From patchwork Sun Mar 23 17:45:39 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?C=C3=A9dric_Le_Goater?= X-Patchwork-Id: 14026578 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id A2D7CC28B30 for ; Sun, 23 Mar 2025 17:49:00 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twPQ0-0004TE-69; Sun, 23 Mar 2025 13:47:30 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twPOk-0002fh-Nb for qemu-devel@nongnu.org; Sun, 23 Mar 2025 13:46:16 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twPOi-00041o-AX for qemu-devel@nongnu.org; Sun, 23 Mar 2025 13:46:10 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1742751966; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=CyDOAolXDC8JHNY7vW5wrsU9AZ5Pv4aAsrkKN68TzCY=; b=YSx6Ib2Y8c6xNKiBtC5dxC5RRyCj9E8gf37yR6aWpPiOFHNx5yPvGcQEg1rRNAIiJ9YBnt VG6ZMRLLHWNGunRxVTxmiYfgfv3kP93S+o4YiohKFoi5CmpyHamWWgS+9O9I1Kj1RYwJu+ NZo11wU7CQg3IU25D73wSIg6qjbW3rI= Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-453-EWT7iP3COLyDYn-OBMQupg-1; Sun, 23 Mar 2025 13:45:59 -0400 X-MC-Unique: EWT7iP3COLyDYn-OBMQupg-1 X-Mimecast-MFC-AGG-ID: EWT7iP3COLyDYn-OBMQupg_1742751958 Received: from mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 8FCB81945103; Sun, 23 Mar 2025 17:45:53 +0000 (UTC) Received: from corto.redhat.com (unknown [10.44.32.3]) by mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 6BAC11955BC0; Sun, 23 Mar 2025 17:45:51 +0000 (UTC) From: =?utf-8?q?C=C3=A9dric_Le_Goater?= To: qemu-arm@nongnu.org, qemu-devel@nongnu.org Cc: Troy Lee , =?utf-8?q?C=C3=A9dric_Le_Goater?= Subject: [PULL 1/3] aspeed: Fix maximum number of spi controller Date: Sun, 23 Mar 2025 18:45:39 +0100 Message-ID: <20250323174541.406860-2-clg@redhat.com> In-Reply-To: <20250323174541.406860-1-clg@redhat.com> References: <20250323174541.406860-1-clg@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.15 Received-SPF: pass client-ip=170.10.129.124; envelope-from=clg@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -30 X-Spam_score: -3.1 X-Spam_bar: --- X-Spam_report: (-3.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org From: Troy Lee Commit 6de4aa8dc544 ("hw/arm/aspeed_ast27x0: Add SoC Support for AST2700 A1") extends ast2700a1 spis_num to 3, but ASPEED_SPIS_NUM defines the maximum number of spi controller to 2, result in ehci[0] is being overwritten in runtime. Signed-off-by: Troy Lee Fixes: 6de4aa8dc544 ("hw/arm/aspeed_ast27x0: Add SoC Support for AST2700 A1") Reviewed-by: Cédric Le Goater Link: https://lore.kernel.org/qemu-devel/20250317065938.1902272-1-troy_lee@aspeedtech.com Signed-off-by: Cédric Le Goater --- include/hw/arm/aspeed_soc.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h index f899356ed94c..f069d17d1629 100644 --- a/include/hw/arm/aspeed_soc.h +++ b/include/hw/arm/aspeed_soc.h @@ -42,7 +42,7 @@ #include "hw/char/serial-mm.h" #include "hw/intc/arm_gicv3.h" -#define ASPEED_SPIS_NUM 2 +#define ASPEED_SPIS_NUM 3 #define ASPEED_EHCIS_NUM 2 #define ASPEED_WDTS_NUM 8 #define ASPEED_CPUS_NUM 4 From patchwork Sun Mar 23 17:45:40 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?C=C3=A9dric_Le_Goater?= X-Patchwork-Id: 14026576 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 2C72EC28B30 for ; Sun, 23 Mar 2025 17:47:24 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twPPN-0003c2-Os; Sun, 23 Mar 2025 13:46:51 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twPOg-0002Zo-FT for qemu-devel@nongnu.org; Sun, 23 Mar 2025 13:46:10 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twPOb-00040m-OZ for qemu-devel@nongnu.org; Sun, 23 Mar 2025 13:46:03 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1742751960; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=0zrBPoVoU+HLkajTGv8FNra5OrxM1lKlyJrqR1Ud79Y=; b=KW3E+O5ld0z2LtXfC8bd6I6YXSNgddMHwABaML/yrYdOXel4pLkRCe+hG1JHJJ0VnzFpXA 6ege1/DlDlU0lXdmZWV9zBMVrVont50zJVhwJ/PcCgmMkf3beldVLqCtJ26G0dxaou5bBn 1kg+LRmdlV41TZ/fFYTaRMazL29/eQA= Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-402-u14d4ikdP0mZcB1wLHkJzA-1; Sun, 23 Mar 2025 13:45:59 -0400 X-MC-Unique: u14d4ikdP0mZcB1wLHkJzA-1 X-Mimecast-MFC-AGG-ID: u14d4ikdP0mZcB1wLHkJzA_1742751958 Received: from mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 0E45B180035C; Sun, 23 Mar 2025 17:45:58 +0000 (UTC) Received: from corto.redhat.com (unknown [10.44.32.3]) by mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 8D9D51956095; Sun, 23 Mar 2025 17:45:53 +0000 (UTC) From: =?utf-8?q?C=C3=A9dric_Le_Goater?= To: qemu-arm@nongnu.org, qemu-devel@nongnu.org Cc: Steven Lee , =?utf-8?q?C=C3=A9dric_Le_Goater?= Subject: [PULL 2/3] hw/intc/aspeed: Fix IRQ handler mask check Date: Sun, 23 Mar 2025 18:45:40 +0100 Message-ID: <20250323174541.406860-3-clg@redhat.com> In-Reply-To: <20250323174541.406860-1-clg@redhat.com> References: <20250323174541.406860-1-clg@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.15 Received-SPF: pass client-ip=170.10.133.124; envelope-from=clg@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.01, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org From: Steven Lee Updated the IRQ handler mask check to AND with select variable. This ensures that the interrupt service routine is correctly triggered for the interrupts within the same irq group. For example, both `eth0` and the debug UART are handled in `GICINT132`. Without this fix, the debug console may hang if the `eth0` ISR is not handled. Signed-off-by: Steven Lee Change-Id: Ic3609eb72218dfd68be6057d78b8953b18828709 Reviewed-by: Cédric Le Goater Fixes: d831c5fd8682 ("aspeed/intc: Add AST2700 support") Link: https://lore.kernel.org/qemu-devel/20250320092543.4040672-2-steven_lee@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/intc/aspeed_intc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/intc/aspeed_intc.c b/hw/intc/aspeed_intc.c index 3fd417084f5b..f17bf439256a 100644 --- a/hw/intc/aspeed_intc.c +++ b/hw/intc/aspeed_intc.c @@ -111,7 +111,7 @@ static void aspeed_intc_set_irq_handler(AspeedINTCState *s, outpin_idx = intc_irq->outpin_idx; inpin_idx = intc_irq->inpin_idx; - if (s->mask[inpin_idx] || s->regs[status_reg]) { + if ((s->mask[inpin_idx] & select) || (s->regs[status_reg] & select)) { /* * a. mask is not 0 means in ISR mode * sources interrupt routine are executing. From patchwork Sun Mar 23 17:45:41 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?C=C3=A9dric_Le_Goater?= X-Patchwork-Id: 14026579 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 51938C28B30 for ; Sun, 23 Mar 2025 17:49:51 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1twPPI-0003M2-KU; Sun, 23 Mar 2025 13:46:45 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twPOi-0002dv-Hp for qemu-devel@nongnu.org; Sun, 23 Mar 2025 13:46:10 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1twPOg-00041M-7Z for qemu-devel@nongnu.org; Sun, 23 Mar 2025 13:46:08 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1742751964; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=MvcPmepQnYaqXyzcNgX6ZnHaPADmQDVdyjY/kGblWr4=; b=OulJpfcw870c0+UuwI6D34j7ONQCkj72TabXwYxaz7euxPMU6qLov49hnPOBmjGt0BKMmW NNE5Iv6ydDCNUcUGCkjbNTS1qqgaMxEoUahCqzrorbVTicO5u45rap3Nkfroa9RjMKw8+R bXTlots/ZgJrzvre93F/uNffuBjYDx8= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-446-t5hOVJvmOfuI_my2LcqDCg-1; Sun, 23 Mar 2025 13:46:02 -0400 X-MC-Unique: t5hOVJvmOfuI_my2LcqDCg-1 X-Mimecast-MFC-AGG-ID: t5hOVJvmOfuI_my2LcqDCg_1742751961 Received: from mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 2A47C180899B; Sun, 23 Mar 2025 17:46:00 +0000 (UTC) Received: from corto.redhat.com (unknown [10.44.32.3]) by mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 88BC61956095; Sun, 23 Mar 2025 17:45:58 +0000 (UTC) From: =?utf-8?q?C=C3=A9dric_Le_Goater?= To: qemu-arm@nongnu.org, qemu-devel@nongnu.org Cc: Jamin Lin , =?utf-8?q?C=C3=A9dric_Le_Goater?= Subject: [PULL 3/3] hw/misc/aspeed_hace: Fix buffer overflow in has_padding function Date: Sun, 23 Mar 2025 18:45:41 +0100 Message-ID: <20250323174541.406860-4-clg@redhat.com> In-Reply-To: <20250323174541.406860-1-clg@redhat.com> References: <20250323174541.406860-1-clg@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.15 Received-SPF: pass client-ip=170.10.133.124; envelope-from=clg@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.01, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org From: Jamin Lin The maximum padding size is either 64 or 128 bytes and should always be smaller than "req_len". If "padding_size" exceeds "req_len", then "req_len - padding_size" underflows due to "uint32_t" data type, leading to a large incorrect value (e.g., `0xFFXXXXXX`). This causes an out-of-bounds memory access, potentially leading to a buffer overflow. Added a check to ensure "padding_size" does not exceed "req_len" before computing "pad_offset". This prevents "req_len - padding_size" from underflowing and avoids accessing invalid memory. Signed-off-by: Jamin Lin Reviewed-by: Cédric Le Goater Fixes: 5cd7d8564a8b563da724b9e6264c967f0a091afa ("aspeed/hace: Support AST2600 HACE ") Link: https://lore.kernel.org/qemu-devel/20250321092623.2097234-3-jamin_lin@aspeedtech.com Signed-off-by: Cédric Le Goater --- hw/misc/aspeed_hace.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/misc/aspeed_hace.c b/hw/misc/aspeed_hace.c index 32a5dbded3c6..d75da3335336 100644 --- a/hw/misc/aspeed_hace.c +++ b/hw/misc/aspeed_hace.c @@ -128,6 +128,11 @@ static bool has_padding(AspeedHACEState *s, struct iovec *iov, if (*total_msg_len <= s->total_req_len) { uint32_t padding_size = s->total_req_len - *total_msg_len; uint8_t *padding = iov->iov_base; + + if (padding_size > req_len) { + return false; + } + *pad_offset = req_len - padding_size; if (padding[*pad_offset] == 0x80) { return true;