From: Jeuk Kim
To: qemu-devel@nongnu.org
Cc: stefanha@redhat.com, qemu-block@nongnu.org, qemu-stable@nongnu.org, jeuk20.kim@samsung.com, j-young.choi@samsung.com, Rayhan Ramdhany Hanaputra
Subject: [PULL 1/5] hw/ufs: Validate MCQ SQ references before use
Date: Tue, 12 May 2026 13:42:51 +0900
Message-ID: <332ea29787800fff2b49e9b89ec93bd370a11965.1778560533.git.jeuk20.kim@samsung.com>
From: Jeuk Kim A guest can program an out-of-range SQATTR.CQID value, or ring an MCQ SQ doorbell before the submission queue exists. Reject SQ creation when the referenced CQ is invalid, and ignore SQ doorbells for queues that have not been created. This prevents a guest-triggerable out-of-bounds read and NULL pointer dereference. Fixes: 5c079578d2e ("hw/ufs: Add support MCQ of UFSHCI 4.0") Reported-by: Rayhan Ramdhany Hanaputra Cc: qemu-stable@nongnu.org Signed-off-by: Jeuk Kim --- hw/ufs/ufs.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c index cb74cb56bc..d5fba15e2a 100644 --- a/hw/ufs/ufs.c +++ b/hw/ufs/ufs.c @@ -517,8 +517,13 @@ static bool ufs_mcq_create_sq(UfsHc *u, uint8_t qid, u= int32_t attr) return false; } =20 + if (cqid >=3D u->params.mcq_maxq) { + trace_ufs_err_mcq_create_sq_invalid_cqid(cqid); + return false; + } + if (!u->cq[cqid]) { - trace_ufs_err_mcq_create_sq_invalid_cqid(qid); + trace_ufs_err_mcq_create_sq_invalid_cqid(cqid); return false; } =20 @@ -775,6 +780,11 @@ static void ufs_mcq_process_db(UfsHc *u, uint8_t qid, = uint32_t db) } =20 sq =3D u->sq[qid]; + if (!sq) { + trace_ufs_err_mcq_db_wr_invalid_sqid(qid); + return; + } + if (sq->size * sizeof(UfsSqEntry) <=3D db) { trace_ufs_err_mcq_db_wr_invalid_db(qid, db); return; 
@@ -788,7 +798,14 @@ static void ufs_write_mcq_op_reg(UfsHc *u, hwaddr offs= et, uint32_t data, unsigned size) { int qid =3D offset / sizeof(UfsMcqOpReg); - UfsMcqOpReg *opr =3D &u->mcq_op_reg[qid]; + UfsMcqOpReg *opr; + + if (qid >=3D u->params.mcq_maxq) { + trace_ufs_err_invalid_register_offset(offset); + return; + } + + opr =3D &u->mcq_op_reg[qid]; =20 switch (offset % sizeof(UfsMcqOpReg)) { case offsetof(UfsMcqOpReg, sq.tp): --=20 2.43.0
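Review bot: In the ufs_mcq_create_sq hunk, the new `cqid >= u->params.mcq_maxq` branch and the existing `!u->cq[cqid]` branch emit the same trace event with the same argument, so they could be folded into a single `if (cqid >= u->params.mcq_maxq || !u->cq[cqid])`, which also makes it visible at a glance that the bounds check precedes the array index. Changing the trace argument from `qid` to `cqid` is the right fix; the old line attributed the bad CQ id to the SQ.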
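Review bot: The `!sq` guard in the ufs_mcq_process_db hunk reuses trace_ufs_err_mcq_db_wr_invalid_sqid, which is the same event an out-of-range qid reports; a distinct event (or at least a sentence in the commit message) would let someone triaging a guest's behaviour from traces tell "queue index out of range" apart from "doorbell rung before the SQ was created", which are different guest bugs. The ordering itself is correct: the NULL check sits before the `sq->size * sizeof(UfsSqEntry) <= db` dereference.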
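Review bot: In the ufs_write_mcq_op_reg hunk, the `offset` handed to trace_ufs_err_invalid_register_offset is relative to the MCQ operation register array (qid is derived as `offset / sizeof(UfsMcqOpReg)`), while the event name suggests an absolute register offset, so the logged value will be misleading; consider a dedicated event that logs `qid`, or pass the absolute offset. It is also worth confirming that the matching MCQ op-register read path carries the same `qid >= u->params.mcq_maxq` guard, since an unguarded read would index mcq_op_reg out of bounds just as the write did.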
From: Jeuk Kim
To: qemu-devel@nongnu.org
Cc: stefanha@redhat.com, qemu-block@nongnu.org, qemu-stable@nongnu.org, jeuk20.kim@samsung.com, j-young.choi@samsung.com, Rayhan Ramdhany Hanaputra
Subject: [PULL 2/5] hw/ufs: Guard MCQ CQ accesses against missing queues
Date: Tue, 12 May 2026 13:42:52 +0900
Message-ID: <283d921e771e8a98a5c3d1eed1ed791b89ba47a8.1778560533.git.jeuk20.kim@samsung.com>

From: Jeuk Kim

A guest can ring an MCQ CQ doorbell before the completion queue exists. The CQ head write path then dereferences a NULL CQ through ufs_mcq_cq_full(). Ignore CQ head updates for missing CQs, and make ufs_mcq_cq_full() handle a missing CQ defensively.

Fixes: f78762a3cc8 ("hw/ufs: Fix mcq completion queue wraparound")
Reported-by: Rayhan Ramdhany Hanaputra
Cc: qemu-stable@nongnu.org
Signed-off-by: Jeuk Kim --- hw/ufs/ufs.c | 4 ++++ hw/ufs/ufs.h | 9 ++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c index d5fba15e2a..1819ba2e8a 100644 --- a/hw/ufs/ufs.c +++ b/hw/ufs/ufs.c @@ -817,6 +817,10 @@ static void ufs_write_mcq_op_reg(UfsHc *u, hwaddr offs= et, uint32_t data, case offsetof(UfsMcqOpReg, cq.hp): { UfsCq *cq =3D u->cq[qid]; =20 + if (!cq) { + break; + } + if (ufs_mcq_cq_full(u, qid) && !QTAILQ_EMPTY(&cq->req_list)) { /* Enqueueing to CQ was blocked because it was full */ qemu_bh_schedule(cq->bh); diff --git a/hw/ufs/ufs.h b/hw/ufs/ufs.h index 13d964c5ae..9e800cafac 100644 --- a/hw/ufs/ufs.h +++ b/hw/ufs/ufs.h 
@@ -203,7 +203,14 @@ static inline bool ufs_mcq_cq_empty(UfsHc *u, uint32_t= qid) static inline bool ufs_mcq_cq_full(UfsHc *u, uint32_t qid) { uint32_t tail =3D ufs_mcq_cq_tail(u, qid); - uint16_t cq_size =3D u->cq[qid]->size; + UfsCq *cq =3D u->cq[qid]; + uint16_t cq_size; + + if (!cq) { + return false; + } + + cq_size =3D cq->size; =20 tail =3D (tail + sizeof(UfsCqEntry)) % (sizeof(UfsCqEntry) * cq_size); return tail =3D=3D ufs_mcq_cq_head(u, qid); --=20 2.43.0
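Review bot: The `if (!cq) { break; }` added to the cq.hp case in ufs_write_mcq_op_reg is silent, whereas the SQ doorbell path in 1/5 traces the invalid queue id; a guest writing a CQ head pointer for a queue it never created is exactly the kind of event a trace should record, so consider adding a CQ counterpart to ufs_err_mcq_db_wr_invalid_sqid (name to be chosen) for parity with the SQ path.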
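Review bot: In the ufs_mcq_cq_full hunk, `ufs_mcq_cq_tail(u, qid)` is still evaluated before the new `!cq` check; if that helper reaches into u->cq[qid] the guard comes too late, so either move the call below the check or confirm in the commit message that it only reads the op registers. Separately, `% (sizeof(UfsCqEntry) * cq_size)` divides by cq_size, so a CQ created with zero entries would still fault here; 3/5 rejects such queues at creation, which means 2/5 and 3/5 should go to qemu-stable together.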
From: Jeuk Kim
To: qemu-devel@nongnu.org
Cc: stefanha@redhat.com, qemu-block@nongnu.org, qemu-stable@nongnu.org, jeuk20.kim@samsung.com, j-young.choi@samsung.com
Subject: [PULL 3/5] hw/ufs: Reject zero-depth MCQ queues
Date: Tue, 12 May 2026 13:42:53 +0900
Message-ID: <4a909c00b9e18478e67a792c7f7cfae62cb6c865.1778560533.git.jeuk20.kim@samsung.com>

From: Jeuk Kim

Reject SQATTR.SIZE and CQATTR.SIZE values that produce zero-entry MCQ queues. Such queues can later trigger a divide-by-zero while advancing queue pointers.

Fixes: 5c079578d2e ("hw/ufs: Add support MCQ of UFSHCI 4.0")
Cc: qemu-stable@nongnu.org
Signed-off-by: Jeuk Kim
---
hw/ufs/trace-events | 2 ++
hw/ufs/ufs.c | 18 ++++++++++++++++--
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/hw/ufs/trace-events b/hw/ufs/trace-events index 531dcfc686..7734b35f08 100644 --- a/hw/ufs/trace-events +++ b/hw/ufs/trace-events @@ -40,10 +40,12 @@ ufs_err_mcq_db_wr_invalid_sqid(uint8_t qid) "invalid mc= q sqid %"PRIu8"" ufs_err_mcq_db_wr_invalid_db(uint8_t qid, uint32_t db) "invalid mcq doorbe= ll sqid %"PRIu8", db %"PRIu32"" ufs_err_mcq_create_sq_invalid_sqid(uint8_t qid) "invalid mcq sqid %"PRIu8"" ufs_err_mcq_create_sq_invalid_cqid(uint8_t qid) "invalid mcq cqid %"PRIu8"" +ufs_err_mcq_create_sq_invalid_size(uint8_t qid) "invalid mcq sq size for s= qid %"PRIu8"" ufs_err_mcq_create_sq_already_exists(uint8_t qid) "mcq sqid %"PRIu8 "alrea= dy exists" ufs_err_mcq_delete_sq_invalid_sqid(uint8_t qid) "invalid mcq sqid %"PRIu8"" ufs_err_mcq_delete_sq_not_exists(uint8_t qid) "mcq sqid %"PRIu8 "not exist= s" ufs_err_mcq_create_cq_invalid_cqid(uint8_t qid) "invalid mcq cqid %"PRIu8"" +ufs_err_mcq_create_cq_invalid_size(uint8_t qid) "invalid mcq cq size for c= qid %"PRIu8"" ufs_err_mcq_create_cq_already_exists(uint8_t qid) "mcq cqid %"PRIu8 "alrea= dy exists" ufs_err_mcq_delete_cq_invalid_cqid(uint8_t qid) "invalid mcq cqid %"PRIu8"" ufs_err_mcq_delete_cq_not_exists(uint8_t qid) "mcq cqid %"PRIu8 "not exist= s" diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c index 1819ba2e8a..4ccd7aa64d 100644 --- a/hw/ufs/ufs.c +++ b/hw/ufs/ufs.c @@ -506,6 +506,8 @@ static bool ufs_mcq_create_sq(UfsHc *u, uint8_t qid, ui= nt32_t attr) UfsMcqReg *reg =3D &u->mcq_reg[qid]; UfsSq *sq; uint8_t cqid =3D FIELD_EX32(attr, SQATTR, CQID); + uint16_t qsize =3D + ((FIELD_EX32(attr, SQATTR, SIZE) + 1) << 2) / sizeof(UfsSqEntry); =20 if (qid >=3D u->params.mcq_maxq) { trace_ufs_err_mcq_create_sq_invalid_sqid(qid); 
@@ -527,12 +529,17 @@ static bool ufs_mcq_create_sq(UfsHc *u, uint8_t qid, = uint32_t attr) return false; } =20 + if (!qsize) { + trace_ufs_err_mcq_create_sq_invalid_size(qid); + return false; + } + sq =3D g_malloc0(sizeof(*sq)); sq->u =3D u; sq->sqid =3D qid; sq->cq =3D u->cq[cqid]; sq->addr =3D ((uint64_t)reg->squba << 32) | reg->sqlba; - sq->size =3D ((FIELD_EX32(attr, SQATTR, SIZE) + 1) << 2) / sizeof(UfsS= qEntry); + sq->size =3D qsize; =20 sq->bh =3D qemu_bh_new_guarded(ufs_mcq_process_sq, sq, &DEVICE(u)->mem_reentrancy_guard); @@ -576,6 +583,8 @@ static bool ufs_mcq_create_cq(UfsHc *u, uint8_t qid, ui= nt32_t attr) { UfsMcqReg *reg =3D &u->mcq_reg[qid]; UfsCq *cq; + uint16_t qsize =3D + ((FIELD_EX32(attr, CQATTR, SIZE) + 1) << 2) / sizeof(UfsCqEntry); =20 if (qid >=3D u->params.mcq_maxq) { trace_ufs_err_mcq_create_cq_invalid_cqid(qid); 
@@ -587,11 +596,16 @@ static bool ufs_mcq_create_cq(UfsHc *u, uint8_t qid, = uint32_t attr) return false; } =20 + if (!qsize) { + trace_ufs_err_mcq_create_cq_invalid_size(qid); + return false; + } + cq =3D g_malloc0(sizeof(*cq)); cq->u =3D u; cq->cqid =3D qid; cq->addr =3D ((uint64_t)reg->cquba << 32) | reg->cqlba; - cq->size =3D ((FIELD_EX32(attr, CQATTR, SIZE) + 1) << 2) / sizeof(UfsC= qEntry); + cq->size =3D qsize; =20 cq->bh =3D qemu_bh_new_guarded(ufs_mcq_process_cq, cq, &DEVICE(u)->mem_reentrancy_guard); --=20 2.43.0
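Review bot: The `!qsize` check in the ufs_mcq_create_sq hunk only catches a byte count smaller than one UfsSqEntry; the integer division `((SIZE + 1) << 2) / sizeof(UfsSqEntry)` silently rounds every other size that is not a whole number of entries down, so the device and the guest can disagree about the queue depth and the tail of the guest's buffer is never used. Rejecting (or at least tracing) a byte size with `% sizeof(UfsSqEntry) != 0` would close that gap, and the same applies to the CQATTR.SIZE computation in the ufs_mcq_create_cq hunk.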
From: Jeuk Kim
To: qemu-devel@nongnu.org
Cc: stefanha@redhat.com, qemu-block@nongnu.org, qemu-stable@nongnu.org, jeuk20.kim@samsung.com, j-young.choi@samsung.com
Subject: [PULL 4/5] hw/ufs: Keep MCQ SQs alive while requests are outstanding
Date: Tue, 12 May 2026 13:42:54 +0900
Message-ID: <619c2da19a05668dabe7912afb789e50b8635c4d.1778560533.git.jeuk20.kim@samsung.com>

From: Jeuk Kim

MCQ requests are allocated with their SQ, but can remain in flight on the CQ list or in the SCSI layer after leaving the SQ free list. Reject runtime SQ deletion while any request is still outstanding, and use separate teardown helpers so device exit can still release MCQ queues after child devices have been unrealized.

Fixes: 5c079578d2e ("hw/ufs: Add support MCQ of UFSHCI 4.0")
Cc: qemu-stable@nongnu.org
Signed-off-by: Jeuk Kim --- hw/ufs/trace-events | 1 + hw/ufs/ufs.c | 49 ++++++++++++++++++++++++++++++++++++++------- 2 files changed, 43 insertions(+), 7 deletions(-) diff --git a/hw/ufs/trace-events b/hw/ufs/trace-events index 7734b35f08..6f7ea9c95f 100644 --- a/hw/ufs/trace-events +++ b/hw/ufs/trace-events @@ -44,6 +44,7 @@ ufs_err_mcq_create_sq_invalid_size(uint8_t qid) "invalid = mcq sq size for sqid %" ufs_err_mcq_create_sq_already_exists(uint8_t qid) "mcq sqid %"PRIu8 "alrea= dy exists" ufs_err_mcq_delete_sq_invalid_sqid(uint8_t qid) "invalid mcq sqid %"PRIu8"" ufs_err_mcq_delete_sq_not_exists(uint8_t qid) "mcq sqid %"PRIu8 "not exist= s" +ufs_err_mcq_delete_sq_busy(uint8_t qid) "mcq sqid %"PRIu8" has outstanding= requests" ufs_err_mcq_create_cq_invalid_cqid(uint8_t qid) "invalid mcq cqid %"PRIu8"" ufs_err_mcq_create_cq_invalid_size(uint8_t qid) "invalid mcq cq size for c= qid %"PRIu8"" ufs_err_mcq_create_cq_already_exists(uint8_t qid) "mcq cqid %"PRIu8 "alrea= dy exists" diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c index 4ccd7aa64d..6548f0f637 100644 --- a/hw/ufs/ufs.c +++ b/hw/ufs/ufs.c @@ -556,6 +556,31 @@ static bool ufs_mcq_create_sq(UfsHc *u, uint8_t qid, u= int32_t attr) return true; } =20 +static bool ufs_mcq_sq_has_outstanding_req(UfsSq *sq) +{ + UfsRequest *req; + uint16_t free_reqs =3D 0; + + QTAILQ_FOREACH(req, &sq->req_list, entry) + { + free_reqs++; + } + + return free_reqs !=3D sq->size; +} + +static void ufs_mcq_free_sq(UfsSq *sq) +{ + qemu_bh_delete(sq->bh); + + for (int i =3D 0; i < sq->size; i++) { + ufs_clear_req(&sq->req[i]); + } + + g_free(sq->req); + g_free(sq); +} + static bool ufs_mcq_delete_sq(UfsHc *u, uint8_t qid) { UfsSq *sq; 
@@ -572,9 +597,12 @@ static bool ufs_mcq_delete_sq(UfsHc *u, uint8_t qid) =20 sq =3D u->sq[qid]; =20 - qemu_bh_delete(sq->bh); - g_free(sq->req); - g_free(sq); + if (ufs_mcq_sq_has_outstanding_req(sq)) { + trace_ufs_err_mcq_delete_sq_busy(qid); + return false; + } + + ufs_mcq_free_sq(sq); u->sq[qid] =3D NULL; return true; } @@ -617,6 +645,12 @@ static bool ufs_mcq_create_cq(UfsHc *u, uint8_t qid, u= int32_t attr) return true; } =20 +static void ufs_mcq_free_cq(UfsCq *cq) +{ + qemu_bh_delete(cq->bh); + g_free(cq); +} + static bool ufs_mcq_delete_cq(UfsHc *u, uint8_t qid) { UfsCq *cq; @@ -640,8 +674,7 @@ static bool ufs_mcq_delete_cq(UfsHc *u, uint8_t qid) =20 cq =3D u->cq[qid]; =20 - qemu_bh_delete(cq->bh); - g_free(cq); + ufs_mcq_free_cq(cq); u->cq[qid] =3D NULL; return true; } 
@@ -1884,12 +1917,14 @@ static void ufs_exit(PCIDevice *pci_dev) =20 for (int i =3D 0; i < ARRAY_SIZE(u->sq); i++) { if (u->sq[i]) { - ufs_mcq_delete_sq(u, i); + ufs_mcq_free_sq(u->sq[i]); + u->sq[i] =3D NULL; } } for (int i =3D 0; i < ARRAY_SIZE(u->cq); i++) { if (u->cq[i]) { - ufs_mcq_delete_cq(u, i); + ufs_mcq_free_cq(u->cq[i]); + u->cq[i] =3D NULL; } } } --=20 2.43.0
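Review bot: in the `@@ -556,6 +556,31 @@` hunk, the opening brace of the `QTAILQ_FOREACH(req, &sq->req_list, entry)` loop in ufs_mcq_sq_has_outstanding_req() sits on its own line, which QEMU's coding style (and checkpatch) rejects; it should read `QTAILQ_FOREACH(req, &sq->req_list, entry) {`. In the same hunk, ufs_mcq_free_sq() clears every request slot before freeing the array, which only matters in the exit path where requests may still be in flight; a one-line comment on the helper stating its precondition (the caller has either verified that no request is outstanding or knows the SCSI layer is already gone) would make that explicit for the two callers.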
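Review bot: in the `@@ -640,8 +674,7 @@` hunk, ufs_mcq_delete_cq() still frees the CQ unconditionally, with no counterpart to the new busy check in ufs_mcq_delete_sq(). The commit message says requests can remain in flight on the CQ list after leaving the SQ free list, so a guest that deletes a CQ while completions are still queued on it, or while a live SQ still targets that cqid, would leave the pending completion path holding a pointer to freed memory. Consider rejecting the delete while the CQ's request list is non-empty or any existing SQ still references it, with a trace event mirroring ufs_err_mcq_delete_sq_busy.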
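Review bot: in the `@@ -1884,12 +1917,14 @@` hunk, ufs_exit() deliberately bypasses the new busy check by calling ufs_mcq_free_sq()/ufs_mcq_free_cq() directly, but the justification (child devices have already been unrealized, so no request can still be referenced from the SCSI layer) lives only in the commit message; a short comment above the loops would stop a future reader from "fixing" this back to ufs_mcq_delete_sq(). That comment is also the place to state that the SQ loop must run before the CQ loop, since the SQs' requests are what end up on the CQ lists.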
From: Jeuk Kim
To: qemu-devel@nongnu.org
Cc: stefanha@redhat.com, qemu-block@nongnu.org, qemu-stable@nongnu.org, jeuk20.kim@samsung.com, j-young.choi@samsung.com
Subject: [PULL 5/5] hw/ufs: Zero reserved bytes in REPORT LUNS response header
Date: Tue, 12 May 2026 13:42:55 +0900
Message-ID: <042dbcff8382393b20b716294a6c4b1a4af6b3f1.1778560533.git.jeuk20.kim@samsung.com>

From: Jeuk Kim

ufs_emulate_report_luns() writes the 4-byte LUN list length into outbuf[0..3] via stl_be_p() but leaves outbuf[4..7], the reserved field, uninitialized. Those bytes are then DMA'd to guest memory, leaking uninitialized QEMU stack data.

Fixes: 7708e298180 ("hw/ufs/lu: skip automatic zero-init of large array")
Cc: qemu-stable@nongnu.org
Signed-off-by: Jeuk Kim --- hw/ufs/lu.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/ufs/lu.c b/hw/ufs/lu.c index 3f3c9589ce..709d6adcf6 100644 --- a/hw/ufs/lu.c +++ b/hw/ufs/lu.c @@ -101,6 +101,10 @@ static int ufs_emulate_report_luns(UfsRequest *req, ui= nt8_t *outbuf, return SCSI_COMMAND_FAIL; } =20 + if (outbuf_len < 8) { + return SCSI_COMMAND_FAIL; + } + memset(outbuf, 0, 8); len +=3D 8; =20 for (uint8_t lun =3D 0; lun < UFS_MAX_LUS; ++lun) { --=20 2.43.0
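Review bot: the `if (outbuf_len < 8) { return SCSI_COMMAND_FAIL; }` guard is a second behavioural change that the commit message does not mention (it only describes zeroing outbuf[4..7]); either add a sentence about it to the message or explain why it is needed here, since checks earlier in the function (outside this hunk) may already guarantee the minimum buffer size. Also, `memset(outbuf, 0, 8)` zeroes the length field as well as the reserved bytes, so it has to run before the stl_be_p() that stores the LUN list length; the hunk places the memset ahead of the LUN loop, and the final length store must stay after it for the header to be correct.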