bp 0x7ffcfc4a59f0 sp 0x7ffcfc4a59e8 READ of size 1 at 0x61f000000de0 thread T0 #0 0x560e6155720f in mem_and hw/block/nand.c:101:20 #1 0x560e6155ac9c in nand_blk_write_512 hw/block/nand.c:663:9 #2 0x560e61544200 in nand_command hw/block/nand.c:293:13 #3 0x560e6153cc83 in nand_setio hw/block/nand.c:520:13 #4 0x560e61a0a69e in tc6393xb_nand_writeb hw/display/tc6393xb.c:380:13 #5 0x560e619f9bf7 in tc6393xb_writeb hw/display/tc6393xb.c:524:9 #6 0x560e647c7d03 in memory_region_write_accessor softmmu/memory.c:492:5 #7 0x560e647c7641 in access_with_adjusted_size softmmu/memory.c:554:18 #8 0x560e647c5f66 in memory_region_dispatch_write softmmu/memory.c:1514:16 #9 0x560e6485409e in flatview_write_continue softmmu/physmem.c:2825:23 #10 0x560e648421eb in flatview_write softmmu/physmem.c:2867:12 #11 0x560e64841ca8 in address_space_write softmmu/physmem.c:2963:18 #12 0x560e61170162 in qemu_writeb tests/qtest/videzzo/videzzo_qemu.c:1080:5 #13 0x560e6116eef7 in dispatch_mmio_write tests/qtest/videzzo/videzzo_qemu.c:1227:28 0x61f000000de0 is located 0 bytes to the right of 3424-byte region [0x61f000000080,0x61f000000de0) allocated by thread T0 here: #0 0x560e611276cf in malloc 
/root/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x7f7959a87e98 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57e98) #2 0x560e64b98871 in object_new qom/object.c:749:12 #3 0x560e64b5d1a1 in qdev_new hw/core/qdev.c:153:19 #4 0x560e61547ea5 in nand_init hw/block/nand.c:639:11 #5 0x560e619f8772 in tc6393xb_init hw/display/tc6393xb.c:558:16 #6 0x560e6390bad2 in tosa_init hw/arm/tosa.c:250:12 SUMMARY: AddressSanitizer: heap-buffer-overflow hw/block/nand.c:101:20 in mem_and ==15750==ABORTING Broken since introduction in commit 3e3d5815cb ("NAND Flash memory emulation and ECC calculation helpers for use by NAND controllers"). Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1445 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1446 Reported-by: Qiang Liu Reviewed-by: Richard Henderson Reviewed-by: Kevin Wolf Signed-off-by: Philippe Mathieu-Daudé Message-Id: <20240409135944.24997-4-philmd@linaro.org> (cherry picked from commit d39fdfff348fdf00173b7a58e935328a64db7d28) Signed-off-by: Michael Tokarev diff --git a/hw/block/nand.c b/hw/block/nand.c index d945c0b9e3..902cc56a03 100644 --- a/hw/block/nand.c +++ b/hw/block/nand.c @@ -255,7 +255,9 @@ static unsigned nand_load_block(NANDFlashState *s, unsigned offset) { unsigned iolen; - s->blk_load(s, s->addr, offset); + if (!s->blk_load(s, s->addr, offset)) { + return 0; + } iolen = (1 << s->page_shift); if (s->gnd) { 
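Review bot: the new `return 0;` when s->blk_load() fails is silent, and the offset range check added to nand_blk_load_NAND_PAGE_SIZE() in the next hunk makes a guest-supplied out-of-range @offset exactly the case that fails here, so the rejected access leaves no trace. A qemu_log_mask(LOG_GUEST_ERROR, ...) on that path, as the lan9118 overrun fix later in this series does, would keep a misbehaving or fuzzing guest visible in the log. A one-line comment that 0 means "nothing loaded, s->iolen stays zero" would also help, since the function otherwise returns a byte count.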
@@ -783,6 +785,10 @@ static bool glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s, return false; } + if (offset > NAND_PAGE_SIZE + OOB_SIZE) { + return false; + } + if (s->blk) { if (s->mem_oob) { if (blk_pread(s->blk, SECTOR(addr) << BDRV_SECTOR_BITS, From patchwork Thu Apr 18 17:49:34 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Michael Tokarev X-Patchwork-Id: 789812 Delivered-To: patch@linaro.org Received: by 2002:adf:e6ca:0:b0:346:15ad:a2a with SMTP id y10csp695203wrm; Thu, 18 Apr 2024 10:52:11 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCV/PLVVbYOxYbkn+24PTMARiGVklzJfWyhPnKBqbP3VPd9LqaQmfm/fjOAQaOUt/z13wRsctiE73pZTVsqdMIDx X-Google-Smtp-Source: AGHT+IHSgCI8av2Uf60oeyT/0evYfe5jJfdB6xQIim/9tIT0Te8nka3aIX/4U1UvVYHu9Fshmtcm X-Received: by 2002:a05:622a:34f:b0:437:a0fc:9198 with SMTP id r15-20020a05622a034f00b00437a0fc9198mr2741663qtw.12.1713462731120; Thu, 18 Apr 2024 10:52:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1713462731; cv=none; d=google.com; s=arc-20160816; b=INF4GuyTmu70rBTs7s6oY5a6Z0YiaFYi+LHfpuDaQmXexjIq5LKLvgFQfoV2wEoaCH AiO+URQ5trPKOOdqLtH9ZIY6zdwwg/eJ17CnPYzMvsEO8iVOMQTO49k9FE3rgs89n+o+ 4nvOsZ6EpV7QW7j4L/35HA4FfhxIrgtkG+ImvlyvMTibSDfWtW9ZsxcnYDZKxy/h5E2M 1HuPQpFJwk3WocKB5ja0o4ycm/PfBft+9Dh/30tvfGzbgFBEapMdmhxqOJ8XnY57DeXJ j6sRj9m4Z2CE92omzJAd7b8NyBpe8YlS6cQEoY+hOZcrRSrPS6q8lWWnMkLlAeJ5VBsZ KjBw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from; bh=PITDiwcEne1mvwImsIqQGnA5z4IfFwj1UMnzudlp+TQ=; fh=VnQSsLJ6tU3xftJEJWuGWplserK0coOB1jCu/kfGRn4=; b=CEgokWiM1fdW/7hXl0lEtEZVps/8Z7p5CRBU6cGJrbDE7IhVmACidlCS1DkuVtruMv JAKHMtUf1isvop24hEFsKJ9TMfdAzG4pDOJ56Cv/hYk13dzk2iTBWG0gEqeB7z4MBUjy 
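Review bot: the bound is `offset > NAND_PAGE_SIZE + OOB_SIZE`, so offset == NAND_PAGE_SIZE + OOB_SIZE still passes and yields a load that starts at the very end of the page+OOB area. If that zero-length case is intended, say so in a comment; if the intent is the commit message's "check @offset points into the block", the comparison should be `>=`. Placing the check before `if (s->blk)` is right, since both the block-backed and the in-memory branches then share it.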
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Zheyu Ma, Peter Maydell, Michael Tokarev
Subject: [Stable-8.2.3 104/116] hw/misc/applesmc: Fix memory leak in reset() handler
Date: Thu, 18 Apr 2024 20:49:34 +0300
Message-Id: <20240418174955.947730-17-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

AppleSMCData is allocated with g_new0() in applesmc_add_key():
release it with g_free().

Leaked since commit 1ddda5cd36 ("AppleSMC device emulation").

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2272
Reported-by: Zheyu Ma
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Peter Maydell
Message-Id: <20240408095217.57239-3-philmd@linaro.org>
(cherry picked from commit fc09ff2979defdcf8d00c2db94022d5d610e36ba)
Signed-off-by: Michael Tokarev

diff --git a/hw/misc/applesmc.c b/hw/misc/applesmc.c
index 72300d0cbc..a77fb93e7f 100644
--- a/hw/misc/applesmc.c
+++ b/hw/misc/applesmc.c
@@ -274,6 +274,7 @@ static void qdev_applesmc_isa_reset(DeviceState *dev) /* Remove existing entries */ QLIST_FOREACH_SAFE(d, &s->data_def, node, next) { QLIST_REMOVE(d, node); + g_free(d); } s->status = 0x00; s->status_1e = 0x00; From patchwork Thu Apr 18 17:49:35 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Michael Tokarev X-Patchwork-Id: 789809 Delivered-To: patch@linaro.org Received: by 2002:adf:e6ca:0:b0:346:15ad:a2a with SMTP id y10csp694983wrm; Thu, 18 Apr 2024 10:51:36 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCV9j/TtgqbBmNu+laJjBfC+ztV5laApXbjtVqRHffWIBqBGtPRFE5QOQK/Sr6mGqXiKU6GyrzN/fxei8KXFDDML X-Google-Smtp-Source: AGHT+IGoF5JJYTCNcAJZlvmWjlSeLXv5Bz9BGPXNZNwuUz1Lo/fG4sh9lNMmiWMK1MtbtgcbU6yP X-Received: by 2002:a05:620a:1115:b0:78e:fd29:84bc with SMTP id o21-20020a05620a111500b0078efd2984bcmr3626983qkk.42.1713462696148; Thu, 18 Apr 2024 10:51:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1713462696; cv=none; d=google.com; s=arc-20160816; b=wnMrRrhxmbFwdTV9sTqb8VbhViWcRxqD0+zFiYKThvK71VzPspiQcMGEKUuDQ7J4AY YUVeSyKrtKeCKsCqUX5B2q+gzWlw5j0XFljyLzfvEDxs/Y+4CuH0J1DTtzXY+2EZtZk5 VM84OZ8FfzuKUk1jAIEFkHwUMjIyGbVqXJte8DdbZLkv3RnWCFr4azk9RoSs8woBk5Xm H+p2b1MxTwTrrys++ilzr+SfcyRMLvhMkzQx7q/nPOIMnQfVFbOnMO+TbhWE7FTQY/yl OSSsuBKTU0Hf0MRBZbUQXSbGhZt6OwaPnuyI0Vrvpb5bgP11aZkyBttlUkI/yqafPeZS Pcag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from; bh=OyaXeZLI95+FLzkNX/is0hT1EF3rL9/DzI7x8+cky/k=; fh=kcvrXg0b8ORyB3OpqOAjaCjQlgwib6p5RTCo7Fn5FsQ=; b=vSe9RPMmPZI/3w14lCkc8DNKXG9gP9niQR3DrDqsXt3VKzdYOXi2zoi2gQpDVBb3FN epa6VW3q480ERbhjwiAXf6l2mE+rq76+Y9nslVImWy2OPmhwGdnQA46ag2VA3tKJa2bn JrCZZSiTi4I6Vjn+MvvVWWeiE0Gf2vYDUIUkOwqH86WWVmHq1V/8pe3ELQx1iGyeQS8y 
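Review bot: g_free(d) inside the loop is only correct because QLIST_FOREACH_SAFE captured `next` before the body ran; a later change to plain QLIST_FOREACH would turn this into a use-after-free, so a short comment on why the _SAFE variant is required would protect it. Two points not visible in the hunk are worth confirming: that AppleSMCData owns no heap members of its own (the commit message mentions only the struct allocated by g_new0()), and that the device teardown path frees the list as well, otherwise the same leak survives outside reset.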
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Zheyu Ma, zhenwei pi, Michael Tokarev
Subject: [Stable-8.2.3 105/116] backends/cryptodev: Do not abort for invalid session ID
Date: Thu, 18 Apr 2024 20:49:35 +0300
Message-Id: <20240418174955.947730-18-mjt@tls.msk.ru>
From: Philippe Mathieu-Daudé

Instead of aborting when a session ID is invalid,
return VIRTIO_CRYPTO_INVSESS ("Invalid session id").

Reproduced using:

$ cat << EOF | qemu-system-i386 -display none \
    -machine q35,accel=qtest -m 512M -nodefaults \
    -object cryptodev-backend-builtin,id=cryptodev0 \
    -device virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 \
    -qtest stdio
outl 0xcf8 0x80000804
outw 0xcfc 0x06
outl 0xcf8 0x80000820
outl 0xcfc 0xe0008000
write 0x10800e 0x1 0x01
write 0xe0008016 0x1 0x01
write 0xe0008020 0x4 0x00801000
write 0xe0008028 0x4 0x00c01000
write 0xe000801c 0x1 0x01
write 0x110000 0x1 0x05
write 0x110001 0x1 0x04
write 0x108002 0x1 0x11
write 0x108008 0x1 0x48
write 0x10800c 0x1 0x01
write 0x108018 0x1 0x10
write 0x10801c 0x1 0x02
write 0x10c002 0x1 0x01
write 0xe000b005 0x1 0x00
EOF

Assertion failed: (session_id < MAX_NUM_SESSIONS && builtin->sessions[session_id]), function cryptodev_builtin_close_session, file cryptodev-builtin.c, line 430.

Cc: qemu-stable@nongnu.org
Reported-by: Zheyu Ma
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2274
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: zhenwei pi
Message-Id: <20240409094757.9127-1-philmd@linaro.org>
(cherry picked from commit eaf2bd29538d039df80bb4b1584de33a61312bc6)
Signed-off-by: Michael Tokarev

diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c
index 39d0455280..a514bbb310 100644
--- a/backends/cryptodev-builtin.c
+++ b/backends/cryptodev-builtin.c
@@ -427,7 +427,9 @@ static int cryptodev_builtin_close_session( CRYPTODEV_BACKEND_BUILTIN(backend); CryptoDevBackendBuiltinSession *session; - assert(session_id < MAX_NUM_SESSIONS && builtin->sessions[session_id]); + if (session_id >= MAX_NUM_SESSIONS || !builtin->sessions[session_id]) { + return -VIRTIO_CRYPTO_INVSESS; + } session = builtin->sessions[session_id]; if (session->cipher) { From patchwork Thu Apr 18 17:49:36 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Michael Tokarev X-Patchwork-Id: 789821 Delivered-To: patch@linaro.org Received: by 2002:adf:e6ca:0:b0:346:15ad:a2a with SMTP id y10csp696017wrm; Thu, 18 Apr 2024 10:54:25 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCUhy26HX4sQl7lgWVUAaQeVGo9RIwToKKKmQcc4Q8tAVOBWZxa6JLrEfWcqv+tFESGCvffsVDLMTFq3Wy+GJzBt X-Google-Smtp-Source: AGHT+IFKwh0//mzievRr8qFmyNa9e5HsSdV+Il4vUd/kwC6RY3aiyT1PUjQDB0e71zuXGhAfrFsL X-Received: by 2002:a05:6214:5610:b0:699:4c5e:8a9a with SMTP id mg16-20020a056214561000b006994c5e8a9amr3837444qvb.51.1713462865102; Thu, 18 Apr 2024 10:54:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1713462865; cv=none; d=google.com; s=arc-20160816; b=ivQM+crcRYCRTtuya7wgM+pmdy0Ox/uwPZOnxYTI3PNBVit25WmaN2LCu+XDdJTZEi 1tUDZHGZeOU+zyHbOwH6shRxjPx/StO7IsliOkyTDpRfqYPZO5Ab/BAsPNqkHEA1Ctii HPjAw3bW3OFYcJds5+974QSNtjXR1pEiZCzbBDpWclBtxXEPGfU6ioLo4/BV8GZyj/7u ZCB20p/wLpiqNTekFVcfFg3MG2yqmNawRGhg/wo/SwEJ2k771PV66Q90R/qPPTh/6xvy WSle/U9u4Z66MajN6ffAXxZtPwxwEOrt+KR4F+IThVIhfYpRxtzNqA+j4beesL5QHHiv 7/Fw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from; bh=wA+hxFxLpBgP3NG1nmemhWBrgWC8+gkPwTe7jrVF6yk=; fh=m04Zw7Rd3szriI+fwMSRTbsn9jEhMzlDh3fvULRyulY=; 
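Review bot: `session_id >= MAX_NUM_SESSIONS` is a complete bounds check only if session_id is an unsigned type; the parameter list is cut from this hunk, so please confirm, because a signed value of -1 would pass the test and index sessions[-1]. The guest now gets -VIRTIO_CRYPTO_INVSESS back with no host-side trace: a qemu_log_mask(LOG_GUEST_ERROR, ...) before the return would keep a misbehaving or fuzzing guest visible, and it is worth checking that the caller maps this negative return to the VIRTIO_CRYPTO_INVSESS status the same way it maps the function's other error returns.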
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Peter Maydell, Michael Tokarev
Subject: [Stable-8.2.3 106/116] hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition
Date: Thu, 18 Apr 2024 20:49:36 +0300
Message-Id: <20240418174955.947730-19-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

The magic 2048 is explained in the LAN9211 datasheet (DS00002414A)
in chapter 1.4, "10/100 Ethernet MAC":

  The MAC Interface Layer (MIL), within the MAC, contains a 2K Byte
  transmit and a 128 Byte receive FIFO which is separate from the TX
  and RX FIFOs. [...]

Note, the use of the constant in lan9118_receive() reveals that
our implementation is using the same buffer for both tx and rx.

Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Peter Maydell
Message-Id: <20240409133801.23503-2-philmd@linaro.org>
(cherry picked from commit a45223467e4e185fff1c76a6483784fa379ded77)
Signed-off-by: Michael Tokarev

diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
index cf7b8c897a..f0a8a3fa10 100644
--- a/hw/net/lan9118.c +++ b/hw/net/lan9118.c @@ -150,6 +150,12 @@ do { printf("lan9118: " fmt , ## __VA_ARGS__); } while (0) #define GPT_TIMER_EN 0x20000000 +/* + * The MAC Interface Layer (MIL), within the MAC, contains a 2K Byte transmit + * and a 128 Byte receive FIFO which is separate from the TX and RX FIFOs. + */ +#define MIL_TXFIFO_SIZE 2048 + enum tx_state { TX_IDLE, TX_B, @@ -166,7 +172,7 @@ typedef struct { int32_t pad; int32_t fifo_used; int32_t len; - uint8_t data[2048]; + uint8_t data[MIL_TXFIFO_SIZE]; } LAN9118Packet; static const VMStateDescription vmstate_lan9118_packet = { @@ -182,7 +188,7 @@ static const VMStateDescription vmstate_lan9118_packet = { VMSTATE_INT32(pad, LAN9118Packet), VMSTATE_INT32(fifo_used, LAN9118Packet), VMSTATE_INT32(len, LAN9118Packet), - VMSTATE_UINT8_ARRAY(data, LAN9118Packet, 2048), + VMSTATE_UINT8_ARRAY(data, LAN9118Packet, MIL_TXFIFO_SIZE), VMSTATE_END_OF_LIST() } }; 
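Review bot: the comment above MIL_TXFIFO_SIZE quotes a 2K transmit FIFO and a separate 128-byte receive FIFO, but the constant it introduces sizes LAN9118Packet.data, which the commit message says is also the buffer lan9118_receive() fills. A reader of the header comment alone will assume a 128-byte receive limit that the model does not enforce; add a sentence stating that the model uses one MIL_TXFIFO_SIZE buffer for both directions, or name the macro after what it actually bounds. The VMSTATE_UINT8_ARRAY change keeps the count at 2048, so the migration stream layout is unchanged, which is what a stable backport needs.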
@@ -544,7 +550,7 @@ static ssize_t lan9118_receive(NetClientState *nc, const uint8_t *buf, return -1; } - if (size >= 2048 || size < 14) { + if (size >= MIL_TXFIFO_SIZE || size < 14) { return -1; } From patchwork Thu Apr 18 17:49:37 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Michael Tokarev X-Patchwork-Id: 789823 Delivered-To: patch@linaro.org Received: by 2002:adf:e6ca:0:b0:346:15ad:a2a with SMTP id y10csp696577wrm; Thu, 18 Apr 2024 10:56:00 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCXESXqLStbMg4llYm86cZs5xP21TynZjLyQAl5/Ov5sAfD0s22YROlTWQyGYMzPnxNm1pS+CJ6ZNwyzRuVpWueB X-Google-Smtp-Source: AGHT+IHpFHnMT0HyWeuat/D6ya+cal38vPEOK7vUYypCG8nO9mH2D0fhk4jC6NbKMi6+vnvlYDEu X-Received: by 2002:ac8:57cb:0:b0:437:b502:d912 with SMTP id w11-20020ac857cb000000b00437b502d912mr1253880qta.29.1713462960040; Thu, 18 Apr 2024 10:56:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1713462960; cv=none; d=google.com; s=arc-20160816; b=ffUmHyW1i8HKGTS3ZxZ7LG7VXCLlor03b0jXzWDTEvPTRUH9mKB9XvyflbFLcnvtNb XD0lDk57ezifHANSxMhfPjZa1lFLfQwOxcPyg+8VRae0juMT/Zu78byX2c3ZFJkMBEwF 7bmkQP2kAvaRXvRuHnHaK0cEhArTrJAFun/n+qWqMV+nhorDVY2istQAO4bV6U3amMPS hwhxbG7kOOG7zqgrlqXj/eWRqgg1v4PVjXvCVfkbPsV5sy9L+sAy0GyaBZIGgWDwjBeO fXjOhT0gf/jwXLFQRReyJCtEoYs9zRVfNL5LShzgbzuExWgO1ywmpXs7JqD9AH6n9KEj M8ZA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from; bh=B+MajSl/WjMVKTSOLM09vsQXiCk6KMeFKbKfLJOUnbE=; fh=yKfcvcrg+Er+B+I7T0P1R4USoSs/nf8gXvBTFGEIYPs=; b=NFduwxGotD22YQ2rrustaaHxawBWeDYRx/BJ1GZfyLGsGI/RUl5Mkz3ekZhOgUWkAj C/5wxYR6zl6buKPy62e+xVOCzE7qlO8QAfMku1V7DI5yFRmZOiykaL/g8tQ2go7EhjJz KDxdEq2KyF8kzSUIXHoaZtJWoYCFZ/w1HOPej2pVGK4xUTEwcosGiuhn7jNWR6xNxkrk 
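Review bot: `size >= MIL_TXFIFO_SIZE` rejects a frame of exactly 2048 bytes although data[] is now visibly 2048 bytes long; this hunk only renames the constant, so the strict comparison is inherited, but the rename is the moment either to document why the last byte is reserved or to change the test to `>`. The `size < 14` lower bound (one Ethernet header) deserves a named constant for the same reason.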
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Chuhong Yuan, Peter Maydell, Michael Tokarev
Subject: [Stable-8.2.3 107/116] hw/net/lan9118: Fix overflow in MIL TX FIFO
Date: Thu, 18 Apr 2024 20:49:37 +0300
Message-Id: <20240418174955.947730-20-mjt@tls.msk.ru>
From: Philippe Mathieu-Daudé

When the MAC Interface Layer (MIL) transmit FIFO is full, truncate
the packet, and raise the Transmitter Error (TXE) flag.

Broken since model introduction in commit 2a42499017
("LAN9118 emulation").

When using the reproducer from
https://gitlab.com/qemu-project/qemu/-/issues/2267 we get:

  hw/net/lan9118.c:798:17: runtime error: index 2048 out of bounds for type 'uint8_t[2048]' (aka 'unsigned char[2048]')
    #0 0x563ec9a057b1 in tx_fifo_push hw/net/lan9118.c:798:43
    #1 0x563ec99fbb28 in lan9118_writel hw/net/lan9118.c:1042:9
    #2 0x563ec99f2de2 in lan9118_16bit_mode_write hw/net/lan9118.c:1205:9
    #3 0x563ecbf78013 in memory_region_write_accessor system/memory.c:497:5
    #4 0x563ecbf776f5 in access_with_adjusted_size system/memory.c:573:18
    #5 0x563ecbf75643 in memory_region_dispatch_write system/memory.c:1521:16
    #6 0x563ecc01bade in flatview_write_continue_step system/physmem.c:2713:18
    #7 0x563ecc01b374 in flatview_write_continue system/physmem.c:2743:19
    #8 0x563ecbff1c9b in flatview_write system/physmem.c:2774:12
    #9 0x563ecbff1768 in address_space_write system/physmem.c:2894:18
    ...

[*] LAN9118 DS00002266B.pdf, Table 5.3.3 "INTERRUPT STATUS REGISTER"

Cc: qemu-stable@nongnu.org
Reported-by: Will Lester
Reported-by: Chuhong Yuan
Suggested-by: Peter Maydell
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2267
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Peter Maydell
Message-Id: <20240409133801.23503-3-philmd@linaro.org>
(cherry picked from commit ad766d603f39888309cfb1433ba2de1d0e9e4f58)
Signed-off-by: Michael Tokarev

diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
index f0a8a3fa10..4b081cc827 100644
--- a/hw/net/lan9118.c
+++ b/hw/net/lan9118.c
@@ -799,8 +799,22 @@ static void tx_fifo_push(lan9118_state *s, uint32_t val) /* Documentation is somewhat unclear on the ordering of bytes in FIFO words. Empirical results show it to be little-endian. */ - /* TODO: FIFO overflow checking. */ while (n--) { + if (s->txp->len == MIL_TXFIFO_SIZE) { + /* + * No more space in the FIFO. The datasheet is not + * precise about this case. We choose what is easiest + * to model: the packet is truncated, and TXE is raised. + * + * Note, it could be a fragmented packet, but we currently + * do not handle that (see earlier TX_B case). + */ + qemu_log_mask(LOG_GUEST_ERROR, + "MIL TX FIFO overrun, discarding %u byte%s\n", + n, n > 1 ? "s" : ""); + s->int_sts |= TXE_INT; + break; + } s->txp->data[s->txp->len] = val & 0xff; s->txp->len++; val >>= 8; From patchwork Thu Apr 18 17:49:38 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Michael Tokarev X-Patchwork-Id: 789816 Delivered-To: patch@linaro.org Received: by 2002:adf:e6ca:0:b0:346:15ad:a2a with SMTP id y10csp695425wrm; Thu, 18 Apr 2024 10:52:50 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCURIVxC5wuoaaI8Rf2u+GaRuXZaLWtz6C5nUSHq7QMphSEy2J5LnbkZko1QpBJdkLjQY08Lchq8Eg5LUUebp783 X-Google-Smtp-Source: AGHT+IEYM+QrQcfFmen6g8kMyp7AqpBKpx4IBsuWe2aSURiV6sdtxroaYcKGVDmw5Yt6R8S4TPVM X-Received: by 2002:a05:620a:f0b:b0:78f:1714:a68e with SMTP id v11-20020a05620a0f0b00b0078f1714a68emr233663qkl.13.1713462770420; Thu, 18 Apr 2024 10:52:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1713462770; cv=none; d=google.com; s=arc-20160816; b=Ik4WwW0ggFmvNLawk26lkQ0Xr7MK2zYDahsaQTBVuw7gKxXkt4nfCIkbxyB77yxyM6 zp2t1eHg52XhYcsLRYcElHt9VIiqKTul7bSBIxijgrdyP9ZfKsfmpDMFjcv+qKMnxs+d WaHwukgcDK1U8kyKNxvaeT8LQhYp/xgoPuQrCJbIMFmjAPBs4TTPgr6Eq2fAWtsEsheb MqQdtxB5kaACCVso88EZgv+DX9nCSN41EZgb5IEPL6TGMtMA7hli+MbLPAHM3plKdoqt N1fzcJqgRP3hlcJugSEmFNIoCvTZYnmM5dpzKzJtnJNR8HHU0LWQc2YAyZlfmswjhpaP Cp1Q== ARC-Message-Signature: i=1; a=rsa-sha256; 
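Review bot: the byte count in the LOG_GUEST_ERROR message is off by one. The check sits inside `while (n--)`, so when it fires `n` has already been decremented and counts the bytes left after the one about to be stored; that byte is dropped as well, so the message should print n + 1 (as written it reports "discarding 0 bytes" when only the last byte of a word is lost). Separately, the guard uses `==` although `len` is an int32_t that is also restored from the migration stream (VMSTATE_INT32(len, LAN9118Packet) in the previous patch); `>=` costs nothing, and a post_load check that 0 <= len <= MIL_TXFIFO_SIZE would stop a crafted stream from re-opening the overflow this hunk closes.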
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Alexander Bulekov, Chuhong Yuan, Peter Maydell, Michael Tokarev
Subject: [Stable-8.2.3 108/116] hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set
Date: Thu, 18 Apr 2024 20:49:38 +0300
Message-Id: <20240418174955.947730-21-mjt@tls.msk.ru>
From: Philippe Mathieu-Daudé

Per "SD Host Controller Standard Specification Version 3.00":

  * 2.2.5 Transfer Mode Register (Offset 00Ch)

    Writes to this register shall be ignored when the Command
    Inhibit (DAT) in the Present State register is 1.

Do not update the TRNMOD register when Command Inhibit (DAT)
bit is set to avoid the present-status register going out of
sync, leading to malicious guest using DMA mode and overflowing
the FIFO buffer:

  $ cat << EOF | qemu-system-i386 \
     -display none -nographic -nodefaults \
     -machine accel=qtest -m 512M \
     -device sdhci-pci,sd-spec-version=3 \
     -device sd-card,drive=mydrive \
     -drive if=none,index=0,file=null-co://,format=raw,id=mydrive \
     -qtest stdio
  outl 0xcf8 0x80001013
  outl 0xcfc 0x91
  outl 0xcf8 0x80001001
  outl 0xcfc 0x06000000
  write 0x9100002c 0x1 0x05
  write 0x91000058 0x1 0x16
  write 0x91000005 0x1 0x04
  write 0x91000028 0x1 0x08
  write 0x16 0x1 0x21
  write 0x19 0x1 0x20
  write 0x9100000c 0x1 0x01
  write 0x9100000e 0x1 0x20
  write 0x9100000f 0x1 0x00
  write 0x9100000c 0x1 0x00
  write 0x91000020 0x1 0x00
  EOF

Stack trace (part):

  =================================================================
  ==89993==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000029900 at pc 0x55d5f885700d bp 0x7ffc1e1e9470 sp 0x7ffc1e1e9468
  WRITE of size 1 at 0x615000029900 thread T0
      #0 0x55d5f885700c in sdhci_write_dataport hw/sd/sdhci.c:564:39
      #1 0x55d5f8849150 in sdhci_write hw/sd/sdhci.c:1223:13
      #2 0x55d5fa01db63 in memory_region_write_accessor system/memory.c:497:5
      #3 0x55d5fa01d245 in access_with_adjusted_size system/memory.c:573:18
      #4 0x55d5fa01b1a9 in memory_region_dispatch_write system/memory.c:1521:16
      #5 0x55d5fa09f5c9 in flatview_write_continue system/physmem.c:2711:23
      #6 0x55d5fa08f78b in flatview_write system/physmem.c:2753:12
      #7 0x55d5fa08f258 in address_space_write system/physmem.c:2860:18
      ...
  0x615000029900 is located 0 bytes to the right of 512-byte region [0x615000029700,0x615000029900)
  allocated by thread T0 here:
      #0 0x55d5f7237b27 in __interceptor_calloc
      #1 0x7f9e36dd4c50 in g_malloc0
      #2 0x55d5f88672f7 in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5
      #3 0x55d5f844b582 in pci_qdev_realize hw/pci/pci.c:2092:9
      #4 0x55d5fa2ee74b in device_set_realized hw/core/qdev.c:510:13
      #5 0x55d5fa325bfb in property_set_bool qom/object.c:2358:5
      #6 0x55d5fa31ea45 in object_property_set qom/object.c:1472:5
      #7 0x55d5fa332509 in object_property_set_qobject om/qom-qobject.c:28:10
      #8 0x55d5fa31f6ed in object_property_set_bool qom/object.c:1541:15
      #9 0x55d5fa2e2948 in qdev_realize hw/core/qdev.c:292:12
      #10 0x55d5f8eed3f1 in qdev_device_add_from_qdict system/qdev-monitor.c:719:10
      #11 0x55d5f8eef7ff in qdev_device_add system/qdev-monitor.c:738:11
      #12 0x55d5f8f211f0 in device_init_func system/vl.c:1200:11
      #13 0x55d5fad0877d in qemu_opts_foreach util/qemu-option.c:1135:14
      #14 0x55d5f8f0df9c in qemu_create_cli_devices system/vl.c:2638:5
      #15 0x55d5f8f0db24 in qmp_x_exit_preconfig system/vl.c:2706:5
      #16 0x55d5f8f14dc0 in qemu_init system/vl.c:3737:9
      ...

  SUMMARY: AddressSanitizer: heap-buffer-overflow hw/sd/sdhci.c:564:39 in sdhci_write_dataport

Add assertions to ensure the fifo_buffer[] is not overflowed
by malicious accesses to the Buffer Data Port register.

Fixes: CVE-2024-3447
Cc: qemu-stable@nongnu.org
Fixes: d7dfca0807 ("hw/sdhci: introduce standard SD host controller")
Buglink: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813
Reported-by: Alexander Bulekov
Reported-by: Chuhong Yuan
Signed-off-by: Peter Maydell
Message-Id:
Signed-off-by: Philippe Mathieu-Daudé
Message-Id: <20240409145524.27913-1-philmd@linaro.org>
(cherry picked from commit 9e4b27ca6bf4974f169bbca7f3dca117b1208b6f)
Signed-off-by: Michael Tokarev

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 40473b0db0..e95ea34895 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -473,6 +473,7 @@ static uint32_t sdhci_read_dataport(SDHCIState *s, unsigned size) } for (i = 0; i < size; i++) { + assert(s->data_count < s->buf_maxsz); value |= s->fifo_buffer[s->data_count] << i * 8; s->data_count++; /* check if we've read all valid data (blksize bytes) from buffer */ @@ -561,6 +562,7 @@ static void sdhci_write_dataport(SDHCIState *s, uint32_t value, unsigned size) } for (i = 0; i < size; i++) { + assert(s->data_count < s->buf_maxsz); s->fifo_buffer[s->data_count] = value & 0xFF; s->data_count++; value >>= 8; 
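Review bot: the two `assert(s->data_count < s->buf_maxsz)` guards in sdhci_read_dataport() and sdhci_write_dataport() turn a guest-reachable heap overflow into a guest-reachable abort(), so a guest that can still push data_count up to buf_maxsz brings the whole VM down instead of corrupting the 512-byte fifo_buffer allocation from sdhci_pci_realize(); that is the right trade-off for a device model, but neither hunk says why the condition is expected to be unreachable, and the asserts only hold because the TRNMOD write is now refused while Command Inhibit (DAT) is set. Suggest a one-line comment above each assert naming the invariant that keeps data_count inside the buffer, and adding the qtest reproducer from the commit message as a regression test so that invariant stays covered.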
@@ -1208,6 +1210,12 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) if (!(s->capareg & R_SDHC_CAPAB_SDMA_MASK)) { value &= ~SDHC_TRNS_DMA; } + + /* TRNMOD writes are inhibited while Command Inhibit (DAT) is true */ + if (s->prnsts & SDHC_DATA_INHIBIT) { + mask |= 0xffff; + } + MASKED_WRITE(s->trnmod, mask, value & SDHC_TRNMOD_MASK); MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16);
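Review bot: `mask |= 0xffff` covers only the low 16 bits, so while Command Inhibit (DAT) is set the TRNMOD half of the access is dropped but the following `MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16)` still lands for a 32-bit write spanning both registers; that matches the spec text quoted in the commit message, which inhibits only the Transfer Mode register, but the new comment should state the asymmetry so it is not later "fixed" as an oversight. It would also be worth a sentence in the comment explaining that this is the actual fix for CVE-2024-3447 (the asserts in the earlier hunks are the backstop), since that is what keeps the present-state register and the FIFO accounting in sync.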
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Zheyu Ma, Akihiko Odaki, Jason Wang, Michael Tokarev
Subject: [Stable-8.2.3 109/116] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()
Date: Thu, 18 Apr 2024 20:49:39 +0300
Message-Id: <20240418174955.947730-22-mjt@tls.msk.ru>
From: Philippe Mathieu-Daudé

If a fragmented packet size is too short, do not try to
calculate its checksum.

Reproduced using:

  $ cat << EOF | qemu-system-i386 -display none -nodefaults \
      -machine q35,accel=qtest -m 32M \
      -device igb,netdev=net0 \
      -netdev user,id=net0 \
      -qtest stdio
  outl 0xcf8 0x80000810
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80000804
  outw 0xcfc 0x06
  write 0xe0000403 0x1 0x02
  writel 0xe0003808 0xffffffff
  write 0xe000381a 0x1 0x5b
  write 0xe000381b 0x1 0x00
  EOF
  Assertion failed: (offset == 0), function iov_from_buf_full, file util/iov.c, line 39.
  #1 0x5575e81e952a in iov_from_buf_full qemu/util/iov.c:39:5
  #2 0x5575e6500768 in net_tx_pkt_update_sctp_checksum qemu/hw/net/net_tx_pkt.c:144:9
  #3 0x5575e659f3e1 in igb_setup_tx_offloads qemu/hw/net/igb_core.c:478:11
  #4 0x5575e659f3e1 in igb_tx_pkt_send qemu/hw/net/igb_core.c:552:10
  #5 0x5575e659f3e1 in igb_process_tx_desc qemu/hw/net/igb_core.c:671:17
  #6 0x5575e659f3e1 in igb_start_xmit qemu/hw/net/igb_core.c:903:9
  #7 0x5575e659f3e1 in igb_set_tdt qemu/hw/net/igb_core.c:2812:5
  #8 0x5575e657d6a4 in igb_core_write qemu/hw/net/igb_core.c:4248:9

Fixes: CVE-2024-3567
Cc: qemu-stable@nongnu.org
Reported-by: Zheyu Ma
Fixes: f199b13bc1 ("igb: Implement Tx SCTP CSO")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2273
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Akihiko Odaki
Acked-by: Jason Wang
Message-Id: <20240410070459.49112-1-philmd@linaro.org>
(cherry picked from commit 83ddb3dbba2ee0f1767442ae6ee665058aeb1093)
Signed-off-by: Michael Tokarev

diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index 2134a18c4c..b7b1de816d 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -141,6 +141,10 @@ bool net_tx_pkt_update_sctp_checksum(struct NetTxPkt *pkt) uint32_t csum = 0; struct iovec *pl_start_frag = pkt->vec + NET_TX_PKT_PL_START_FRAG; + if (iov_size(pl_start_frag, pkt->payload_frags) < 8 + sizeof(csum)) { + return false; + } + if (iov_from_buf(pl_start_frag, pkt->payload_frags, 8, &csum, sizeof(csum)) < sizeof(csum)) { return false; }
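Review bot: the new `iov_size(...) < 8 + sizeof(csum)` check is necessary because the existing `iov_from_buf(...) < sizeof(csum)` test below it never gets a chance to fail: the trace in the commit message shows iov_from_buf_full() asserting `offset == 0` as soon as the 8-byte offset runs past the end of the payload, so the length check has to precede the read. The bare `8` (the checksum field offset in the SCTP common header, after the two 16-bit ports and the 32-bit verification tag) should become a named constant or at least a comment, and it is worth confirming that the caller in igb_setup_tx_offloads() treats `false` as "do not transmit with a stale checksum" rather than sending the frame anyway; the reproducer would make a cheap qtest regression for this path.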
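An added example, not part of the QEMU patch above, showing the same pre-check on a constructed fragmented payload, including the case where the checksum field straddles two fragments: sg_total_len(), sg_read() and sctp_read_checksum() are hypothetical stand-ins for QEMU's iov_size(), iov_from_buf() and net_tx_pkt_update_sctp_checksum(), and the demo_* functions build their own sample fragments.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/uio.h>

/* Offset of the checksum field in the SCTP common header: source port (2),
 * destination port (2), verification tag (4), then the 32-bit checksum.
 * This is the bare "8" in the patch. */
#define SCTP_CSUM_OFFSET 8

/* Total bytes described by an iovec array (what the patch asks iov_size() for). */
static size_t sg_total_len(const struct iovec *iov, unsigned cnt)
{
    size_t len = 0;
    for (unsigned i = 0; i < cnt; i++) {
        len += iov[i].iov_len;
    }
    return len;
}

/* Copy 'len' bytes starting at byte 'offset' of the scatter-gather list into
 * 'dst'. Returns the number of bytes copied; a short count (not an abort)
 * reports a list that is too small for the requested window. */
static size_t sg_read(const struct iovec *iov, unsigned cnt, size_t offset,
                      void *dst, size_t len)
{
    size_t done = 0;
    for (unsigned i = 0; i < cnt && done < len; i++) {
        if (offset >= iov[i].iov_len) {
            offset -= iov[i].iov_len;      /* window starts past this fragment */
            continue;
        }
        size_t avail = iov[i].iov_len - offset;
        size_t n = avail < len - done ? avail : len - done;
        memcpy((uint8_t *)dst + done, (const uint8_t *)iov[i].iov_base + offset, n);
        done += n;
        offset = 0;                        /* later fragments are read from their start */
    }
    return done;
}

/* Fetch the SCTP checksum field from a fragmented payload. Mirrors the patch:
 * refuse, without touching *csum, when the payload cannot hold a complete
 * field, so no helper ever sees an offset beyond the data. */
bool sctp_read_checksum(const struct iovec *payload, unsigned frags, uint32_t *csum)
{
    if (sg_total_len(payload, frags) < SCTP_CSUM_OFFSET + sizeof(*csum)) {
        return false;
    }
    return sg_read(payload, frags, SCTP_CSUM_OFFSET, csum, sizeof(*csum)) == sizeof(*csum);
}

/* Constructed sample: a 12-byte common header split 9 + 3, so the checksum
 * bytes aa bb cc dd span both fragments. Returns the field as a big-endian
 * integer, or 0 if the payload was rejected. */
uint32_t demo_complete_header(void)
{
    static uint8_t frag0[9] = { 0x13, 0x88, 0x13, 0x88, 0xde, 0xad, 0xbe, 0xef, 0xaa };
    static uint8_t frag1[3] = { 0xbb, 0xcc, 0xdd };
    struct iovec v[2] = { { frag0, sizeof frag0 }, { frag1, sizeof frag1 } };
    uint32_t raw;
    uint8_t b[4];
    if (!sctp_read_checksum(v, 2, &raw)) {
        return 0;
    }
    memcpy(b, &raw, sizeof b);             /* raw holds the wire bytes in order */
    return (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3];
}

/* Constructed sample: only 10 bytes, so the checksum field is truncated and
 * the length check must reject it before any offset-8 read is attempted. */
bool demo_short_header(void)
{
    static uint8_t frag0[10] = { 0 };
    struct iovec v[1] = { { frag0, sizeof frag0 } };
    uint32_t raw;
    return sctp_read_checksum(v, 1, &raw);
}
```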
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Manos Pitsidianakis, Michael Tokarev
Subject: [Stable-8.2.3 110/116] hw/audio/virtio-snd: Remove unused assignment
Date: Thu, 18 Apr 2024 20:49:40 +0300
Message-Id: <20240418174955.947730-23-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

Coverity reported:

  >>> CID 1542933: Code maintainability issues (UNUSED_VALUE)
  >>> CID 1542934: Code maintainability issues (UNUSED_VALUE)
  >>> Assigning value "NULL" to "stream" here, but that stored value is overwritten before it can be used.

Simply remove the unused assignments.

Resolves: Coverity CID 1542933
Resolves: Coverity CID 1542934
Fixes: 731655f87f ("virtio-snd: rewrite invalid tx/rx message handling")
Fixes: 20cd0c8655 ("virtio-snd: rewrite invalid tx/rx message handling" in stable-8.2)
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Manos Pitsidianakis
Message-Id: <20240410053712.34747-1-philmd@linaro.org>
(cherry picked from commit dcb0a1ac03d6b5ba6c7fcbe467f0215738006113)
Signed-off-by: Michael Tokarev
diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c index 256a132ece..823f9ab084 100644 --- a/hw/audio/virtio-snd.c +++ b/hw/audio/virtio-snd.c @@ -885,7 +885,9 @@ static void virtio_snd_handle_tx_xfer(VirtIODevice *vdev, VirtQueue *vq) } trace_virtio_snd_handle_tx_xfer(); - for (VirtIOSoundPCMStream *stream = NULL;; stream = NULL) { + for (;;) { + VirtIOSoundPCMStream *stream; + elem = virtqueue_pop(vq, sizeof(VirtQueueElement)); if (!elem) { break; 
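Review bot: replacing `for (VirtIOSoundPCMStream *stream = NULL;; stream = NULL)` with a plain `for (;;)` and a block-scoped `VirtIOSoundPCMStream *stream;` without an initialiser is behaviour-neutral only if every read of `stream` inside the loop body is dominated by an assignment; the body is outside this hunk, so that needs checking in virtio_snd_handle_tx_xfer(). The upside is that the compiler's uninitialised-use diagnostics now apply, which the old explicit NULL reset silenced; the declaration followed by a blank line matches the surrounding style.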
@@ -964,7 +966,9 @@ static void virtio_snd_handle_rx_xfer(VirtIODevice *vdev, VirtQueue *vq) } trace_virtio_snd_handle_rx_xfer(); - for (VirtIOSoundPCMStream *stream = NULL;; stream = NULL) { + for (;;) { + VirtIOSoundPCMStream *stream; + elem = virtqueue_pop(vq, sizeof(VirtQueueElement)); if (!elem) { break;
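Review bot: same remark as for the tx_xfer hunk: the new `VirtIOSoundPCMStream *stream;` has no initialiser, so every path in virtio_snd_handle_rx_xfer() that reads `stream` must assign it first, and the loop body that would show this is not in the hunk; please verify it, ideally with a build that has uninitialised-variable warnings enabled so the compiler proves it rather than a reviewer.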
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Richard Henderson, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-8.2.3 111/116] linux-user/x86_64: Handle the vsyscall page in open_self_maps_{2, 4}
Date: Thu, 18 Apr 2024 20:49:41 +0300
Message-Id: <20240418174955.947730-24-mjt@tls.msk.ru>

From: Richard Henderson

This is the only case in which we expect to have no host memory
backing for a guest memory page, because in general linux user
processes cannot map any pages in the top half of the 64-bit
address space.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2170
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Richard Henderson
(cherry picked from commit 4ef1f559f270c66b3ffc23f6c845ff3d008c6356)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 834a254895..11c75e3b4e 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -7994,6 +7994,10 @@ static void open_self_maps_4(const struct open_self_maps_data *d, path = "[heap]"; } else if (start == info->vdso) { path = "[vdso]"; +#ifdef TARGET_X86_64 + } else if (start == TARGET_VSYSCALL_PAGE) { + path = "[vsyscall]"; +#endif } /* Except null device (MAP_ANON), adjust offset for this fragment. */ @@ -8082,6 +8086,18 @@ static int open_self_maps_2(void *opaque, target_ulong guest_start, uintptr_t host_start = (uintptr_t)g2h_untagged(guest_start); uintptr_t host_last = (uintptr_t)g2h_untagged(guest_end - 1); +#ifdef TARGET_X86_64 + /* + * Because of the extremely high position of the page within the guest + * virtual address space, this is not backed by host memory at all. + * Therefore the loop below would fail. This is the only instance + * of not having host backing memory. + */ + if (guest_start == TARGET_VSYSCALL_PAGE) { + return open_self_maps_3(opaque, guest_start, guest_end, flags); + } +#endif + while (1) { IntervalTreeNode *n = interval_tree_iter_first(d->host_maps, host_start, host_start);
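Review bot: in the open_self_maps_2() hunk the early return for `guest_start == TARGET_VSYSCALL_PAGE` is placed after `host_start` and `host_last` have already been derived with g2h_untagged() from an address the new comment says has no host backing at all; if g2h_untagged() is pure arithmetic that is harmless and a short note saying so would settle it, otherwise the check belongs above those two lines. The comparison also keys on `guest_start` alone, so it relies on the caller handing the vsyscall page over as its own [guest_start, guest_end) range rather than merged with a neighbouring mapping; that assumption is worth stating next to the comment. In the open_self_maps_4() hunk the `[vsyscall]` label is guarded by the same `#ifdef TARGET_X86_64` as the other hunk, which keeps the two consistent.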