From: Jeuk Kim
To: qemu-devel@nongnu.org
Cc: jeuk20.kim@samsung.com, qemu-block@nongnu.org, qemu-stable@nongnu.org, j-young.choi@samsung.com, Rayhan Ramdhany Hanaputra
Subject: [PATCH 1/4] hw/ufs: Validate MCQ SQ references before use
Date: Wed, 6 May 2026 16:54:28 +0900
Message-ID: <23d46a0e034b9420125dfe40bffba445fc4ee19f.1778053560.git.jeuk20.kim@samsung.com>

A guest can program an out-of-range SQATTR.CQID value, or ring an MCQ SQ
doorbell before the submission queue exists. Reject SQ creation when the
referenced CQ is invalid, and ignore SQ doorbells for queues that have not
been created. This prevents a guest-triggerable out-of-bounds read and NULL
pointer dereference.
Fixes: 5c079578d2e ("hw/ufs: Add support MCQ of UFSHCI 4.0") Reported-by: Rayhan Ramdhany Hanaputra Cc: qemu-stable@nongnu.org Signed-off-by: Jeuk Kim --- hw/ufs/ufs.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c index cb74cb56bc..d5fba15e2a 100644 --- a/hw/ufs/ufs.c +++ b/hw/ufs/ufs.c @@ -517,8 +517,13 @@ static bool ufs_mcq_create_sq(UfsHc *u, uint8_t qid, u= int32_t attr) return false; } =20 + if (cqid >=3D u->params.mcq_maxq) { + trace_ufs_err_mcq_create_sq_invalid_cqid(cqid); + return false; + } + if (!u->cq[cqid]) { - trace_ufs_err_mcq_create_sq_invalid_cqid(qid); + trace_ufs_err_mcq_create_sq_invalid_cqid(cqid); return false; } =20 @@ -775,6 +780,11 @@ static void ufs_mcq_process_db(UfsHc *u, uint8_t qid, = uint32_t db) } =20 sq =3D u->sq[qid]; + if (!sq) { + trace_ufs_err_mcq_db_wr_invalid_sqid(qid); + return; + } + if (sq->size * sizeof(UfsSqEntry) <=3D db) { trace_ufs_err_mcq_db_wr_invalid_db(qid, db); return; 
@@ -788,7 +798,14 @@ static void ufs_write_mcq_op_reg(UfsHc *u, hwaddr offs= et, uint32_t data, unsigned size) { int qid =3D offset / sizeof(UfsMcqOpReg); - UfsMcqOpReg *opr =3D &u->mcq_op_reg[qid]; + UfsMcqOpReg *opr; + + if (qid >=3D u->params.mcq_maxq) { + trace_ufs_err_invalid_register_offset(offset); + return; + } + + opr =3D &u->mcq_op_reg[qid]; =20 switch (offset % sizeof(UfsMcqOpReg)) { case offsetof(UfsMcqOpReg, sq.tp): --=20 2.43.0
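Review bot: in the ufs_mcq_create_sq() hunk, the new `cqid >= u->params.mcq_maxq` test and the `!u->cq[cqid]` test that follows it emit the same trace event and take the same `return false`, so they read more clearly as one condition, `if (cqid >= u->params.mcq_maxq || !u->cq[cqid])`, with the short-circuit making the bound-before-index order explicit. The fix to the trace argument (qid to cqid) is correct. One thing to confirm rather than change: the bound is u->params.mcq_maxq, while ufs_exit() in patch 4 walks the queue arrays with ARRAY_SIZE(u->sq) and ARRAY_SIZE(u->cq); the check only protects the array if mcq_maxq is capped at that array size when the property is set, since cqid comes straight from a guest-written SQATTR field.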
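Review bot: in the ufs_mcq_process_db() hunk the NULL test lands in the right place, before the first dereference in `sq->size * sizeof(UfsSqEntry)`, but it reuses trace_ufs_err_mcq_db_wr_invalid_sqid, whose format string (visible in the trace-events context of patch 3) is "invalid mcq sqid". A doorbell on a queue that has not been created is a different condition from an out-of-range sqid, and the delete paths already distinguish the two with `_invalid_sqid` and `_not_exists` events; a matching `ufs_err_mcq_db_wr_sq_not_exists` event would keep the trace log unambiguous when debugging a misbehaving guest driver.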
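Review bot: in the ufs_write_mcq_op_reg() hunk, `qid` stays declared `int` while it is now compared against u->params.mcq_maxq and every other queue index in this file is `uint8_t`; offset is an unsigned hwaddr so qid cannot be negative, but declaring it unsigned avoids a signed/unsigned comparison and matches the create/delete helpers. Also worth checking: any read handler for the same MCQ operation register region that computes `offset / sizeof(UfsMcqOpReg)` the same way needs the identical `qid >= u->params.mcq_maxq` guard, since a guest can read past the last queue's registers as easily as write them; that code is not in this diff.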
From: Jeuk Kim
To: qemu-devel@nongnu.org
Cc: jeuk20.kim@samsung.com, qemu-block@nongnu.org, qemu-stable@nongnu.org, j-young.choi@samsung.com, Rayhan Ramdhany Hanaputra
Subject: [PATCH 2/4] hw/ufs: Guard MCQ CQ accesses against missing queues
Date: Wed, 6 May 2026 16:54:29 +0900
Message-ID: <2b4e9005cb7452c21937c99f570d774563b67b46.1778053560.git.jeuk20.kim@samsung.com>

A guest can ring an MCQ CQ doorbell before the completion queue exists.
The CQ head write path then dereferences a NULL CQ through
ufs_mcq_cq_full(). Ignore CQ head updates for missing CQs, and make
ufs_mcq_cq_full() handle a missing CQ defensively.

Fixes: f78762a3cc8 ("hw/ufs: Fix mcq completion queue wraparound")
Reported-by: Rayhan Ramdhany Hanaputra
Cc: qemu-stable@nongnu.org
Signed-off-by: Jeuk Kim --- hw/ufs/ufs.c | 4 ++++ hw/ufs/ufs.h | 9 ++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c index d5fba15e2a..1819ba2e8a 100644 --- a/hw/ufs/ufs.c +++ b/hw/ufs/ufs.c @@ -817,6 +817,10 @@ static void ufs_write_mcq_op_reg(UfsHc *u, hwaddr offs= et, uint32_t data, case offsetof(UfsMcqOpReg, cq.hp): { UfsCq *cq =3D u->cq[qid]; =20 + if (!cq) { + break; + } + if (ufs_mcq_cq_full(u, qid) && !QTAILQ_EMPTY(&cq->req_list)) { /* Enqueueing to CQ was blocked because it was full */ qemu_bh_schedule(cq->bh); diff --git a/hw/ufs/ufs.h b/hw/ufs/ufs.h index 13d964c5ae..9e800cafac 100644 --- a/hw/ufs/ufs.h +++ b/hw/ufs/ufs.h 
@@ -203,7 +203,14 @@ static inline bool ufs_mcq_cq_empty(UfsHc *u, uint32_t= qid) static inline bool ufs_mcq_cq_full(UfsHc *u, uint32_t qid) { uint32_t tail =3D ufs_mcq_cq_tail(u, qid); - uint16_t cq_size =3D u->cq[qid]->size; + UfsCq *cq =3D u->cq[qid]; + uint16_t cq_size; + + if (!cq) { + return false; + } + + cq_size =3D cq->size; =20 tail =3D (tail + sizeof(UfsCqEntry)) % (sizeof(UfsCqEntry) * cq_size); return tail =3D=3D ufs_mcq_cq_head(u, qid); --=20 2.43.0
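Review bot: in the ufs_write_mcq_op_reg() cq.hp hunk, the `if (!cq) break;` path is silent, whereas the equivalent SQ doorbell case in patch 1 emits a trace event before returning. Adding a trace here (an event mirroring ufs_err_mcq_db_wr_invalid_sqid for the CQ side) keeps the two doorbell paths symmetric and gives an operator a record that a guest rang a head doorbell on a CQ that does not exist. A one-line comment that the `break` deliberately skips the full-queue check would also help, because the same hunk still dereferences `cq->req_list` two lines later and a reader has to notice the ordering.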
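Review bot: in the ufs_mcq_cq_full() hunk, `ufs_mcq_cq_tail(u, qid)` is still evaluated before the new `if (!cq)` test. If that helper reads only the op registers the order is harmless; if it goes through u->cq[qid] the guard comes one statement too late. Moving the NULL check above the tail computation costs nothing and removes the question. The other thing to spell out is the return value: `false` here means "not full", so any caller that tests only this predicate before writing a completion would go on to touch the NULL queue; that is safe only because the doorbell path now refuses a missing CQ first. A short comment stating that contract would stop a future caller from relying on the false return alone.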
From: Jeuk Kim
To: qemu-devel@nongnu.org
Cc: jeuk20.kim@samsung.com, qemu-block@nongnu.org, qemu-stable@nongnu.org, j-young.choi@samsung.com
Subject: [PATCH 3/4] hw/ufs: Reject zero-depth MCQ queues
Date: Wed, 6 May 2026 16:54:30 +0900
Message-ID: <8d3bc0e97de971ec10727f5bc2b5f9183eb62976.1778053560.git.jeuk20.kim@samsung.com>

Reject SQATTR.SIZE and CQATTR.SIZE values that produce zero-entry MCQ
queues. Such queues can later trigger a divide-by-zero while advancing
queue pointers.

Fixes: 5c079578d2e ("hw/ufs: Add support MCQ of UFSHCI 4.0")
Cc: qemu-stable@nongnu.org
Signed-off-by: Jeuk Kim
---
 hw/ufs/trace-events |  2 ++
 hw/ufs/ufs.c        | 18 ++++++++++++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/hw/ufs/trace-events b/hw/ufs/trace-events index 531dcfc686..7734b35f08 100644 --- a/hw/ufs/trace-events +++ b/hw/ufs/trace-events @@ -40,10 +40,12 @@ ufs_err_mcq_db_wr_invalid_sqid(uint8_t qid) "invalid mc= q sqid %"PRIu8"" ufs_err_mcq_db_wr_invalid_db(uint8_t qid, uint32_t db) "invalid mcq doorbe= ll sqid %"PRIu8", db %"PRIu32"" ufs_err_mcq_create_sq_invalid_sqid(uint8_t qid) "invalid mcq sqid %"PRIu8"" ufs_err_mcq_create_sq_invalid_cqid(uint8_t qid) "invalid mcq cqid %"PRIu8"" +ufs_err_mcq_create_sq_invalid_size(uint8_t qid) "invalid mcq sq size for s= qid %"PRIu8"" ufs_err_mcq_create_sq_already_exists(uint8_t qid) "mcq sqid %"PRIu8 "alrea= dy exists" ufs_err_mcq_delete_sq_invalid_sqid(uint8_t qid) "invalid mcq sqid %"PRIu8"" ufs_err_mcq_delete_sq_not_exists(uint8_t qid) "mcq sqid %"PRIu8 "not exist= s" ufs_err_mcq_create_cq_invalid_cqid(uint8_t qid) "invalid mcq cqid %"PRIu8"" +ufs_err_mcq_create_cq_invalid_size(uint8_t qid) "invalid mcq cq size for c= qid %"PRIu8"" ufs_err_mcq_create_cq_already_exists(uint8_t qid) "mcq cqid %"PRIu8 "alrea= dy exists" ufs_err_mcq_delete_cq_invalid_cqid(uint8_t qid) "invalid mcq cqid %"PRIu8"" ufs_err_mcq_delete_cq_not_exists(uint8_t qid) "mcq cqid %"PRIu8 "not exist= s" diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c index 1819ba2e8a..4ccd7aa64d 100644 --- a/hw/ufs/ufs.c +++ b/hw/ufs/ufs.c @@ -506,6 +506,8 @@ static bool ufs_mcq_create_sq(UfsHc *u, uint8_t qid, ui= nt32_t attr) UfsMcqReg *reg =3D &u->mcq_reg[qid]; UfsSq *sq; uint8_t cqid =3D FIELD_EX32(attr, SQATTR, CQID); + uint16_t qsize =3D + ((FIELD_EX32(attr, SQATTR, SIZE) + 1) << 2) / sizeof(UfsSqEntry); =20 if (qid >=3D u->params.mcq_maxq) { trace_ufs_err_mcq_create_sq_invalid_sqid(qid); 
@@ -527,12 +529,17 @@ static bool ufs_mcq_create_sq(UfsHc *u, uint8_t qid, = uint32_t attr) return false; } =20 + if (!qsize) { + trace_ufs_err_mcq_create_sq_invalid_size(qid); + return false; + } + sq =3D g_malloc0(sizeof(*sq)); sq->u =3D u; sq->sqid =3D qid; sq->cq =3D u->cq[cqid]; sq->addr =3D ((uint64_t)reg->squba << 32) | reg->sqlba; - sq->size =3D ((FIELD_EX32(attr, SQATTR, SIZE) + 1) << 2) / sizeof(UfsS= qEntry); + sq->size =3D qsize; =20 sq->bh =3D qemu_bh_new_guarded(ufs_mcq_process_sq, sq, &DEVICE(u)->mem_reentrancy_guard); @@ -576,6 +583,8 @@ static bool ufs_mcq_create_cq(UfsHc *u, uint8_t qid, ui= nt32_t attr) { UfsMcqReg *reg =3D &u->mcq_reg[qid]; UfsCq *cq; + uint16_t qsize =3D + ((FIELD_EX32(attr, CQATTR, SIZE) + 1) << 2) / sizeof(UfsCqEntry); =20 if (qid >=3D u->params.mcq_maxq) { trace_ufs_err_mcq_create_cq_invalid_cqid(qid); 
@@ -587,11 +596,16 @@ static bool ufs_mcq_create_cq(UfsHc *u, uint8_t qid, = uint32_t attr) return false; } =20 + if (!qsize) { + trace_ufs_err_mcq_create_cq_invalid_size(qid); + return false; + } + cq =3D g_malloc0(sizeof(*cq)); cq->u =3D u; cq->cqid =3D qid; cq->addr =3D ((uint64_t)reg->cquba << 32) | reg->cqlba; - cq->size =3D ((FIELD_EX32(attr, CQATTR, SIZE) + 1) << 2) / sizeof(UfsC= qEntry); + cq->size =3D qsize; =20 cq->bh =3D qemu_bh_new_guarded(ufs_mcq_process_cq, cq, &DEVICE(u)->mem_reentrancy_guard); --=20 2.43.0
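Review bot: in the trace-events hunk the two new events take only qid, so the trace says a size was rejected but not which SQATTR.SIZE or CQATTR.SIZE value the guest wrote; passing the raw field as a second argument (as ufs_err_mcq_db_wr_invalid_db does for the doorbell value) makes the event actionable. Not introduced here, but visible in the surrounding context: the `_already_exists` and `_not_exists` format strings are `"mcq sqid %"PRIu8 "already exists"` with no space after the number, so they print as "mcq sqid 3already exists"; a follow-up could fix those four lines.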
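Review bot: in the ufs_mcq_create_sq() hunks, `qsize` is computed into a uint16_t and only then tested for zero. If the SQATTR.SIZE field is wide enough for `((SIZE + 1) << 2) / sizeof(UfsSqEntry)` to exceed 65535, the narrowing wraps, and a wrapped result that happens to be non-zero passes this check as a small queue whose sq->req allocation no longer matches what the guest programmed. Either compute the depth in uint32_t and reject anything above the maximum depth the device supports, or note in a comment that the field width makes the wrap impossible. The division also silently discards a remainder, so a byte size that is not a multiple of sizeof(UfsSqEntry) is accepted with its tail ignored; rejecting it is stricter and cheaper than reasoning about the partial entry later.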
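Review bot: the ufs_mcq_create_cq() hunks duplicate the depth arithmetic and the zero test from ufs_mcq_create_sq() with UfsCqEntry substituted. A small helper taking the SIZE field and the entry size (for instance `static uint16_t ufs_mcq_attr_to_depth(uint32_t size_field, size_t entry_size)`) would give both paths one place to add an upper-bound check and keep the two copies from drifting apart.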
From: Jeuk Kim
To: qemu-devel@nongnu.org
Cc: jeuk20.kim@samsung.com, qemu-block@nongnu.org, qemu-stable@nongnu.org, j-young.choi@samsung.com
Subject: [PATCH 4/4] hw/ufs: Keep MCQ SQs alive while requests are outstanding
Date: Wed, 6 May 2026 16:54:31 +0900
Message-ID: <3472fb763391a8efa096adc5d169c55e327112df.1778053560.git.jeuk20.kim@samsung.com>

MCQ requests are allocated with their SQ, but can remain in flight on the
CQ list or in the SCSI layer after leaving the SQ free list. Reject runtime
SQ deletion while any request is still outstanding, and use separate
teardown helpers so device exit can still release MCQ queues after child
devices have been unrealized.

Fixes: 5c079578d2e ("hw/ufs: Add support MCQ of UFSHCI 4.0")
Cc: qemu-stable@nongnu.org
Signed-off-by: Jeuk Kim --- hw/ufs/trace-events | 1 + hw/ufs/ufs.c | 49 ++++++++++++++++++++++++++++++++++++++------- 2 files changed, 43 insertions(+), 7 deletions(-) diff --git a/hw/ufs/trace-events b/hw/ufs/trace-events index 7734b35f08..6f7ea9c95f 100644 --- a/hw/ufs/trace-events +++ b/hw/ufs/trace-events @@ -44,6 +44,7 @@ ufs_err_mcq_create_sq_invalid_size(uint8_t qid) "invalid = mcq sq size for sqid %" ufs_err_mcq_create_sq_already_exists(uint8_t qid) "mcq sqid %"PRIu8 "alrea= dy exists" ufs_err_mcq_delete_sq_invalid_sqid(uint8_t qid) "invalid mcq sqid %"PRIu8"" ufs_err_mcq_delete_sq_not_exists(uint8_t qid) "mcq sqid %"PRIu8 "not exist= s" +ufs_err_mcq_delete_sq_busy(uint8_t qid) "mcq sqid %"PRIu8" has outstanding= requests" ufs_err_mcq_create_cq_invalid_cqid(uint8_t qid) "invalid mcq cqid %"PRIu8"" ufs_err_mcq_create_cq_invalid_size(uint8_t qid) "invalid mcq cq size for c= qid %"PRIu8"" ufs_err_mcq_create_cq_already_exists(uint8_t qid) "mcq cqid %"PRIu8 "alrea= dy exists" diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c index 4ccd7aa64d..6548f0f637 100644 --- a/hw/ufs/ufs.c +++ b/hw/ufs/ufs.c @@ -556,6 +556,31 @@ static bool ufs_mcq_create_sq(UfsHc *u, uint8_t qid, u= int32_t attr) return true; } =20 +static bool ufs_mcq_sq_has_outstanding_req(UfsSq *sq) +{ + UfsRequest *req; + uint16_t free_reqs =3D 0; + + QTAILQ_FOREACH(req, &sq->req_list, entry) + { + free_reqs++; + } + + return free_reqs !=3D sq->size; +} + +static void ufs_mcq_free_sq(UfsSq *sq) +{ + qemu_bh_delete(sq->bh); + + for (int i =3D 0; i < sq->size; i++) { + ufs_clear_req(&sq->req[i]); + } + + g_free(sq->req); + g_free(sq); +} + static bool ufs_mcq_delete_sq(UfsHc *u, uint8_t qid) { UfsSq *sq; 
@@ -572,9 +597,12 @@ static bool ufs_mcq_delete_sq(UfsHc *u, uint8_t qid) =20 sq =3D u->sq[qid]; =20 - qemu_bh_delete(sq->bh); - g_free(sq->req); - g_free(sq); + if (ufs_mcq_sq_has_outstanding_req(sq)) { + trace_ufs_err_mcq_delete_sq_busy(qid); + return false; + } + + ufs_mcq_free_sq(sq); u->sq[qid] =3D NULL; return true; } @@ -617,6 +645,12 @@ static bool ufs_mcq_create_cq(UfsHc *u, uint8_t qid, u= int32_t attr) return true; } =20 +static void ufs_mcq_free_cq(UfsCq *cq) +{ + qemu_bh_delete(cq->bh); + g_free(cq); +} + static bool ufs_mcq_delete_cq(UfsHc *u, uint8_t qid) { UfsCq *cq; @@ -640,8 +674,7 @@ static bool ufs_mcq_delete_cq(UfsHc *u, uint8_t qid) =20 cq =3D u->cq[qid]; =20 - qemu_bh_delete(cq->bh); - g_free(cq); + ufs_mcq_free_cq(cq); u->cq[qid] =3D NULL; return true; } @@ -1884,12 +1917,14 @@ static void ufs_exit(PCIDevice *pci_dev) =20 for (int i =3D 0; i < ARRAY_SIZE(u->sq); i++) { if (u->sq[i]) { - ufs_mcq_delete_sq(u, i); + ufs_mcq_free_sq(u->sq[i]); + u->sq[i] =3D NULL; } } for (int i =3D 0; i < ARRAY_SIZE(u->cq); i++) { if (u->cq[i]) { - ufs_mcq_delete_cq(u, i); + ufs_mcq_free_cq(u->cq[i]); + u->cq[i] =3D NULL; } } } --=20 2.43.0
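Review bot: in the new ufs_mcq_sq_has_outstanding_req(), the `QTAILQ_FOREACH(req, &sq->req_list, entry)` loop has its opening brace on the next line; QEMU style puts it on the same line as the loop header, and checkpatch will flag it. Walking the free list is O(size) per delete, which is fine for a rarely used path, but a counter incremented on free and decremented on allocation would make the test O(1) if the walk ever shows up in a profile. In ufs_mcq_free_sq(), calling ufs_clear_req() on every slot and then freeing sq->req assumes nothing in the SCSI layer still points into that array; the commit message says device exit runs after the child devices are unrealized, and a comment above the helper stating that precondition would keep a future caller from using it at runtime.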
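Review bot: in the ufs_mcq_delete_sq() hunk, the busy case returns false and traces, but the caller's handling of that return is outside the diff. The guest driver must see the deletion fail, otherwise it believes the SQ is gone and may reuse the slot or tear down its own ring while the device still holds requests that point at it; confirm the caller reports the failure through the same status path as the existing `return false` cases rather than silently leaving the queue enabled.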
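Review bot: ufs_mcq_delete_cq() gets no equivalent busy check, yet ufs_mcq_create_sq() stores the CQ pointer in `sq->cq` (visible in the patch 3 context). Unless the lines elided at the top of ufs_mcq_delete_cq() already refuse to delete a CQ that an existing SQ references, a guest can delete the CQ and leave every SQ bound to it with a dangling `sq->cq`, which is the same class of bug this patch closes for SQs. A check that no live SQ has `sq->cq == u->cq[qid]`, or a per-CQ reference count maintained in create/delete of SQs, would close it.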
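Review bot: the ufs_exit() hunk correctly bypasses the busy check by calling the free helpers directly, which is the point of splitting them out. Note that these loops are bounded by ARRAY_SIZE(u->sq) and ARRAY_SIZE(u->cq) while the runtime paths bound qid by u->params.mcq_maxq; the two must agree (mcq_maxq at most the array size) for the runtime checks in patch 1 to be sufficient, so it is worth a one-line assertion where the property is validated.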
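The four checks the series adds are easiest to see side by side, so here is a constructed C model of the MCQ bookkeeping. It is an example added for this page, not code from QEMU's hw/ufs/ufs.c: MCQ_MAXQ, the 64-byte entry size, the error codes and every function name are assumptions. It keeps the patch's depth arithmetic, `((SIZE + 1) << 2) / entry_size`, but computes it in 64 bits and range-checks it before narrowing to 16 bits, and it applies the same order of checks the series establishes: bound every guest-supplied queue index before it indexes an array, require the referenced queue to exist before dereferencing it, refuse zero-entry rings so the wraparound modulus can never be zero, and refuse to free an SQ while a request is outstanding.

```c
/* Constructed model of the MCQ bookkeeping this series hardens; not QEMU's
 * hw/ufs/ufs.c. MCQ_MAXQ, ENTRY_SIZE, the error codes and all names are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MCQ_MAXQ   8u    /* assumed size of the sq[]/cq[] arrays */
#define ENTRY_SIZE 64u   /* assumed SQ/CQ entry size in bytes */

enum mcq_rc { MCQ_OK = 0, MCQ_EQID, MCQ_ECQID, MCQ_ENOENT, MCQ_EEXIST,
              MCQ_ESIZE, MCQ_EDB, MCQ_EBUSY };

typedef struct { uint16_t size; } McqCq;
typedef struct { uint16_t size; uint16_t free_reqs; McqCq *cq; } McqSq;
typedef struct { McqSq *sq[MCQ_MAXQ]; McqCq *cq[MCQ_MAXQ]; } Mcq;

Mcq *mcq_new(void) { return calloc(1, sizeof(Mcq)); }

/* The patch's ((SIZE + 1) << 2) / entry_size in 64 bits, range-checked before it
 * is narrowed: SIZE < ENTRY_SIZE/4 - 1 is a zero-entry ring, and a wide field
 * cannot wrap the 16-bit depth into a small non-zero value. */
static enum mcq_rc attr_to_depth(uint32_t size_field, uint16_t *depth)
{
    uint64_t entries = (((uint64_t)size_field + 1) << 2) / ENTRY_SIZE;
    if (entries == 0 || entries > UINT16_MAX) return MCQ_ESIZE;
    *depth = (uint16_t)entries;
    return MCQ_OK;
}

enum mcq_rc mcq_create_cq(Mcq *m, uint32_t qid, uint32_t size_field)
{
    uint16_t depth; enum mcq_rc rc;
    if (qid >= MCQ_MAXQ) return MCQ_EQID;
    if (m->cq[qid]) return MCQ_EEXIST;
    if ((rc = attr_to_depth(size_field, &depth)) != MCQ_OK) return rc;
    m->cq[qid] = calloc(1, sizeof(McqCq));   /* allocation failure not handled */
    m->cq[qid]->size = depth;
    return MCQ_OK;
}

/* Guest-supplied cqid: bound it before it indexes m->cq, then require the CQ. */
enum mcq_rc mcq_create_sq(Mcq *m, uint32_t qid, uint32_t cqid, uint32_t size_field)
{
    uint16_t depth; enum mcq_rc rc;
    if (qid >= MCQ_MAXQ) return MCQ_EQID;
    if (m->sq[qid]) return MCQ_EEXIST;
    if (cqid >= MCQ_MAXQ || !m->cq[cqid]) return MCQ_ECQID;
    if ((rc = attr_to_depth(size_field, &depth)) != MCQ_OK) return rc;
    McqSq *sq = calloc(1, sizeof(*sq));
    sq->size = sq->free_reqs = depth;   /* every request starts on the free list */
    sq->cq = m->cq[cqid];               /* never NULL, never outside the array */
    m->sq[qid] = sq;
    return MCQ_OK;
}

/* Doorbell: SQ must exist and db must address an entry; a ring takes a request. */
enum mcq_rc mcq_ring_sq_doorbell(Mcq *m, uint32_t qid, uint32_t db)
{
    McqSq *sq = qid < MCQ_MAXQ ? m->sq[qid] : NULL;
    if (!sq) return qid < MCQ_MAXQ ? MCQ_ENOENT : MCQ_EQID;   /* not created yet */
    if (db >= (uint32_t)sq->size * ENTRY_SIZE) return MCQ_EDB;
    if (sq->free_reqs == 0) return MCQ_EBUSY;
    sq->free_reqs--;
    return MCQ_OK;
}

/* Completion hands one in-flight request back to its SQ's free pool. */
enum mcq_rc mcq_complete_one(Mcq *m, uint32_t qid)
{
    McqSq *sq = qid < MCQ_MAXQ ? m->sq[qid] : NULL;
    if (!sq || sq->free_reqs == sq->size) return MCQ_ENOENT;
    sq->free_reqs++;
    return MCQ_OK;
}

/* Refuse runtime deletion while a request is outstanding: the request storage
 * lives with the SQ and the CQ or SCSI layer may still point at it. */
enum mcq_rc mcq_delete_sq(Mcq *m, uint32_t qid)
{
    McqSq *sq = qid < MCQ_MAXQ ? m->sq[qid] : NULL;
    if (!sq) return qid < MCQ_MAXQ ? MCQ_ENOENT : MCQ_EQID;
    if (sq->free_reqs != sq->size) return MCQ_EBUSY;
    free(sq);
    m->sq[qid] = NULL;
    return MCQ_OK;
}

/* The patch's wraparound test. A missing CQ reports "not full" (callers refuse the
 * access first); the modulus is never zero because zero-entry rings are rejected. */
bool mcq_cq_full(const Mcq *m, uint32_t qid, uint32_t head, uint32_t tail)
{
    const McqCq *cq = qid < MCQ_MAXQ ? m->cq[qid] : NULL;
    if (!cq) return false;
    tail = (tail + ENTRY_SIZE) % (ENTRY_SIZE * cq->size);
    return tail == head;
}

int main(void)
{
    Mcq *m = mcq_new();
    printf("cq 1 with SIZE=0 (zero entries): rc=%d\n", mcq_create_cq(m, 1, 0));
    printf("sq 0 -> cqid 9 (past the array): rc=%d\n", mcq_create_sq(m, 0, 9, 15));
    return 0;
}
```

Compile with `cc -std=c11 -Wall mcq_model.c` (file name assumed). Every function returns a code the caller can map to the controller's error status, which is the contract the patch 4 busy path relies on: rejecting an operation is only useful if the guest driver is told about it.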