[PULL v2 0/1] ufs queue

[PULL v2 0/1] ufs queue

[Jeuk Kim]

From: Jeuk Kim <jeuk20.kim@samsung.com>

The following changes since commit 37fbfda8f4145ba1700f63f0cb7be4c108d545de:

  Merge tag 'edgar/xen-queue-2024-07-12.for-upstream' of https://gitlab.com/edgar.iglesias/qemu into staging (2024-07-12 09:53:22 -0700)

are available in the Git repository at:

  https://gitlab.com/jeuk20.kim/qemu.git tags/pull-ufs-20240714

for you to fetch changes up to 50475f1511964775ff73c2b07239c3ff571f75cd:

  hw/ufs: Fix mcq register range check logic (2024-07-14 17:11:21 +0900)

----------------------------------------------------------------
hw/ufs:
 - Fix invalid address access in mcq register check

I didn't cc qemu-stable@, as 5c079578d2e4 ("hw/ufs: Add support MCQ of
UFSHCI 4.0") is not yet included in any release tag. If I'm wrong,
please let me know. Thanks.

----------------------------------------------------------------
Jeuk Kim (1):
      hw/ufs: Fix mcq register range check logic

 hw/ufs/ufs.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

[PULL v2 1/1] hw/ufs: Fix mcq register range check logic

[Jeuk Kim]

From: Jeuk Kim <jeuk20.kim@samsung.com>

The function ufs_is_mcq_reg() and ufs_is_mcq_op_reg() only evaluated
the range of the mcq_reg and mcq_op_reg offset, which is defined as
a constant. Therefore, it was possible for them to return true
even though the ufs device is configured to not support the mcq.
This could cause ufs_mmio_read()/ufs_mmio_write() to result in
Null-pointer-dereference.
So fix it.

Resolves: #2428
Fixes: 5c079578d2e4 ("hw/ufs: Add support MCQ of UFSHCI 4.0")
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
Reviewed-by: Minwoo Im <minwoo.im@samsung.com>
---
 hw/ufs/ufs.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c
index 683fff5840..945a0ea127 100644
--- a/hw/ufs/ufs.c
+++ b/hw/ufs/ufs.c
@@ -57,14 +57,26 @@ static inline uint64_t ufs_reg_size(UfsHc *u)
 
 static inline bool ufs_is_mcq_reg(UfsHc *u, uint64_t addr, unsigned size)
 {
-    uint64_t mcq_reg_addr = ufs_mcq_reg_addr(u, 0);
+    uint64_t mcq_reg_addr;
+
+    if (!u->params.mcq) {
+        return false;
+    }
+
+    mcq_reg_addr = ufs_mcq_reg_addr(u, 0);
     return (addr >= mcq_reg_addr &&
             addr + size <= mcq_reg_addr + sizeof(u->mcq_reg));
 }
 
 static inline bool ufs_is_mcq_op_reg(UfsHc *u, uint64_t addr, unsigned size)
 {
-    uint64_t mcq_op_reg_addr = ufs_mcq_op_reg_addr(u, 0);
+    uint64_t mcq_op_reg_addr;
+
+    if (!u->params.mcq) {
+        return false;
+    }
+
+    mcq_op_reg_addr = ufs_mcq_op_reg_addr(u, 0);
     return (addr >= mcq_op_reg_addr &&
             addr + size <= mcq_op_reg_addr + sizeof(u->mcq_op_reg));
 }
-- 
2.34.1

Re: [PULL v2 0/1] ufs queue

[Richard Henderson]

On 7/14/24 01:24, Jeuk Kim wrote:
> From: Jeuk Kim<jeuk20.kim@samsung.com>
> 
> The following changes since commit 37fbfda8f4145ba1700f63f0cb7be4c108d545de:
> 
>    Merge tag 'edgar/xen-queue-2024-07-12.for-upstream' ofhttps://gitlab.com/edgar.iglesias/qemu  into staging (2024-07-12 09:53:22 -0700)
> 
> are available in the Git repository at:
> 
>    https://gitlab.com/jeuk20.kim/qemu.git  tags/pull-ufs-20240714
> 
> for you to fetch changes up to 50475f1511964775ff73c2b07239c3ff571f75cd:
> 
>    hw/ufs: Fix mcq register range check logic (2024-07-14 17:11:21 +0900)
> 
> ----------------------------------------------------------------
> hw/ufs:
>   - Fix invalid address access in mcq register check
> 
> I didn't cc qemu-stable@, as 5c079578d2e4 ("hw/ufs: Add support MCQ of
> UFSHCI 4.0") is not yet included in any release tag. If I'm wrong,
> please let me know. Thanks.

Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/9.1 as appropriate.

r~