From patchwork Thu Apr 18 20:02:02 2024
X-Patchwork-Submitter: Michael Tokarev
X-Patchwork-Id: 789853
Delivered-To: patch@linaro.org
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Richard Henderson, Michael Tokarev
Subject: [Stable-7.2.11 42/59] tcg/optimize: Do not attempt to constant fold neg_vec
Date: Thu, 18 Apr 2024 23:02:02 +0300
Message-Id: <20240418200224.952785-1-mjt@tls.msk.ru>

From: Richard Henderson

Split out the tail of fold_neg to fold_neg_no_const so that we can
avoid attempting to constant fold vector negate.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2150
Signed-off-by: Richard Henderson
(cherry picked from commit e25fe886b89a396bae5847520b70c148587d490a)
Signed-off-by: Michael Tokarev
(Mjt: context fixup in tests/tcg/aarch64/Makefile.target)

diff --git a/tcg/optimize.c b/tcg/optimize.c
index b6f6436c74..100b75efd8 100644
--- a/tcg/optimize.c
+++ b/tcg/optimize.c
@@ -1634,16 +1634,10 @@ static bool fold_nand(OptContext *ctx, TCGOp *op) return false; } -static bool fold_neg(OptContext *ctx, TCGOp *op) +static bool fold_neg_no_const(OptContext *ctx, TCGOp *op) { - uint64_t z_mask; - - if (fold_const1(ctx, op)) { - return true; - } - /* Set to 1 all bits to the left of the rightmost. */ - z_mask = arg_info(op->args[1])->z_mask; + uint64_t z_mask = arg_info(op->args[1])->z_mask; ctx->z_mask = -(z_mask & -z_mask); /*
@@ -1654,6 +1648,11 @@ static bool fold_neg(OptContext *ctx, TCGOp *op) return true; } +static bool fold_neg(OptContext *ctx, TCGOp *op) +{ + return fold_const1(ctx, op) || fold_neg_no_const(ctx, op); +} + static bool fold_nor(OptContext *ctx, TCGOp *op) { if (fold_const2_commutative(ctx, op) || @@ -1949,7 +1948,7 @@ static bool fold_sub_to_neg(OptContext *ctx, TCGOp *op) if (have_neg) { op->opc = neg_op; op->args[1] = op->args[2]; - return fold_neg(ctx, op); + return fold_neg_no_const(ctx, op); } return false; } diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target index 474f61bc30..bd29446835 100644 --- a/tests/tcg/aarch64/Makefile.target +++ b/tests/tcg/aarch64/Makefile.target @@ -10,7 +10,7 @@ VPATH += $(AARCH64_SRC) # Base architecture tests AARCH64_TESTS=fcvt pcalign-a64 -AARCH64_TESTS += test-2248 +AARCH64_TESTS += test-2248 test-2150 fcvt: LDFLAGS+=-lm diff --git a/tests/tcg/aarch64/test-2150.c b/tests/tcg/aarch64/test-2150.c new file mode 100644 index 0000000000..fb86c11958 --- /dev/null +++ b/tests/tcg/aarch64/test-2150.c 
@@ -0,0 +1,12 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* See https://gitlab.com/qemu-project/qemu/-/issues/2150 */ + +int main() +{ + asm volatile( + "movi v6.4s, #1\n" + "movi v7.4s, #0\n" + "sub v6.2d, v7.2d, v6.2d\n" + : : : "v6", "v7"); + return 0; +}
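Review bot: in the fold_sub_to_neg hunk, switching `return fold_neg(ctx, op);` to `return fold_neg_no_const(ctx, op);` also drops the fold_const1 attempt for the scalar neg_i32/neg_i64 that this path synthesises, and nothing at the call site says why that is acceptable. If it is safe because a sub whose operands are both constant never reaches fold_sub_to_neg (so the synthesised neg never has a constant input), a one-line comment there would keep the next reader from re-deriving it.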
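Review bot: the new tests/tcg/aarch64/test-2150.c only executes the `sub v6.2d, v7.2d, v6.2d` and returns 0 unconditionally, so it catches the translator crash from issue 2150 but would pass silently if a future optimizer change folded the vector negate to a wrong value. Storing v6 after the sub and returning non-zero unless both 64-bit lanes equal 0xfffffffeffffffff (0 minus the 0x0000000100000001 that `movi v6.4s, #1` puts in each 64-bit lane) would turn it into a real regression test; `int main()` should also be `int main(void)`.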
From patchwork Thu Apr 18 20:02:03 2024
X-Patchwork-Submitter: Michael Tokarev
X-Patchwork-Id: 789857
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Richard Henderson, Alex Fan, Philippe Mathieu-Daudé, Michael Tokarev
Subject: [Stable-7.2.11 43/59] linux-user: Fix waitid return of siginfo_t and rusage
Date: Thu, 18 Apr 2024 23:02:03 +0300
Message-Id: <20240418200224.952785-2-mjt@tls.msk.ru>

From: Richard Henderson

The copy back to siginfo_t should be conditional only on arg3,
not the specific values that might have been written.
The copy back to rusage was missing entirely.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2262
Signed-off-by: Richard Henderson
Tested-by: Alex Fan
Reviewed-by: Philippe Mathieu-Daudé
(cherry picked from commit f0907ff4cae743f1a4ef3d0a55a047029eed06ff)
Signed-off-by: Michael Tokarev

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index aead0f6ac9..41017b0df2 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -8759,14 +8759,24 @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1, #ifdef TARGET_NR_waitid case TARGET_NR_waitid: { + struct rusage ru; siginfo_t info; - info.si_pid = 0; - ret = get_errno(safe_waitid(arg1, arg2, &info, arg4, NULL)); - if (!is_error(ret) && arg3 && info.si_pid != 0) { - if (!(p = lock_user(VERIFY_WRITE, arg3, sizeof(target_siginfo_t), 0))) + + ret = get_errno(safe_waitid(arg1, arg2, (arg3 ? &info : NULL), + arg4, (arg5 ? &ru : NULL))); + if (!is_error(ret)) { + if (arg3) { + p = lock_user(VERIFY_WRITE, arg3, + sizeof(target_siginfo_t), 0); + if (!p) { + return -TARGET_EFAULT; + } + host_to_target_siginfo(p, &info); + unlock_user(p, arg3, sizeof(target_siginfo_t)); + } + if (arg5 && host_to_target_rusage(arg5, &ru)) { return -TARGET_EFAULT; - host_to_target_siginfo(p, &info); - unlock_user(p, arg3, sizeof(target_siginfo_t)); + } } } return ret;
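Review bot: in the TARGET_NR_waitid hunk the siginfo copy-out is committed (`host_to_target_siginfo(p, &info); unlock_user(p, arg3, sizeof(target_siginfo_t));`) before `host_to_target_rusage(arg5, &ru)` is attempted, so a guest that passes a valid arg3 and a bad arg5 gets -TARGET_EFAULT back after its siginfo buffer has already been written. That is probably harmless, but either validate both guest pointers before writing anything or add a comment that the partial write is accepted; a short comment restating the commit message's point that the copy must not depend on the values the kernel wrote would also help, since the removed `info.si_pid != 0` gate looked deliberate.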
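An added illustration (my own code, not part of this patch or of QEMU) of the host-side contract the hunk now honours: Linux writes the caller's siginfo on every successful waitid() return, including a WNOHANG return with nothing to report, where si_pid and si_signo come back as 0, and fills the rusage whenever a child was actually reaped. An emulator that skips the copy-out when si_pid == 0, as the removed `info.si_pid != 0` gate did, hands the guest a stale buffer. The program uses the raw five-argument syscall because glibc's waitid() wrapper has no rusage parameter, so it is Linux-only; the function names are mine and the poison pattern is a constructed sentinel.

```c
/*
 * Added example, not QEMU code: what a faithful waitid() emulation has to
 * copy back.  Uses the raw Linux syscall because glibc's waitid() wrapper
 * drops the fifth (struct rusage *) argument.  Linux only.
 */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Raw waitid(2): idtype, id, infop, options, rusage. */
static long raw_waitid(idtype_t idtype, id_t id, siginfo_t *info,
                       int options, struct rusage *ru)
{
    return syscall(SYS_waitid, idtype, id, info, options, ru);
}

/*
 * Child still running, WNOHANG: returns 1 if the kernel overwrote the
 * poisoned si_pid/si_signo with 0 (so an emulator must copy the buffer
 * back even though "nothing happened"), 0 if the poison survived,
 * -1 on error.
 */
int wnohang_zeroes_siginfo(void)
{
    siginfo_t info;
    pid_t pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        for (;;) {
            pause();                 /* stay alive until the parent kills us */
        }
    }
    memset(&info, 0xAA, sizeof(info));   /* constructed poison: stale data */
    long rc = raw_waitid(P_PID, (id_t)pid, &info, WEXITED | WNOHANG, NULL);
    int zeroed = (rc == 0 && info.si_pid == 0 && info.si_signo == 0);

    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);               /* reap so no zombie is left behind */
    return rc == 0 ? zeroed : -1;
}

/*
 * Child exits with `code`: returns the exit status reported through
 * siginfo, -1 if waitid failed or reported the wrong child/cause, -2 if
 * the rusage passed in was not written (poison still present).
 */
int reap_exit_status(int code)
{
    siginfo_t info;
    struct rusage ru;
    pid_t pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        _exit(code);
    }
    memset(&info, 0, sizeof(info));
    memset(&ru, 0xAA, sizeof(ru));       /* constructed poison: must be overwritten */
    long rc = raw_waitid(P_PID, (id_t)pid, &info, WEXITED, &ru);
    if (rc != 0 || info.si_pid != pid || info.si_code != CLD_EXITED) {
        return -1;
    }
    /* A reaped child always gets its rusage written; poisoned times are negative. */
    if (ru.ru_utime.tv_sec < 0 || ru.ru_stime.tv_sec < 0) {
        return -2;
    }
    return info.si_status;
}

int main(void)
{
    printf("WNOHANG with live child zeroes siginfo: %d\n", wnohang_zeroes_siginfo());
    printf("exit status via siginfo, rusage filled: %d\n", reap_exit_status(42));
    return 0;
}
```

Run as a normal user; both calls fork a throwaway child. The first case is the one the old code got wrong: rc is 0, si_pid is 0, and the guest must still see that zeroed record.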
From patchwork Thu Apr 18 20:02:04 2024
X-Patchwork-Submitter: Michael Tokarev
X-Patchwork-Id: 789855
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Gerd Hoffmann, Michael S. Tsirkin, Michael Tokarev
Subject: [Stable-7.2.11 44/59] hw/virtio: Introduce virtio_bh_new_guarded() helper
Date: Thu, 18 Apr 2024 23:02:04 +0300
Message-Id: <20240418200224.952785-3-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

Introduce virtio_bh_new_guarded(), similar to qemu_bh_new_guarded()
but using the transport memory guard, instead of the device one
(there can only be one virtio device per virtio bus).

Inspired-by: Gerd Hoffmann
Reviewed-by: Gerd Hoffmann
Acked-by: Michael S. Tsirkin
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Michael S. Tsirkin
Message-Id: <20240409105537.18308-2-philmd@linaro.org>
(cherry picked from commit ec0504b989ca61e03636384d3602b7bf07ffe4da)
Signed-off-by: Michael Tokarev
(Mjt: trivial #include context fixup in include/hw/virtio/virtio.h)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index e4f8ed1e63..4a35d7cb0c 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -5029,3 +5029,13 @@ static void virtio_register_types(void) } type_init(virtio_register_types) + +QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, + QEMUBHFunc *cb, void *opaque, + const char *name) +{ + DeviceState *transport = qdev_get_parent_bus(dev)->parent; + + return qemu_bh_new_full(cb, opaque, name, + &transport->mem_reentrancy_guard); +} diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h index 96a56430a6..c1a7c9bd3b 100644 --- a/include/hw/virtio/virtio.h +++ b/include/hw/virtio/virtio.h @@ -23,6 +23,7 @@ #include "standard-headers/linux/virtio_ring.h" #include "qom/object.h" #include "hw/virtio/vhost.h" +#include "block/aio.h" /* * A guest should never accept this. It implies negotiation is broken 
@@ -463,4 +464,10 @@ static inline bool virtio_device_disabled(VirtIODevice *vdev) bool virtio_legacy_allowed(VirtIODevice *vdev); bool virtio_legacy_check_disabled(VirtIODevice *vdev); +QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, + QEMUBHFunc *cb, void *opaque, + const char *name); +#define virtio_bh_new_guarded(dev, cb, opaque) \ + virtio_bh_new_guarded_full((dev), (cb), (opaque), (stringify(cb))) + #endif
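Review bot: in the hw/virtio/virtio.c hunk, virtio_bh_new_guarded_full dereferences `qdev_get_parent_bus(dev)->parent` with no check that the bus or its parent exists. The commit message's invariant (one virtio device per virtio bus, and that bus is owned by the transport) is what makes this safe, so either `assert(transport)` or state the invariant in a comment above the function; otherwise a caller that creates its bottom halves before the device is attached to a bus gets a NULL dereference instead of a diagnostic.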
From patchwork Thu Apr 18 20:02:05 2024
X-Patchwork-Submitter: Michael Tokarev
X-Patchwork-Id: 789865
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Alexander Bulekov, Yongkang Jia, Xiao Lei, Yiming Tao, Gerd Hoffmann, Michael S. Tsirkin, Michael Tokarev
Subject: [Stable-7.2.11 45/59] hw/display/virtio-gpu: Protect from DMA re-entrancy bugs
Date: Thu, 18 Apr 2024 23:02:05 +0300
Message-Id: <20240418200224.952785-4-mjt@tls.msk.ru>
From: Philippe Mathieu-Daudé

Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus
and device use the same guard. Otherwise the DMA-reentrancy protection
can be bypassed:

  $ cat << EOF | qemu-system-i386 -display none -nodefaults \
                                  -machine q35,accel=qtest \
                                  -m 512M \
                                  -device virtio-gpu \
                                  -qtest stdio
  outl 0xcf8 0x80000820
  outl 0xcfc 0xe0004000
  outl 0xcf8 0x80000804
  outw 0xcfc 0x06
  write 0xe0004030 0x4 0x024000e0
  write 0xe0004028 0x1 0xff
  write 0xe0004020 0x4 0x00009300
  write 0xe000401c 0x1 0x01
  write 0x101 0x1 0x04
  write 0x103 0x1 0x1c
  write 0x9301c8 0x1 0x18
  write 0x105 0x1 0x1c
  write 0x107 0x1 0x1c
  write 0x109 0x1 0x1c
  write 0x10b 0x1 0x00
  write 0x10d 0x1 0x00
  write 0x10f 0x1 0x00
  write 0x111 0x1 0x00
  write 0x113 0x1 0x00
  write 0x115 0x1 0x00
  write 0x117 0x1 0x00
  write 0x119 0x1 0x00
  write 0x11b 0x1 0x00
  write 0x11d 0x1 0x00
  write 0x11f 0x1 0x00
  write 0x121 0x1 0x00
  write 0x123 0x1 0x00
  write 0x125 0x1 0x00
  write 0x127 0x1 0x00
  write 0x129 0x1 0x00
  write 0x12b 0x1 0x00
  write 0x12d 0x1 0x00
  write 0x12f 0x1 0x00
  write 0x131 0x1 0x00
  write 0x133 0x1 0x00
  write 0x135 0x1 0x00
  write 0x137 0x1 0x00
  write 0x139 0x1 0x00
  write 0xe0007003 0x1 0x00
  EOF
  ...
  =================================================================
  ==276099==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000011178
  at pc 0x562cc3b736c7 bp 0x7ffed49dee60 sp 0x7ffed49dee58
  READ of size 8 at 0x60d000011178 thread T0
      #0 0x562cc3b736c6 in virtio_gpu_ctrl_response hw/display/virtio-gpu.c:180:42
      #1 0x562cc3b7c40b in virtio_gpu_ctrl_response_nodata hw/display/virtio-gpu.c:192:5
      #2 0x562cc3b7c40b in virtio_gpu_simple_process_cmd hw/display/virtio-gpu.c:1015:13
      #3 0x562cc3b82873 in virtio_gpu_process_cmdq hw/display/virtio-gpu.c:1050:9
      #4 0x562cc4a85514 in aio_bh_call util/async.c:169:5
      #5 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13
      #6 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5
      #7 0x562cc4a8a2da in aio_ctx_dispatch util/async.c:358:5
      #8 0x7f36840547a8 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x547a8)
      #9 0x562cc4a8b753 in glib_pollfds_poll util/main-loop.c:290:9
      #10 0x562cc4a8b753 in os_host_main_loop_wait util/main-loop.c:313:5
      #11 0x562cc4a8b753 in main_loop_wait util/main-loop.c:592:11
      #12 0x562cc3938186 in qemu_main_loop system/runstate.c:782:9
      #13 0x562cc43b7af5 in qemu_default_main system/main.c:37:14
      #14 0x7f3683a6c189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
      #15 0x7f3683a6c244 in __libc_start_main csu/../csu/libc-start.c:381:3
      #16 0x562cc2a58ac0 in _start (qemu-system-i386+0x231bac0)

  0x60d000011178 is located 56 bytes inside of 136-byte region [0x60d000011140,0x60d0000111c8)
  freed by thread T0 here:
      #0 0x562cc2adb662 in __interceptor_free (qemu-system-i386+0x239e662)
      #1 0x562cc3b86b21 in virtio_gpu_reset hw/display/virtio-gpu.c:1524:9
      #2 0x562cc416e20e in virtio_reset hw/virtio/virtio.c:2145:9
      #3 0x562cc37c5644 in virtio_pci_reset hw/virtio/virtio-pci.c:2249:5
      #4 0x562cc4233758 in memory_region_write_accessor system/memory.c:497:5
      #5 0x562cc4232eea in access_with_adjusted_size system/memory.c:573:18

  previously allocated by thread T0 here:
      #0 0x562cc2adb90e in malloc (qemu-system-i386+0x239e90e)
      #1 0x7f368405a678 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5a678)
      #2 0x562cc4163ffc in virtqueue_split_pop hw/virtio/virtio.c:1612:12
      #3 0x562cc4163ffc in virtqueue_pop hw/virtio/virtio.c:1783:16
      #4 0x562cc3b91a95 in virtio_gpu_handle_ctrl hw/display/virtio-gpu.c:1112:15
      #5 0x562cc4a85514 in aio_bh_call util/async.c:169:5
      #6 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13
      #7 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5

  SUMMARY: AddressSanitizer: heap-use-after-free hw/display/virtio-gpu.c:180:42 in virtio_gpu_ctrl_response

With this change, the same reproducer triggers:

  qemu-system-i386: warning: Blocked re-entrant IO on MemoryRegion: virtio-pci-common-virtio-gpu at addr: 0x6

Fixes: CVE-2024-3446
Cc: qemu-stable@nongnu.org
Reported-by: Alexander Bulekov
Reported-by: Yongkang Jia
Reported-by: Xiao Lei
Reported-by: Yiming Tao
Buglink: https://bugs.launchpad.net/qemu/+bug/1888606
Reviewed-by: Gerd Hoffmann
Acked-by: Michael S. Tsirkin
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Michael S. Tsirkin
Message-Id: <20240409105537.18308-3-philmd@linaro.org>
(cherry picked from commit ba28e0ff4d95b56dc334aac2730ab3651ffc3132)
Signed-off-by: Michael Tokarev
(Mjt: context fixup in hw/display/virtio-gpu.c:virtio_gpu_device_realize()
 due to missing v8.1.0-rc2-69-ga41e2d97f92b "virtio-gpu: reset gfx resources
 in main thread". Maybe it's worth picking this too)

diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 7c13b056b9..d353b99e93 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -1356,10 +1356,8 @@ void virtio_gpu_device_realize(DeviceState *qdev, Error **errp) g->ctrl_vq = virtio_get_queue(vdev, 0); g->cursor_vq = virtio_get_queue(vdev, 1); - g->ctrl_bh = qemu_bh_new_guarded(virtio_gpu_ctrl_bh, g, - &qdev->mem_reentrancy_guard); - g->cursor_bh = qemu_bh_new_guarded(virtio_gpu_cursor_bh, g, - &qdev->mem_reentrancy_guard); + g->ctrl_bh = virtio_bh_new_guarded(qdev, virtio_gpu_ctrl_bh, g); + g->cursor_bh = virtio_bh_new_guarded(qdev, virtio_gpu_cursor_bh, g); QTAILQ_INIT(&g->reslist); QTAILQ_INIT(&g->cmdq); QTAILQ_INIT(&g->fenceq);
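Review bot: the virtio_gpu_device_realize hunk is the whole device-side change, and the backport note says its context differs from upstream because a41e2d97f92b "virtio-gpu: reset gfx resources in main thread" is not in 7.2. The "Blocked re-entrant IO on MemoryRegion: virtio-pci-common-virtio-gpu at addr: 0x6" output quoted in the message was observed upstream, so before this goes into 7.2.11 the reproducer should be re-run against this tree (ASan build), or the missing commit picked as the maintainer already suggests, to confirm that the virtio_gpu_reset path in the trace is reached through the now transport-guarded BH here as well and not through a path that the 7.2 code still runs under the device guard.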
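An added model (my own code, not QEMU's and not part of this series) of the guard logic that this patch and the virtio-serial-bus patch that follows both change: the bottom half runs under one MemReentrancyGuard, but the accessor that receives the response DMA checks the guard of the device that owns the written region, which is the virtio-pci transport, not the virtio device. With the device's own guard engaged the transport's check never fires and the reset frees the command under the BH's feet; with the transport's guard engaged the write is refused and the warning quoted in the commit message is what you see instead. Function and structure names (mmio_write, bh_call, run_scenario, Model) and the call chain are simplifications of what the ASan trace shows; they are not QEMU's implementation.

```c
/*
 * Added example, not QEMU code: why the BH guard must be the transport's.
 * Models the chain in the ASan trace above:
 *   aio_bh_call -> virtio_gpu_ctrl_response -> DMA into the virtio-pci
 *   region -> memory_region_write_accessor -> virtio_pci_reset ->
 *   virtio_gpu_reset (frees cmd) -> back in ctrl_response using cmd.
 */
#include <stdbool.h>
#include <stdio.h>

typedef struct { bool engaged_in_io; } MemReentrancyGuard;

typedef struct {
    const char *name;
    MemReentrancyGuard mem_reentrancy_guard;   /* one per DeviceState */
} Device;

typedef struct { bool freed; } Cmd;             /* the 136-byte cmd in the trace */

typedef struct {
    Device gpu;           /* virtio-gpu VirtIODevice */
    Device transport;     /* virtio-pci proxy: owner of the MMIO region */
    Cmd cmd;              /* command the BH is currently answering */
    bool blocked;         /* accessor refused the re-entrant write */
    bool use_after_free;  /* response touched cmd after reset freed it */
} Model;

/* Stand-in for virtio_gpu_reset(): drops the command queue, freeing cmd. */
static void gpu_reset(Model *m)
{
    m->cmd.freed = true;
}

/*
 * Stand-in for memory_region_write_accessor(): the guard consulted is the
 * one of the device that OWNS the region being written, i.e. the transport.
 */
static void mmio_write(Model *m, Device *owner)
{
    MemReentrancyGuard *g = &owner->mem_reentrancy_guard;
    if (g->engaged_in_io) {
        printf("warning: Blocked re-entrant IO on MemoryRegion owned by %s\n",
               owner->name);
        m->blocked = true;
        return;
    }
    g->engaged_in_io = true;
    gpu_reset(m);         /* status write -> virtio_pci_reset -> virtio_reset */
    g->engaged_in_io = false;
}

/*
 * Stand-in for virtio_gpu_ctrl_response(): the guest aimed the response
 * buffer at the transport's MMIO window, so the "DMA" lands in mmio_write();
 * afterwards the function keeps using cmd (the read at virtio-gpu.c:180).
 */
static void gpu_ctrl_response(Model *m)
{
    mmio_write(m, &m->transport);
    if (m->cmd.freed) {
        m->use_after_free = true;
    }
}

/* Stand-in for aio_bh_call(): engage the BH's guard around the callback. */
static void bh_call(Model *m, MemReentrancyGuard *bh_guard)
{
    bool last = bh_guard->engaged_in_io;
    bh_guard->engaged_in_io = true;
    gpu_ctrl_response(m);
    bh_guard->engaged_in_io = last;
}

/*
 * guard_with_transport=false: qemu_bh_new_guarded(..., &qdev->mem_reentrancy_guard)
 * guard_with_transport=true:  virtio_bh_new_guarded(qdev, ...)
 * Returns 1 if the re-entrant reset got through and the response used a
 * freed cmd, 0 if the accessor blocked it.
 */
int run_scenario(bool guard_with_transport)
{
    Model m = {
        .gpu       = { "virtio-gpu", { false } },
        .transport = { "virtio-pci", { false } },
    };
    MemReentrancyGuard *bh_guard = guard_with_transport
        ? &m.transport.mem_reentrancy_guard
        : &m.gpu.mem_reentrancy_guard;
    bh_call(&m, bh_guard);
    return m.use_after_free ? 1 : 0;
}

int main(void)
{
    printf("device guard:    use-after-free=%d\n", run_scenario(false));
    printf("transport guard: use-after-free=%d\n", run_scenario(true));
    return 0;
}
```

The model also shows why the helper in patch 44 can take the transport's guard unconditionally: with a single virtio device per virtio bus, engaging the transport's guard around the BH cannot wrongly block another device's traffic.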
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Alexander Bulekov, Gerd Hoffmann, "Michael S . Tsirkin", Michael Tokarev
Subject: [Stable-7.2.11 46/59] hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs
Date: Thu, 18 Apr 2024 23:02:06 +0300
Message-Id: <20240418200224.952785-5-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus
and device use the same guard. Otherwise the DMA-reentrancy protection
can be bypassed.

Fixes: CVE-2024-3446
Cc: qemu-stable@nongnu.org
Suggested-by: Alexander Bulekov
Reviewed-by: Gerd Hoffmann
Acked-by: Michael S. Tsirkin
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Michael S. Tsirkin
Message-Id: <20240409105537.18308-4-philmd@linaro.org>
(cherry picked from commit b4295bff25f7b50de1d9cc94a9c6effd40056bca)
Signed-off-by: Michael Tokarev

diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c
index dd619f0731..1221fb7f15 100644
--- a/hw/char/virtio-serial-bus.c
+++ b/hw/char/virtio-serial-bus.c
@@ -985,8 +985,7 @@ static void virtser_port_device_realize(DeviceState *dev, Error **errp) return; } - port->bh = qemu_bh_new_guarded(flush_queued_data_bh, port, - &dev->mem_reentrancy_guard); + port->bh = virtio_bh_new_guarded(dev, flush_queued_data_bh, port); port->elem = NULL; }

From patchwork Thu Apr 18 20:02:07 2024
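Review bot: the guard passed before was `&dev->mem_reentrancy_guard` of the port device itself, while the handlers that can re-enter flush_queued_data_bh() run on behalf of the device owning the bus, so the re-entrancy check was keyed on the wrong object; `virtio_bh_new_guarded(dev, flush_queued_data_bh, port)` is the right fix, but the helper is not defined in this hunk, so the stable series must also carry the patch that introduces virtio_bh_new_guarded() (this message is the fourth of the upstream set, per its Message-Id) or hw/char/virtio-serial-bus.c will not build. Nothing in the hunk shows which guard the helper resolves from a port DeviceState; a one-line comment at the call site would spare the next reader a trip to the helper.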
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Alexander Bulekov, Gerd Hoffmann, "Michael S . Tsirkin", Michael Tokarev
Subject: [Stable-7.2.11 47/59] hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs
Date: Thu, 18 Apr 2024 23:02:07 +0300
Message-Id: <20240418200224.952785-6-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() so the bus
and device use the same guard. Otherwise the DMA-reentrancy protection
can be bypassed.

Fixes: CVE-2024-3446
Cc: qemu-stable@nongnu.org
Suggested-by: Alexander Bulekov
Reviewed-by: Gerd Hoffmann
Acked-by: Michael S. Tsirkin
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Michael S. Tsirkin
Message-Id: <20240409105537.18308-5-philmd@linaro.org>
(cherry picked from commit f4729ec39ad97a42ceaa7b5697f84f440ea6e5dc)
Signed-off-by: Michael Tokarev

diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
index b2e0646d9a..ce995c66d8 100644
--- a/hw/virtio/virtio-crypto.c
+++ b/hw/virtio/virtio-crypto.c
@@ -1057,8 +1057,8 @@ static void virtio_crypto_device_realize(DeviceState *dev, Error **errp) vcrypto->vqs[i].dataq = virtio_add_queue(vdev, 1024, virtio_crypto_handle_dataq_bh); vcrypto->vqs[i].dataq_bh = - qemu_bh_new_guarded(virtio_crypto_dataq_bh, &vcrypto->vqs[i], - &dev->mem_reentrancy_guard); + virtio_bh_new_guarded(dev, virtio_crypto_dataq_bh, + &vcrypto->vqs[i]); vcrypto->vqs[i].vcrypto = vcrypto; }

From patchwork Thu Apr 18 20:02:09 2024
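Review bot: `dev` here is the virtio-crypto device's own DeviceState (see the function signature in the hunk header), so the removed `&dev->mem_reentrancy_guard` was the device's guard and the per-queue BH ran under a different guard than the bus-side accessors that can re-enter it, which is the bypass the commit message refers to; the replacement is only a fix if virtio_bh_new_guarded() resolves the guard shared with the bus, which the hunk cannot show, so that should be checked against the helper's definition in the backport. One BH is created per data queue inside the loop; any error return later in realize must still delete them, which is outside this hunk. As with 46/59, the helper must be present in the stable tree for this file to compile.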
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Richard Henderson, Kevin Wolf, Michael Tokarev
Subject: [Stable-7.2.11 49/59] hw/block/nand: Factor nand_load_iolen() method out
Date: Thu, 18 Apr 2024 23:02:09 +0300
Message-Id: <20240418200224.952785-8-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

Reviewed-by: Richard Henderson
Reviewed-by: Kevin Wolf
Signed-off-by: Philippe Mathieu-Daudé
Message-Id: <20240409135944.24997-2-philmd@linaro.org>
(cherry picked from commit 7a86544f286d8af4fa5251101c1026ddae92cc3d)
Signed-off-by: Michael Tokarev

diff --git a/hw/block/nand.c b/hw/block/nand.c
index 1aee1cb2b1..4e3d7fb065 100644
--- a/hw/block/nand.c
+++ b/hw/block/nand.c
@@ -243,9 +243,28 @@ static inline void nand_pushio_byte(NANDFlashState *s, uint8_t value) } } +/* + * nand_load_block: Load block containing (s->addr + @offset). + * Returns length of data available at @offset in this block. + */ +static unsigned nand_load_block(NANDFlashState *s, unsigned offset) +{ + unsigned iolen; + + s->blk_load(s, s->addr, offset); + + iolen = (1 << s->page_shift); + if (s->gnd) { + iolen += 1 << s->oob_shift; + } + assert(offset <= iolen); + iolen -= offset; + + return iolen; +} + static void nand_command(NANDFlashState *s) { - unsigned int offset; switch (s->cmd) { case NAND_CMD_READ0: s->iolen = 0; @@ -271,12 +290,7 @@ static void nand_command(NANDFlashState *s) case NAND_CMD_NOSERIALREAD2: if (!(nand_flash_ids[s->chip_id].options & NAND_SAMSUNG_LP)) break; - offset = s->addr & ((1 << s->addr_shift) - 1); - s->blk_load(s, s->addr, offset); - if (s->gnd) - s->iolen = (1 << s->page_shift) - offset; - else - s->iolen = (1 << s->page_shift) + (1 << s->oob_shift) - offset; + s->iolen = nand_load_block(s, s->addr & ((1 << s->addr_shift) - 1)); break; case NAND_CMD_RESET: 
@@ -597,12 +611,7 @@ uint32_t nand_getio(DeviceState *dev) if (!s->iolen && s->cmd == NAND_CMD_READ0) { offset = (int) (s->addr & ((1 << s->addr_shift) - 1)) + s->offset; s->offset = 0; - - s->blk_load(s, s->addr, offset); - if (s->gnd) - s->iolen = (1 << s->page_shift) - offset; - else - s->iolen = (1 << s->page_shift) + (1 << s->oob_shift) - offset; + s->iolen = nand_load_block(s, offset); } if (s->ce || s->iolen <= 0) {

From patchwork Thu Apr 18 20:02:10 2024
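Review bot: the new helper in the first hunk inverts the `s->gnd` condition relative to the code it replaces: the removed branches in nand_command() and nand_getio() add `1 << s->oob_shift` only when `s->gnd` is false, whereas nand_load_block() adds it only when `s->gnd` is true, so a change presented as pure factoring alters how much data is reported readable; either the old code was wrong (and the commit message should say so) or this is a regression. Separately, `assert(offset <= iolen)` turns an out-of-range offset into a QEMU abort, and offset derives from `s->addr`, which the guest programs (51/59 later in this series shows a qtest reproducer driving it out of range); returning 0 is a safer failure mode than aborting the VMM on guest input. Minor: the subject names nand_load_iolen() but the function added is nand_load_block().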
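Review bot: in the nand_getio() hunk the local `offset` stays an `int` built from `(int) (s->addr & ...) + s->offset` and is then passed to the helper's `unsigned offset` parameter; a negative value would convert to a very large unsigned and fail the helper's assert instead of being rejected cleanly, so consider making this local unsigned as well (50/59 in this series does that for blk_load()). The `s->iolen <= 0` test that follows is unchanged and still covers a zero result, which matters once the helper can return 0 on failure.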
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Richard Henderson, Kevin Wolf, Michael Tokarev
Subject: [Stable-7.2.11 50/59] hw/block/nand: Have blk_load() take unsigned offset and return boolean
Date: Thu, 18 Apr 2024 23:02:10 +0300
Message-Id: <20240418200224.952785-9-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

Negative offset is meaningless, use unsigned type.
Return a boolean value indicating success.

Reviewed-by: Richard Henderson
Reviewed-by: Kevin Wolf
Signed-off-by: Philippe Mathieu-Daudé
Message-Id: <20240409135944.24997-3-philmd@linaro.org>
(cherry picked from commit 2e3e09b368001f7eaeeca7a9b49cb1f0c9092d85)
Signed-off-by: Michael Tokarev

diff --git a/hw/block/nand.c b/hw/block/nand.c
index 4e3d7fb065..81b2bb804d 100644
--- a/hw/block/nand.c
+++ b/hw/block/nand.c
@@ -84,7 +84,11 @@ struct NANDFlashState { void (*blk_write)(NANDFlashState *s); void (*blk_erase)(NANDFlashState *s); - void (*blk_load)(NANDFlashState *s, uint64_t addr, int offset); + /* + * Returns %true when block containing (@addr + @offset) is + * successfully loaded, otherwise %false. + */ + bool (*blk_load)(NANDFlashState *s, uint64_t addr, unsigned offset); uint32_t ioaddr_vmstate; }; @@ -772,11 +776,11 @@ static void glue(nand_blk_erase_, NAND_PAGE_SIZE)(NANDFlashState *s) } } -static void glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s, - uint64_t addr, int offset) +static bool glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s, + uint64_t addr, unsigned offset) { if (PAGE(addr) >= s->pages) { - return; + return false; } if (s->blk) { 
@@ -804,6 +808,8 @@ static void glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s, offset, NAND_PAGE_SIZE + OOB_SIZE - offset); s->ioaddr = s->io; } + + return true; } static void glue(nand_init_, NAND_PAGE_SIZE)(NANDFlashState *s)

From patchwork Thu Apr 18 20:02:11 2024
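Review bot: the new `bool` result of blk_load() is not consumed by any caller in this patch: nand_load_block() (added in 49/59) still calls `s->blk_load(s, s->addr, offset);` as a plain statement, so the `return false` on `PAGE(addr) >= s->pages` in the second hunk still leaves s->ioaddr and the reported iolen exactly as the old `return;` did. That is acceptable for a preparatory change, but the commit message should say the result is picked up by the follow-up (51/59), and the comment added above the function pointer in the first hunk could state that callers must not report any data when it returns false.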
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Qiang Liu, Richard Henderson, Kevin Wolf, Michael Tokarev
Subject: [Stable-7.2.11 51/59] hw/block/nand: Fix out-of-bound access in NAND block buffer
Date: Thu, 18 Apr 2024 23:02:11 +0300
Message-Id: <20240418200224.952785-10-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

nand_command() and nand_getio() don't check @offset points into the
block, nor that the available data length (s->iolen) is not negative.

In order to fix:
- check the offset is in range in nand_blk_load_NAND_PAGE_SIZE(),
- do not set @iolen if blk_load() failed.

Reproducer:

  $ cat << EOF | qemu-system-arm -machine tosa \
                                 -monitor none -serial none \
                                 -display none -qtest stdio
  write 0x10000111 0x1 0xca
  write 0x10000104 0x1 0x47
  write 0x1000ca04 0x1 0xd7
  write 0x1000ca01 0x1 0xe0
  write 0x1000ca04 0x1 0x71
  write 0x1000ca00 0x1 0x50
  write 0x1000ca04 0x1 0xd7
  read 0x1000ca02 0x1
  write 0x1000ca01 0x1 0x10
  EOF

=================================================================
==15750==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000000de0
 at pc 0x560e61557210 bp 0x7ffcfc4a59f0 sp 0x7ffcfc4a59e8
READ of size 1 at 0x61f000000de0 thread T0
    #0 0x560e6155720f in mem_and hw/block/nand.c:101:20
    #1 0x560e6155ac9c in nand_blk_write_512 hw/block/nand.c:663:9
    #2 0x560e61544200 in nand_command hw/block/nand.c:293:13
    #3 0x560e6153cc83 in nand_setio hw/block/nand.c:520:13
    #4 0x560e61a0a69e in tc6393xb_nand_writeb hw/display/tc6393xb.c:380:13
    #5 0x560e619f9bf7 in tc6393xb_writeb hw/display/tc6393xb.c:524:9
    #6 0x560e647c7d03 in memory_region_write_accessor softmmu/memory.c:492:5
    #7 0x560e647c7641 in access_with_adjusted_size softmmu/memory.c:554:18
    #8 0x560e647c5f66 in memory_region_dispatch_write softmmu/memory.c:1514:16
    #9 0x560e6485409e in flatview_write_continue softmmu/physmem.c:2825:23
    #10 0x560e648421eb in flatview_write softmmu/physmem.c:2867:12
    #11 0x560e64841ca8 in address_space_write softmmu/physmem.c:2963:18
    #12 0x560e61170162 in qemu_writeb tests/qtest/videzzo/videzzo_qemu.c:1080:5
    #13 0x560e6116eef7 in dispatch_mmio_write tests/qtest/videzzo/videzzo_qemu.c:1227:28

0x61f000000de0 is located 0 bytes to the right of 3424-byte region [0x61f000000080,0x61f000000de0)
allocated by thread T0 here:
    #0 0x560e611276cf in malloc /root/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f7959a87e98 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57e98)
    #2 0x560e64b98871 in object_new qom/object.c:749:12
    #3 0x560e64b5d1a1 in qdev_new hw/core/qdev.c:153:19
    #4 0x560e61547ea5 in nand_init hw/block/nand.c:639:11
    #5 0x560e619f8772 in tc6393xb_init hw/display/tc6393xb.c:558:16
    #6 0x560e6390bad2 in tosa_init hw/arm/tosa.c:250:12

SUMMARY: AddressSanitizer: heap-buffer-overflow hw/block/nand.c:101:20 in mem_and
==15750==ABORTING

Broken since introduction in commit 3e3d5815cb ("NAND Flash memory
emulation and ECC calculation helpers for use by NAND controllers").

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1445
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1446
Reported-by: Qiang Liu
Reviewed-by: Richard Henderson
Reviewed-by: Kevin Wolf
Signed-off-by: Philippe Mathieu-Daudé
Message-Id: <20240409135944.24997-4-philmd@linaro.org>
(cherry picked from commit d39fdfff348fdf00173b7a58e935328a64db7d28)
Signed-off-by: Michael Tokarev

diff --git a/hw/block/nand.c b/hw/block/nand.c
index 81b2bb804d..d994bfe372 100644
--- a/hw/block/nand.c
+++ b/hw/block/nand.c
@@ -255,7 +255,9 @@ static unsigned nand_load_block(NANDFlashState *s, unsigned offset) { unsigned iolen; - s->blk_load(s, s->addr, offset); + if (!s->blk_load(s, s->addr, offset)) { + return 0; + } iolen = (1 << s->page_shift); if (s->gnd) {
@@ -783,6 +785,10 @@ static bool glue(nand_blk_load_, NAND_PAGE_SIZE)(NANDFlashState *s, return false; } + if (offset > NAND_PAGE_SIZE + OOB_SIZE) { + return false; + } + if (s->blk) { if (s->mem_oob) { if (blk_pread(s->blk, SECTOR(addr) << BDRV_SECTOR_BITS,

From patchwork Thu Apr 18 20:02:12 2024
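Review bot: `return 0` from nand_load_block() on a failed load (first hunk) is the right failure mode: nand_getio() already treats `s->iolen <= 0` as nothing to read (visible in the 49/59 hunk) and nand_command() stores the 0 and breaks, so the stale io buffer is no longer handed out after a rejected address. Since the helper's return type is `unsigned`, the `<= 0` test in nand_getio() now only ever matches 0; harmless, but worth a sentence in the message so nobody "fixes" the comparison later.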
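Review bot: the bound used in the second hunk (`offset > NAND_PAGE_SIZE + OOB_SIZE`) does not match the one nand_load_block() asserts on (`offset <= iolen`, where iolen excludes the OOB bytes when `s->gnd` is false, per the 49/59 hunk): an offset between NAND_PAGE_SIZE and NAND_PAGE_SIZE + OOB_SIZE would pass this check and still reach the assert, which stays a guest-reachable abort. Either reject anything beyond the readable area here, or replace the assert with `return 0`. Also, `offset == NAND_PAGE_SIZE + OOB_SIZE` is accepted and yields a zero-length load; harmless given the `- offset` length in the visible context, but `>=` would state the intent more clearly.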
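The commit message above describes the fix as two pieces: a range check on the offset inside blk_load(), and refusing to report any readable length when the load fails. The following is an added, self-contained C model of that pattern; it is not QEMU's code and not part of this patch, and every name and size in it (flash_model, flash_blk_load, flash_load_block, flash_getio, flash_avail, flash_first_byte, the 512-byte page and 16-byte OOB layout, the byte-equals-index content) is constructed for the illustration. It goes one step beyond the hunk by returning 0, rather than asserting, when the offset is inside the raw page but past the readable area.

```c
/*
 * Added example, not QEMU code: a minimal model of the range check the
 * commit message above describes. A guest-derived offset is validated
 * against the page buffer before anything is copied or reported readable.
 * Every name and size here (flash_model, flash_blk_load, ...) is constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 512u  /* constructed page size */
#define MODEL_OOB_SIZE  16u   /* constructed spare (OOB) bytes per page */
#define MODEL_NUM_PAGES 8u
#define MODEL_PAGE_BYTES (MODEL_PAGE_SIZE + MODEL_OOB_SIZE)

typedef struct {
    uint8_t storage[MODEL_NUM_PAGES * MODEL_PAGE_BYTES]; /* the "chip" */
    uint8_t io[MODEL_PAGE_BYTES];   /* one-page I/O buffer */
    const uint8_t *ioaddr;          /* read cursor into io[] */
    unsigned iolen;                 /* bytes still readable via the cursor */
    bool gnd;                       /* OOB area exposed to reads */
} flash_model;

/* Copy page @page into s->io from @offset on. Returns false, touching neither
 * buffer nor cursor, when page or offset is out of range: the check the
 * patch adds to blk_load(). */
static bool flash_blk_load(flash_model *s, unsigned page, unsigned offset)
{
    if (page >= MODEL_NUM_PAGES || offset > MODEL_PAGE_BYTES) {
        return false;   /* would write past io[] or read past storage[] */
    }
    memcpy(s->io + offset, s->storage + (size_t)page * MODEL_PAGE_BYTES + offset,
           MODEL_PAGE_BYTES - offset);
    s->ioaddr = s->io + offset;
    return true;
}

/* Bytes readable from @offset, or 0 when the load was rejected. Storing 0
 * into iolen makes the device answer "nothing to read" instead of handing out
 * stale or out-of-bounds bytes, and no assert() is reachable from guest input. */
static unsigned flash_load_block(flash_model *s, unsigned page, unsigned offset)
{
    if (!flash_blk_load(s, page, offset)) {
        return 0;
    }
    unsigned avail = MODEL_PAGE_SIZE + (s->gnd ? MODEL_OOB_SIZE : 0);
    return offset > avail ? 0 : avail - offset;  /* past readable area -> 0 */
}

/* One data-read cycle: next byte, or 0 once iolen is exhausted. */
static uint8_t flash_getio(flash_model *s)
{
    if (s->iolen == 0) {
        return 0;
    }
    s->iolen--;
    return *s->ioaddr++;
}

/* Constructed content: storage[i] == i mod 256, so every byte is predictable. */
static void flash_init(flash_model *s, bool gnd)
{
    memset(s, 0, sizeof(*s));
    s->gnd = gnd;
    for (size_t i = 0; i < sizeof(s->storage); i++) {
        s->storage[i] = (uint8_t)i;
    }
}

/* Readable length for (page, offset) on a fresh model; 0 means rejected. */
static unsigned flash_avail(bool gnd, unsigned page, unsigned offset)
{
    static flash_model m;
    flash_init(&m, gnd);
    return flash_load_block(&m, page, offset);
}

/* First byte a reader would see for (page, offset), or -1 if rejected. */
static int flash_first_byte(bool gnd, unsigned page, unsigned offset)
{
    static flash_model m;
    flash_init(&m, gnd);
    m.iolen = flash_load_block(&m, page, offset);
    return m.iolen ? flash_getio(&m) : -1;
}

int main(void)
{
    printf("page 1 offset 10: %u bytes readable, first byte 0x%02x\n",
           flash_avail(false, 1, 10), flash_first_byte(false, 1, 10));
    return 0;
}
```

Build with `cc -Wall -o nand-model nand-model.c` and run it; an in-range offset yields data, an offset past the page (or a page past the chip) yields a zero length, and no input value can reach an abort. The two-level shape mirrors the patch: the low-level loader owns the memory-safety check, and the caller owns the policy of reporting nothing when that check fails.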
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Zheyu Ma, Peter Maydell, Michael Tokarev
Subject: [Stable-7.2.11 52/59] hw/misc/applesmc: Fix memory leak in reset() handler
Date: Thu, 18 Apr 2024 23:02:12 +0300
Message-Id: <20240418200224.952785-11-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

AppleSMCData is allocated with g_new0() in applesmc_add_key():
release it with g_free().

Leaked since commit 1ddda5cd36 ("AppleSMC device emulation").

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2272
Reported-by: Zheyu Ma
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Peter Maydell
Message-Id: <20240408095217.57239-3-philmd@linaro.org>
(cherry picked from commit fc09ff2979defdcf8d00c2db94022d5d610e36ba)
Signed-off-by: Michael Tokarev

diff --git a/hw/misc/applesmc.c b/hw/misc/applesmc.c
index 5f9c742e50..80642efc57 100644
--- a/hw/misc/applesmc.c
+++ b/hw/misc/applesmc.c
@@ -273,6 +273,7 @@ static void qdev_applesmc_isa_reset(DeviceState *dev) /* Remove existing entries */ QLIST_FOREACH_SAFE(d, &s->data_def, node, next) { QLIST_REMOVE(d, node); + g_free(d); } s->status = 0x00; s->status_1e = 0x00;
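Review bot: Freeing `d` inside QLIST_FOREACH_SAFE() is safe here only because the macro reads `next` before the loop body runs, which is why the `_SAFE` variant is required; a one-line comment saying so would stop a later change to plain QLIST_FOREACH from turning this into a use-after-free. Also check whether the device's finalize/unrealize path walks `s->data_def` the same way: the entries created by applesmc_add_key() are now released only on reset, so a device torn down without a reset would still leak them.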
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Zheyu Ma, zhenwei pi, Michael Tokarev
Subject: [Stable-7.2.11 53/59] backends/cryptodev: Do not abort for invalid session ID
Date: Thu, 18 Apr 2024 23:02:13 +0300
Message-Id: <20240418200224.952785-12-mjt@tls.msk.ru>
From: Philippe Mathieu-Daudé

Instead of aborting when a session ID is invalid,
return VIRTIO_CRYPTO_INVSESS ("Invalid session id").

Reproduced using:

  $ cat << EOF | qemu-system-i386 -display none \
      -machine q35,accel=qtest -m 512M -nodefaults \
      -object cryptodev-backend-builtin,id=cryptodev0 \
      -device virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 \
      -qtest stdio
  outl 0xcf8 0x80000804
  outw 0xcfc 0x06
  outl 0xcf8 0x80000820
  outl 0xcfc 0xe0008000
  write 0x10800e 0x1 0x01
  write 0xe0008016 0x1 0x01
  write 0xe0008020 0x4 0x00801000
  write 0xe0008028 0x4 0x00c01000
  write 0xe000801c 0x1 0x01
  write 0x110000 0x1 0x05
  write 0x110001 0x1 0x04
  write 0x108002 0x1 0x11
  write 0x108008 0x1 0x48
  write 0x10800c 0x1 0x01
  write 0x108018 0x1 0x10
  write 0x10801c 0x1 0x02
  write 0x10c002 0x1 0x01
  write 0xe000b005 0x1 0x00
  EOF
  Assertion failed: (session_id < MAX_NUM_SESSIONS && builtin->sessions[session_id]), function cryptodev_builtin_close_session, file cryptodev-builtin.c, line 430.

Cc: qemu-stable@nongnu.org
Reported-by: Zheyu Ma
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2274
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: zhenwei pi
Message-Id: <20240409094757.9127-1-philmd@linaro.org>
(cherry picked from commit eaf2bd29538d039df80bb4b1584de33a61312bc6)
Signed-off-by: Michael Tokarev

diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c
index cda6ca3b71..2e792be756 100644
--- a/backends/cryptodev-builtin.c
+++ b/backends/cryptodev-builtin.c
@@ -416,7 +416,9 @@ static int cryptodev_builtin_close_session( CRYPTODEV_BACKEND_BUILTIN(backend); CryptoDevBackendBuiltinSession *session; - assert(session_id < MAX_NUM_SESSIONS && builtin->sessions[session_id]); + if (session_id >= MAX_NUM_SESSIONS || !builtin->sessions[session_id]) { + return -VIRTIO_CRYPTO_INVSESS; + } session = builtin->sessions[session_id]; if (session->cipher) {
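Review bot: The replacement check relies on `session_id` being an unsigned type: if the prototype takes a signed id, a negative value passes `session_id >= MAX_NUM_SESSIONS` and `builtin->sessions[session_id]` reads before the array, so please confirm the parameter type or cast explicitly. Since an invalid id is now a guest-triggerable error path rather than an abort, add a qemu_log_mask(LOG_GUEST_ERROR, ...) before `return -VIRTIO_CRYPTO_INVSESS;` so the misbehaving guest leaves a trace, and check that the operation path which dereferences `builtin->sessions[...]` applies the same bound instead of an assert.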
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Chuhong Yuan, Peter Maydell, Michael Tokarev
Subject: [Stable-7.2.11 54/59] hw/net/lan9118: Fix overflow in MIL TX FIFO
Date: Thu, 18 Apr 2024 23:02:14 +0300
Message-Id: <20240418200224.952785-13-mjt@tls.msk.ru>
From: Philippe Mathieu-Daudé

When the MAC Interface Layer (MIL) transmit FIFO is full, truncate
the packet, and raise the Transmitter Error (TXE) flag.

Broken since model introduction in commit 2a42499017
("LAN9118 emulation").

When using the reproducer from
https://gitlab.com/qemu-project/qemu/-/issues/2267 we get:

  hw/net/lan9118.c:798:17: runtime error: index 2048 out of bounds for type 'uint8_t[2048]' (aka 'unsigned char[2048]')
      #0 0x563ec9a057b1 in tx_fifo_push hw/net/lan9118.c:798:43
      #1 0x563ec99fbb28 in lan9118_writel hw/net/lan9118.c:1042:9
      #2 0x563ec99f2de2 in lan9118_16bit_mode_write hw/net/lan9118.c:1205:9
      #3 0x563ecbf78013 in memory_region_write_accessor system/memory.c:497:5
      #4 0x563ecbf776f5 in access_with_adjusted_size system/memory.c:573:18
      #5 0x563ecbf75643 in memory_region_dispatch_write system/memory.c:1521:16
      #6 0x563ecc01bade in flatview_write_continue_step system/physmem.c:2713:18
      #7 0x563ecc01b374 in flatview_write_continue system/physmem.c:2743:19
      #8 0x563ecbff1c9b in flatview_write system/physmem.c:2774:12
      #9 0x563ecbff1768 in address_space_write system/physmem.c:2894:18
      ...

[*] LAN9118 DS00002266B.pdf, Table 5.3.3 "INTERRUPT STATUS REGISTER"

Cc: qemu-stable@nongnu.org
Reported-by: Will Lester
Reported-by: Chuhong Yuan
Suggested-by: Peter Maydell
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2267
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Peter Maydell
Message-Id: <20240409133801.23503-3-philmd@linaro.org>
(cherry picked from commit ad766d603f39888309cfb1433ba2de1d0e9e4f58)
Signed-off-by: Michael Tokarev

diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
index 00a6d82efb..bf81c84984 100644
--- a/hw/net/lan9118.c
+++ b/hw/net/lan9118.c
@@ -798,8 +798,22 @@ static void tx_fifo_push(lan9118_state *s, uint32_t val) /* Documentation is somewhat unclear on the ordering of bytes in FIFO words. Empirical results show it to be little-endian. */ - /* TODO: FIFO overflow checking. */ while (n--) { + if (s->txp->len == MIL_TXFIFO_SIZE) { + /* + * No more space in the FIFO. The datasheet is not + * precise about this case. We choose what is easiest + * to model: the packet is truncated, and TXE is raised. + * + * Note, it could be a fragmented packet, but we currently + * do not handle that (see earlier TX_B case). + */ + qemu_log_mask(LOG_GUEST_ERROR, + "MIL TX FIFO overrun, discarding %u byte%s\n", + n, n > 1 ? "s" : ""); + s->int_sts |= TXE_INT; + break; + } s->txp->data[s->txp->len] = val & 0xff; s->txp->len++; val >>= 8;
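Review bot: This hunk uses MIL_TXFIFO_SIZE, but in this series that macro is only introduced by 55/59 (index bf81c84984..f269d72d9e, applied on top of this patch's bf81c84984), so the tree does not build between 54/59 and 55/59 and bisection breaks there; swap the two patches to restore the upstream order (Message-Id 23503-2 before 23503-3). Also, the byte count in the overrun message is off by one: `while (n--)` has already decremented `n` when the full-FIFO check runs, so the current byte plus `n` more are dropped, yet the log prints `n` (and reads "discarding 0 byte" when the very last byte is the one refused). Use `n + 1` in both the count and the plural test.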
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Peter Maydell, Michael Tokarev
Subject: [Stable-7.2.11 55/59] hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition
Date: Thu, 18 Apr 2024 23:02:15 +0300
Message-Id: <20240418200224.952785-14-mjt@tls.msk.ru>

From: Philippe Mathieu-Daudé

The magic 2048 is explained in the LAN9211 datasheet (DS00002414A)
in chapter 1.4, "10/100 Ethernet MAC":

  The MAC Interface Layer (MIL), within the MAC, contains a 2K Byte
  transmit and a 128 Byte receive FIFO which is separate from the TX
  and RX FIFOs. [...]

Note, the use of the constant in lan9118_receive() reveals that
our implementation is using the same buffer for both tx and rx.

Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Peter Maydell
Message-Id: <20240409133801.23503-2-philmd@linaro.org>
(cherry picked from commit a45223467e4e185fff1c76a6483784fa379ded77)
Signed-off-by: Michael Tokarev

diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
index bf81c84984..f269d72d9e 100644
--- a/hw/net/lan9118.c
+++ b/hw/net/lan9118.c
@@ -155,6 +155,12 @@ do { fprintf(stderr, "lan9118: error: " fmt , ## __VA_ARGS__);} while (0) #define GPT_TIMER_EN 0x20000000 +/* + * The MAC Interface Layer (MIL), within the MAC, contains a 2K Byte transmit + * and a 128 Byte receive FIFO which is separate from the TX and RX FIFOs. + */ +#define MIL_TXFIFO_SIZE 2048 + enum tx_state { TX_IDLE, TX_B, @@ -171,7 +177,7 @@ typedef struct { int32_t pad; int32_t fifo_used; int32_t len; - uint8_t data[2048]; + uint8_t data[MIL_TXFIFO_SIZE]; } LAN9118Packet; static const VMStateDescription vmstate_lan9118_packet = { @@ -187,7 +193,7 @@ static const VMStateDescription vmstate_lan9118_packet = { VMSTATE_INT32(pad, LAN9118Packet), VMSTATE_INT32(fifo_used, LAN9118Packet), VMSTATE_INT32(len, LAN9118Packet), - VMSTATE_UINT8_ARRAY(data, LAN9118Packet, 2048), + VMSTATE_UINT8_ARRAY(data, LAN9118Packet, MIL_TXFIFO_SIZE), VMSTATE_END_OF_LIST() } }; 
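Review bot: The comment above `#define MIL_TXFIFO_SIZE 2048` documents the hardware's separate 2K-byte transmit and 128-byte receive FIFOs, but the commit message says this model uses the same `data[]` buffer for both TX and RX; that caveat belongs in the code comment as well, since readers of lan9118.c do not see the commit message and the define's TX-only name will otherwise look wrong where it bounds received frames. The VMSTATE_UINT8_ARRAY change is fine only as long as the value stays 2048 (the migration stream layout is unchanged); a note to that effect next to the define would stop a future resize from silently breaking migration compatibility.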
@@ -549,7 +555,7 @@ static ssize_t lan9118_receive(NetClientState *nc, const uint8_t *buf, return -1; } - if (size >= 2048 || size < 14) { + if (size >= MIL_TXFIFO_SIZE || size < 14) { return -1; }
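Review bot: `size >= MIL_TXFIFO_SIZE` in lan9118_receive() bounds received frames against a constant named for the TX FIFO; it is correct only because the array it protects is `data[MIL_TXFIFO_SIZE]`, not because the MIL receive FIFO is that size (the datasheet quote in the commit message says 128 bytes). Consider a separate define for the packet buffer size, used both for `data[]` and here, so the RX bound is tied to the buffer it protects rather than to a TX constant, or at least a one-line comment at this site explaining why a TX size is used on the receive path.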
From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Philippe Mathieu-Daudé, Alexander Bulekov, Chuhong Yuan, Peter Maydell, Michael Tokarev
Subject: [Stable-7.2.11 56/59] hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set
Date: Thu, 18 Apr 2024 23:02:16 +0300
Message-Id: <20240418200224.952785-15-mjt@tls.msk.ru>
From: Philippe Mathieu-Daudé

Per "SD Host Controller Standard Specification Version 3.00":

  * 2.2.5 Transfer Mode Register (Offset 00Ch)

    Writes to this register shall be ignored when the Command
    Inhibit (DAT) in the Present State register is 1.

Do not update the TRNMOD register when Command Inhibit (DAT)
bit is set to avoid the present-status register going out of
sync, leading to malicious guest using DMA mode and overflowing
the FIFO buffer:

  $ cat << EOF | qemu-system-i386 \
                     -display none -nographic -nodefaults \
                     -machine accel=qtest -m 512M \
                     -device sdhci-pci,sd-spec-version=3 \
                     -device sd-card,drive=mydrive \
                     -drive if=none,index=0,file=null-co://,format=raw,id=mydrive \
                     -qtest stdio
  outl 0xcf8 0x80001013
  outl 0xcfc 0x91
  outl 0xcf8 0x80001001
  outl 0xcfc 0x06000000
  write 0x9100002c 0x1 0x05
  write 0x91000058 0x1 0x16
  write 0x91000005 0x1 0x04
  write 0x91000028 0x1 0x08
  write 0x16 0x1 0x21
  write 0x19 0x1 0x20
  write 0x9100000c 0x1 0x01
  write 0x9100000e 0x1 0x20
  write 0x9100000f 0x1 0x00
  write 0x9100000c 0x1 0x00
  write 0x91000020 0x1 0x00
  EOF

Stack trace (part):

 =================================================================
 ==89993==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000029900
 at pc 0x55d5f885700d bp 0x7ffc1e1e9470 sp 0x7ffc1e1e9468
 WRITE of size 1 at 0x615000029900 thread T0
     #0 0x55d5f885700c in sdhci_write_dataport hw/sd/sdhci.c:564:39
     #1 0x55d5f8849150 in sdhci_write hw/sd/sdhci.c:1223:13
     #2 0x55d5fa01db63 in memory_region_write_accessor system/memory.c:497:5
     #3 0x55d5fa01d245 in access_with_adjusted_size system/memory.c:573:18
     #4 0x55d5fa01b1a9 in memory_region_dispatch_write system/memory.c:1521:16
     #5 0x55d5fa09f5c9 in flatview_write_continue system/physmem.c:2711:23
     #6 0x55d5fa08f78b in flatview_write system/physmem.c:2753:12
     #7 0x55d5fa08f258 in address_space_write system/physmem.c:2860:18
     ...
 0x615000029900 is located 0 bytes to the right of 512-byte region [0x615000029700,0x615000029900)
 allocated by thread T0 here:
     #0 0x55d5f7237b27 in __interceptor_calloc
     #1 0x7f9e36dd4c50 in g_malloc0
     #2 0x55d5f88672f7 in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5
     #3 0x55d5f844b582 in pci_qdev_realize hw/pci/pci.c:2092:9
     #4 0x55d5fa2ee74b in device_set_realized hw/core/qdev.c:510:13
     #5 0x55d5fa325bfb in property_set_bool qom/object.c:2358:5
     #6 0x55d5fa31ea45 in object_property_set qom/object.c:1472:5
     #7 0x55d5fa332509 in object_property_set_qobject om/qom-qobject.c:28:10
     #8 0x55d5fa31f6ed in object_property_set_bool qom/object.c:1541:15
     #9 0x55d5fa2e2948 in qdev_realize hw/core/qdev.c:292:12
     #10 0x55d5f8eed3f1 in qdev_device_add_from_qdict system/qdev-monitor.c:719:10
     #11 0x55d5f8eef7ff in qdev_device_add system/qdev-monitor.c:738:11
     #12 0x55d5f8f211f0 in device_init_func system/vl.c:1200:11
     #13 0x55d5fad0877d in qemu_opts_foreach util/qemu-option.c:1135:14
     #14 0x55d5f8f0df9c in qemu_create_cli_devices system/vl.c:2638:5
     #15 0x55d5f8f0db24 in qmp_x_exit_preconfig system/vl.c:2706:5
     #16 0x55d5f8f14dc0 in qemu_init system/vl.c:3737:9
     ...
 SUMMARY: AddressSanitizer: heap-buffer-overflow hw/sd/sdhci.c:564:39 in sdhci_write_dataport

Add assertions to ensure the fifo_buffer[] is not overflowed
by malicious accesses to the Buffer Data Port register.

Fixes: CVE-2024-3447
Cc: qemu-stable@nongnu.org
Fixes: d7dfca0807 ("hw/sdhci: introduce standard SD host controller")
Buglink: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813
Reported-by: Alexander Bulekov
Reported-by: Chuhong Yuan
Signed-off-by: Peter Maydell
Message-Id:
Signed-off-by: Philippe Mathieu-Daudé
Message-Id: <20240409145524.27913-1-philmd@linaro.org>
(cherry picked from commit 9e4b27ca6bf4974f169bbca7f3dca117b1208b6f)
Signed-off-by: Michael Tokarev

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index ef60badc6b..abd503d168 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -473,6 +473,7 @@ static uint32_t sdhci_read_dataport(SDHCIState *s, unsigned size) } for (i = 0; i < size; i++) { + assert(s->data_count < s->buf_maxsz); value |= s->fifo_buffer[s->data_count] << i * 8; s->data_count++; /* check if we've read all valid data (blksize bytes) from buffer */ @@ -561,6 +562,7 @@ static void sdhci_write_dataport(SDHCIState *s, uint32_t value, unsigned size) } for (i = 0; i < size; i++) { + assert(s->data_count < s->buf_maxsz); s->fifo_buffer[s->data_count] = value & 0xFF; s->data_count++; value >>= 8; @@ -1208,6 +1210,12 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) if (!(s->capareg & R_SDHC_CAPAB_SDMA_MASK)) { value &= ~SDHC_TRNS_DMA; } + + /* TRNMOD writes are inhibited while Command Inhibit (DAT) is true */ + if (s->prnsts & SDHC_DATA_INHIBIT) { + mask |= 0xffff; + } + MASKED_WRITE(s->trnmod, mask, value & SDHC_TRNMOD_MASK); MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16);
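Review bot: In the SDHC_TRNMOD hunk, check that `mask |= 0xffff;` really makes the write a no-op: `mask` is the set of bits MASKED_WRITE preserves (the cmdreg call below passes `mask >> 16` for the same purpose), and the call still hands `value & SDHC_TRNMOD_MASK` in as the new bits, so if MASKED_WRITE is of the form `reg = (reg & mask) | val` the guest can still set TRNMOD bits while Command Inhibit (DAT) is 1 and only clearing them is blocked. Clearing the low half of `value` together with the mask change (`value &= ~0xffff;`) would ignore the write entirely, as spec 2.2.5 requires, and leaves the cmdreg write unaffected since that uses `value >> 16`. On the two assert() additions in sdhci_read_dataport() and sdhci_write_dataport(): a guest-reachable assert is an abort, i.e. a denial of service, which is the right trade-off against a heap overflow only if the TRNMOD change closes every path that lets `s->data_count` reach `s->buf_maxsz`; if another path remains, a qemu_log_mask(LOG_GUEST_ERROR, ...) plus an early return would be the safer fallback.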