Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch b/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch
new file mode 100644
index 0000000000..37e122f781
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch
@@ -0,0 +1,83 @@
+From 41d5e8da3d5e0a143a9fb397c9f34707ec544997 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 17 Dec 2021 22:43:05 +0100
+Subject: [PATCH] hw/scsi/megasas: Use uint32_t for reply queue head/tail
+ values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+While the reply queue values fit in 16-bit, they are accessed
+as 32-bit:
+
+ 661: s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
+ 662: s->reply_queue_head %= MEGASAS_MAX_FRAMES;
+ 663: s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
+ 664: s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
+
+Having:
+
+ 41:#define MEGASAS_MAX_FRAMES 2048 /* Firmware limit at 65535 */
+
+In order to update the ld/st*_pci_dma() API to pass the address
+of the value to access, it is simpler to have the head/tail declared
+as 32-bit values. Replace the uint16_t by uint32_t, wasting 4 bytes in
+the MegasasState structure.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=41d5e8da3d5e0a143a9fb397c9f34707ec544997]
+
+Acked-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-20-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/scsi/megasas.c | 4 ++--
+ hw/scsi/trace-events | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 8f35784..14ec6d6 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -109,8 +109,8 @@ struct MegasasState {
+ uint64_t reply_queue_pa;
+ void *reply_queue;
+ uint16_t reply_queue_len;
+- uint16_t reply_queue_head;
+- uint16_t reply_queue_tail;
++ uint32_t reply_queue_head;
++ uint32_t reply_queue_tail;
+ uint64_t consumer_pa;
+ uint64_t producer_pa;
+
+diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events
+index 92d5b40..ae8551f 100644
+--- a/hw/scsi/trace-events
++++ b/hw/scsi/trace-events
+@@ -42,18 +42,18 @@ mptsas_config_sas_phy(void *dev, int address, int port, int phy_handle, int dev_
+
+ # megasas.c
+ megasas_init_firmware(uint64_t pa) "pa 0x%" PRIx64 " "
+-megasas_init_queue(uint64_t queue_pa, int queue_len, uint64_t head, uint64_t tail, uint32_t flags) "queue at 0x%" PRIx64 " len %d head 0x%" PRIx64 " tail 0x%" PRIx64 " flags 0x%x"
++megasas_init_queue(uint64_t queue_pa, int queue_len, uint32_t head, uint32_t tail, uint32_t flags) "queue at 0x%" PRIx64 " len %d head 0x%" PRIx32 " tail 0x%" PRIx32 " flags 0x%x"
+ megasas_initq_map_failed(int frame) "scmd %d: failed to map queue"
+ megasas_initq_mapped(uint64_t pa) "queue already mapped at 0x%" PRIx64
+ megasas_initq_mismatch(int queue_len, int fw_cmds) "queue size %d max fw cmds %d"
+ megasas_qf_mapped(unsigned int index) "skip mapped frame 0x%x"
+ megasas_qf_new(unsigned int index, uint64_t frame) "frame 0x%x addr 0x%" PRIx64
+ megasas_qf_busy(unsigned
long pa) "all frames busy for frame 0x%lx"
+-megasas_qf_enqueue(unsigned int index, unsigned int count, uint64_t context, unsigned int head, unsigned int tail, int busy) "frame 0x%x count %d context 0x%" PRIx64 " head 0x%x tail 0x%x busy %d"
+-megasas_qf_update(unsigned int head, unsigned int tail, unsigned int busy) "head 0x%x tail 0x%x busy %d"
++megasas_qf_enqueue(unsigned int index, unsigned int count, uint64_t context, uint32_t head, uint32_t tail, unsigned int busy) "frame 0x%x count %d context 0x%" PRIx64 " head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u"
++megasas_qf_update(uint32_t head, uint32_t tail, unsigned int busy) "head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u"
+ megasas_qf_map_failed(int cmd, unsigned long frame) "scmd %d: frame %lu"
+ megasas_qf_complete_noirq(uint64_t context) "context 0x%" PRIx64 " "
+-megasas_qf_complete(uint64_t context, unsigned int head, unsigned int tail, int busy) "context 0x%" PRIx64 " head 0x%x tail 0x%x busy %d"
++megasas_qf_complete(uint64_t context, uint32_t head, uint32_t tail, int busy) "context 0x%" PRIx64 " head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u"
+ megasas_frame_busy(uint64_t addr) "frame 0x%" PRIx64 " busy"
+ megasas_unhandled_frame_cmd(int cmd, uint8_t frame_cmd) "scmd %d: MFI cmd 0x%x"
+ megasas_handle_scsi(const char *frame, int bus, int dev, int lun, void *sdev, unsigned long size) "%s dev %x/%x/%x sdev %p xfer %lu"
+--
+1.8.3.1
+ |
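Review bot: In the embedded trace-events hunk, the new `megasas_qf_complete` line keeps `int busy` while its format string is changed to `busy %u`; the neighbouring `megasas_qf_enqueue` and `megasas_qf_update` lines were switched to `unsigned int busy` together with `%u`, so this one looks like an oversight that `-Wformat` would report. As the file is a verbatim upstream backport it is reasonable to leave it and note it, but if a local deviation is acceptable the consistent line is `++megasas_qf_complete(uint64_t context, uint32_t head, uint32_t tail, unsigned int busy) "context 0x%" PRIx64 " head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u"`. Separately, the `CVE: CVE-2021-3611` tag is attached to a change that only widens `reply_queue_head`/`reply_queue_tail` to `uint32_t` and, by its own description, exists to prepare an ld/st*_pci_dma() API change; the Message-Id suffix `-20-` suggests it is one patch of a longer series, so confirm that the patches which actually bound the guest-supplied head/tail values read via `ldl_le_pci_dma()` are also carried by the recipe, otherwise the tag overstates what this file fixes on its own.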