summaryrefslogtreecommitdiff
path: root/poky/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch
diff options
context:
space:
mode:
Diffstat (limited to 'poky/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch')
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch167
1 files changed, 167 insertions, 0 deletions
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch b/poky/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch
new file mode 100644
index 0000000000..d65e0b4305
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch
@@ -0,0 +1,167 @@
+From 5e468a36dcdd8fd5eb04282842b72967a29875e4 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 16 Dec 2021 11:27:23 +0100
+Subject: [PATCH] dma: Have dma_buf_read() / dma_buf_write() take a void
+ pointer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+DMA operations are run on any kind of buffer, not arrays of
+uint8_t. Convert dma_buf_read/dma_buf_write functions to take
+a void pointer argument and save us pointless casts to uint8_t *.
+
+Remove this pointless casts in the megasas device model.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=5e468a36dcdd8fd5eb04282842b72967a29875e4]
+
+Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-9-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ hw/scsi/megasas.c | 22 +++++++++++-----------
+ include/sysemu/dma.h | 4 ++--
+ softmmu/dma-helpers.c | 4 ++--
+ 3 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 14ec6d6..2dae33f 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -848,7 +848,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
+ MFI_INFO_PDMIX_SATA |
+ MFI_INFO_PDMIX_LD);
+
+- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
+ return MFI_STAT_OK;
+ }
+
+@@ -878,7 +878,7 @@ static int megasas_mfc_get_defaults(MegasasState *s, MegasasCmd *cmd)
+ info.disable_preboot_cli = 1;
+ info.cluster_disable = 1;
+
+- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
+ return MFI_STAT_OK;
+ }
+
+@@ -899,7 +899,7 @@ static int megasas_dcmd_get_bios_info(MegasasState *s, MegasasCmd *cmd)
+ info.expose_all_drives = 1;
+ }
+
+- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
+ return MFI_STAT_OK;
+ }
+
+@@ -910,7 +910,7 @@ static int megasas_dcmd_get_fw_time(MegasasState *s, MegasasCmd *cmd)
+
+ fw_time = cpu_to_le64(megasas_fw_time());
+
+- cmd->iov_size -= dma_buf_read((uint8_t *)&fw_time, dcmd_size, &cmd->qsg);
++ cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg);
+ return MFI_STAT_OK;
+ }
+
+@@ -937,7 +937,7 @@ static int megasas_event_info(MegasasState *s, MegasasCmd *cmd)
+ info.shutdown_seq_num = cpu_to_le32(s->shutdown_event);
+ info.boot_seq_num = cpu_to_le32(s->boot_event);
+
+- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
+ return MFI_STAT_OK;
+ }
+
+@@ -1006,7 +1006,7 @@ static int megasas_dcmd_pd_get_list(MegasasState *s, MegasasCmd *cmd)
+ info.size = cpu_to_le32(offset);
+ info.count = cpu_to_le32(num_pd_disks);
+
+- cmd->iov_size -= dma_buf_read((uint8_t *)&info, offset, &cmd->qsg);
++ cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg);
+ return MFI_STAT_OK;
+ }
+
+@@ -1172,7 +1172,7 @@ static int megasas_dcmd_ld_get_list(MegasasState *s, MegasasCmd *cmd)
+ info.ld_count = cpu_to_le32(num_ld_disks);
+ trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks);
+
+- resid = dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg);
+ cmd->iov_size = dcmd_size - resid;
+ return MFI_STAT_OK;
+ }
+@@ -1221,7 +1221,7 @@ static int megasas_dcmd_ld_list_query(MegasasState *s, MegasasCmd *cmd)
+ info.size = dcmd_size;
+ trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks);
+
+- resid = dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg);
+ cmd->iov_size = dcmd_size - resid;
+ return MFI_STAT_OK;
+ }
+@@ -1390,7 +1390,7 @@ static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
+ ld_offset += sizeof(struct mfi_ld_config);
+ }
+
+- cmd->iov_size -= dma_buf_read((uint8_t *)data, info->size, &cmd->qsg);
++ cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg);
+ return MFI_STAT_OK;
+ }
+
+@@ -1420,7 +1420,7 @@ static int megasas_dcmd_get_properties(MegasasState *s, MegasasCmd *cmd)
+ info.ecc_bucket_leak_rate = cpu_to_le16(1440);
+ info.expose_encl_devices = 1;
+
+- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
+ return MFI_STAT_OK;
+ }
+
+@@ -1465,7 +1465,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
+ dcmd_size);
+ return MFI_STAT_INVALID_PARAMETER;
+ }
+- dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
++ dma_buf_write(&info, dcmd_size, &cmd->qsg);
+ trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
+ return MFI_STAT_OK;
+ }
+diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
+index 97ff6f2..0d5b836 100644
+--- a/include/sysemu/dma.h
++++ b/include/sysemu/dma.h
+@@ -302,8 +302,8 @@ BlockAIOCB *dma_blk_read(BlockBackend *blk,
+ BlockAIOCB *dma_blk_write(BlockBackend *blk,
+ QEMUSGList *sg, uint64_t offset, uint32_t align,
+ BlockCompletionFunc *cb, void *opaque);
+-uint64_t dma_buf_read(uint8_t *ptr, int32_t len, QEMUSGList *sg);
+-uint64_t dma_buf_write(uint8_t *ptr, int32_t len, QEMUSGList *sg);
++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg);
++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg);
+
+ void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie,
+ QEMUSGList *sg, enum BlockAcctType type);
+diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
+index 09e2999..7f37548 100644
+--- a/softmmu/dma-helpers.c
++++ b/softmmu/dma-helpers.c
+@@ -317,12 +317,12 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg,
+ return resid;
+ }
+
+-uint64_t dma_buf_read(uint8_t *ptr, int32_t len, QEMUSGList *sg)
++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg)
+ {
+ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE);
+ }
+
+-uint64_t dma_buf_write(uint8_t *ptr, int32_t len, QEMUSGList *sg)
++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg)
+ {
+ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE);
+ }
+--
+1.8.3.1
generated by cgit v1.2.3 (git 2.39.0) at 2024-06-11 05:00:24 +0300