1From cd1db8df7431edd2210ed0123e2e09b9b6d1e621 Mon Sep 17 00:00:00 2001 2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> 3Date: Fri, 17 Dec 2021 22:31:11 +0100 4Subject: [PATCH] dma: Let ld*_dma() propagate MemTxResult 5MIME-Version: 1.0 6Content-Type: text/plain; charset=utf8 7Content-Transfer-Encoding: 8bit 8 9dma_memory_read() returns a MemTxResult type. Do not discard 10it, return it to the caller. 11 12Update the few callers. 13 14CVE: CVE-2021-3611 15Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=cd1db8df7431edd2210ed0123e2e09b9b6d1e621] 16 17Reviewed-by: Richard Henderson <richard.henderson@linaro.org> 18Reviewed-by: Cédric Le Goater <clg@kaod.org> 19Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> 20Message-Id: <20211223115554.3155328-19-philmd@redhat.com> 21Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> 22--- 23 hw/intc/pnv_xive.c | 8 ++++---- 24 hw/usb/hcd-xhci.c | 7 ++++--- 25 include/hw/pci/pci.h | 6 ++++-- 26 include/hw/ppc/spapr_vio.h | 6 +++++- 27 include/sysemu/dma.h | 25 ++++++++++++------------- 28 5 files changed, 29 insertions(+), 23 deletions(-) 29 30diff --git a/hw/intc/pnv_xive.c b/hw/intc/pnv_xive.c 31index d9249bb..bb20751 100644 32--- a/hw/intc/pnv_xive.c 33+++ b/hw/intc/pnv_xive.c 34@@ -172,7 +172,7 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type, 35 36 /* Get the page size of the indirect table. */ 37 vsd_addr = vsd & VSD_ADDRESS_MASK; 38- vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); 39+ ldq_be_dma(&address_space_memory, vsd_addr, &vsd, MEMTXATTRS_UNSPECIFIED); 40 41 if (!(vsd & VSD_ADDRESS_MASK)) { 42 #ifdef XIVE_DEBUG 43@@ -195,8 +195,8 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type, 44 /* Load the VSD we are looking for, if not already done */ 45 if (vsd_idx) { 46 vsd_addr = vsd_addr + vsd_idx * XIVE_VSD_SIZE; 47- vsd = ldq_be_dma(&address_space_memory, vsd_addr, 48- MEMTXATTRS_UNSPECIFIED); 49+ ldq_be_dma(&address_space_memory, vsd_addr, &vsd, 50+ MEMTXATTRS_UNSPECIFIED); 51 52 if (!(vsd & VSD_ADDRESS_MASK)) { 53 #ifdef XIVE_DEBUG 54@@ -543,7 +543,7 @@ static uint64_t pnv_xive_vst_per_subpage(PnvXive *xive, uint32_t type) 55 56 /* Get the page size of the indirect table. */ 57 vsd_addr = vsd & VSD_ADDRESS_MASK; 58- vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); 59+ ldq_be_dma(&address_space_memory, vsd_addr, &vsd, MEMTXATTRS_UNSPECIFIED); 60 61 if (!(vsd & VSD_ADDRESS_MASK)) { 62 #ifdef XIVE_DEBUG 63diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c 64index d960b81..da5a407 100644 65--- a/hw/usb/hcd-xhci.c 66+++ b/hw/usb/hcd-xhci.c 67@@ -2062,7 +2062,7 @@ static TRBCCode xhci_address_slot(XHCIState *xhci, unsigned int slotid, 68 assert(slotid >= 1 && slotid <= xhci->numslots); 69 70 dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high); 71- poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid, MEMTXATTRS_UNSPECIFIED); 72+ ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &poctx, MEMTXATTRS_UNSPECIFIED); 73 ictx = xhci_mask64(pictx); 74 octx = xhci_mask64(poctx); 75 76@@ -3429,6 +3429,7 @@ static int usb_xhci_post_load(void *opaque, int version_id) 77 uint32_t slot_ctx[4]; 78 uint32_t ep_ctx[5]; 79 int slotid, epid, state; 80+ uint64_t addr; 81 82 dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high); 83 84@@ -3437,8 +3438,8 @@ static int usb_xhci_post_load(void *opaque, int version_id) 85 if (!slot->addressed) { 86 continue; 87 } 88- slot->ctx = xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid, 89- MEMTXATTRS_UNSPECIFIED)); 90+ ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &addr, MEMTXATTRS_UNSPECIFIED); 91+ slot->ctx = xhci_mask64(addr); 92 xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx)); 93 slot->uport = xhci_lookup_uport(xhci, slot_ctx); 94 if (!slot->uport) { 95diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h 96index 0613308..8c5f2ed 100644 97--- a/include/hw/pci/pci.h 98+++ b/include/hw/pci/pci.h 99@@ -854,8 +854,10 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, 100 static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \ 101 dma_addr_t addr) \ 102 { \ 103- return ld##_l##_dma(pci_get_address_space(dev), addr, \ 104- MEMTXATTRS_UNSPECIFIED); \ 105+ uint##_bits##_t val; \ 106+ ld##_l##_dma(pci_get_address_space(dev), addr, &val, \ 107+ MEMTXATTRS_UNSPECIFIED); \ 108+ return val; \ 109 } \ 110 static inline void st##_s##_pci_dma(PCIDevice *dev, \ 111 dma_addr_t addr, uint##_bits##_t val) \ 112diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h 113index d2ec9b0..7eae1a4 100644 114--- a/include/hw/ppc/spapr_vio.h 115+++ b/include/hw/ppc/spapr_vio.h 116@@ -127,7 +127,11 @@ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr, 117 #define vio_stq(_dev, _addr, _val) \ 118 (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) 119 #define vio_ldq(_dev, _addr) \ 120- (ldq_be_dma(&(_dev)->as, (_addr), MEMTXATTRS_UNSPECIFIED)) 121+ ({ \ 122+ uint64_t _val; \ 123+ ldq_be_dma(&(_dev)->as, (_addr), &_val, MEMTXATTRS_UNSPECIFIED); \ 124+ _val; \ 125+ }) 126 127 int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq); 128 129diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h 130index 895044d..b3faef4 100644 131--- a/include/sysemu/dma.h 132+++ b/include/sysemu/dma.h 133@@ -240,14 +240,15 @@ static inline void dma_memory_unmap(AddressSpace *as, 134 } 135 136 #define DEFINE_LDST_DMA(_lname, _sname, _bits, _end) \ 137- static inline uint##_bits##_t ld##_lname##_##_end##_dma(AddressSpace *as, \ 138- dma_addr_t addr, \ 139- MemTxAttrs attrs) \ 140- { \ 141- uint##_bits##_t val; \ 142- dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \ 143- return _end##_bits##_to_cpu(val); \ 144- } \ 145+ static inline MemTxResult ld##_lname##_##_end##_dma(AddressSpace *as, \ 146+ dma_addr_t addr, \ 147+ uint##_bits##_t *pval, \ 148+ MemTxAttrs attrs) \ 149+ { \ 150+ MemTxResult res = dma_memory_read(as, addr, pval, (_bits) / 8, attrs); \ 151+ _end##_bits##_to_cpus(pval); \ 152+ return res; \ 153+ } \ 154 static inline MemTxResult st##_sname##_##_end##_dma(AddressSpace *as, \ 155 dma_addr_t addr, \ 156 uint##_bits##_t val, \ 157@@ -257,12 +258,10 @@ static inline void dma_memory_unmap(AddressSpace *as, 158 return dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ 159 } 160 161-static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs) 162+static inline MemTxResult ldub_dma(AddressSpace *as, dma_addr_t addr, 163+ uint8_t *val, MemTxAttrs attrs) 164 { 165- uint8_t val; 166- 167- dma_memory_read(as, addr, &val, 1, attrs); 168- return val; 169+ return dma_memory_read(as, addr, val, 1, attrs); 170 } 171 172 static inline MemTxResult stb_dma(AddressSpace *as, dma_addr_t addr, 173-- 1741.8.3.1 175 176