From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Muhammad Alifa Ramdhan, Bin Meng, Cornelius Aschermann, Simon Wörner, Sergej Schumilo, qemu-block@nongnu.org
Subject: [PULL 1/7] hw/sd: sd: Fix build error when DEBUG_SD is on
Date: Mon, 22 Mar 2021 18:16:04 +0100
Message-Id: <20210322171610.4183696-2-f4bug@amsat.org>
In-Reply-To: <20210322171610.4183696-1-f4bug@amsat.org>

From: Bin Meng

"qemu-common.h" should be included to provide the forward declaration
of qemu_hexdump() when DEBUG_SD is on.

Signed-off-by: Bin Meng
Reviewed-by: Philippe Mathieu-Daudé
Message-Id: <20210228050609.24779-1-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé
--- hw/sd/sd.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/sd/sd.c b/hw/sd/sd.c index 8b397effbcc..7b09ce9c2ef 100644 --- a/hw/sd/sd.c +++ b/hw/sd/sd.c 
@@ -47,6 +47,7 @@ #include "qemu/timer.h" #include "qemu/log.h" #include "qemu/module.h" +#include "qemu-common.h" #include "sdmmc-internal.h" #include "trace.h" =20 --=20 2.26.2
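
Review bot: the added include of "qemu-common.h" is unconditional, although the commit message says it is only needed for qemu_hexdump() when DEBUG_SD is on, so nothing in the default build shows why it is there. A short comment on that line, for example /* qemu_hexdump(), used under DEBUG_SD */, would keep a later include cleanup from dropping it and bringing the build break back. Since the DEBUG_SD path is not compiled by default, a build job with DEBUG_SD defined would catch this class of breakage.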

From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Muhammad Alifa Ramdhan, Bin Meng, Cornelius Aschermann, Simon Wörner, Sergej Schumilo, qemu-block@nongnu.org
Subject: [PULL 2/7] hw/sd: sd: Actually perform the erase operation
Date: Mon, 22 Mar 2021 18:16:05 +0100
Message-Id: <20210322171610.4183696-3-f4bug@amsat.org>
In-Reply-To: <20210322171610.4183696-1-f4bug@amsat.org>

From: Bin Meng

At present the sd_erase() does not erase the requested range of card
data to 0xFFs. Let's make the erase operation actually happen.

Signed-off-by: Bin Meng
Message-Id: <1613811493-58815-1-git-send-email-bmeng.cn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Philippe Mathieu-Daudé
--- hw/sd/sd.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/hw/sd/sd.c b/hw/sd/sd.c index 7b09ce9c2ef..282d39a7042 100644 --- a/hw/sd/sd.c +++ b/hw/sd/sd.c @@ -763,10 +763,12 @@ static void sd_blk_write(SDState *sd, uint64_t addr, = uint32_t len) =20 static void sd_erase(SDState *sd) { - int i; uint64_t erase_start =3D sd->erase_start; uint64_t erase_end =3D sd->erase_end; bool sdsc =3D true; + uint64_t wpnum; + uint64_t erase_addr; + int erase_len =3D 1 << HWBLOCK_SHIFT; =20 trace_sdcard_erase(sd->erase_start, sd->erase_end); if (sd->erase_start =3D=3D INVALID_ADDRESS 
@@ -795,17 +797,19 @@ static void sd_erase(SDState *sd) sd->erase_end =3D INVALID_ADDRESS; sd->csd[14] |=3D 0x40; =20 - /* Only SDSC cards support write protect groups */ - if (sdsc) { - erase_start =3D sd_addr_to_wpnum(erase_start); - erase_end =3D sd_addr_to_wpnum(erase_end); - - for (i =3D erase_start; i <=3D erase_end; i++) { - assert(i < sd->wpgrps_size); - if (test_bit(i, sd->wp_groups)) { + memset(sd->data, 0xff, erase_len); + for (erase_addr =3D erase_start; erase_addr <=3D erase_end; + erase_addr +=3D erase_len) { + if (sdsc) { + /* Only SDSC cards support write protect groups */ + wpnum =3D sd_addr_to_wpnum(erase_addr); + assert(wpnum < sd->wpgrps_size); + if (test_bit(wpnum, sd->wp_groups)) { sd->card_status |=3D WP_ERASE_SKIP; + continue; } } + BLK_WRITE_BLOCK(erase_addr, erase_len); } } =20 --=20 2.26.2
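
Review bot: the new loop at the end of sd_erase() has no range check of its own. It calls BLK_WRITE_BLOCK(erase_addr, erase_len) for every erase_addr <= erase_end, and when sdsc is false the assert on wpnum is skipped, so nothing in these hunks ties erase_end + erase_len to the card size. Please confirm the range is validated before this point and say so in a comment, or clamp it here. For SDSC cards, assert(wpnum < sd->wpgrps_size) is reached with an address taken from sd->erase_start and sd->erase_end, so an out-of-range erase aborts QEMU instead of reporting an error in card_status; a checked error path would be safer than an assert. Minor: memset(sd->data, 0xff, erase_len) overwrites the shared data buffer, which deserves a comment, and erase_len is an int added to a uint64_t address.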

From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Muhammad Alifa Ramdhan, Bin Meng, Cornelius Aschermann, Simon Wörner, Sergej Schumilo, qemu-block@nongnu.org, Bin Meng, qemu-stable@nongnu.org, Alexander Bulekov, Alistair Francis
Subject: [PULL 3/7] hw/sd: sdhci: Don't transfer any data when command time out
Date: Mon, 22 Mar 2021 18:16:06 +0100
Message-Id: <20210322171610.4183696-4-f4bug@amsat.org>
In-Reply-To: <20210322171610.4183696-1-f4bug@amsat.org>

From: Bin Meng

At the end of sdhci_send_command(), it starts a data transfer if the
command register indicates data is associated. But the data transfer
should only be initiated when the command execution has succeeded.

With this fix, the following reproducer:

outl 0xcf8 0x80001810
outl 0xcfc 0xe1068000
outl 0xcf8 0x80001804
outw 0xcfc 0x7
write 0xe106802c 0x1 0x0f
write 0xe1068004 0xc 0x2801d10101fffffbff28a384
write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
write 0xe1068003 0x1 0xfe

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
      -device sdhci-pci,sd-spec-version=3 \
      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
      -device sd-card,drive=mydrive \
      -monitor none -serial none -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Acked-by: Alistair Francis
Tested-by: Alexander Bulekov
Tested-by: Philippe Mathieu-Daudé
Signed-off-by: Bin Meng
Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé
--- hw/sd/sdhci.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c index 9acf4467a32..f72d76c1784 100644 --- a/hw/sd/sdhci.c +++ b/hw/sd/sdhci.c 
@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s) SDRequest request; uint8_t response[16]; int rlen; + bool timeout =3D false; =20 s->errintsts =3D 0; s->acmd12errsts =3D 0; @@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s) trace_sdhci_response16(s->rspreg[3], s->rspreg[2], s->rspreg[1], s->rspreg[0]); } else { + timeout =3D true; trace_sdhci_error("timeout waiting for command response"); if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) { s->errintsts |=3D SDHC_EIS_CMDTIMEOUT; 
@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s) =20 sdhci_update_irq(s); =20 - if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { + if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { s->data_count =3D 0; sdhci_data_transfer(s); } --=20 2.26.2
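
Review bot: in the last hunk the guard before sdhci_data_transfer() depends on the new local 'timeout' flag, and it is not obvious to a reader why s->errintsts is not tested instead. The second hunk shows SDHC_EIS_CMDTIMEOUT is only latched when SDHC_EISEN_CMDTIMEOUT is enabled in errintstsen, so a one-line comment at the declaration saying the flag tracks the timeout regardless of the interrupt enables would help. The diffstat touches only hw/sd/sdhci.c, so the reproducer from the commit message is not captured as a regression test in this patch; adding it as a qtest case would guard the fix.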

From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Muhammad Alifa Ramdhan, Bin Meng, Cornelius Aschermann, Simon Wörner, Sergej Schumilo, qemu-block@nongnu.org, Bin Meng, qemu-stable@nongnu.org, Alexander Bulekov
Subject: [PULL 4/7] hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in progress
Date: Mon, 22 Mar 2021 18:16:07 +0100
Message-Id: <20210322171610.4183696-5-f4bug@amsat.org>
In-Reply-To: <20210322171610.4183696-1-f4bug@amsat.org>

From: Bin Meng

Per "SD Host Controller Standard Specification Version 7.00"
chapter 2.2.1 SDMA System Address Register:

This register can be accessed only if no transaction is executing
(i.e., after a transaction has stopped).

With this fix, the following reproducer:

outl 0xcf8 0x80001010
outl 0xcfc 0xfbefff00
outl 0xcf8 0x80001001
outl 0xcfc 0x06000000
write 0xfbefff2c 0x1 0x05
write 0xfbefff0f 0x1 0x37
write 0xfbefff0a 0x1 0x01
write 0xfbefff0f 0x1 0x29
write 0xfbefff0f 0x1 0x02
write 0xfbefff0f 0x1 0x03
write 0xfbefff04 0x1 0x01
write 0xfbefff05 0x1 0x01
write 0xfbefff07 0x1 0x02
write 0xfbefff0c 0x1 0x33
write 0xfbefff0e 0x1 0x20
write 0xfbefff0f 0x1 0x00
write 0xfbefff2a 0x1 0x01
write 0xfbefff0c 0x1 0x00
write 0xfbefff03 0x1 0x00
write 0xfbefff05 0x1 0x00
write 0xfbefff2a 0x1 0x02
write 0xfbefff0c 0x1 0x32
write 0xfbefff01 0x1 0x01
write 0xfbefff02 0x1 0x01
write 0xfbefff03 0x1 0x01

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
      -nodefaults -device sdhci-pci,sd-spec-version=3 \
      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
      -device sd-card,drive=mydrive -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Tested-by: Alexander Bulekov
Signed-off-by: Bin Meng
Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé
--- hw/sd/sdhci.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) 
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c index f72d76c1784..3feb6c3a1fe 100644 --- a/hw/sd/sdhci.c +++ b/hw/sd/sdhci.c 
@@ -1121,15 +1121,17 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t v= al, unsigned size) =20 switch (offset & ~0x3) { case SDHC_SYSAD: - s->sdmasysad =3D (s->sdmasysad & mask) | value; - MASKED_WRITE(s->sdmasysad, mask, value); - /* Writing to last byte of sdmasysad might trigger transfer */ - if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blk= cnt && - s->blksize && SDHC_DMA_TYPE(s->hostctl1) =3D=3D SDHC_CTRL_= SDMA) { - if (s->trnmod & SDHC_TRNS_MULTI) { - sdhci_sdma_transfer_multi_blocks(s); - } else { - sdhci_sdma_transfer_single_block(s); + if (!TRANSFERRING_DATA(s->prnsts)) { + s->sdmasysad =3D (s->sdmasysad & mask) | value; + MASKED_WRITE(s->sdmasysad, mask, value); + /* Writing to last byte of sdmasysad might trigger transfer */ + if (!(mask & 0xFF000000) && s->blkcnt && s->blksize && + SDHC_DMA_TYPE(s->hostctl1) =3D=3D SDHC_CTRL_SDMA) { + if (s->trnmod & SDHC_TRNS_MULTI) { + sdhci_sdma_transfer_multi_blocks(s); + } else { + sdhci_sdma_transfer_single_block(s); + } } } break; --=20 2.26.2
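
Review bot: in the SDHC_SYSAD case the condition that starts the SDMA transfer is inverted, not just tightened: the removed lines required TRANSFERRING_DATA(s->prnsts) to be true before calling sdhci_sdma_transfer_multi_blocks() or sdhci_sdma_transfer_single_block(), while the added block reaches them only when it is false. Please confirm, in the commit message or a comment, that a driver resuming a transfer by writing the last byte of SDHC_SYSAD still reaches these calls. The write is now dropped silently while a transfer is in progress; logging it with qemu_log_mask(LOG_GUEST_ERROR, ...) would make misbehaving guests visible. Also, the explicit assignment to s->sdmasysad followed by MASKED_WRITE(s->sdmasysad, mask, value) appears to update the same register twice, carried over from the old code; one of the two can go.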

From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Muhammad Alifa Ramdhan, Bin Meng, Cornelius Aschermann, Simon Wörner, Sergej Schumilo, qemu-block@nongnu.org, Bin Meng, qemu-stable@nongnu.org, Alexander Bulekov
Subject: [PULL 5/7] hw/sd: sdhci: Correctly set the controller status for ADMA
Date: Mon, 22 Mar 2021 18:16:08 +0100
Message-Id: <20210322171610.4183696-6-f4bug@amsat.org>
In-Reply-To: <20210322171610.4183696-1-f4bug@amsat.org>

From: Bin Meng

When an ADMA transfer is started, the code forgets to set the
controller status to indicate a transfer is in progress.

With this fix, the following 2 reproducers:

https://paste.debian.net/plain/1185136
https://paste.debian.net/plain/1185141

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
      -nodefaults -device sdhci-pci,sd-spec-version=3 \
      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
      -device sd-card,drive=mydrive -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Tested-by: Alexander Bulekov
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Bin Meng
Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé
--- hw/sd/sdhci.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c index 3feb6c3a1fe..7a2003b28b3 100644 --- a/hw/sd/sdhci.c +++ b/hw/sd/sdhci.c @@ -768,7 +768,9 @@ static void sdhci_do_adma(SDHCIState *s) =20 switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) { case SDHC_ADMA_ATTR_ACT_TRAN: /* data transfer */ + s->prnsts |=3D SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE; if (s->trnmod & SDHC_TRNS_READ) { + s->prnsts |=3D SDHC_DOING_READ; while (length) { if (s->data_count =3D=3D 0) { sdbus_read_data(&s->sdbus, s->fifo_buffer, block_s= ize); 
@@ -796,6 +798,7 @@ static void sdhci_do_adma(SDHCIState *s) } } } else { + s->prnsts |=3D SDHC_DOING_WRITE; while (length) { begin =3D s->data_count; if ((length + begin) < block_size) { --=20 2.26.2 From nobody Sun Apr 28 14:05:23 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of _spf.google.com designates 209.85.221.54 as permitted sender) client-ip=209.85.221.54; envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wr1-f54.google.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.221.54 as permitted sender) smtp.mailfrom=philippe.mathieu.daude@gmail.com ARC-Seal: i=1; a=rsa-sha256; t=1616433404; cv=none; d=zohomail.com; s=zohoarc; b=fJkMRIJbM/Y0Rd59jZpXnqFUgbLAu4TsjYHVXVEEASkSlqIvUVB6xrwT2EACIQVD3TEFueISFxEReKO6IqbCyds/juwGg2ZV83BkakWd79ms7hEQt9LgyeRXRAl9Hbx9eRGLuqsRks1QtlomgH+VWqmcEM+ZlceCm9bA191mt4I= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1616433404; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Sender:Subject:To; bh=YLOYqak8FH/Oy3wkw1CvXecOB1ns32LF4jnKjXataKE=; b=bpkQqPvmlEWzaMQM80j4aZS4pRDWsbWC2QkAm1bp/MrgIz2Y5dhIvHyzUcz6XSLZ/fhHpGPoFePojb75EG6OCCx8rMCl9vLud+Kn2zLTMCl0FYQepFU4NxnjE8JHHhDDEYzRXKvVDLJM9hju43BOdINEA0xs7b6UccjOeHvkZAk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of _spf.google.com designates 209.85.221.54 as permitted sender) smtp.mailfrom=philippe.mathieu.daude@gmail.com Received: from mail-wr1-f54.google.com (mail-wr1-f54.google.com [209.85.221.54]) by mx.zohomail.com with SMTPS id 161643340455034.747371328356394; Mon, 22 Mar 2021 10:16:44 -0700 (PDT) Received: by mail-wr1-f54.google.com with SMTP id x16so17966247wrn.4 for ; Mon, 22 Mar 2021 10:16:43 -0700 (PDT) Return-Path: Return-Path: Received: from localhost.localdomain (17.red-88-21-201.staticip.rima-tde.net. 
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Muhammad Alifa Ramdhan, Bin Meng, Cornelius Aschermann, Simon Wörner, Sergej Schumilo, qemu-block@nongnu.org, Bin Meng, Alexander Bulekov
Subject: [PULL 6/7] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE register is writable
Date: Mon, 22 Mar 2021 18:16:09 +0100
Message-Id: <20210322171610.4183696-7-f4bug@amsat.org>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20210322171610.4183696-1-f4bug@amsat.org>
References: <20210322171610.4183696-1-f4bug@amsat.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Bin Meng

The code to limit the maximum block size is only necessary when
the SDHC_BLKSIZE register is writable.

Tested-by: Alexander Bulekov
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Bin Meng
Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé
--- hw/sd/sdhci.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c index 7a2003b28b3..d0c8e293c0b 100644 --- a/hw/sd/sdhci.c +++ b/hw/sd/sdhci.c 
@@ -1142,15 +1142,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t v= al, unsigned size) if (!TRANSFERRING_DATA(s->prnsts)) { MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); - } =20 - /* Limit block size to the maximum buffer size */ - if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { - qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " - "the maximum buffer 0x%x\n", __func__, s->blksiz= e, - s->buf_maxsz); + /* Limit block size to the maximum buffer size */ + if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger th= an " + "the maximum buffer 0x%x\n", __func__, s->bl= ksize, + s->buf_maxsz); =20 - s->blksize =3D deposit32(s->blksize, 0, 12, s->buf_maxsz); + s->blksize =3D deposit32(s->blksize, 0, 12, s->buf_maxsz); + } } =20 break; --=20 2.26.2
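Review bot: In the moved qemu_log_mask() call, the comparison uses extract32(s->blksize, 0, 12) but the message prints the whole s->blksize as "Size", so the logged value can differ from the value that was actually compared against s->buf_maxsz; pass the same extracted 12-bit field to the format string. The commit message would also be easier to verify if it stated why the clamp can be skipped during a transfer, namely that this handler does not modify s->blksize when TRANSFERRING_DATA(s->prnsts) is true, so a value clamped by an earlier write stays in place.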
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Muhammad Alifa Ramdhan, Bin Meng, Cornelius Aschermann, Simon Wörner, Sergej Schumilo, qemu-block@nongnu.org, Bin Meng, qemu-stable@nongnu.org, Alexander Bulekov
Subject: [PULL 7/7] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when a different block size is programmed
Date: Mon, 22 Mar 2021 18:16:10 +0100
Message-Id: <20210322171610.4183696-8-f4bug@amsat.org>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20210322171610.4183696-1-f4bug@amsat.org>
References: <20210322171610.4183696-1-f4bug@amsat.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Bin Meng

If the block size is programmed to a different value from the
previous one, reset the data pointer of s->fifo_buffer[] so that
s->fifo_buffer[] can be filled in using the new block size in
the next transfer.

With this fix, the following reproducer:

outl 0xcf8 0x80001010
outl 0xcfc 0xe0000000
outl 0xcf8 0x80001001
outl 0xcfc 0x06000000
write 0xe000002c 0x1 0x05
write 0xe0000005 0x1 0x02
write 0xe0000007 0x1 0x01
write 0xe0000028 0x1 0x10
write 0x0 0x1 0x23
write 0x2 0x1 0x08
write 0xe000000c 0x1 0x01
write 0xe000000e 0x1 0x20
write 0xe000000f 0x1 0x00
write 0xe000000c 0x1 0x32
write 0xe0000004 0x2 0x0200
write 0xe0000028 0x1 0x00
write 0xe0000003 0x1 0x40

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
      -nodefaults -device sdhci-pci,sd-spec-version=3 \
      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
      -device sd-card,drive=mydrive -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Tested-by: Alexander Bulekov
Signed-off-by: Bin Meng
Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé
--- hw/sd/sdhci.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c index d0c8e293c0b..5b8678110b0 100644 --- a/hw/sd/sdhci.c +++ b/hw/sd/sdhci.c 
@@ -1140,6 +1140,8 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val= , unsigned size) break; case SDHC_BLKSIZE: if (!TRANSFERRING_DATA(s->prnsts)) { + uint16_t blksize =3D s->blksize; + MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); =20 @@ -1151,6 +1153,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t va= l, unsigned size) =20 s->blksize =3D deposit32(s->blksize, 0, 12, s->buf_maxsz); } + + /* + * If the block size is programmed to a different value from + * the previous one, reset the data pointer of s->fifo_buffer[] + * so that s->fifo_buffer[] can be filled in using the new blo= ck + * size in the next transfer. + */ + if (blksize !=3D s->blksize) { + s->data_count =3D 0; + } } =20 break; --=20 2.26.2
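Review bot: The new test "if (blksize !=3D s->blksize)" compares the whole register against a uint16_t snapshot, while the size that matters is the 12-bit field that extract32(s->blksize, 0, 12) and deposit32() operate on in the same block. Comparing the extracted field before and after the write would match the comment above it and would not depend on s->blksize having the same width as the local. The reset of s->data_count is only reached when !TRANSFERRING_DATA(s->prnsts) holds, which is worth stating in the comment because it relies on the status bits being accurate. The reproducer in the commit message would make a good qtest regression case.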