From patchwork Mon Oct 17 23:08:17 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 13938
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 01/13] tiff: Security fixes CVE-2022-2867,CVE-2022-2868 and CVE-2022-2869
Date: Mon, 17 Oct 2022 13:08:17 -1000
Message-Id: <90a65fbefee1b7f615933f1bbbf5f83b6f928e8d.1666047986.git.steve@sakoman.com>
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/171919

From: Teoh Jay Shen

This series of patches includes fixes for CVE-2022-2867, CVE-2022-2868 and CVE-2022-2869. These patches are modified using devtool and a review was conducted to make sure they all get applied in the correct location.

References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2867
https://security-tracker.debian.org/tracker/CVE-2022-2867
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2868
https://security-tracker.debian.org/tracker/CVE-2022-2868
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2869
https://security-tracker.debian.org/tracker/CVE-2022-2869

Merge request:
https://gitlab.com/libtiff/libtiff/-/merge_requests/294/diffs?commit_id=7d7bfa4416366ec64068ac389414241ed4730a54

Patches from:
https://gitlab.com/libtiff/libtiff/-/commit/bcf28bb7f630f24fa47701a9907013f3548092cd?merge_request_iid=294
https://gitlab.com/libtiff/libtiff/-/commit/7d7bfa4416366ec64068ac389414241ed4730a54?merge_request_iid=294
https://gitlab.com/libtiff/libtiff/-/commit/b258ed69a485a9cfb299d9f060eb2a46c54e5903?merge_request_iid=294

Notes:
These CVEs are fixed in tiff v4.4.0

Signed-off-by: Teoh Jay Shen
Signed-off-by: Steve Sakoman
---
 .../libtiff/tiff/CVE-2022-2867.patch | 129 ++++++++++++++++++
 .../libtiff/tiff/CVE-2022-2869.patch | 84 ++++++++++++
 ...ed69a485a9cfb299d9f060eb2a46c54e5903.patch | 45 ++++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 3 +
 4 files changed, 261 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch new file mode 100644 index 0000000000..ae33a3b4e7 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch
@@ -0,0 +1,129 @@ +From 6ad097dac1d4908705f5a9d43dea76b7f2de89eb Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sun, 6 Feb 2022 17:53:53 +0100 +Subject: [PATCH] tiffcrop.c: This update fixes also issues #350 and #351. + + Issue 350 is fixed by checking for not allowed zone input cases like -Z 0:0 + in getCropOffsets(). + +CVE: CVE-2022-2867 + +Upstream-Status: Backport +[https://gitlab.com/libtiff/libtiff/-/commit/7d7bfa4416366ec64068ac389414241ed4730a54?merge_request_iid=294] + +Signed-off-by: Teoh Jay Shen + +--- + tools/tiffcrop.c | 58 +++++++++++++++++++++++++++++++++--------------- + 1 file changed, 40 insertions(+), 18 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 4a4ace8..0ef5bb2 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5194,20 +5194,33 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); + y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); + } +- /* region needs to be within image sizes 0.. width-1; 0..length-1 +- * - be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 ++ * b) Corners are expected to be submitted as top-left to bottom-right. ++ * Therefore, check that and reorder input. 
++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ) + */ +- if (x1 > image->width - 1) ++ uint32_t aux; ++ if (x1 > x2) { ++ aux = x1; ++ x1 = x2; ++ x2 = aux; ++ } ++ if (y1 > y2) { ++ aux = y1; ++ y1 = y2; ++ y2 = aux; ++ } ++ if (x1 > image->width - 1) + crop->regionlist[i].x1 = image->width - 1; +- else if (x1 > 0) +- crop->regionlist[i].x1 = (uint32_t) (x1 - 1); ++ else if (x1 > 0) ++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1); + +- if (x2 > image->width - 1) +- crop->regionlist[i].x2 = image->width - 1; +- else if (x2 > 0) +- crop->regionlist[i].x2 = (uint32_t)(x2 - 1); ++ if (x2 > image->width - 1) ++ crop->regionlist[i].x2 = image->width - 1; ++ else if (x2 > 0) ++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1); + +- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; + + if (y1 > image->length - 1) + crop->regionlist[i].y1 = image->length - 1; +@@ -5219,8 +5232,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + else if (y2 > 0) + crop->regionlist[i].y2 = (uint32_t)(y2 - 1); + +- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; +- ++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; + if (zwidth > max_width) + max_width = zwidth; + if (zlength > max_length) +@@ -5250,7 +5262,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + } + } + return (0); +- } ++ } /* crop_mode == CROP_REGIONS */ + + /* Convert crop margins into offsets into image + * Margins are expressed as pixel rows and columns, not bytes +@@ -5286,7 +5298,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + bmargin = (uint32_t) 0; + return (-1); + } +- } ++ } /* crop_mode == CROP_MARGINS */ + else + { /* no margins requested */ + tmargin = (uint32_t) 0; +@@ -5494,10 +5506,17 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + else + crop->selections = 
crop->zones; + +- for (i = 0; i < crop->zones; i++) ++ /* Initialize regions iterator i */ ++ i = 0; ++ for (int j = 0; j < crop->zones; j++) + { +- seg = crop->zonelist[i].position; +- total = crop->zonelist[i].total; ++ seg = crop->zonelist[j].position; ++ total = crop->zonelist[j].total; ++ ++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */ ++ if (seg == 0 || total == 0 || seg > total) { ++ continue; ++ } + + switch (crop->edge_ref) + { +@@ -5626,8 +5645,11 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + i + 1, zwidth, zlength, + crop->regionlist[i].x1, crop->regionlist[i].x2, + crop->regionlist[i].y1, crop->regionlist[i].y2); ++ /* increment regions iterator */ ++ i++; + } +- ++ /* set number of generated regions out of given zones */ ++ crop->selections = i; + return (0); + } /* end getCropOffsets */ + diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch new file mode 100644 index 0000000000..9a23e23fed --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch 
@@ -0,0 +1,84 @@ +From 0ec36342df880f5ad41576cb1b03061b8697dabd Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sun, 6 Feb 2022 10:53:45 +0100 +Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting + + uint32_t underflow. + +CVE: CVE-2022-2869 + +Upstream-Status: Backport +[https://gitlab.com/libtiff/libtiff/-/commit/bcf28bb7f630f24fa47701a9907013f3548092cd?merge_request_iid=294] + +Signed-off-by: Teoh Jay Shen + +--- + tools/tiffcrop.c | 34 +++++++++++++++++++--------------- + 1 file changed, 19 insertions(+), 15 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index b9b13d8..4a4ace8 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5194,26 +5194,30 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); + y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); + } +- if (x1 < 1) +- crop->regionlist[i].x1 = 0; +- else ++ /* region needs to be within image sizes 0.. 
width-1; 0..length-1 ++ * - be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ++ */ ++ if (x1 > image->width - 1) ++ crop->regionlist[i].x1 = image->width - 1; ++ else if (x1 > 0) + crop->regionlist[i].x1 = (uint32_t) (x1 - 1); + +- if (x2 > image->width - 1) +- crop->regionlist[i].x2 = image->width - 1; +- else +- crop->regionlist[i].x2 = (uint32_t) (x2 - 1); ++ if (x2 > image->width - 1) ++ crop->regionlist[i].x2 = image->width - 1; ++ else if (x2 > 0) ++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1); ++ + zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; + +- if (y1 < 1) +- crop->regionlist[i].y1 = 0; +- else +- crop->regionlist[i].y1 = (uint32_t) (y1 - 1); ++ if (y1 > image->length - 1) ++ crop->regionlist[i].y1 = image->length - 1; ++ else if (y1 > 0) ++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1); + + if (y2 > image->length - 1) + crop->regionlist[i].y2 = image->length - 1; +- else +- crop->regionlist[i].y2 = (uint32_t) (y2 - 1); ++ else if (y2 > 0) ++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1); + + zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; + +@@ -5376,7 +5380,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + crop_width = endx - startx + 1; + crop_length = endy - starty + 1; + +- if (crop_width <= 0) ++ if (endx + 1 <= startx) + { + TIFFError("computeInputPixelOffsets", + "Invalid left/right margins and /or image crop width requested"); +@@ -5385,7 +5389,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + if (crop_width > image->width) + crop_width = image->width; + +- if (crop_length <= 0) ++ if (endy + 1 <= starty) + { + TIFFError("computeInputPixelOffsets", + "Invalid top/bottom margins and /or image crop length requested"); 
diff --git a/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch b/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch new file mode 100644 index 0000000000..1fa6a11104 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch @@ -0,0 +1,45 @@ +From 740111312ca6ae718f233d914662a9969e6820ee Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sun, 6 Feb 2022 19:52:17 +0100 +Subject: [PATCH] Move the crop_width and crop_length computation after the + sanity check to avoid warnings when built with + -fsanitize=unsigned-integer-overflow. + +Upstream-Status: Backport +[https://gitlab.com/libtiff/libtiff/-/commit/b258ed69a485a9cfb299d9f060eb2a46c54e5903?merge_request_iid=294] + +Signed-off-by: Teoh Jay Shen + +--- + tools/tiffcrop.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 0ef5bb2..99e4208 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5389,15 +5389,13 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + off->endx = endx; + off->endy = endy; + +- crop_width = endx - startx + 1; +- crop_length = endy - starty + 1; +- + if (endx + 1 <= startx) + { + TIFFError("computeInputPixelOffsets", + "Invalid left/right margins and /or image crop width requested"); + return (-1); + } ++ crop_width = endx - startx + 1; + if (crop_width > image->width) + crop_width = image->width; + +@@ -5407,6 +5405,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + "Invalid top/bottom margins and /or image crop length requested"); + return (-1); + } ++ crop_length = endy - starty + 1; + if (crop_length > image->length) + crop_length = image->length; + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index b5ccd859f3..f84057c46b 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
@@ -22,6 +22,9 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2022-1354.patch \ file://CVE-2022-1355.patch \ file://CVE-2022-34526.patch \ + file://CVE-2022-2869.patch \ + file://CVE-2022-2867.patch \ + file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \ " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
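
Review bot: In the getCropOffsets() hunks of CVE-2022-2867.patch, zones such as 0:0 or 4:3 are dropped with a bare "continue", and the function then sets "crop->selections = i" and returns 0 even when i is 0 because every zone was rejected. A TIFFError() naming the rejected zone, plus a -1 return when no region was generated, would let the caller tell bad -Z input apart from a successful crop; if zero selections is acceptable to callers, the new comment should say so. The loop counter "int j" is also compared against crop->zones, whose type is not shown in the hunk, so it is worth matching the two types.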
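
Review bot: In the first computeInputPixelOffsets() hunk of CVE-2022-2869.patch, the new "else if (x1 > 0)" chain no longer assigns crop->regionlist[i].x1 when x1 is 0, whereas the removed code stored 0 explicitly ("if (x1 < 1) crop->regionlist[i].x1 = 0;"); the same holds for x2, y1 and y2. zwidth and zlength are then computed from whatever the region entry held before, so either add a final else branch that stores 0 or state in the comment that regionlist[] is zero-initialised elsewhere. The bound "image->width - 1" also wraps if the width is 0 and the field is unsigned, which the comment about avoiding (0 - 1) does not cover.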
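
Review bot: The replacement test "if (endx + 1 <= startx)" in the last two hunks of CVE-2022-2869.patch still performs an addition that can wrap if endx is at the maximum of an unsigned type, as the -fsanitize=unsigned-integer-overflow remark in the third patch suggests these are. "endx < startx" and "endy < starty" express the same condition with no arithmetic. b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch then moves the crop_width and crop_length computation behind these checks, so the two patches only make sense applied together; a sentence saying so in its header would help anyone who later drops one of them.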
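
Review bot: The SRC_URI hunk in tiff_4.3.0.bb adds three patches for the three CVEs named in the subject, but only two CVE tags appear in the patch headers: CVE-2022-2867.patch carries "CVE: CVE-2022-2867", CVE-2022-2869.patch carries "CVE: CVE-2022-2869", and b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch has no CVE: line. Add "CVE: CVE-2022-2868" to the header of whichever patch fixes it, so that the third CVE is recorded as patched in the recipe and not only in the commit message. The order 2869 before 2867 matches the index lines of the backported diffs (b9b13d8..4a4ace8, then 4a4ace8..0ef5bb2, then 0ef5bb2..99e4208); a one-line remark in the commit message would save the next reader from re-deriving that.
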
From patchwork Mon Oct 17 23:08:18 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 13941
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 02/13] binutils : Fix CVE-2022-38128
Date: Mon, 17 Oct 2022 13:08:18 -1000
Message-Id: <21fb0b441096ec8b5cfa1d5b645f9a3a2ace1e09.1666047986.git.steve@sakoman.com>
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/171920

From: pgowda

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f07c08e115e27cddf5a0030dc6332bbee1bd9c6a]
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=175b91507b83ad42607d2f6dadaf55b7b511bdbe]
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=695c6dfe7e85006b98c8b746f3fd5f913c94ebff]

Signed-off-by: pgowda
Signed-off-by: Steve Sakoman
---
 .../binutils/binutils-2.38.inc | 3 +
 .../binutils/0018-CVE-2022-38128-1.patch | 350 ++++++++++++++
 .../binutils/0018-CVE-2022-38128-2.patch | 436 ++++++++++++++++++
 .../binutils/0018-CVE-2022-38128-3.patch | 95 ++++
 4 files changed, 884 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-1.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-2.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc index fc88d4a79e..8259ec3232 100644 --- a/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -39,5 +39,8 @@ SRC_URI = "\ file://0017-CVE-2022-38127-2.patch \ file://0017-CVE-2022-38127-3.patch \ file://0017-CVE-2022-38127-4.patch \ + file://0018-CVE-2022-38128-1.patch \ + file://0018-CVE-2022-38128-2.patch \ + file://0018-CVE-2022-38128-3.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-1.patch b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-1.patch new file mode 100644 index 0000000000..0a490d86b3 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-1.patch 
@@ -0,0 +1,350 @@ +From f07c08e115e27cddf5a0030dc6332bbee1bd9c6a Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Thu, 21 Jul 2022 08:38:14 +0930 +Subject: [PATCH] binutils/dwarf.c: abbrev caching + +I'm inclined to think that abbrev caching is counter-productive. The +time taken to search the list of abbrevs converted to internal form is +non-zero, and it's easy to decode the raw abbrevs. It's especially +silly to cache empty lists of decoded abbrevs (happens with zero +padding in .debug_abbrev), or abbrevs as they are displayed when there +is no further use of those abbrevs. This patch stops caching in those +cases. + + * dwarf.c (record_abbrev_list_for_cu): Add free_list param. + Put abbrevs on abbrev_lists here. + (new_abbrev_list): Delete function. + (process_abbrev_set): Return newly allocated list. Move + abbrev base, offset and size checking to.. + (find_and_process_abbrev_set): ..here, new function. Handle + lookup of cached abbrevs here, and calculate start and end + for process_abbrev_set. Return free_list if newly alloc'd. + (process_debug_info): Consolidate cached list lookup, new list + alloc and processing into find_and_process_abbrev_set call. + Free list when not cached. + (display_debug_abbrev): Similarly. 
+ +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f07c08e115e27cddf5a0030dc6332bbee1bd9c6a] + +Signed-off-by: Pgowda +--- + binutils/dwarf.c | 208 +++++++++++++++++++++++++---------------------- + 1 file changed, 110 insertions(+), 98 deletions(-) + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 267ed3bb382..2fc352f74c5 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -882,8 +882,15 @@ static unsigned long next_free_abbrev_m + #define ABBREV_MAP_ENTRIES_INCREMENT 8 + + static void +-record_abbrev_list_for_cu (dwarf_vma start, dwarf_vma end, abbrev_list * list) ++record_abbrev_list_for_cu (dwarf_vma start, dwarf_vma end, ++ abbrev_list *list, abbrev_list *free_list) + { ++ if (free_list != NULL) ++ { ++ list->next = abbrev_lists; ++ abbrev_lists = list; ++ } ++ + if (cu_abbrev_map == NULL) + { + num_abbrev_map_entries = INITIAL_NUM_ABBREV_MAP_ENTRIES; +@@ -936,20 +943,6 @@ free_all_abbrevs (void) + } + + static abbrev_list * +-new_abbrev_list (dwarf_vma abbrev_base, dwarf_vma abbrev_offset) +-{ +- abbrev_list * list = (abbrev_list *) xcalloc (sizeof * list, 1); +- +- list->abbrev_base = abbrev_base; +- list->abbrev_offset = abbrev_offset; +- +- list->next = abbrev_lists; +- abbrev_lists = list; +- +- return list; +-} +- +-static abbrev_list * + find_abbrev_list_by_abbrev_offset (dwarf_vma abbrev_base, + dwarf_vma abbrev_offset) + { +@@ -966,7 +959,7 @@ find_abbrev_list_by_abbrev_offset (dwarf + /* Find the abbreviation map for the CU that includes OFFSET. + OFFSET is an absolute offset from the start of the .debug_info section. */ + /* FIXME: This function is going to slow down readelf & objdump. +- Consider using a better algorithm to mitigate this effect. */ ++ Not caching abbrevs is likely the answer. 
*/ + + static abbrev_map * + find_abbrev_map_by_offset (dwarf_vma offset) +@@ -1033,40 +1026,18 @@ add_abbrev_attr (unsigned long attrib + list->last_abbrev->last_attr = attr; + } + +-/* Processes the (partial) contents of a .debug_abbrev section. +- Returns NULL if the end of the section was encountered. +- Returns the address after the last byte read if the end of +- an abbreviation set was found. */ ++/* Return processed (partial) contents of a .debug_abbrev section. ++ Returns NULL on errors. */ + +-static unsigned char * ++static abbrev_list * + process_abbrev_set (struct dwarf_section *section, +- dwarf_vma abbrev_base, +- dwarf_vma abbrev_size, +- dwarf_vma abbrev_offset, +- abbrev_list *list) ++ unsigned char *start, ++ unsigned char *end) + { +- if (abbrev_base >= section->size +- || abbrev_size > section->size - abbrev_base) +- { +- /* PR 17531: file:4bcd9ce9. */ +- warn (_("Debug info is corrupted, abbrev size (%lx) is larger than " +- "abbrev section size (%lx)\n"), +- (unsigned long) (abbrev_base + abbrev_size), +- (unsigned long) section->size); +- return NULL; +- } +- if (abbrev_offset >= abbrev_size) +- { +- warn (_("Debug info is corrupted, abbrev offset (%lx) is larger than " +- "abbrev section size (%lx)\n"), +- (unsigned long) abbrev_offset, +- (unsigned long) abbrev_size); +- return NULL; +- } ++ abbrev_list *list = xmalloc (sizeof (*list)); ++ list->first_abbrev = NULL; ++ list->last_abbrev = NULL; + +- unsigned char *start = section->start + abbrev_base; +- unsigned char *end = start + abbrev_size; +- start += abbrev_offset; + while (start < end) + { + unsigned long entry; +@@ -1079,14 +1050,18 @@ process_abbrev_set (struct dwarf_section + /* A single zero is supposed to end the set according + to the standard. If there's more, then signal that to + the caller. */ +- if (start == end) +- return NULL; +- if (entry == 0) +- return start; ++ if (start == end || entry == 0) ++ { ++ list->start_of_next_abbrevs = start != end ? 
start : NULL; ++ return list; ++ } + + READ_ULEB (tag, start, end); + if (start == end) +- return NULL; ++ { ++ free (list); ++ return NULL; ++ } + + children = *start++; + +@@ -1121,9 +1096,67 @@ process_abbrev_set (struct dwarf_section + /* Report the missing single zero which ends the section. */ + error (_(".debug_abbrev section not zero terminated\n")); + ++ free (list); + return NULL; + } + ++/* Return a sequence of abbrevs in SECTION starting at ABBREV_BASE ++ plus ABBREV_OFFSET and finishing at ABBREV_BASE + ABBREV_SIZE. ++ If FREE_LIST is non-NULL search the already decoded abbrevs on ++ abbrev_lists first and if found set *FREE_LIST to NULL. If ++ searching doesn't find a matching abbrev, set *FREE_LIST to the ++ newly allocated list. If FREE_LIST is NULL, no search is done and ++ the returned abbrev_list is always newly allocated. */ ++ ++static abbrev_list * ++find_and_process_abbrev_set (struct dwarf_section *section, ++ dwarf_vma abbrev_base, ++ dwarf_vma abbrev_size, ++ dwarf_vma abbrev_offset, ++ abbrev_list **free_list) ++{ ++ if (free_list) ++ *free_list = NULL; ++ ++ if (abbrev_base >= section->size ++ || abbrev_size > section->size - abbrev_base) ++ { ++ /* PR 17531: file:4bcd9ce9. 
*/ ++ warn (_("Debug info is corrupted, abbrev size (%lx) is larger than " ++ "abbrev section size (%lx)\n"), ++ (unsigned long) (abbrev_base + abbrev_size), ++ (unsigned long) section->size); ++ return NULL; ++ } ++ if (abbrev_offset >= abbrev_size) ++ { ++ warn (_("Debug info is corrupted, abbrev offset (%lx) is larger than " ++ "abbrev section size (%lx)\n"), ++ (unsigned long) abbrev_offset, ++ (unsigned long) abbrev_size); ++ return NULL; ++ } ++ ++ unsigned char *start = section->start + abbrev_base + abbrev_offset; ++ unsigned char *end = section->start + abbrev_base + abbrev_size; ++ abbrev_list *list = NULL; ++ if (free_list) ++ list = find_abbrev_list_by_abbrev_offset (abbrev_base, abbrev_offset); ++ if (list == NULL) ++ { ++ list = process_abbrev_set (section, start, end); ++ if (list) ++ { ++ list->abbrev_base = abbrev_base; ++ list->abbrev_offset = abbrev_offset; ++ list->next = NULL; ++ } ++ if (free_list) ++ *free_list = list; ++ } ++ return list; ++} ++ + static const char * + get_TAG_name (unsigned long tag) + { +@@ -3670,7 +3703,6 @@ process_debug_info (struct dwarf_section + dwarf_vma cu_offset; + unsigned int offset_size; + struct cu_tu_set * this_set; +- abbrev_list * list; + unsigned char *end_cu; + + hdrptr = start; +@@ -3726,22 +3758,18 @@ process_debug_info (struct dwarf_section + abbrev_size = this_set->section_sizes [DW_SECT_ABBREV]; + } + +- list = find_abbrev_list_by_abbrev_offset (abbrev_base, +- compunit.cu_abbrev_offset); +- if (list == NULL) +- { +- unsigned char * next; +- +- list = new_abbrev_list (abbrev_base, +- compunit.cu_abbrev_offset); +- next = process_abbrev_set (&debug_displays[abbrev_sec].section, +- abbrev_base, abbrev_size, +- compunit.cu_abbrev_offset, list); +- list->start_of_next_abbrevs = next; +- } +- ++ abbrev_list *list; ++ abbrev_list *free_list; ++ list = find_and_process_abbrev_set (&debug_displays[abbrev_sec].section, ++ abbrev_base, abbrev_size, ++ compunit.cu_abbrev_offset, ++ &free_list); + start = 
end_cu; +- record_abbrev_list_for_cu (cu_offset, start - section_begin, list); ++ if (list != NULL && list->first_abbrev != NULL) ++ record_abbrev_list_for_cu (cu_offset, start - section_begin, ++ list, free_list); ++ else if (free_list != NULL) ++ free_abbrev_list (free_list); + } + + for (start = section_begin, unit = 0; start < end; unit++) +@@ -3757,7 +3785,6 @@ process_debug_info (struct dwarf_section + struct cu_tu_set *this_set; + dwarf_vma abbrev_base; + size_t abbrev_size; +- abbrev_list * list = NULL; + unsigned char *end_cu; + + hdrptr = start; +@@ -3936,20 +3963,10 @@ process_debug_info (struct dwarf_section + } + + /* Process the abbrevs used by this compilation unit. */ +- list = find_abbrev_list_by_abbrev_offset (abbrev_base, +- compunit.cu_abbrev_offset); +- if (list == NULL) +- { +- unsigned char *next; +- +- list = new_abbrev_list (abbrev_base, +- compunit.cu_abbrev_offset); +- next = process_abbrev_set (&debug_displays[abbrev_sec].section, +- abbrev_base, abbrev_size, +- compunit.cu_abbrev_offset, list); +- list->start_of_next_abbrevs = next; +- } +- ++ abbrev_list *list; ++ list = find_and_process_abbrev_set (&debug_displays[abbrev_sec].section, ++ abbrev_base, abbrev_size, ++ compunit.cu_abbrev_offset, NULL); + level = 0; + last_level = level; + saved_level = -1; +@@ -4128,6 +4145,8 @@ process_debug_info (struct dwarf_section + if (entry->children) + ++level; + } ++ if (list != NULL) ++ free_abbrev_list (list); + } + + /* Set num_debug_info_entries here so that it can be used to check if +@@ -6353,24 +6372,15 @@ display_debug_abbrev (struct dwarf_secti + + do + { +- abbrev_list * list; +- dwarf_vma offset; +- +- offset = start - section->start; +- list = find_abbrev_list_by_abbrev_offset (0, offset); ++ dwarf_vma offset = start - section->start; ++ abbrev_list *list = find_and_process_abbrev_set (section, 0, ++ section->size, offset, ++ NULL); + if (list == NULL) +- { +- list = new_abbrev_list (0, offset); +- start = process_abbrev_set 
(section, 0, section->size, offset, list); +- list->start_of_next_abbrevs = start; +- } +- else +- start = list->start_of_next_abbrevs; +- +- if (list->first_abbrev == NULL) +- continue; ++ break; + +- printf (_(" Number TAG (0x%lx)\n"), (long) offset); ++ if (list->first_abbrev) ++ printf (_(" Number TAG (0x%lx)\n"), (long) offset); + + for (entry = list->first_abbrev; entry; entry = entry->next) + { +@@ -6391,6 +6401,8 @@ display_debug_abbrev (struct dwarf_secti + putchar ('\n'); + } + } ++ start = list->start_of_next_abbrevs; ++ free_abbrev_list (list); + } + while (start); + diff --git a/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-2.patch b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-2.patch new file mode 100644 index 0000000000..b867b04e96 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-2.patch 
@@ -0,0 +1,436 @@ +From 175b91507b83ad42607d2f6dadaf55b7b511bdbe Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Wed, 20 Jul 2022 18:28:50 +0930 +Subject: [PATCH] miscellaneous dwarf.c tidies + + * dwarf.c: Leading and trailing whitespace fixes. + (free_abbrev_list): New function. + (free_all_abbrevs): Use the above. Free cu_abbrev_map here too. + (process_abbrev_set): Print actual section name on error. + (get_type_abbrev_from_form): Add overflow check. + (free_debug_memory): Don't free cu_abbrev_map here.. + (process_debug_info): ..or here. Warn on another case of not + finding a neeeded abbrev. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=175b91507b83ad42607d2f6dadaf55b7b511bdbe] + +Signed-off-by: Pgowda +--- + binutils/dwarf.c | 216 +++++++++++++++++++++++------------------------ + 1 file changed, 106 insertions(+), 110 deletions(-) + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 2b1eec49422..267ed3bb382 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -954,38 +954,41 @@ record_abbrev_list_for_cu (dwarf_vma sta + next_free_abbrev_map_entry ++; + } + +-static void +-free_all_abbrevs (void) ++static abbrev_list * ++free_abbrev_list (abbrev_list *list) + { +- abbrev_list * list; ++ abbrev_entry *abbrv = list->first_abbrev; + +- for (list = abbrev_lists; list != NULL;) ++ while (abbrv) + { +- abbrev_list * next = list->next; +- abbrev_entry * abbrv; ++ abbrev_attr *attr = abbrv->first_attr; + +- for (abbrv = list->first_abbrev; abbrv != NULL;) ++ while (attr) + { +- abbrev_entry * next_abbrev = abbrv->next; +- abbrev_attr * attr; +- +- for (attr = abbrv->first_attr; attr;) +- { +- abbrev_attr *next_attr = attr->next; +- +- free (attr); +- attr = next_attr; +- } +- +- free (abbrv); +- abbrv = next_abbrev; ++ abbrev_attr *next_attr = attr->next; ++ free (attr); ++ attr = next_attr; + } + +- free (list); +- list = next; ++ abbrev_entry *next_abbrev = abbrv->next; ++ free (abbrv); ++ abbrv = 
next_abbrev; + } + +- abbrev_lists = NULL; ++ abbrev_list *next = list->next; ++ free (list); ++ return next; ++} ++ ++static void ++free_all_abbrevs (void) ++{ ++ while (abbrev_lists) ++ abbrev_lists = free_abbrev_list (abbrev_lists); ++ ++ free (cu_abbrev_map); ++ cu_abbrev_map = NULL; ++ next_free_abbrev_map_entry = 0; + } + + static abbrev_list * +@@ -1017,7 +1020,7 @@ find_abbrev_map_by_offset (dwarf_vma off + && cu_abbrev_map[i].end > offset) + return cu_abbrev_map + i; + +- return NULL; ++ return NULL; + } + + static void +@@ -1140,7 +1143,7 @@ process_abbrev_set (struct dwarf_section + } + + /* Report the missing single zero which ends the section. */ +- error (_(".debug_abbrev section not zero terminated\n")); ++ error (_("%s section not zero terminated\n"), section->name); + + free (list); + return NULL; +@@ -1917,7 +1920,7 @@ fetch_alt_indirect_string (dwarf_vma off + dwarf_vmatoa ("x", offset)); + return _(""); + } +- ++ + static const char * + get_AT_name (unsigned long attribute) + { +@@ -2199,7 +2202,8 @@ get_type_abbrev_from_form (unsigned long + case DW_FORM_ref4: + case DW_FORM_ref8: + case DW_FORM_ref_udata: +- if (uvalue + cu_offset > (size_t) (cu_end - section->start)) ++ if (uvalue + cu_offset < uvalue ++ || uvalue + cu_offset > (size_t) (cu_end - section->start)) + { + warn (_("Unable to resolve ref form: uvalue %lx + cu_offset %lx > CU size %lx\n"), + uvalue, (long) cu_offset, (long) (cu_end - section->start)); +@@ -2236,7 +2240,7 @@ get_type_abbrev_from_form (unsigned long + else + *map_return = NULL; + } +- ++ + READ_ULEB (abbrev_number, data, section->start + section->size); + + for (entry = map->list->first_abbrev; entry != NULL; entry = entry->next) +@@ -2837,7 +2841,7 @@ read_and_display_attr_value (unsigned lo + if (!do_loc) + printf ("%c<0x%s>", delimiter, dwarf_vmatoa ("x", uvalue + cu_offset)); + break; +- ++ + default: + warn (_("Unrecognized form: 0x%lx\n"), form); + /* What to do? Consume a byte maybe? 
*/ +@@ -3009,7 +3013,7 @@ read_and_display_attr_value (unsigned lo + case DW_FORM_strx3: + case DW_FORM_strx4: + add_dwo_name (fetch_indexed_string (uvalue, this_set, offset_size, false, +- debug_info_p->str_offsets_base), ++ debug_info_p->str_offsets_base), + cu_offset); + break; + case DW_FORM_string: +@@ -3043,7 +3047,7 @@ read_and_display_attr_value (unsigned lo + case DW_FORM_strx3: + case DW_FORM_strx4: + add_dwo_dir (fetch_indexed_string (uvalue, this_set, offset_size, false, +- debug_info_p->str_offsets_base), ++ debug_info_p->str_offsets_base), + cu_offset); + break; + case DW_FORM_string: +@@ -3671,11 +3675,8 @@ process_debug_info (struct dwarf_section + introduce (section, false); + + free_all_abbrevs (); +- free (cu_abbrev_map); +- cu_abbrev_map = NULL; +- next_free_abbrev_map_entry = 0; + +- /* In order to be able to resolve DW_FORM_ref_attr forms we need ++ /* In order to be able to resolve DW_FORM_ref_addr forms we need + to load *all* of the abbrevs for all CUs in this .debug_info + section. This does effectively mean that we (partially) read + every CU header twice. */ +@@ -4029,12 +4030,11 @@ process_debug_info (struct dwarf_section + + /* Scan through the abbreviation list until we reach the + correct entry. 
*/ +- if (list == NULL) +- continue; +- +- for (entry = list->first_abbrev; entry != NULL; entry = entry->next) +- if (entry->number == abbrev_number) +- break; ++ entry = NULL; ++ if (list != NULL) ++ for (entry = list->first_abbrev; entry != NULL; entry = entry->next) ++ if (entry->number == abbrev_number) ++ break; + + if (entry == NULL) + { +@@ -4442,7 +4442,7 @@ display_debug_sup (struct dwarf_section + + SAFE_BYTE_GET_AND_INC (is_supplementary, start, 1, end); + if (is_supplementary != 0 && is_supplementary != 1) +- warn (_("corrupt .debug_sup section: is_supplementary not 0 or 1\n")); ++ warn (_("corrupt .debug_sup section: is_supplementary not 0 or 1\n")); + + sup_filename = start; + if (is_supplementary && sup_filename[0] != 0) +@@ -5621,7 +5621,7 @@ display_debug_lines_decoded (struct dwar + printf ("%s %11d %#18" DWARF_VMA_FMT "x", + newFileName, state_machine_regs.line, + state_machine_regs.address); +- } ++ } + else + { + if (xop == -DW_LNE_end_sequence) +@@ -6075,7 +6075,7 @@ display_debug_macro (struct dwarf_sectio + load_debug_section_with_follow (str, file); + load_debug_section_with_follow (line, file); + load_debug_section_with_follow (str_index, file); +- ++ + introduce (section, false); + + while (curr < end) +@@ -6519,7 +6519,7 @@ display_loc_list (struct dwarf_section * + + /* Check base address specifiers. 
*/ + if (is_max_address (begin, pointer_size) +- && !is_max_address (end, pointer_size)) ++ && !is_max_address (end, pointer_size)) + { + base_address = end; + print_dwarf_vma (begin, pointer_size); +@@ -6697,7 +6697,7 @@ display_loclists_list (struct dwarf_sect + case DW_LLE_default_location: + begin = end = 0; + break; +- ++ + case DW_LLE_offset_pair: + READ_ULEB (begin, start, section_end); + begin += base_address; +@@ -6993,7 +6993,7 @@ display_offset_entry_loclists (struct dw + unsigned char * start = section->start; + unsigned char * const end = start + section->size; + +- introduce (section, false); ++ introduce (section, false); + + do + { +@@ -7042,14 +7042,14 @@ display_offset_entry_loclists (struct dw + section->name, segment_selector_size); + return 0; + } +- ++ + if (offset_entry_count == 0) + { + warn (_("The %s section contains a table without offset\n"), + section->name); + return 0; + } +- ++ + printf (_("\n Offset Entries starting at 0x%lx:\n"), + (long)(start - section->start)); + +@@ -8295,12 +8295,12 @@ display_debug_ranges (struct dwarf_secti + next = section_begin + offset + debug_info_p->rnglists_base; + + /* If multiple DWARF entities reference the same range then we will +- have multiple entries in the `range_entries' list for the same +- offset. Thanks to the sort above these will all be consecutive in +- the `range_entries' list, so we can easily ignore duplicates +- here. */ ++ have multiple entries in the `range_entries' list for the same ++ offset. Thanks to the sort above these will all be consecutive in ++ the `range_entries' list, so we can easily ignore duplicates ++ here. */ + if (i > 0 && last_offset == offset) +- continue; ++ continue; + last_offset = offset; + + if (dwarf_check != 0 && i > 0) +@@ -10336,7 +10336,7 @@ display_debug_names (struct dwarf_sectio + break; + if (tagno >= 0) + printf ("%s<%lu>", +- (tagno == 0 && second_abbrev_tag == 0 ? " " : "\n\t"), ++ (tagno == 0 && second_abbrev_tag == 0 ? 
" " : "\n\t"), + (unsigned long) abbrev_tag); + + for (entry = abbrev_lookup; +@@ -10901,7 +10901,7 @@ process_cu_tu_index (struct dwarf_sectio + Check for integer overflow (can occur when size_t is 32-bit) + with overlarge ncols or nused values. */ + if (nused == -1u +- || _mul_overflow ((size_t) ncols, 4, &temp) ++ || _mul_overflow ((size_t) ncols, 4, &temp) + || _mul_overflow ((size_t) nused + 1, temp, &total) + || total > (size_t) (limit - ppool)) + { +@@ -10909,7 +10909,7 @@ process_cu_tu_index (struct dwarf_sectio + section->name); + return 0; + } +- ++ + if (do_display) + { + printf (_(" Offset table\n")); +@@ -11413,8 +11413,8 @@ add_separate_debug_file (const char * fi + + static bool + debuginfod_fetch_separate_debug_info (struct dwarf_section * section, +- char ** filename, +- void * file) ++ char ** filename, ++ void * file) + { + size_t build_id_len; + unsigned char * build_id; +@@ -11432,14 +11432,14 @@ debuginfod_fetch_separate_debug_info (st + + filelen = strnlen ((const char *)section->start, section->size); + if (filelen == section->size) +- /* Corrupt debugaltlink. */ +- return false; ++ /* Corrupt debugaltlink. */ ++ return false; + + build_id = section->start + filelen + 1; + build_id_len = section->size - (filelen + 1); + + if (build_id_len == 0) +- return false; ++ return false; + } + else + return false; +@@ -11451,25 +11451,25 @@ debuginfod_fetch_separate_debug_info (st + + client = debuginfod_begin (); + if (client == NULL) +- return false; ++ return false; + + /* Query debuginfod servers for the target file. If found its path +- will be stored in filename. */ ++ will be stored in filename. */ + fd = debuginfod_find_debuginfo (client, build_id, build_id_len, filename); + debuginfod_end (client); + + /* Only free build_id if we allocated space for a hex string +- in get_build_id (). */ ++ in get_build_id (). */ + if (build_id_len == 0) +- free (build_id); ++ free (build_id); + + if (fd >= 0) +- { +- /* File successfully retrieved. 
Close fd since we want to +- use open_debug_file () on filename instead. */ +- close (fd); +- return true; +- } ++ { ++ /* File successfully retrieved. Close fd since we want to ++ use open_debug_file () on filename instead. */ ++ close (fd); ++ return true; ++ } + } + + return false; +@@ -11482,7 +11482,7 @@ load_separate_debug_info (const char * + parse_func_type parse_func, + check_func_type check_func, + void * func_data, +- void * file ATTRIBUTE_UNUSED) ++ void * file ATTRIBUTE_UNUSED) + { + const char * separate_filename; + char * debug_filename; +@@ -11597,11 +11597,11 @@ load_separate_debug_info (const char * + & tmp_filename, + file)) + { +- /* File successfully downloaded from server, replace +- debug_filename with the file's path. */ +- free (debug_filename); +- debug_filename = tmp_filename; +- goto found; ++ /* File successfully downloaded from server, replace ++ debug_filename with the file's path. */ ++ free (debug_filename); ++ debug_filename = tmp_filename; ++ goto found; + } + } + #endif +@@ -11766,12 +11766,12 @@ load_build_id_debug_file (const char * m + /* In theory we should extract the contents of the section into + a note structure and then check the fields. For now though + just use hard coded offsets instead: +- ++ + Field Bytes Contents + NSize 0...3 4 + DSize 4...7 8+ + Type 8..11 3 (NT_GNU_BUILD_ID) +- Name 12.15 GNU\0 ++ Name 12.15 GNU\0 + Data 16.... */ + + /* FIXME: Check the name size, name and type fields. */ +@@ -11783,7 +11783,7 @@ load_build_id_debug_file (const char * m + warn (_(".note.gnu.build-id data size is too small\n")); + return; + } +- ++ + if (build_id_size > (section->size - 16)) + { + warn (_(".note.gnu.build-id data size is too bug\n")); +@@ -12075,10 +12075,6 @@ free_debug_memory (void) + + free_all_abbrevs (); + +- free (cu_abbrev_map); +- cu_abbrev_map = NULL; +- next_free_abbrev_map_entry = 0; +- + free (shndx_pool); + shndx_pool = NULL; + shndx_pool_size = 0; 
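Review bot: free_abbrev_list() in the first dwarf.c hunk dereferences `list` on its first line (`abbrev_entry *abbrv = list->first_abbrev;`) and returns `list->next`, but neither the non-NULL precondition nor the meaning of the return value is documented. free_all_abbrevs() satisfies the precondition through `while (abbrev_lists)`; any other caller has to guarantee it on its own. A short comment above the function stating both, or an early `if (list == NULL) return NULL;`, would make the contract explicit.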
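Review bot: in the get_type_abbrev_from_form hunk, the new wraparound test `uvalue + cu_offset < uvalue` falls into the existing warn(), whose text still reads "uvalue %lx + cu_offset %lx > CU size %lx". When the sum wraps, that message reports a comparison that is not the one that failed, which will mislead anyone triaging a fuzzed input from the log. Consider a separate message for the overflow case, or reword the shared one so it covers both conditions.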
diff --git a/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch new file mode 100644 index 0000000000..04d06ed6b6 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch 
@@ -0,0 +1,95 @@ +From 695c6dfe7e85006b98c8b746f3fd5f913c94ebff Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Thu, 21 Jul 2022 09:56:15 +0930 +Subject: [PATCH] PR29370, infinite loop in display_debug_abbrev + +The PR29370 testcase is a fuzzed object file with multiple +.trace_abbrev sections. Multiple .trace_abbrev or .debug_abbrev +sections are not a violation of the DWARF standard. The DWARF5 +standard even gives an example of multiple .debug_abbrev sections +contained in groups. Caching and lookup of processed abbrevs thus +needs to be done by section and offset rather than base and offset. +(Why base anyway?) Or, since section contents are kept, by a pointer +into the contents. + + PR 29370 + * dwarf.c (struct abbrev_list): Replace abbrev_base and + abbrev_offset with raw field. + (find_abbrev_list_by_abbrev_offset): Delete. + (find_abbrev_list_by_raw_abbrev): New function. + (process_abbrev_set): Set list->raw and list->next. + (find_and_process_abbrev_set): Replace abbrev list lookup with + new function. Don't set list abbrev_base, abbrev_offset or next. 
+ +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=695c6dfe7e85006b98c8b746f3fd5f913c94ebff] + +Signed-off-by: Pgowda +--- + binutils/dwarf.c | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 2fc352f74c5..99fb3566994 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -856,8 +856,7 @@ typedef struct abbrev_list + { + abbrev_entry * first_abbrev; + abbrev_entry * last_abbrev; +- dwarf_vma abbrev_base; +- dwarf_vma abbrev_offset; ++ unsigned char * raw; + struct abbrev_list * next; + unsigned char * start_of_next_abbrevs; + } +@@ -946,14 +945,12 @@ free_all_abbrevs (void) + } + + static abbrev_list * +-find_abbrev_list_by_abbrev_offset (dwarf_vma abbrev_base, +- dwarf_vma abbrev_offset) ++find_abbrev_list_by_raw_abbrev (unsigned char *raw) + { + abbrev_list * list; + + for (list = abbrev_lists; list != NULL; list = list->next) +- if (list->abbrev_base == abbrev_base +- && list->abbrev_offset == abbrev_offset) ++ if (list->raw == raw) + return list; + + return NULL; +@@ -1040,6 +1037,7 @@ process_abbrev_set (struct dwarf_section + abbrev_list *list = xmalloc (sizeof (*list)); + list->first_abbrev = NULL; + list->last_abbrev = NULL; ++ list->raw = start; + + while (start < end) + { +@@ -1055,6 +1053,7 @@ process_abbrev_set (struct dwarf_section + the caller. */ + if (start == end || entry == 0) + { ++ list->next = NULL; + list->start_of_next_abbrevs = start != end ? 
start : NULL; + return list; + } +@@ -1144,16 +1143,10 @@ find_and_process_abbrev_set (struct dwar + unsigned char *end = section->start + abbrev_base + abbrev_size; + abbrev_list *list = NULL; + if (free_list) +- list = find_abbrev_list_by_abbrev_offset (abbrev_base, abbrev_offset); ++ list = find_abbrev_list_by_raw_abbrev (start); + if (list == NULL) + { + list = process_abbrev_set (section, start, end); +- if (list) +- { +- list->abbrev_base = abbrev_base; +- list->abbrev_offset = abbrev_offset; +- list->next = NULL; +- } + if (free_list) + *free_list = list; + }
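Review bot: the new `unsigned char * raw;` member of struct abbrev_list has no comment, although it is now the only lookup key used by find_abbrev_list_by_raw_abbrev(). The commit message explains that it is a pointer into the retained section contents; saying so at the declaration, and that it is borrowed rather than owned, would keep a later change from releasing or reloading those contents while cached lists still compare against it. Separately, `list->next = NULL` is set only on the early-return path in process_abbrev_set; initialising it next to `list->raw = start;` would keep all field setup in one place.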
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 03/13] qemu: Fix CVE-2021-3750 for qemu Date: Mon, 17 Oct 2022 13:08:19 -1000 Message-Id: X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 17 Oct 2022 23:08:56 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/171921 From: Virendra Thakur Add patch to fix CVE-2021-3750 Signed-off-by: Virendra Thakur Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 3 + .../qemu/qemu/CVE-2021-3750-1.patch | 59 +++++++ .../qemu/qemu/CVE-2021-3750-2.patch | 65 ++++++++ .../qemu/qemu/CVE-2021-3750-3.patch | 156 ++++++++++++++++++ 4 files changed, 283 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750-1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750-2.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750-3.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index a493ac8add..816f9a7eac 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -43,6 +43,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2022-0358.patch \ file://CVE-2022-0216_1.patch \ file://CVE-2022-0216_2.patch \ + file://CVE-2021-3750-1.patch \ + file://CVE-2021-3750-2.patch \ + file://CVE-2021-3750-3.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-1.patch new file mode 100644 index 0000000000..e898c20767 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-1.patch 
@@ -0,0 +1,59 @@ +From b9d383ab797f54ae5fa8746117770709921dc529 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 19:24:19 +0100 +Subject: [PATCH] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of MEMTX_ERROR +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Quoting Peter Maydell: + + "These MEMTX_* aren't from the memory transaction + API functions; they're just being used by gicd_readl() and + friends as a way to indicate a success/failure so that the + actual MemoryRegionOps read/write fns like gicv3_dist_read() + can log a guest error." + +We are going to introduce more MemTxResult bits, so it is +safer to check for !MEMTX_OK rather than MEMTX_ERROR. + +Reviewed-by: Peter Xu +Reviewed-by: David Hildenbrand +Reviewed-by: Peter Maydell +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Philippe Mathieu-DaudÃf© +Signed-off-by: Peter Maydell +Signed-off-by: Virendra Thakur + +CVE: CVE-2021-3750 + +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=b9d383ab797f54ae5fa8746117770709921dc529] +--- + hw/intc/arm_gicv3_redist.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c +index c8ff3ec..99b11ca 100644 +--- a/hw/intc/arm_gicv3_redist.c ++++ b/hw/intc/arm_gicv3_redist.c +@@ -462,7 +462,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data, + break; + } + +- if (r == MEMTX_ERROR) { ++ if (r != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest read at offset " TARGET_FMT_plx + " size %u\n", __func__, offset, size); +@@ -521,7 +521,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data, + break; + } + +- if (r == MEMTX_ERROR) { ++ if (r != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest write at offset " TARGET_FMT_plx + " size %u\n", __func__, offset, size); +-- +1.8.3.1 + 
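Review bot: the Signed-off-by trailer in this patch header reads "Philippe Mathieu-DaudÃf©", while the From: line above it encodes the same name as `=?utf8?q?Philippe=20Mathieu-Daud=C3=A9?=` and the header declares charset=utf8. The trailer looks mis-encoded; regenerate the patch file so the name is valid UTF-8 and matches the upstream commit. The same trailer appears in CVE-2021-3750-2.patch and CVE-2021-3750-3.patch.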
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-2.patch new file mode 100644 index 0000000000..f163b4fab3 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-2.patch 
@@ -0,0 +1,65 @@ +From 58e74682baf4e1ad26b064d8c02e5bc99c75c5d9 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 19:24:20 +0100 +Subject: [PATCH] softmmu/physmem: Simplify flatview_write and + address_space_access_valid +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Remove unuseful local 'result' variables. + +Reviewed-by: Peter Xu +Reviewed-by: David Hildenbrand +Reviewed-by: Alexander Bulekov +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Philippe Mathieu-DaudÃf© +Message-Id: <20211215182421.418374-3-philmd@redhat.com> +Signed-off-by: Thomas Huth +Signed-off-by: Virendra Thakur + +CVE: CVE-2021-3750 + +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=58e74682baf4e1ad26b064d8c02e5bc99c75c5d9] +--- + softmmu/physmem.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/softmmu/physmem.c b/softmmu/physmem.c +index 43ae70f..3d968ca 100644 +--- a/softmmu/physmem.c ++++ b/softmmu/physmem.c +@@ -2826,14 +2826,11 @@ static MemTxResult flatview_write(FlatVi + hwaddr l; + hwaddr addr1; + MemoryRegion *mr; +- MemTxResult result = MEMTX_OK; + + l = len; + mr = flatview_translate(fv, addr, &addr1, &l, true, attrs); +- result = flatview_write_continue(fv, addr, attrs, buf, len, +- addr1, l, mr); +- +- return result; ++ return flatview_write_continue(fv, addr, attrs, buf, len, ++ addr1, l, mr); + } + + /* Called within RCU critical section. */ +@@ -3130,12 +3127,10 @@ bool address_space_access_valid(AddressS + MemTxAttrs attrs) + { + FlatView *fv; +- bool result; + + RCU_READ_LOCK_GUARD(); + fv = address_space_to_flatview(as); +- result = flatview_access_valid(fv, addr, len, is_write, attrs); +- return result; ++ return flatview_access_valid(fv, addr, len, is_write, attrs); + } + + static hwaddr +-- +1.8.3.1 + 
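Review bot: nothing in this patch changes behaviour, since both hunks only drop the local `result` variable in flatview_write() and address_space_access_valid(), yet the header tags it `CVE: CVE-2021-3750`. The patch header should state that it is carried as a prerequisite so that CVE-2021-3750-3.patch applies cleanly to flatview_write(); otherwise anyone auditing the CVE tag will look for a fix that is not here.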
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-3.patch new file mode 100644 index 0000000000..24668ad1a5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-3.patch 
@@ -0,0 +1,156 @@ +From 3ab6fdc91b72e156da22848f0003ff4225690ced Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 19:24:21 +0100 +Subject: [PATCH] softmmu/physmem: Introduce MemTxAttrs::memory field and + MEMTX_ACCESS_ERROR +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Add the 'memory' bit to the memory attributes to restrict bus +controller accesses to memories. + +Introduce flatview_access_allowed() to check bus permission +before running any bus transaction. + +Have read/write accessors return MEMTX_ACCESS_ERROR if an access is +restricted. + +There is no change for the default case where 'memory' is not set. + +Signed-off-by: Philippe Mathieu-DaudÃf© +Message-Id: <20211215182421.418374-4-philmd@redhat.com> +Reviewed-by: Richard Henderson +Reviewed-by: Stefan Hajnoczi +[thuth: Replaced MEMTX_BUS_ERROR with MEMTX_ACCESS_ERROR, remove "inline"] +Signed-off-by: Thomas Huth +Signed-off-by: Virendra Thakur + +CVE: CVE-2021-3750 + +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=3ab6fdc91b72e156da22848f0003ff4225690ced] +--- + include/exec/memattrs.h | 9 +++++++++ + softmmu/physmem.c | 44 ++++++++++++++++++++++++++++++++++++++++++-- + 2 files changed, 51 insertions(+), 2 deletions(-) + +diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h +index 95f2d20..9fb98bc 100644 +--- a/include/exec/memattrs.h ++++ b/include/exec/memattrs.h +@@ -35,6 +35,14 @@ typedef struct MemTxAttrs { + unsigned int secure:1; + /* Memory access is usermode (unprivileged) */ + unsigned int user:1; ++ /* ++ * Bus interconnect and peripherals can access anything (memories, ++ * devices) by default. By setting the 'memory' bit, bus transaction ++ * are restricted to "normal" memories (per the AMBA documentation) ++ * versus devices. Access to devices will be logged and rejected ++ * (see MEMTX_ACCESS_ERROR). 
++ */ ++ unsigned int memory:1; + /* Requester ID (for MSI for example) */ + unsigned int requester_id:16; + /* Invert endianness for this page */ +@@ -66,6 +74,7 @@ typedef struct MemTxAttrs { + #define MEMTX_OK 0 + #define MEMTX_ERROR (1U << 0) /* device returned an error */ + #define MEMTX_DECODE_ERROR (1U << 1) /* nothing at that address */ ++#define MEMTX_ACCESS_ERROR (1U << 2) /* access denied */ + typedef uint32_t MemTxResult; + + #endif +diff --git a/softmmu/physmem.c b/softmmu/physmem.c +index 3d968ca..4e1b27a 100644 +--- a/softmmu/physmem.c ++++ b/softmmu/physmem.c +@@ -41,6 +41,7 @@ + #include "qemu/config-file.h" + #include "qemu/error-report.h" + #include "qemu/qemu-print.h" ++#include "qemu/log.h" + #include "exec/memory.h" + #include "exec/ioport.h" + #include "sysemu/dma.h" +@@ -2759,6 +2760,33 @@ static bool prepare_mmio_access(MemoryRe + return release_lock; + } + ++/** ++ * flatview_access_allowed ++ * @mr: #MemoryRegion to be accessed ++ * @attrs: memory transaction attributes ++ * @addr: address within that memory region ++ * @len: the number of bytes to access ++ * ++ * Check if a memory transaction is allowed. ++ * ++ * Returns: true if transaction is allowed, false if denied. ++ */ ++static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs, ++ hwaddr addr, hwaddr len) ++{ ++ if (likely(!attrs.memory)) { ++ return true; ++ } ++ if (memory_region_is_ram(mr)) { ++ return true; ++ } ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "Invalid access to non-RAM device at " ++ "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", " ++ "region '%s'\n", addr, len, memory_region_name(mr)); ++ return false; ++} ++ + /* Called within RCU critical section. 
*/ + static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, + MemTxAttrs attrs, +@@ -2773,7 +2801,10 @@ static MemTxResult flatview_write_contin + const uint8_t *buf = ptr; + + for (;;) { +- if (!memory_access_is_direct(mr, true)) { ++ if (!flatview_access_allowed(mr, attrs, addr1, l)) { ++ result |= MEMTX_ACCESS_ERROR; ++ /* Keep going. */ ++ } else if (!memory_access_is_direct(mr, true)) { + release_lock |= prepare_mmio_access(mr); + l = memory_access_size(mr, l, addr1); + /* XXX: could force current_cpu to NULL to avoid +@@ -2818,6 +2849,9 @@ static MemTxResult flatview_write(FlatVi + + l = len; + mr = flatview_translate(fv, addr, &addr1, &l, true, attrs); ++ if (!flatview_access_allowed(mr, attrs, addr, len)) { ++ return MEMTX_ACCESS_ERROR; ++ } + return flatview_write_continue(fv, addr, attrs, buf, len, + addr1, l, mr); + } +@@ -2836,7 +2870,10 @@ MemTxResult flatview_read_continue(FlatV + + fuzz_dma_read_cb(addr, len, mr); + for (;;) { +- if (!memory_access_is_direct(mr, false)) { ++ if (!flatview_access_allowed(mr, attrs, addr1, l)) { ++ result |= MEMTX_ACCESS_ERROR; ++ /* Keep going. 
*/ ++ } else if (!memory_access_is_direct(mr, false)) { + /* I/O case */ + release_lock |= prepare_mmio_access(mr); + l = memory_access_size(mr, l, addr1); +@@ -2879,6 +2916,9 @@ static MemTxResult flatview_read(FlatVie + + l = len; + mr = flatview_translate(fv, addr, &addr1, &l, false, attrs); ++ if (!flatview_access_allowed(mr, attrs, addr, len)) { ++ return MEMTX_ACCESS_ERROR; ++ } + return flatview_read_continue(fv, addr, attrs, buf, len, + addr1, l, mr); + } +-- +1.8.3.1 +
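Review bot: flatview_write() and flatview_read() call `flatview_access_allowed(mr, attrs, addr, len)` with the untranslated `addr` and the full `len`, while the doc comment added above the helper describes `@addr` as the address within that memory region and the *_continue loops pass `addr1, l`. The check itself only looks at `attrs.memory` and `memory_region_is_ram(mr)`, so the verdict is unaffected, but the LOG_GUEST_ERROR line will print addresses from different address spaces depending on the caller. Pass `addr1, l` in both wrappers or adjust the doc comment. Also worth a comment: in the *_continue loops a denied access only ORs in MEMTX_ACCESS_ERROR and keeps going, so a transfer that spans several regions logs once per denied chunk.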
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 04/13] qemu: Fix CVE-2021-3611 Date: Mon, 17 Oct 2022 13:08:20 -1000 Message-Id: <388ce95cdf17b829663764061e686bcb3a56d096.1666047986.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 17 Oct 2022 23:08:56 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/171922 
From: Bhabu Bindu

As per the ubuntu community [https://ubuntu.com/security/CVE-2021-3611]
To fix CVE-2021-3611 we need to backport the below support patches as well

Link:
https://git.qemu.org/?p=qemu.git;a=commit;h=41d5e8da3d5e0a143a9fb397c9f34707ec544997
https://git.qemu.org/?p=qemu.git;a=commit;h=7ccb391ccd594b3f33de8deb293ff8d47bb4e219
https://git.qemu.org/?p=qemu.git;a=commit;h=7a36e42d9114474278ce30ba36945cc62292eb60
https://git.qemu.org/?p=qemu.git;a=commit;h=4afd0f2f220ec3dc8518b8de0d66cbf8d2fd1be7
https://git.qemu.org/?p=qemu.git;a=commit;h=23faf5694ff8054b847e9733297727be4a641132
https://git.qemu.org/?p=qemu.git;a=commit;h=ba06fe8add5b788956a7317246c6280dfc157040
https://git.qemu.org/?p=qemu.git;a=commit;h=a1d4b0a3051b3079c8db607f519bc0fcb30e17ec
https://git.qemu.org/?p=qemu.git;a=commit;h=c0ee1527358474c75067993d1bb233ad3a4ee081
https://git.qemu.org/?p=qemu.git;a=commit;h=5e468a36dcdd8fd5eb04282842b72967a29875e4
https://git.qemu.org/?p=qemu.git;a=commit;h=e2d784b67dc724a9b0854b49255ba0ee8ca46543
https://git.qemu.org/?p=qemu.git;a=commit;h=959384e74e1b508acc3af6e806b3d7b87335fc2a
https://git.qemu.org/?p=qemu.git;a=commit;h=392e48af3468d7f8e49db33fdc9e28b5f99276ce
https://git.qemu.org/?p=qemu.git;a=commit;h=1e5a3f8b2a976054da96cbbb9de6cbac7c2efb79
https://git.qemu.org/?p=qemu.git;a=commit;h=292e13142d277c15bdd68331abc607e46628b7e1
https://git.qemu.org/?p=qemu.git;a=commit;h=2280c27afc65bb2af95dd44a88e3b7117bfe240a
https://git.qemu.org/?p=qemu.git;a=commit;h=34cdea1db600540a5261dc474e986f28b637c8e6
https://git.qemu.org/?p=qemu.git;a=commit;h=24aed6bcb6b6d266149591f955c2460c28759eb4
https://git.qemu.org/?p=qemu.git;a=commit;h=cd1db8df7431edd2210ed0123e2e09b9b6d1e621
https://git.qemu.org/?p=qemu.git;a=commit;h=a423a1b523296f8798a5851aaaba64dd166c0a74
https://git.qemu.org/?p=qemu.git;a=commit;h=398f9a84ac7132e38caf7b066273734b3bf619ff
https://git.qemu.org/?p=qemu.git;a=commit;h=6bebb270731758fae3114b7d24c2b12b7c325cc5
https://git.qemu.org/?p=qemu.git;a=commit;h=4a63054bce23982b99f4d3c65528e47e614086b2

Add patches to fix CVE-2021-3611

Link:
https://git.qemu.org/?p=qemu.git;a=patch;h=be5a8cf347d0c47ee3e933dde075526fd8bd5c40
https://git.qemu.org/?p=qemu.git;a=patch;h=79fa99831debc9782087e834382c577215f2f511

Signed-off-by: Bhabu Bindu
Signed-off-by: virendra thakur
Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 24 + ...32t-for-reply-queue-head-tail-values.patch | 83 + ...id_function_take_MemTxAttrs_argument.patch | 60 + ...et_function_take_MemTxAttrs_argument.patch | 98 ++ ...ed_function_take_MemTxAttrs_argument.patch | 78 + ...rw_function_take_MemTxAttrs_argument.patch | 158 ++ ...te_function_take_MemTxAttrs_argument.patch | 1453 +++++++++++++++++ ...ap_function_take_MemTxAttrs_argument.patch | 227 +++ ..._buf_rw_function_take_a_void_pointer.patch | 41 + ..._dma_buf_write_functions_take_a_void.patch | 167 ++ ...rw_function_take_MemTxAttrs_argument.patch | 91 ++ ...rw_function_take_MemTxAttrs_argument.patch | 65 + ...te_function_take_MemTxAttrs_argument.patch | 129 ++ ...ad_function_take_MemTxAttrs_argument.patch | 222 +++ ...uf_rw_function_propagate_MemTxResult.patch | 91 ++ ...ma_function_take_MemTxAttrs_argument.patch | 120 ++ ...ma_function_take_MemTxAttrs_argument.patch | 151 ++ ...r_dma_function_propagate_MemTxResult.patch | 65 + ...r_dma_function_propagate_MemTxResult.patch | 175 ++ ...ma_function_take_MemTxAttrs_argument.patch | 303 ++++ ...ma_function_take_MemTxAttrs_argument.patch | 271 +++ ...i_dma_function_propagate_MemTxResult.patch | 47 + ...i_dma_function_propagate_MemTxResult.patch | 296 ++++ .../qemu/qemu/CVE-2021-3611_1.patch | 74 + .../qemu/qemu/CVE-2021-3611_2.patch | 43 + 25 files changed, 4532 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch create 
mode 100644 meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch create mode 100644 
meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 816f9a7eac..cb5f9358da 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc 
@@ -46,6 +46,30 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3750-1.patch \ file://CVE-2021-3750-2.patch \ file://CVE-2021-3750-3.patch \ + file://0001-use-uint32t-for-reply-queue-head-tail-values.patch \ + file://0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch \ + file://0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch \ + file://0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch \ + file://0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch \ + file://0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch \ + file://0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch \ + file://0008_have_dma_buf_rw_function_take_a_void_pointer.patch \ + file://0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch \ + file://0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch \ + file://0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch \ + file://0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch \ + file://0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch \ + file://0014_let_dma_buf_rw_function_propagate_MemTxResult.patch \ + file://0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch \ + file://0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch \ + file://0017_let_st_pointer_dma_function_propagate_MemTxResult.patch \ + file://0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch \ + file://0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch \ + file://0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch \ + file://0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch \ + file://0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch \ + file://CVE-2021-3611_1.patch \ + file://CVE-2021-3611_2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" 
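Review bot: The new SRC_URI entries mix three file-naming conventions, which makes the set harder to audit and to drop as a unit on the next qemu upgrade. The two fix patches are added as "CVE-2021-3611_1.patch" and "CVE-2021-3611_2.patch" while the context lines directly above use a hyphen before the index ("CVE-2021-3750-1.patch"), and among the prerequisites "0001-use-uint32t-for-reply-queue-head-tail-values.patch" is hyphen-separated while 0002 through 0022 use underscores. Suggest renaming to the existing "CVE-<id>-<n>.patch" style for the two fixes and one separator style for the 22 support patches. Since the support patches do not carry the CVE id in their filenames, the only link between them and CVE-2021-3611 is the "CVE:" tag inside each patch; a shared filename prefix would make that dependency visible in the recipe itself. The list order matters here because each support patch changes a DMA helper signature the next one builds on, so the numeric order shown should be kept as is.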
diff --git a/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch b/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch new file mode 100644 index 0000000000..37e122f781 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch 
@@ -0,0 +1,83 @@ +From 41d5e8da3d5e0a143a9fb397c9f34707ec544997 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 22:43:05 +0100 +Subject: [PATCH] hw/scsi/megasas: Use uint32_t for reply queue head/tail + values +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +While the reply queue values fit in 16-bit, they are accessed +as 32-bit: + + 661: s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa); + 662: s->reply_queue_head %= MEGASAS_MAX_FRAMES; + 663: s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa); + 664: s->reply_queue_tail %= MEGASAS_MAX_FRAMES; + +Having: + + 41:#define MEGASAS_MAX_FRAMES 2048 /* Firmware limit at 65535 */ + +In order to update the ld/st*_pci_dma() API to pass the address +of the value to access, it is simpler to have the head/tail declared +as 32-bit values. Replace the uint16_t by uint32_t, wasting 4 bytes in +the MegasasState structure. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=41d5e8da3d5e0a143a9fb397c9f34707ec544997] + +Acked-by: Richard Henderson +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-20-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + hw/scsi/megasas.c | 4 ++-- + hw/scsi/trace-events | 8 ++++---- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 8f35784..14ec6d6 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -109,8 +109,8 @@ struct MegasasState { + uint64_t reply_queue_pa; + void *reply_queue; + uint16_t reply_queue_len; +- uint16_t reply_queue_head; +- uint16_t reply_queue_tail; ++ uint32_t reply_queue_head; ++ uint32_t reply_queue_tail; + uint64_t consumer_pa; + uint64_t producer_pa; + +diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events +index 92d5b40..ae8551f 100644 +--- a/hw/scsi/trace-events ++++ b/hw/scsi/trace-events +@@ -42,18 +42,18 @@ 
mptsas_config_sas_phy(void *dev, int address, int port, int phy_handle, int dev_ + + # megasas.c + megasas_init_firmware(uint64_t pa) "pa 0x%" PRIx64 " " +-megasas_init_queue(uint64_t queue_pa, int queue_len, uint64_t head, uint64_t tail, uint32_t flags) "queue at 0x%" PRIx64 " len %d head 0x%" PRIx64 " tail 0x%" PRIx64 " flags 0x%x" ++megasas_init_queue(uint64_t queue_pa, int queue_len, uint32_t head, uint32_t tail, uint32_t flags) "queue at 0x%" PRIx64 " len %d head 0x%" PRIx32 " tail 0x%" PRIx32 " flags 0x%x" + megasas_initq_map_failed(int frame) "scmd %d: failed to map queue" + megasas_initq_mapped(uint64_t pa) "queue already mapped at 0x%" PRIx64 + megasas_initq_mismatch(int queue_len, int fw_cmds) "queue size %d max fw cmds %d" + megasas_qf_mapped(unsigned int index) "skip mapped frame 0x%x" + megasas_qf_new(unsigned int index, uint64_t frame) "frame 0x%x addr 0x%" PRIx64 + megasas_qf_busy(unsigned long pa) "all frames busy for frame 0x%lx" +-megasas_qf_enqueue(unsigned int index, unsigned int count, uint64_t context, unsigned int head, unsigned int tail, int busy) "frame 0x%x count %d context 0x%" PRIx64 " head 0x%x tail 0x%x busy %d" +-megasas_qf_update(unsigned int head, unsigned int tail, unsigned int busy) "head 0x%x tail 0x%x busy %d" ++megasas_qf_enqueue(unsigned int index, unsigned int count, uint64_t context, uint32_t head, uint32_t tail, unsigned int busy) "frame 0x%x count %d context 0x%" PRIx64 " head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u" ++megasas_qf_update(uint32_t head, uint32_t tail, unsigned int busy) "head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u" + megasas_qf_map_failed(int cmd, unsigned long frame) "scmd %d: frame %lu" + megasas_qf_complete_noirq(uint64_t context) "context 0x%" PRIx64 " " +-megasas_qf_complete(uint64_t context, unsigned int head, unsigned int tail, int busy) "context 0x%" PRIx64 " head 0x%x tail 0x%x busy %d" ++megasas_qf_complete(uint64_t context, uint32_t head, uint32_t tail, int busy) "context 0x%" PRIx64 " head 
0x%" PRIx32 " tail 0x%" PRIx32 " busy %u" + megasas_frame_busy(uint64_t addr) "frame 0x%" PRIx64 " busy" + megasas_unhandled_frame_cmd(int cmd, uint8_t frame_cmd) "scmd %d: MFI cmd 0x%x" + megasas_handle_scsi(const char *frame, int bus, int dev, int lun, void *sdev, unsigned long size) "%s dev %x/%x/%x sdev %p xfer %lu" +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..04a655315f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,60 @@ +From 7ccb391ccd594b3f33de8deb293ff8d47bb4e219 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 3 Sep 2020 09:28:49 +0200 +Subject: [PATCH] dma: Let dma_memory_valid() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_valid(). + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=7ccb391ccd594b3f33de8deb293ff8d47bb4e219] + +Reviewed-by: Richard Henderson +Reviewed-by: Li Qiang +Reviewed-by: Edgar E. Iglesias +Signed-off-by: Philippe Mathieu-Daudé +Acked-by: Stefan Hajnoczi +Message-Id: <20211223115554.3155328-2-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + include/hw/ppc/spapr_vio.h | 2 +- + include/sysemu/dma.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index 4bea87f..4c45f15 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -91,7 +91,7 @@ static inline void spapr_vio_irq_pulse(SpaprVioDevice *dev) + static inline bool spapr_vio_dma_valid(SpaprVioDevice *dev, uint64_t taddr, + uint32_t size, DMADirection dir) + { +- return dma_memory_valid(&dev->as, taddr, size, dir); ++ return dma_memory_valid(&dev->as, taddr, size, dir, MEMTXATTRS_UNSPECIFIED); + } + + static inline int spapr_vio_dma_read(SpaprVioDevice *dev, uint64_t taddr, +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 3201e79..296f3b5 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -73,11 +73,11 @@ static inline void dma_barrier(AddressSpace *as, DMADirection dir) + * dma_memory_{read,write}() and check for errors */ + static inline bool dma_memory_valid(AddressSpace *as, + dma_addr_t addr, dma_addr_t len, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + return address_space_access_valid(as, addr, len, + 
dir == DMA_DIRECTION_FROM_DEVICE, +- MEMTXATTRS_UNSPECIFIED); ++ attrs); + } + + static inline MemTxResult dma_memory_rw_relaxed(AddressSpace *as, +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..f13707a407 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,98 @@ +From 7a36e42d9114474278ce30ba36945cc62292eb60 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 3 Sep 2020 10:28:32 +0200 +Subject: [PATCH] dma: Let dma_memory_set() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_set(). + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=7a36e42d9114474278ce30ba36945cc62292eb60] + +Reviewed-by: Richard Henderson +Reviewed-by: Li Qiang +Reviewed-by: Edgar E. Iglesias +Signed-off-by: Philippe Mathieu-Daudé +Acked-by: Stefan Hajnoczi +Message-Id: <20211223115554.3155328-3-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + hw/nvram/fw_cfg.c | 3 ++- + include/hw/ppc/spapr_vio.h | 3 ++- + include/sysemu/dma.h | 3 ++- + softmmu/dma-helpers.c | 5 ++--- + 4 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c +index c06b30d..f7803fe 100644 +--- a/hw/nvram/fw_cfg.c ++++ b/hw/nvram/fw_cfg.c +@@ -399,7 +399,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + * tested before. + */ + if (read) { +- if (dma_memory_set(s->dma_as, dma.address, 0, len)) { ++ if (dma_memory_set(s->dma_as, dma.address, 0, len, ++ MEMTXATTRS_UNSPECIFIED)) { + dma.control |= FW_CFG_DMA_CTL_ERROR; + } + } +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index 4c45f15..c90e74a 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -111,7 +111,8 @@ static inline int spapr_vio_dma_write(SpaprVioDevice *dev, uint64_t taddr, + static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr, + uint8_t c, uint32_t size) + { +- return (dma_memory_set(&dev->as, taddr, c, size) != 0) ? ++ return (dma_memory_set(&dev->as, taddr, ++ c, size, MEMTXATTRS_UNSPECIFIED) != 0) ? 
+ H_DEST_PARM : H_SUCCESS; + } + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 296f3b5..d23516f 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -175,9 +175,10 @@ static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr, + * @addr: address within that address space + * @c: constant byte to fill the memory + * @len: the number of bytes to fill with the constant byte ++ * @attrs: memory transaction attributes + */ + MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr, +- uint8_t c, dma_addr_t len); ++ uint8_t c, dma_addr_t len, MemTxAttrs attrs); + + /** + * address_space_map: Map a physical memory region into a host virtual address. +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 7d766a5..1f07217 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -19,7 +19,7 @@ + /* #define DEBUG_IOMMU */ + + MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr, +- uint8_t c, dma_addr_t len) ++ uint8_t c, dma_addr_t len, MemTxAttrs attrs) + { + dma_barrier(as, DMA_DIRECTION_FROM_DEVICE); + +@@ -31,8 +31,7 @@ MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr, + memset(fillbuf, c, FILLBUF_SIZE); + while (len > 0) { + l = len < FILLBUF_SIZE ? len : FILLBUF_SIZE; +- error |= address_space_write(as, addr, MEMTXATTRS_UNSPECIFIED, +- fillbuf, l); ++ error |= address_space_write(as, addr, attrs, fillbuf, l); + len -= l; + addr += l; + } +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..cacb12909c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,78 @@ +From 4afd0f2f220ec3dc8518b8de0d66cbf8d2fd1be7 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 3 Sep 2020 09:30:10 +0200 +Subject: [PATCH] dma: Let dma_memory_rw_relaxed() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +We will add the MemTxAttrs argument to dma_memory_rw() in +the next commit. Since dma_memory_rw_relaxed() is only used +by dma_memory_rw(), modify it first in a separate commit to +keep the next commit easier to review. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=4afd0f2f220ec3dc8518b8de0d66cbf8d2fd1be7] + +Reviewed-by: Richard Henderson +Reviewed-by: Li Qiang +Reviewed-by: Edgar E. Iglesias +Signed-off-by: Philippe Mathieu-Daudé +Acked-by: Stefan Hajnoczi +Message-Id: <20211223115554.3155328-4-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + include/sysemu/dma.h | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index d23516f..3be803c 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -83,9 +83,10 @@ static inline bool dma_memory_valid(AddressSpace *as, + static inline MemTxResult dma_memory_rw_relaxed(AddressSpace *as, + dma_addr_t addr, + void *buf, dma_addr_t len, +- DMADirection dir) ++ DMADirection dir, ++ MemTxAttrs attrs) + { +- return address_space_rw(as, addr, MEMTXATTRS_UNSPECIFIED, ++ return address_space_rw(as, addr, attrs, + buf, len, dir == DMA_DIRECTION_FROM_DEVICE); + } + +@@ -93,7 +94,9 @@ static inline MemTxResult dma_memory_read_relaxed(AddressSpace *as, + dma_addr_t addr, + void *buf, dma_addr_t len) + { +- return dma_memory_rw_relaxed(as, addr, buf, len, DMA_DIRECTION_TO_DEVICE); ++ return dma_memory_rw_relaxed(as, addr, buf, len, ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + } + + static inline MemTxResult 
dma_memory_write_relaxed(AddressSpace *as, +@@ -102,7 +105,8 @@ static inline MemTxResult dma_memory_write_relaxed(AddressSpace *as, + dma_addr_t len) + { + return dma_memory_rw_relaxed(as, addr, (void *)buf, len, +- DMA_DIRECTION_FROM_DEVICE); ++ DMA_DIRECTION_FROM_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + } + + /** +@@ -124,7 +128,8 @@ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr, + { + dma_barrier(as, dir); + +- return dma_memory_rw_relaxed(as, addr, buf, len, dir); ++ return dma_memory_rw_relaxed(as, addr, buf, len, dir, ++ MEMTXATTRS_UNSPECIFIED); + } + + /** +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..e5daf966d5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,158 @@ +From 23faf5694ff8054b847e9733297727be4a641132 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 3 Sep 2020 09:37:43 +0200 +Subject: [PATCH] dma: Let dma_memory_rw() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_rw(). + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=23faf5694ff8054b847e9733297727be4a641132] + +Reviewed-by: Richard Henderson +Reviewed-by: Li Qiang +Reviewed-by: Edgar E. Iglesias +Signed-off-by: Philippe Mathieu-Daudé +Acked-by: Stefan Hajnoczi +Message-Id: <20211223115554.3155328-5-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + hw/intc/spapr_xive.c | 3 ++- + hw/usb/hcd-ohci.c | 10 ++++++---- + include/hw/pci/pci.h | 3 ++- + include/sysemu/dma.h | 11 ++++++----- + softmmu/dma-helpers.c | 3 ++- + 5 files changed, 18 insertions(+), 12 deletions(-) + +diff --git a/hw/intc/spapr_xive.c b/hw/intc/spapr_xive.c +index 4ec659b..eae95c7 100644 +--- a/hw/intc/spapr_xive.c ++++ b/hw/intc/spapr_xive.c +@@ -1684,7 +1684,8 @@ static target_ulong h_int_esb(PowerPCCPU *cpu, + mmio_addr = xive->vc_base + xive_source_esb_mgmt(xsrc, lisn) + offset; + + if (dma_memory_rw(&address_space_memory, mmio_addr, &data, 8, +- (flags & SPAPR_XIVE_ESB_STORE))) { ++ (flags & SPAPR_XIVE_ESB_STORE), ++ MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to access ESB @0x%" + HWADDR_PRIx "\n", mmio_addr); + return H_HARDWARE; +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c +index 1cf2816..56e2315 100644 +--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -586,7 +586,8 @@ static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td, + if (n > len) + n = len; + +- if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) { ++ if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, ++ n, dir, 
MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + if (n == len) { +@@ -595,7 +596,7 @@ static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td, + ptr = td->be & ~0xfffu; + buf += n; + if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, +- len - n, dir)) { ++ len - n, dir, MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + return 0; +@@ -613,7 +614,8 @@ static int ohci_copy_iso_td(OHCIState *ohci, + if (n > len) + n = len; + +- if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) { ++ if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, ++ n, dir, MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + if (n == len) { +@@ -622,7 +624,7 @@ static int ohci_copy_iso_td(OHCIState *ohci, + ptr = end_addr & ~0xfffu; + buf += n; + if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, +- len - n, dir)) { ++ len - n, dir, MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + return 0; +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index e7cdf2d..4383f1c 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -808,7 +808,8 @@ static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr, + void *buf, dma_addr_t len, + DMADirection dir) + { +- return dma_memory_rw(pci_get_address_space(dev), addr, buf, len, dir); ++ return dma_memory_rw(pci_get_address_space(dev), addr, buf, len, ++ dir, MEMTXATTRS_UNSPECIFIED); + } + + /** +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 3be803c..e8ad422 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -121,15 +121,15 @@ static inline MemTxResult dma_memory_write_relaxed(AddressSpace *as, + * @buf: buffer with the data transferred + * @len: the number of bytes to read or write + * @dir: indicates the transfer direction ++ * @attrs: memory transaction attributes + */ + static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr, + void *buf, dma_addr_t len, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + dma_barrier(as, dir); + +- 
return dma_memory_rw_relaxed(as, addr, buf, len, dir, +- MEMTXATTRS_UNSPECIFIED); ++ return dma_memory_rw_relaxed(as, addr, buf, len, dir, attrs); + } + + /** +@@ -147,7 +147,8 @@ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr, + static inline MemTxResult dma_memory_read(AddressSpace *as, dma_addr_t addr, + void *buf, dma_addr_t len) + { +- return dma_memory_rw(as, addr, buf, len, DMA_DIRECTION_TO_DEVICE); ++ return dma_memory_rw(as, addr, buf, len, ++ DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + + /** +@@ -166,7 +167,7 @@ static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr, + const void *buf, dma_addr_t len) + { + return dma_memory_rw(as, addr, (void *)buf, len, +- DMA_DIRECTION_FROM_DEVICE); ++ DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + + /** +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 1f07217..5bf76ff 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -305,7 +305,8 @@ static uint64_t dma_buf_rw(uint8_t *ptr, int32_t len, QEMUSGList *sg, + while (len > 0) { + ScatterGatherEntry entry = sg->sg[sg_cur_index++]; + int32_t xfer = MIN(len, entry.len); +- dma_memory_rw(sg->as, entry.base, ptr, xfer, dir); ++ dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, ++ MEMTXATTRS_UNSPECIFIED); + ptr += xfer; + len -= xfer; + resid -= xfer; +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..1973e477f3 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,1453 @@ +From ba06fe8add5b788956a7317246c6280dfc157040 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 3 Sep 2020 10:08:29 +0200 +Subject: [PATCH] dma: Let dma_memory_read/write() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_read() or dma_memory_write(). + +Patch created mechanically using spatch with this script: + + @@ + expression E1, E2, E3, E4; + @@ + ( + - dma_memory_read(E1, E2, E3, E4) + + dma_memory_read(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED) + | + - dma_memory_write(E1, E2, E3, E4) + + dma_memory_write(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED) + ) + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=ba06fe8add5b788956a7317246c6280dfc157040] + +Reviewed-by: Richard Henderson +Reviewed-by: Li Qiang +Reviewed-by: Edgar E. Iglesias +Signed-off-by: Philippe Mathieu-Daudé +Acked-by: Stefan Hajnoczi +Message-Id: <20211223115554.3155328-6-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + hw/arm/musicpal.c | 13 +++++++------ + hw/arm/smmu-common.c | 3 ++- + hw/arm/smmuv3.c | 14 +++++++++----- + hw/core/generic-loader.c | 3 ++- + hw/dma/pl330.c | 12 ++++++++---- + hw/dma/sparc32_dma.c | 16 ++++++++++------ + hw/dma/xlnx-zynq-devcfg.c | 6 ++++-- + hw/dma/xlnx_dpdma.c | 10 ++++++---- + hw/i386/amd_iommu.c | 16 +++++++++------- + hw/i386/intel_iommu.c | 28 +++++++++++++++++----------- + hw/ide/macio.c | 2 +- + hw/intc/xive.c | 7 ++++--- + hw/misc/bcm2835_property.c | 3 ++- + hw/misc/macio/mac_dbdma.c | 10 ++++++---- + hw/net/allwinner-sun8i-emac.c | 18 ++++++++++++------ + hw/net/ftgmac100.c | 25 ++++++++++++++++--------- + hw/net/imx_fec.c | 32 ++++++++++++++++++++------------ + hw/net/npcm7xx_emc.c | 20 ++++++++++++-------- + hw/nvram/fw_cfg.c | 9 ++++++--- + hw/pci-host/pnv_phb3.c | 5 +++-- + hw/pci-host/pnv_phb3_msi.c | 9 ++++++--- + 
hw/pci-host/pnv_phb4.c | 5 +++-- + hw/sd/allwinner-sdhost.c | 14 ++++++++------ + hw/sd/sdhci.c | 35 ++++++++++++++++++++++------------- + hw/usb/hcd-dwc2.c | 8 ++++---- + hw/usb/hcd-ehci.c | 6 ++++-- + hw/usb/hcd-ohci.c | 18 +++++++++++------- + hw/usb/hcd-xhci.c | 18 +++++++++++------- + include/hw/ppc/spapr_vio.h | 6 ++++-- + include/sysemu/dma.h | 20 ++++++++++++-------- + 30 files changed, 241 insertions(+), 150 deletions(-) + +diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c +index 2d612cc..2680ec5 100644 +--- a/hw/arm/musicpal.c ++++ b/hw/arm/musicpal.c +@@ -185,13 +185,13 @@ static void eth_rx_desc_put(AddressSpace *dma_as, uint32_t addr, + cpu_to_le16s(&desc->buffer_size); + cpu_to_le32s(&desc->buffer); + cpu_to_le32s(&desc->next); +- dma_memory_write(dma_as, addr, desc, sizeof(*desc)); ++ dma_memory_write(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED); + } + + static void eth_rx_desc_get(AddressSpace *dma_as, uint32_t addr, + mv88w8618_rx_desc *desc) + { +- dma_memory_read(dma_as, addr, desc, sizeof(*desc)); ++ dma_memory_read(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED); + le32_to_cpus(&desc->cmdstat); + le16_to_cpus(&desc->bytes); + le16_to_cpus(&desc->buffer_size); +@@ -215,7 +215,7 @@ static ssize_t eth_receive(NetClientState *nc, const uint8_t *buf, size_t size) + eth_rx_desc_get(&s->dma_as, desc_addr, &desc); + if ((desc.cmdstat & MP_ETH_RX_OWN) && desc.buffer_size >= size) { + dma_memory_write(&s->dma_as, desc.buffer + s->vlan_header, +- buf, size); ++ buf, size, MEMTXATTRS_UNSPECIFIED); + desc.bytes = size + s->vlan_header; + desc.cmdstat &= ~MP_ETH_RX_OWN; + s->cur_rx[i] = desc.next; +@@ -241,13 +241,13 @@ static void eth_tx_desc_put(AddressSpace *dma_as, uint32_t addr, + cpu_to_le16s(&desc->bytes); + cpu_to_le32s(&desc->buffer); + cpu_to_le32s(&desc->next); +- dma_memory_write(dma_as, addr, desc, sizeof(*desc)); ++ dma_memory_write(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED); + } + + static void 
eth_tx_desc_get(AddressSpace *dma_as, uint32_t addr, + mv88w8618_tx_desc *desc) + { +- dma_memory_read(dma_as, addr, desc, sizeof(*desc)); ++ dma_memory_read(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED); + le32_to_cpus(&desc->cmdstat); + le16_to_cpus(&desc->res); + le16_to_cpus(&desc->bytes); +@@ -269,7 +269,8 @@ static void eth_send(mv88w8618_eth_state *s, int queue_index) + if (desc.cmdstat & MP_ETH_TX_OWN) { + len = desc.bytes; + if (len < 2048) { +- dma_memory_read(&s->dma_as, desc.buffer, buf, len); ++ dma_memory_read(&s->dma_as, desc.buffer, buf, len, ++ MEMTXATTRS_UNSPECIFIED); + qemu_send_packet(qemu_get_queue(s->nic), buf, len); + } + desc.cmdstat &= ~MP_ETH_TX_OWN; +diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c +index 0459850..e09b9c1 100644 +--- a/hw/arm/smmu-common.c ++++ b/hw/arm/smmu-common.c +@@ -193,7 +193,8 @@ static int get_pte(dma_addr_t baseaddr, uint32_t index, uint64_t *pte, + dma_addr_t addr = baseaddr + index * sizeof(*pte); + + /* TODO: guarantee 64-bit single-copy atomicity */ +- ret = dma_memory_read(&address_space_memory, addr, pte, sizeof(*pte)); ++ ret = dma_memory_read(&address_space_memory, addr, pte, sizeof(*pte), ++ MEMTXATTRS_UNSPECIFIED); + + if (ret != MEMTX_OK) { + info->type = SMMU_PTW_ERR_WALK_EABT; +diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c +index 01b60be..3b43368 100644 +--- a/hw/arm/smmuv3.c ++++ b/hw/arm/smmuv3.c +@@ -102,7 +102,8 @@ static inline MemTxResult queue_read(SMMUQueue *q, void *data) + { + dma_addr_t addr = Q_CONS_ENTRY(q); + +- return dma_memory_read(&address_space_memory, addr, data, q->entry_size); ++ return dma_memory_read(&address_space_memory, addr, data, q->entry_size, ++ MEMTXATTRS_UNSPECIFIED); + } + + static MemTxResult queue_write(SMMUQueue *q, void *data) +@@ -110,7 +111,8 @@ static MemTxResult queue_write(SMMUQueue *q, void *data) + dma_addr_t addr = Q_PROD_ENTRY(q); + MemTxResult ret; + +- ret = dma_memory_write(&address_space_memory, addr, data, q->entry_size); ++ 
ret = dma_memory_write(&address_space_memory, addr, data, q->entry_size, ++ MEMTXATTRS_UNSPECIFIED); + if (ret != MEMTX_OK) { + return ret; + } +@@ -285,7 +287,8 @@ static int smmu_get_ste(SMMUv3State *s, dma_addr_t addr, STE *buf, + + trace_smmuv3_get_ste(addr); + /* TODO: guarantee 64-bit single-copy atomicity */ +- ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf)); ++ ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf), ++ MEMTXATTRS_UNSPECIFIED); + if (ret != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "Cannot fetch pte at address=0x%"PRIx64"\n", addr); +@@ -306,7 +309,8 @@ static int smmu_get_cd(SMMUv3State *s, STE *ste, uint32_t ssid, + + trace_smmuv3_get_cd(addr); + /* TODO: guarantee 64-bit single-copy atomicity */ +- ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf)); ++ ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf), ++ MEMTXATTRS_UNSPECIFIED); + if (ret != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "Cannot fetch pte at address=0x%"PRIx64"\n", addr); +@@ -411,7 +415,7 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste, + l1ptr = (dma_addr_t)(strtab_base + l1_ste_offset * sizeof(l1std)); + /* TODO: guarantee 64-bit single-copy atomicity */ + ret = dma_memory_read(&address_space_memory, l1ptr, &l1std, +- sizeof(l1std)); ++ sizeof(l1std), MEMTXATTRS_UNSPECIFIED); + if (ret != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "Could not read L1PTR at 0X%"PRIx64"\n", l1ptr); +diff --git a/hw/core/generic-loader.c b/hw/core/generic-loader.c +index d14f932..9a24ffb 100644 +--- a/hw/core/generic-loader.c ++++ b/hw/core/generic-loader.c +@@ -57,7 +57,8 @@ static void generic_loader_reset(void *opaque) + + if (s->data_len) { + assert(s->data_len < sizeof(s->data)); +- dma_memory_write(s->cpu->as, s->addr, &s->data, s->data_len); ++ dma_memory_write(s->cpu->as, s->addr, &s->data, s->data_len, ++ MEMTXATTRS_UNSPECIFIED); + } + } + +diff --git a/hw/dma/pl330.c 
b/hw/dma/pl330.c +index 0cb4619..31ce01b 100644 +--- a/hw/dma/pl330.c ++++ b/hw/dma/pl330.c +@@ -1111,7 +1111,8 @@ static inline const PL330InsnDesc *pl330_fetch_insn(PL330Chan *ch) + uint8_t opcode; + int i; + +- dma_memory_read(ch->parent->mem_as, ch->pc, &opcode, 1); ++ dma_memory_read(ch->parent->mem_as, ch->pc, &opcode, 1, ++ MEMTXATTRS_UNSPECIFIED); + for (i = 0; insn_desc[i].size; i++) { + if ((opcode & insn_desc[i].opmask) == insn_desc[i].opcode) { + return &insn_desc[i]; +@@ -1125,7 +1126,8 @@ static inline void pl330_exec_insn(PL330Chan *ch, const PL330InsnDesc *insn) + uint8_t buf[PL330_INSN_MAXSIZE]; + + assert(insn->size <= PL330_INSN_MAXSIZE); +- dma_memory_read(ch->parent->mem_as, ch->pc, buf, insn->size); ++ dma_memory_read(ch->parent->mem_as, ch->pc, buf, insn->size, ++ MEMTXATTRS_UNSPECIFIED); + insn->exec(ch, buf[0], &buf[1], insn->size - 1); + } + +@@ -1189,7 +1191,8 @@ static int pl330_exec_cycle(PL330Chan *channel) + if (q != NULL && q->len <= pl330_fifo_num_free(&s->fifo)) { + int len = q->len - (q->addr & (q->len - 1)); + +- dma_memory_read(s->mem_as, q->addr, buf, len); ++ dma_memory_read(s->mem_as, q->addr, buf, len, ++ MEMTXATTRS_UNSPECIFIED); + trace_pl330_exec_cycle(q->addr, len); + if (trace_event_get_state_backends(TRACE_PL330_HEXDUMP)) { + pl330_hexdump(buf, len); +@@ -1220,7 +1223,8 @@ static int pl330_exec_cycle(PL330Chan *channel) + fifo_res = pl330_fifo_get(&s->fifo, buf, len, q->tag); + } + if (fifo_res == PL330_FIFO_OK || q->z) { +- dma_memory_write(s->mem_as, q->addr, buf, len); ++ dma_memory_write(s->mem_as, q->addr, buf, len, ++ MEMTXATTRS_UNSPECIFIED); + trace_pl330_exec_cycle(q->addr, len); + if (trace_event_get_state_backends(TRACE_PL330_HEXDUMP)) { + pl330_hexdump(buf, len); +diff --git a/hw/dma/sparc32_dma.c b/hw/dma/sparc32_dma.c +index 03bc500..0ef13c5 100644 +--- a/hw/dma/sparc32_dma.c ++++ b/hw/dma/sparc32_dma.c +@@ -81,11 +81,11 @@ void ledma_memory_read(void *opaque, hwaddr addr, + addr |= s->dmaregs[3]; + 
trace_ledma_memory_read(addr, len); + if (do_bswap) { +- dma_memory_read(&is->iommu_as, addr, buf, len); ++ dma_memory_read(&is->iommu_as, addr, buf, len, MEMTXATTRS_UNSPECIFIED); + } else { + addr &= ~1; + len &= ~1; +- dma_memory_read(&is->iommu_as, addr, buf, len); ++ dma_memory_read(&is->iommu_as, addr, buf, len, MEMTXATTRS_UNSPECIFIED); + for(i = 0; i < len; i += 2) { + bswap16s((uint16_t *)(buf + i)); + } +@@ -103,7 +103,8 @@ void ledma_memory_write(void *opaque, hwaddr addr, + addr |= s->dmaregs[3]; + trace_ledma_memory_write(addr, len); + if (do_bswap) { +- dma_memory_write(&is->iommu_as, addr, buf, len); ++ dma_memory_write(&is->iommu_as, addr, buf, len, ++ MEMTXATTRS_UNSPECIFIED); + } else { + addr &= ~1; + len &= ~1; +@@ -114,7 +115,8 @@ void ledma_memory_write(void *opaque, hwaddr addr, + for(i = 0; i < l; i += 2) { + tmp_buf[i >> 1] = bswap16(*(uint16_t *)(buf + i)); + } +- dma_memory_write(&is->iommu_as, addr, tmp_buf, l); ++ dma_memory_write(&is->iommu_as, addr, tmp_buf, l, ++ MEMTXATTRS_UNSPECIFIED); + len -= l; + buf += l; + addr += l; +@@ -148,7 +150,8 @@ void espdma_memory_read(void *opaque, uint8_t *buf, int len) + IOMMUState *is = (IOMMUState *)s->iommu; + + trace_espdma_memory_read(s->dmaregs[1], len); +- dma_memory_read(&is->iommu_as, s->dmaregs[1], buf, len); ++ dma_memory_read(&is->iommu_as, s->dmaregs[1], buf, len, ++ MEMTXATTRS_UNSPECIFIED); + s->dmaregs[1] += len; + } + +@@ -158,7 +161,8 @@ void espdma_memory_write(void *opaque, uint8_t *buf, int len) + IOMMUState *is = (IOMMUState *)s->iommu; + + trace_espdma_memory_write(s->dmaregs[1], len); +- dma_memory_write(&is->iommu_as, s->dmaregs[1], buf, len); ++ dma_memory_write(&is->iommu_as, s->dmaregs[1], buf, len, ++ MEMTXATTRS_UNSPECIFIED); + s->dmaregs[1] += len; + } + +diff --git a/hw/dma/xlnx-zynq-devcfg.c b/hw/dma/xlnx-zynq-devcfg.c +index e33112b..f5ad1a0 100644 +--- a/hw/dma/xlnx-zynq-devcfg.c ++++ b/hw/dma/xlnx-zynq-devcfg.c +@@ -161,12 +161,14 @@ static void 
xlnx_zynq_devcfg_dma_go(XlnxZynqDevcfg *s) + btt = MIN(btt, dmah->dest_len); + } + DB_PRINT("reading %x bytes from %x\n", btt, dmah->src_addr); +- dma_memory_read(&address_space_memory, dmah->src_addr, buf, btt); ++ dma_memory_read(&address_space_memory, dmah->src_addr, buf, btt, ++ MEMTXATTRS_UNSPECIFIED); + dmah->src_len -= btt; + dmah->src_addr += btt; + if (loopback && (dmah->src_len || dmah->dest_len)) { + DB_PRINT("writing %x bytes from %x\n", btt, dmah->dest_addr); +- dma_memory_write(&address_space_memory, dmah->dest_addr, buf, btt); ++ dma_memory_write(&address_space_memory, dmah->dest_addr, buf, btt, ++ MEMTXATTRS_UNSPECIFIED); + dmah->dest_len -= btt; + dmah->dest_addr += btt; + } +diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c +index 967548a..2d7eae7 100644 +--- a/hw/dma/xlnx_dpdma.c ++++ b/hw/dma/xlnx_dpdma.c +@@ -652,7 +652,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel, + } + + if (dma_memory_read(&address_space_memory, desc_addr, &desc, +- sizeof(DPDMADescriptor))) { ++ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) { + s->registers[DPDMA_EISR] |= ((1 << 1) << channel); + xlnx_dpdma_update_irq(s); + s->operation_finished[channel] = true; +@@ -708,7 +708,8 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel, + if (dma_memory_read(&address_space_memory, + source_addr[0], + &s->data[channel][ptr], +- line_size)) { ++ line_size, ++ MEMTXATTRS_UNSPECIFIED)) { + s->registers[DPDMA_ISR] |= ((1 << 12) << channel); + xlnx_dpdma_update_irq(s); + DPRINTF("Can't get data.\n"); +@@ -736,7 +737,8 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel, + if (dma_memory_read(&address_space_memory, + source_addr[frag], + &(s->data[channel][ptr]), +- fragment_len)) { ++ fragment_len, ++ MEMTXATTRS_UNSPECIFIED)) { + s->registers[DPDMA_ISR] |= ((1 << 12) << channel); + xlnx_dpdma_update_irq(s); + DPRINTF("Can't get data.\n"); +@@ -754,7 +756,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState 
*s, uint8_t channel, + DPRINTF("update the descriptor with the done flag set.\n"); + xlnx_dpdma_desc_set_done(&desc); + dma_memory_write(&address_space_memory, desc_addr, &desc, +- sizeof(DPDMADescriptor)); ++ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED); + } + + if (xlnx_dpdma_desc_completion_interrupt(&desc)) { +diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c +index 91fe34a..4d13d8e 100644 +--- a/hw/i386/amd_iommu.c ++++ b/hw/i386/amd_iommu.c +@@ -181,7 +181,7 @@ static void amdvi_log_event(AMDVIState *s, uint64_t *evt) + } + + if (dma_memory_write(&address_space_memory, s->evtlog + s->evtlog_tail, +- evt, AMDVI_EVENT_LEN)) { ++ evt, AMDVI_EVENT_LEN, MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_evntlog_fail(s->evtlog, s->evtlog_tail); + } + +@@ -376,7 +376,8 @@ static void amdvi_completion_wait(AMDVIState *s, uint64_t *cmd) + } + if (extract64(cmd[0], 0, 1)) { + if (dma_memory_write(&address_space_memory, addr, &data, +- AMDVI_COMPLETION_DATA_SIZE)) { ++ AMDVI_COMPLETION_DATA_SIZE, ++ MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_completion_wait_fail(addr); + } + } +@@ -502,7 +503,7 @@ static void amdvi_cmdbuf_exec(AMDVIState *s) + uint64_t cmd[2]; + + if (dma_memory_read(&address_space_memory, s->cmdbuf + s->cmdbuf_head, +- cmd, AMDVI_COMMAND_SIZE)) { ++ cmd, AMDVI_COMMAND_SIZE, MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_command_read_fail(s->cmdbuf, s->cmdbuf_head); + amdvi_log_command_error(s, s->cmdbuf + s->cmdbuf_head); + return; +@@ -836,7 +837,7 @@ static bool amdvi_get_dte(AMDVIState *s, int devid, uint64_t *entry) + uint32_t offset = devid * AMDVI_DEVTAB_ENTRY_SIZE; + + if (dma_memory_read(&address_space_memory, s->devtab + offset, entry, +- AMDVI_DEVTAB_ENTRY_SIZE)) { ++ AMDVI_DEVTAB_ENTRY_SIZE, MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_dte_get_fail(s->devtab, offset); + /* log error accessing dte */ + amdvi_log_devtab_error(s, devid, s->devtab + offset, 0); +@@ -881,7 +882,8 @@ static inline uint64_t amdvi_get_pte_entry(AMDVIState *s, uint64_t pte_addr, 
+ { + uint64_t pte; + +- if (dma_memory_read(&address_space_memory, pte_addr, &pte, sizeof(pte))) { ++ if (dma_memory_read(&address_space_memory, pte_addr, ++ &pte, sizeof(pte), MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_get_pte_hwerror(pte_addr); + amdvi_log_pagetab_error(s, devid, pte_addr, 0); + pte = 0; +@@ -1048,7 +1050,7 @@ static int amdvi_get_irte(AMDVIState *s, MSIMessage *origin, uint64_t *dte, + trace_amdvi_ir_irte(irte_root, offset); + + if (dma_memory_read(&address_space_memory, irte_root + offset, +- irte, sizeof(*irte))) { ++ irte, sizeof(*irte), MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_ir_err("failed to get irte"); + return -AMDVI_IR_GET_IRTE; + } +@@ -1108,7 +1110,7 @@ static int amdvi_get_irte_ga(AMDVIState *s, MSIMessage *origin, uint64_t *dte, + trace_amdvi_ir_irte(irte_root, offset); + + if (dma_memory_read(&address_space_memory, irte_root + offset, +- irte, sizeof(*irte))) { ++ irte, sizeof(*irte), MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_ir_err("failed to get irte_ga"); + return -AMDVI_IR_GET_IRTE; + } +diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c +index f584449..5b865ac 100644 +--- a/hw/i386/intel_iommu.c ++++ b/hw/i386/intel_iommu.c +@@ -569,7 +569,8 @@ static int vtd_get_root_entry(IntelIOMMUState *s, uint8_t index, + dma_addr_t addr; + + addr = s->root + index * sizeof(*re); +- if (dma_memory_read(&address_space_memory, addr, re, sizeof(*re))) { ++ if (dma_memory_read(&address_space_memory, addr, ++ re, sizeof(*re), MEMTXATTRS_UNSPECIFIED)) { + re->lo = 0; + return -VTD_FR_ROOT_TABLE_INV; + } +@@ -602,7 +603,8 @@ static int vtd_get_context_entry_from_root(IntelIOMMUState *s, + } + + addr = addr + index * ce_size; +- if (dma_memory_read(&address_space_memory, addr, ce, ce_size)) { ++ if (dma_memory_read(&address_space_memory, addr, ++ ce, ce_size, MEMTXATTRS_UNSPECIFIED)) { + return -VTD_FR_CONTEXT_TABLE_INV; + } + +@@ -639,8 +641,8 @@ static uint64_t vtd_get_slpte(dma_addr_t base_addr, uint32_t index) + assert(index < 
VTD_SL_PT_ENTRY_NR); + + if (dma_memory_read(&address_space_memory, +- base_addr + index * sizeof(slpte), &slpte, +- sizeof(slpte))) { ++ base_addr + index * sizeof(slpte), ++ &slpte, sizeof(slpte), MEMTXATTRS_UNSPECIFIED)) { + slpte = (uint64_t)-1; + return slpte; + } +@@ -704,7 +706,8 @@ static int vtd_get_pdire_from_pdir_table(dma_addr_t pasid_dir_base, + index = VTD_PASID_DIR_INDEX(pasid); + entry_size = VTD_PASID_DIR_ENTRY_SIZE; + addr = pasid_dir_base + index * entry_size; +- if (dma_memory_read(&address_space_memory, addr, pdire, entry_size)) { ++ if (dma_memory_read(&address_space_memory, addr, ++ pdire, entry_size, MEMTXATTRS_UNSPECIFIED)) { + return -VTD_FR_PASID_TABLE_INV; + } + +@@ -728,7 +731,8 @@ static int vtd_get_pe_in_pasid_leaf_table(IntelIOMMUState *s, + index = VTD_PASID_TABLE_INDEX(pasid); + entry_size = VTD_PASID_ENTRY_SIZE; + addr = addr + index * entry_size; +- if (dma_memory_read(&address_space_memory, addr, pe, entry_size)) { ++ if (dma_memory_read(&address_space_memory, addr, ++ pe, entry_size, MEMTXATTRS_UNSPECIFIED)) { + return -VTD_FR_PASID_TABLE_INV; + } + +@@ -2275,7 +2279,8 @@ static bool vtd_get_inv_desc(IntelIOMMUState *s, + uint32_t dw = s->iq_dw ? 
32 : 16; + dma_addr_t addr = base_addr + offset * dw; + +- if (dma_memory_read(&address_space_memory, addr, inv_desc, dw)) { ++ if (dma_memory_read(&address_space_memory, addr, ++ inv_desc, dw, MEMTXATTRS_UNSPECIFIED)) { + error_report_once("Read INV DESC failed."); + return false; + } +@@ -2308,8 +2313,9 @@ static bool vtd_process_wait_desc(IntelIOMMUState *s, VTDInvDesc *inv_desc) + dma_addr_t status_addr = inv_desc->hi; + trace_vtd_inv_desc_wait_sw(status_addr, status_data); + status_data = cpu_to_le32(status_data); +- if (dma_memory_write(&address_space_memory, status_addr, &status_data, +- sizeof(status_data))) { ++ if (dma_memory_write(&address_space_memory, status_addr, ++ &status_data, sizeof(status_data), ++ MEMTXATTRS_UNSPECIFIED)) { + trace_vtd_inv_desc_wait_write_fail(inv_desc->hi, inv_desc->lo); + return false; + } +@@ -3120,8 +3126,8 @@ static int vtd_irte_get(IntelIOMMUState *iommu, uint16_t index, + } + + addr = iommu->intr_root + index * sizeof(*entry); +- if (dma_memory_read(&address_space_memory, addr, entry, +- sizeof(*entry))) { ++ if (dma_memory_read(&address_space_memory, addr, ++ entry, sizeof(*entry), MEMTXATTRS_UNSPECIFIED)) { + error_report_once("%s: read failed: ind=0x%x addr=0x%" PRIx64, + __func__, index, addr); + return -VTD_FR_IR_ROOT_INVAL; +diff --git a/hw/ide/macio.c b/hw/ide/macio.c +index b03d401..f08318c 100644 +--- a/hw/ide/macio.c ++++ b/hw/ide/macio.c +@@ -97,7 +97,7 @@ static void pmac_ide_atapi_transfer_cb(void *opaque, int ret) + /* Non-block ATAPI transfer - just copy to RAM */ + s->io_buffer_size = MIN(s->io_buffer_size, io->len); + dma_memory_write(&address_space_memory, io->addr, s->io_buffer, +- s->io_buffer_size); ++ s->io_buffer_size, MEMTXATTRS_UNSPECIFIED); + io->len = 0; + ide_atapi_cmd_ok(s); + m->dma_active = false; +diff --git a/hw/intc/xive.c b/hw/intc/xive.c +index 190194d..f15f985 100644 +--- a/hw/intc/xive.c ++++ b/hw/intc/xive.c +@@ -1246,8 +1246,8 @@ void xive_end_queue_pic_print_info(XiveEND *end, 
uint32_t width, Monitor *mon) + uint64_t qaddr = qaddr_base + (qindex << 2); + uint32_t qdata = -1; + +- if (dma_memory_read(&address_space_memory, qaddr, &qdata, +- sizeof(qdata))) { ++ if (dma_memory_read(&address_space_memory, qaddr, ++ &qdata, sizeof(qdata), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to read EQ @0x%" + HWADDR_PRIx "\n", qaddr); + return; +@@ -1311,7 +1311,8 @@ static void xive_end_enqueue(XiveEND *end, uint32_t data) + uint32_t qdata = cpu_to_be32((qgen << 31) | (data & 0x7fffffff)); + uint32_t qentries = 1 << (qsize + 10); + +- if (dma_memory_write(&address_space_memory, qaddr, &qdata, sizeof(qdata))) { ++ if (dma_memory_write(&address_space_memory, qaddr, ++ &qdata, sizeof(qdata), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to write END data @0x%" + HWADDR_PRIx "\n", qaddr); + return; +diff --git a/hw/misc/bcm2835_property.c b/hw/misc/bcm2835_property.c +index 73941bd..76ea511 100644 +--- a/hw/misc/bcm2835_property.c ++++ b/hw/misc/bcm2835_property.c +@@ -69,7 +69,8 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) + break; + case 0x00010003: /* Get board MAC address */ + resplen = sizeof(s->macaddr.a); +- dma_memory_write(&s->dma_as, value + 12, s->macaddr.a, resplen); ++ dma_memory_write(&s->dma_as, value + 12, s->macaddr.a, resplen, ++ MEMTXATTRS_UNSPECIFIED); + break; + case 0x00010004: /* Get board serial */ + qemu_log_mask(LOG_UNIMP, +diff --git a/hw/misc/macio/mac_dbdma.c b/hw/misc/macio/mac_dbdma.c +index e220f1a..efcc026 100644 +--- a/hw/misc/macio/mac_dbdma.c ++++ b/hw/misc/macio/mac_dbdma.c +@@ -94,7 +94,7 @@ static void dbdma_cmdptr_load(DBDMA_channel *ch) + DBDMA_DPRINTFCH(ch, "dbdma_cmdptr_load 0x%08x\n", + ch->regs[DBDMA_CMDPTR_LO]); + dma_memory_read(&address_space_memory, ch->regs[DBDMA_CMDPTR_LO], +- &ch->current, sizeof(dbdma_cmd)); ++ &ch->current, sizeof(dbdma_cmd), MEMTXATTRS_UNSPECIFIED); + } + + static void 
dbdma_cmdptr_save(DBDMA_channel *ch) +@@ -104,7 +104,7 @@ static void dbdma_cmdptr_save(DBDMA_channel *ch) + le16_to_cpu(ch->current.xfer_status), + le16_to_cpu(ch->current.res_count)); + dma_memory_write(&address_space_memory, ch->regs[DBDMA_CMDPTR_LO], +- &ch->current, sizeof(dbdma_cmd)); ++ &ch->current, sizeof(dbdma_cmd), MEMTXATTRS_UNSPECIFIED); + } + + static void kill_channel(DBDMA_channel *ch) +@@ -371,7 +371,8 @@ static void load_word(DBDMA_channel *ch, int key, uint32_t addr, + return; + } + +- dma_memory_read(&address_space_memory, addr, ¤t->cmd_dep, len); ++ dma_memory_read(&address_space_memory, addr, ¤t->cmd_dep, len, ++ MEMTXATTRS_UNSPECIFIED); + + if (conditional_wait(ch)) + goto wait; +@@ -403,7 +404,8 @@ static void store_word(DBDMA_channel *ch, int key, uint32_t addr, + return; + } + +- dma_memory_write(&address_space_memory, addr, ¤t->cmd_dep, len); ++ dma_memory_write(&address_space_memory, addr, ¤t->cmd_dep, len, ++ MEMTXATTRS_UNSPECIFIED); + + if (conditional_wait(ch)) + goto wait; +diff --git a/hw/net/allwinner-sun8i-emac.c b/hw/net/allwinner-sun8i-emac.c +index ff611f1..ecc0245 100644 +--- a/hw/net/allwinner-sun8i-emac.c ++++ b/hw/net/allwinner-sun8i-emac.c +@@ -350,7 +350,8 @@ static void allwinner_sun8i_emac_get_desc(AwSun8iEmacState *s, + FrameDescriptor *desc, + uint32_t phys_addr) + { +- dma_memory_read(&s->dma_as, phys_addr, desc, sizeof(*desc)); ++ dma_memory_read(&s->dma_as, phys_addr, desc, sizeof(*desc), ++ MEMTXATTRS_UNSPECIFIED); + } + + static uint32_t allwinner_sun8i_emac_next_desc(AwSun8iEmacState *s, +@@ -402,7 +403,8 @@ static void allwinner_sun8i_emac_flush_desc(AwSun8iEmacState *s, + FrameDescriptor *desc, + uint32_t phys_addr) + { +- dma_memory_write(&s->dma_as, phys_addr, desc, sizeof(*desc)); ++ dma_memory_write(&s->dma_as, phys_addr, desc, sizeof(*desc), ++ MEMTXATTRS_UNSPECIFIED); + } + + static bool allwinner_sun8i_emac_can_receive(NetClientState *nc) +@@ -460,7 +462,8 @@ static ssize_t 
allwinner_sun8i_emac_receive(NetClientState *nc, + << RX_DESC_STATUS_FRM_LEN_SHIFT; + } + +- dma_memory_write(&s->dma_as, desc.addr, buf, desc_bytes); ++ dma_memory_write(&s->dma_as, desc.addr, buf, desc_bytes, ++ MEMTXATTRS_UNSPECIFIED); + allwinner_sun8i_emac_flush_desc(s, &desc, s->rx_desc_curr); + trace_allwinner_sun8i_emac_receive(s->rx_desc_curr, desc.addr, + desc_bytes); +@@ -512,7 +515,8 @@ static void allwinner_sun8i_emac_transmit(AwSun8iEmacState *s) + desc.status |= TX_DESC_STATUS_LENGTH_ERR; + break; + } +- dma_memory_read(&s->dma_as, desc.addr, packet_buf + packet_bytes, bytes); ++ dma_memory_read(&s->dma_as, desc.addr, packet_buf + packet_bytes, ++ bytes, MEMTXATTRS_UNSPECIFIED); + packet_bytes += bytes; + desc.status &= ~DESC_STATUS_CTL; + allwinner_sun8i_emac_flush_desc(s, &desc, s->tx_desc_curr); +@@ -634,7 +638,8 @@ static uint64_t allwinner_sun8i_emac_read(void *opaque, hwaddr offset, + break; + case REG_TX_CUR_BUF: /* Transmit Current Buffer */ + if (s->tx_desc_curr != 0) { +- dma_memory_read(&s->dma_as, s->tx_desc_curr, &desc, sizeof(desc)); ++ dma_memory_read(&s->dma_as, s->tx_desc_curr, &desc, sizeof(desc), ++ MEMTXATTRS_UNSPECIFIED); + value = desc.addr; + } else { + value = 0; +@@ -647,7 +652,8 @@ static uint64_t allwinner_sun8i_emac_read(void *opaque, hwaddr offset, + break; + case REG_RX_CUR_BUF: /* Receive Current Buffer */ + if (s->rx_desc_curr != 0) { +- dma_memory_read(&s->dma_as, s->rx_desc_curr, &desc, sizeof(desc)); ++ dma_memory_read(&s->dma_as, s->rx_desc_curr, &desc, sizeof(desc), ++ MEMTXATTRS_UNSPECIFIED); + value = desc.addr; + } else { + value = 0; +diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c +index 25685ba..83ef0a7 100644 +--- a/hw/net/ftgmac100.c ++++ b/hw/net/ftgmac100.c +@@ -453,7 +453,8 @@ static void do_phy_ctl(FTGMAC100State *s) + + static int ftgmac100_read_bd(FTGMAC100Desc *bd, dma_addr_t addr) + { +- if (dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd))) { ++ if 
(dma_memory_read(&address_space_memory, addr, ++ bd, sizeof(*bd), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to read descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -473,7 +474,8 @@ static int ftgmac100_write_bd(FTGMAC100Desc *bd, dma_addr_t addr) + lebd.des1 = cpu_to_le32(bd->des1); + lebd.des2 = cpu_to_le32(bd->des2); + lebd.des3 = cpu_to_le32(bd->des3); +- if (dma_memory_write(&address_space_memory, addr, &lebd, sizeof(lebd))) { ++ if (dma_memory_write(&address_space_memory, addr, ++ &lebd, sizeof(lebd), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to write descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -554,7 +556,8 @@ static void ftgmac100_do_tx(FTGMAC100State *s, uint32_t tx_ring, + len = sizeof(s->frame) - frame_size; + } + +- if (dma_memory_read(&address_space_memory, bd.des3, ptr, len)) { ++ if (dma_memory_read(&address_space_memory, bd.des3, ++ ptr, len, MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to read packet @ 0x%x\n", + __func__, bd.des3); + s->isr |= FTGMAC100_INT_AHB_ERR; +@@ -1030,20 +1033,24 @@ static ssize_t ftgmac100_receive(NetClientState *nc, const uint8_t *buf, + bd.des1 = lduw_be_p(buf + 14) | FTGMAC100_RXDES1_VLANTAG_AVAIL; + + if (s->maccr & FTGMAC100_MACCR_RM_VLAN) { +- dma_memory_write(&address_space_memory, buf_addr, buf, 12); +- dma_memory_write(&address_space_memory, buf_addr + 12, buf + 16, +- buf_len - 16); ++ dma_memory_write(&address_space_memory, buf_addr, buf, 12, ++ MEMTXATTRS_UNSPECIFIED); ++ dma_memory_write(&address_space_memory, buf_addr + 12, ++ buf + 16, buf_len - 16, ++ MEMTXATTRS_UNSPECIFIED); + } else { +- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len); ++ dma_memory_write(&address_space_memory, buf_addr, buf, ++ buf_len, MEMTXATTRS_UNSPECIFIED); + } + } else { + bd.des1 = 0; +- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len); ++ 
dma_memory_write(&address_space_memory, buf_addr, buf, buf_len, ++ MEMTXATTRS_UNSPECIFIED); + } + buf += buf_len; + if (size < 4) { + dma_memory_write(&address_space_memory, buf_addr + buf_len, +- crc_ptr, 4 - size); ++ crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED); + crc_ptr += 4 - size; + } + +diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c +index 9c7035b..0db9aaf 100644 +--- a/hw/net/imx_fec.c ++++ b/hw/net/imx_fec.c +@@ -387,19 +387,22 @@ static void imx_phy_write(IMXFECState *s, int reg, uint32_t val) + + static void imx_fec_read_bd(IMXFECBufDesc *bd, dma_addr_t addr) + { +- dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd)); ++ dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd), ++ MEMTXATTRS_UNSPECIFIED); + + trace_imx_fec_read_bd(addr, bd->flags, bd->length, bd->data); + } + + static void imx_fec_write_bd(IMXFECBufDesc *bd, dma_addr_t addr) + { +- dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd)); ++ dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd), ++ MEMTXATTRS_UNSPECIFIED); + } + + static void imx_enet_read_bd(IMXENETBufDesc *bd, dma_addr_t addr) + { +- dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd)); ++ dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd), ++ MEMTXATTRS_UNSPECIFIED); + + trace_imx_enet_read_bd(addr, bd->flags, bd->length, bd->data, + bd->option, bd->status); +@@ -407,7 +410,8 @@ static void imx_enet_read_bd(IMXENETBufDesc *bd, dma_addr_t addr) + + static void imx_enet_write_bd(IMXENETBufDesc *bd, dma_addr_t addr) + { +- dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd)); ++ dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd), ++ MEMTXATTRS_UNSPECIFIED); + } + + static void imx_eth_update(IMXFECState *s) +@@ -474,7 +478,8 @@ static void imx_fec_do_tx(IMXFECState *s) + len = ENET_MAX_FRAME_SIZE - frame_size; + s->regs[ENET_EIR] |= ENET_INT_BABT; + } +- dma_memory_read(&address_space_memory, bd.data, ptr, len); ++ dma_memory_read(&address_space_memory, 
bd.data, ptr, len, ++ MEMTXATTRS_UNSPECIFIED); + ptr += len; + frame_size += len; + if (bd.flags & ENET_BD_L) { +@@ -555,7 +560,8 @@ static void imx_enet_do_tx(IMXFECState *s, uint32_t index) + len = ENET_MAX_FRAME_SIZE - frame_size; + s->regs[ENET_EIR] |= ENET_INT_BABT; + } +- dma_memory_read(&address_space_memory, bd.data, ptr, len); ++ dma_memory_read(&address_space_memory, bd.data, ptr, len, ++ MEMTXATTRS_UNSPECIFIED); + ptr += len; + frame_size += len; + if (bd.flags & ENET_BD_L) { +@@ -1103,11 +1109,12 @@ static ssize_t imx_fec_receive(NetClientState *nc, const uint8_t *buf, + buf_len += size - 4; + } + buf_addr = bd.data; +- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len); ++ dma_memory_write(&address_space_memory, buf_addr, buf, buf_len, ++ MEMTXATTRS_UNSPECIFIED); + buf += buf_len; + if (size < 4) { + dma_memory_write(&address_space_memory, buf_addr + buf_len, +- crc_ptr, 4 - size); ++ crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED); + crc_ptr += 4 - size; + } + bd.flags &= ~ENET_BD_E; +@@ -1210,8 +1217,8 @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf, + */ + const uint8_t zeros[2] = { 0 }; + +- dma_memory_write(&address_space_memory, buf_addr, +- zeros, sizeof(zeros)); ++ dma_memory_write(&address_space_memory, buf_addr, zeros, ++ sizeof(zeros), MEMTXATTRS_UNSPECIFIED); + + buf_addr += sizeof(zeros); + buf_len -= sizeof(zeros); +@@ -1220,11 +1227,12 @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf, + shift16 = false; + } + +- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len); ++ dma_memory_write(&address_space_memory, buf_addr, buf, buf_len, ++ MEMTXATTRS_UNSPECIFIED); + buf += buf_len; + if (size < 4) { + dma_memory_write(&address_space_memory, buf_addr + buf_len, +- crc_ptr, 4 - size); ++ crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED); + crc_ptr += 4 - size; + } + bd.flags &= ~ENET_BD_E; +diff --git a/hw/net/npcm7xx_emc.c b/hw/net/npcm7xx_emc.c +index 545b2b7..9a23289 100644 +--- 
a/hw/net/npcm7xx_emc.c ++++ b/hw/net/npcm7xx_emc.c +@@ -200,7 +200,8 @@ static void emc_update_irq_from_reg_change(NPCM7xxEMCState *emc) + + static int emc_read_tx_desc(dma_addr_t addr, NPCM7xxEMCTxDesc *desc) + { +- if (dma_memory_read(&address_space_memory, addr, desc, sizeof(*desc))) { ++ if (dma_memory_read(&address_space_memory, addr, desc, ++ sizeof(*desc), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -221,7 +222,7 @@ static int emc_write_tx_desc(const NPCM7xxEMCTxDesc *desc, dma_addr_t addr) + le_desc.status_and_length = cpu_to_le32(desc->status_and_length); + le_desc.ntxdsa = cpu_to_le32(desc->ntxdsa); + if (dma_memory_write(&address_space_memory, addr, &le_desc, +- sizeof(le_desc))) { ++ sizeof(le_desc), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to write descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -231,7 +232,8 @@ static int emc_write_tx_desc(const NPCM7xxEMCTxDesc *desc, dma_addr_t addr) + + static int emc_read_rx_desc(dma_addr_t addr, NPCM7xxEMCRxDesc *desc) + { +- if (dma_memory_read(&address_space_memory, addr, desc, sizeof(*desc))) { ++ if (dma_memory_read(&address_space_memory, addr, desc, ++ sizeof(*desc), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -252,7 +254,7 @@ static int emc_write_rx_desc(const NPCM7xxEMCRxDesc *desc, dma_addr_t addr) + le_desc.reserved = cpu_to_le32(desc->reserved); + le_desc.nrxdsa = cpu_to_le32(desc->nrxdsa); + if (dma_memory_write(&address_space_memory, addr, &le_desc, +- sizeof(le_desc))) { ++ sizeof(le_desc), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to write descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -366,7 +368,8 @@ static void emc_try_send_next_packet(NPCM7xxEMCState *emc) + buf = 
malloced_buf; + } + +- if (dma_memory_read(&address_space_memory, next_buf_addr, buf, length)) { ++ if (dma_memory_read(&address_space_memory, next_buf_addr, buf, ++ length, MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read packet @ 0x%x\n", + __func__, next_buf_addr); + emc_set_mista(emc, REG_MISTA_TXBERR); +@@ -551,10 +554,11 @@ static ssize_t emc_receive(NetClientState *nc, const uint8_t *buf, size_t len1) + + buf_addr = rx_desc.rxbsa; + emc->regs[REG_CRXBSA] = buf_addr; +- if (dma_memory_write(&address_space_memory, buf_addr, buf, len) || ++ if (dma_memory_write(&address_space_memory, buf_addr, buf, ++ len, MEMTXATTRS_UNSPECIFIED) || + (!(emc->regs[REG_MCMDR] & REG_MCMDR_SPCRC) && +- dma_memory_write(&address_space_memory, buf_addr + len, crc_ptr, +- 4))) { ++ dma_memory_write(&address_space_memory, buf_addr + len, ++ crc_ptr, 4, MEMTXATTRS_UNSPECIFIED))) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Bus error writing packet\n", + __func__); + emc_set_mista(emc, REG_MISTA_RXBERR); +diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c +index f7803fe..9b91b15 100644 +--- a/hw/nvram/fw_cfg.c ++++ b/hw/nvram/fw_cfg.c +@@ -357,7 +357,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + dma_addr = s->dma_addr; + s->dma_addr = 0; + +- if (dma_memory_read(s->dma_as, dma_addr, &dma, sizeof(dma))) { ++ if (dma_memory_read(s->dma_as, dma_addr, ++ &dma, sizeof(dma), MEMTXATTRS_UNSPECIFIED)) { + stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control), + FW_CFG_DMA_CTL_ERROR); + return; +@@ -419,7 +420,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + */ + if (read) { + if (dma_memory_write(s->dma_as, dma.address, +- &e->data[s->cur_offset], len)) { ++ &e->data[s->cur_offset], len, ++ MEMTXATTRS_UNSPECIFIED)) { + dma.control |= FW_CFG_DMA_CTL_ERROR; + } + } +@@ -427,7 +429,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + if (!e->allow_write || + len != dma.length || + dma_memory_read(s->dma_as, dma.address, +- 
&e->data[s->cur_offset], len)) { ++ &e->data[s->cur_offset], len, ++ MEMTXATTRS_UNSPECIFIED)) { + dma.control |= FW_CFG_DMA_CTL_ERROR; + } else if (e->write_cb) { + e->write_cb(e->callback_opaque, s->cur_offset, len); +diff --git a/hw/pci-host/pnv_phb3.c b/hw/pci-host/pnv_phb3.c +index 9c4451c..c6e7871 100644 +--- a/hw/pci-host/pnv_phb3.c ++++ b/hw/pci-host/pnv_phb3.c +@@ -715,7 +715,8 @@ static bool pnv_phb3_resolve_pe(PnvPhb3DMASpace *ds) + bus_num = pci_bus_num(ds->bus); + addr = rtt & PHB_RTT_BASE_ADDRESS_MASK; + addr += 2 * ((bus_num << 8) | ds->devfn); +- if (dma_memory_read(&address_space_memory, addr, &rte, sizeof(rte))) { ++ if (dma_memory_read(&address_space_memory, addr, &rte, ++ sizeof(rte), MEMTXATTRS_UNSPECIFIED)) { + phb3_error(ds->phb, "Failed to read RTT entry at 0x%"PRIx64, addr); + /* Set error bits ? fence ? ... */ + return false; +@@ -794,7 +795,7 @@ static void pnv_phb3_translate_tve(PnvPhb3DMASpace *ds, hwaddr addr, + /* Grab the TCE address */ + taddr = base | (((addr >> sh) & ((1ul << tbl_shift) - 1)) << 3); + if (dma_memory_read(&address_space_memory, taddr, &tce, +- sizeof(tce))) { ++ sizeof(tce), MEMTXATTRS_UNSPECIFIED)) { + phb3_error(phb, "Failed to read TCE at 0x%"PRIx64, taddr); + return; + } +diff --git a/hw/pci-host/pnv_phb3_msi.c b/hw/pci-host/pnv_phb3_msi.c +index 099d209..8bcbc2c 100644 +--- a/hw/pci-host/pnv_phb3_msi.c ++++ b/hw/pci-host/pnv_phb3_msi.c +@@ -53,7 +53,8 @@ static bool phb3_msi_read_ive(PnvPHB3 *phb, int srcno, uint64_t *out_ive) + return false; + } + +- if (dma_memory_read(&address_space_memory, ive_addr, &ive, sizeof(ive))) { ++ if (dma_memory_read(&address_space_memory, ive_addr, ++ &ive, sizeof(ive), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "Failed to read IVE at 0x%" PRIx64, + ive_addr); + return false; +@@ -73,7 +74,8 @@ static void phb3_msi_set_p(Phb3MsiState *msi, int srcno, uint8_t gen) + return; + } + +- if (dma_memory_write(&address_space_memory, ive_addr + 4, &p, 1)) { ++ if 
(dma_memory_write(&address_space_memory, ive_addr + 4, ++ &p, 1, MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, + "Failed to write IVE (set P) at 0x%" PRIx64, ive_addr); + } +@@ -89,7 +91,8 @@ static void phb3_msi_set_q(Phb3MsiState *msi, int srcno) + return; + } + +- if (dma_memory_write(&address_space_memory, ive_addr + 5, &q, 1)) { ++ if (dma_memory_write(&address_space_memory, ive_addr + 5, ++ &q, 1, MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, + "Failed to write IVE (set Q) at 0x%" PRIx64, ive_addr); + } +diff --git a/hw/pci-host/pnv_phb4.c b/hw/pci-host/pnv_phb4.c +index 40b7932..1fbf732 100644 +--- a/hw/pci-host/pnv_phb4.c ++++ b/hw/pci-host/pnv_phb4.c +@@ -891,7 +891,8 @@ static bool pnv_phb4_resolve_pe(PnvPhb4DMASpace *ds) + bus_num = pci_bus_num(ds->bus); + addr = rtt & PHB_RTT_BASE_ADDRESS_MASK; + addr += 2 * PCI_BUILD_BDF(bus_num, ds->devfn); +- if (dma_memory_read(&address_space_memory, addr, &rte, sizeof(rte))) { ++ if (dma_memory_read(&address_space_memory, addr, &rte, ++ sizeof(rte), MEMTXATTRS_UNSPECIFIED)) { + phb_error(ds->phb, "Failed to read RTT entry at 0x%"PRIx64, addr); + /* Set error bits ? fence ? ... 
*/ + return false; +@@ -961,7 +962,7 @@ static void pnv_phb4_translate_tve(PnvPhb4DMASpace *ds, hwaddr addr, + /* Grab the TCE address */ + taddr = base | (((addr >> sh) & ((1ul << tbl_shift) - 1)) << 3); + if (dma_memory_read(&address_space_memory, taddr, &tce, +- sizeof(tce))) { ++ sizeof(tce), MEMTXATTRS_UNSPECIFIED)) { + phb_error(ds->phb, "Failed to read TCE at 0x%"PRIx64, taddr); + return; + } +diff --git a/hw/sd/allwinner-sdhost.c b/hw/sd/allwinner-sdhost.c +index 9166d66..de5bc49 100644 +--- a/hw/sd/allwinner-sdhost.c ++++ b/hw/sd/allwinner-sdhost.c +@@ -311,7 +311,8 @@ static uint32_t allwinner_sdhost_process_desc(AwSdHostState *s, + uint8_t buf[1024]; + + /* Read descriptor */ +- dma_memory_read(&s->dma_as, desc_addr, desc, sizeof(*desc)); ++ dma_memory_read(&s->dma_as, desc_addr, desc, sizeof(*desc), ++ MEMTXATTRS_UNSPECIFIED); + if (desc->size == 0) { + desc->size = klass->max_desc_size; + } else if (desc->size > klass->max_desc_size) { +@@ -337,23 +338,24 @@ static uint32_t allwinner_sdhost_process_desc(AwSdHostState *s, + /* Write to SD bus */ + if (is_write) { + dma_memory_read(&s->dma_as, +- (desc->addr & DESC_SIZE_MASK) + num_done, +- buf, buf_bytes); ++ (desc->addr & DESC_SIZE_MASK) + num_done, buf, ++ buf_bytes, MEMTXATTRS_UNSPECIFIED); + sdbus_write_data(&s->sdbus, buf, buf_bytes); + + /* Read from SD bus */ + } else { + sdbus_read_data(&s->sdbus, buf, buf_bytes); + dma_memory_write(&s->dma_as, +- (desc->addr & DESC_SIZE_MASK) + num_done, +- buf, buf_bytes); ++ (desc->addr & DESC_SIZE_MASK) + num_done, buf, ++ buf_bytes, MEMTXATTRS_UNSPECIFIED); + } + num_done += buf_bytes; + } + + /* Clear hold flag and flush descriptor */ + desc->status &= ~DESC_STATUS_HOLD; +- dma_memory_write(&s->dma_as, desc_addr, desc, sizeof(*desc)); ++ dma_memory_write(&s->dma_as, desc_addr, desc, sizeof(*desc), ++ MEMTXATTRS_UNSPECIFIED); + + return num_done; + } +diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c +index c9dc065..e0bbc90 100644 +--- a/hw/sd/sdhci.c ++++ 
b/hw/sd/sdhci.c +@@ -616,8 +616,8 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) + s->blkcnt--; + } + } +- dma_memory_write(s->dma_as, s->sdmasysad, +- &s->fifo_buffer[begin], s->data_count - begin); ++ dma_memory_write(s->dma_as, s->sdmasysad, &s->fifo_buffer[begin], ++ s->data_count - begin, MEMTXATTRS_UNSPECIFIED); + s->sdmasysad += s->data_count - begin; + if (s->data_count == block_size) { + s->data_count = 0; +@@ -637,8 +637,8 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) + s->data_count = block_size; + boundary_count -= block_size - begin; + } +- dma_memory_read(s->dma_as, s->sdmasysad, +- &s->fifo_buffer[begin], s->data_count - begin); ++ dma_memory_read(s->dma_as, s->sdmasysad, &s->fifo_buffer[begin], ++ s->data_count - begin, MEMTXATTRS_UNSPECIFIED); + s->sdmasysad += s->data_count - begin; + if (s->data_count == block_size) { + sdbus_write_data(&s->sdbus, s->fifo_buffer, block_size); +@@ -670,9 +670,11 @@ static void sdhci_sdma_transfer_single_block(SDHCIState *s) + + if (s->trnmod & SDHC_TRNS_READ) { + sdbus_read_data(&s->sdbus, s->fifo_buffer, datacnt); +- dma_memory_write(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt); ++ dma_memory_write(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt, ++ MEMTXATTRS_UNSPECIFIED); + } else { +- dma_memory_read(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt); ++ dma_memory_read(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt, ++ MEMTXATTRS_UNSPECIFIED); + sdbus_write_data(&s->sdbus, s->fifo_buffer, datacnt); + } + s->blkcnt--; +@@ -694,7 +696,8 @@ static void get_adma_description(SDHCIState *s, ADMADescr *dscr) + hwaddr entry_addr = (hwaddr)s->admasysaddr; + switch (SDHC_DMA_TYPE(s->hostctl1)) { + case SDHC_CTRL_ADMA2_32: +- dma_memory_read(s->dma_as, entry_addr, &adma2, sizeof(adma2)); ++ dma_memory_read(s->dma_as, entry_addr, &adma2, sizeof(adma2), ++ MEMTXATTRS_UNSPECIFIED); + adma2 = le64_to_cpu(adma2); + /* The spec does not specify endianness of descriptor table. 
+ * We currently assume that it is LE. +@@ -705,7 +708,8 @@ static void get_adma_description(SDHCIState *s, ADMADescr *dscr) + dscr->incr = 8; + break; + case SDHC_CTRL_ADMA1_32: +- dma_memory_read(s->dma_as, entry_addr, &adma1, sizeof(adma1)); ++ dma_memory_read(s->dma_as, entry_addr, &adma1, sizeof(adma1), ++ MEMTXATTRS_UNSPECIFIED); + adma1 = le32_to_cpu(adma1); + dscr->addr = (hwaddr)(adma1 & 0xFFFFF000); + dscr->attr = (uint8_t)extract32(adma1, 0, 7); +@@ -717,10 +721,13 @@ static void get_adma_description(SDHCIState *s, ADMADescr *dscr) + } + break; + case SDHC_CTRL_ADMA2_64: +- dma_memory_read(s->dma_as, entry_addr, &dscr->attr, 1); +- dma_memory_read(s->dma_as, entry_addr + 2, &dscr->length, 2); ++ dma_memory_read(s->dma_as, entry_addr, &dscr->attr, 1, ++ MEMTXATTRS_UNSPECIFIED); ++ dma_memory_read(s->dma_as, entry_addr + 2, &dscr->length, 2, ++ MEMTXATTRS_UNSPECIFIED); + dscr->length = le16_to_cpu(dscr->length); +- dma_memory_read(s->dma_as, entry_addr + 4, &dscr->addr, 8); ++ dma_memory_read(s->dma_as, entry_addr + 4, &dscr->addr, 8, ++ MEMTXATTRS_UNSPECIFIED); + dscr->addr = le64_to_cpu(dscr->addr); + dscr->attr &= (uint8_t) ~0xC0; + dscr->incr = 12; +@@ -785,7 +792,8 @@ static void sdhci_do_adma(SDHCIState *s) + } + dma_memory_write(s->dma_as, dscr.addr, + &s->fifo_buffer[begin], +- s->data_count - begin); ++ s->data_count - begin, ++ MEMTXATTRS_UNSPECIFIED); + dscr.addr += s->data_count - begin; + if (s->data_count == block_size) { + s->data_count = 0; +@@ -810,7 +818,8 @@ static void sdhci_do_adma(SDHCIState *s) + } + dma_memory_read(s->dma_as, dscr.addr, + &s->fifo_buffer[begin], +- s->data_count - begin); ++ s->data_count - begin, ++ MEMTXATTRS_UNSPECIFIED); + dscr.addr += s->data_count - begin; + if (s->data_count == block_size) { + sdbus_write_data(&s->sdbus, s->fifo_buffer, block_size); +diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c +index e1d96ac..8755e9c 100644 +--- a/hw/usb/hcd-dwc2.c ++++ b/hw/usb/hcd-dwc2.c +@@ -272,8 +272,8 @@ static 
void dwc2_handle_packet(DWC2State *s, uint32_t devadr, USBDevice *dev, + + if (pid != USB_TOKEN_IN) { + trace_usb_dwc2_memory_read(hcdma, tlen); +- if (dma_memory_read(&s->dma_as, hcdma, +- s->usb_buf[chan], tlen) != MEMTX_OK) { ++ if (dma_memory_read(&s->dma_as, hcdma, s->usb_buf[chan], tlen, ++ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: dma_memory_read failed\n", + __func__); + } +@@ -328,8 +328,8 @@ babble: + + if (pid == USB_TOKEN_IN) { + trace_usb_dwc2_memory_write(hcdma, actual); +- if (dma_memory_write(&s->dma_as, hcdma, s->usb_buf[chan], +- actual) != MEMTX_OK) { ++ if (dma_memory_write(&s->dma_as, hcdma, s->usb_buf[chan], actual, ++ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: dma_memory_write failed\n", + __func__); + } +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c +index 6caa7ac..33a8a37 100644 +--- a/hw/usb/hcd-ehci.c ++++ b/hw/usb/hcd-ehci.c +@@ -383,7 +383,8 @@ static inline int get_dwords(EHCIState *ehci, uint32_t addr, + } + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { +- dma_memory_read(ehci->as, addr, buf, sizeof(*buf)); ++ dma_memory_read(ehci->as, addr, buf, sizeof(*buf), ++ MEMTXATTRS_UNSPECIFIED); + *buf = le32_to_cpu(*buf); + } + +@@ -405,7 +406,8 @@ static inline int put_dwords(EHCIState *ehci, uint32_t addr, + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { + uint32_t tmp = cpu_to_le32(*buf); +- dma_memory_write(ehci->as, addr, &tmp, sizeof(tmp)); ++ dma_memory_write(ehci->as, addr, &tmp, sizeof(tmp), ++ MEMTXATTRS_UNSPECIFIED); + } + + return num; +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c +index 56e2315..a93d6b2 100644 +--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -452,7 +452,8 @@ static inline int get_dwords(OHCIState *ohci, + addr += ohci->localmem_base; + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { +- if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) { ++ if (dma_memory_read(ohci->as, addr, ++ buf, 
sizeof(*buf), MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + *buf = le32_to_cpu(*buf); +@@ -471,7 +472,8 @@ static inline int put_dwords(OHCIState *ohci, + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { + uint32_t tmp = cpu_to_le32(*buf); +- if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) { ++ if (dma_memory_write(ohci->as, addr, ++ &tmp, sizeof(tmp), MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + } +@@ -488,7 +490,8 @@ static inline int get_words(OHCIState *ohci, + addr += ohci->localmem_base; + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { +- if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) { ++ if (dma_memory_read(ohci->as, addr, ++ buf, sizeof(*buf), MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + *buf = le16_to_cpu(*buf); +@@ -507,7 +510,8 @@ static inline int put_words(OHCIState *ohci, + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { + uint16_t tmp = cpu_to_le16(*buf); +- if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) { ++ if (dma_memory_write(ohci->as, addr, ++ &tmp, sizeof(tmp), MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + } +@@ -537,8 +541,8 @@ static inline int ohci_read_iso_td(OHCIState *ohci, + static inline int ohci_read_hcca(OHCIState *ohci, + dma_addr_t addr, struct ohci_hcca *hcca) + { +- return dma_memory_read(ohci->as, addr + ohci->localmem_base, +- hcca, sizeof(*hcca)); ++ return dma_memory_read(ohci->as, addr + ohci->localmem_base, hcca, ++ sizeof(*hcca), MEMTXATTRS_UNSPECIFIED); + } + + static inline int ohci_put_ed(OHCIState *ohci, +@@ -572,7 +576,7 @@ static inline int ohci_put_hcca(OHCIState *ohci, + return dma_memory_write(ohci->as, + addr + ohci->localmem_base + HCCA_WRITEBACK_OFFSET, + (char *)hcca + HCCA_WRITEBACK_OFFSET, +- HCCA_WRITEBACK_SIZE); ++ HCCA_WRITEBACK_SIZE, MEMTXATTRS_UNSPECIFIED); + } + + /* Read/Write the contents of a TD from/to main memory. 
*/ +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index e017000..ed2b9ea 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -487,7 +487,7 @@ static inline void xhci_dma_read_u32s(XHCIState *xhci, dma_addr_t addr, + + assert((len % sizeof(uint32_t)) == 0); + +- dma_memory_read(xhci->as, addr, buf, len); ++ dma_memory_read(xhci->as, addr, buf, len, MEMTXATTRS_UNSPECIFIED); + + for (i = 0; i < (len / sizeof(uint32_t)); i++) { + buf[i] = le32_to_cpu(buf[i]); +@@ -507,7 +507,7 @@ static inline void xhci_dma_write_u32s(XHCIState *xhci, dma_addr_t addr, + for (i = 0; i < n; i++) { + tmp[i] = cpu_to_le32(buf[i]); + } +- dma_memory_write(xhci->as, addr, tmp, len); ++ dma_memory_write(xhci->as, addr, tmp, len, MEMTXATTRS_UNSPECIFIED); + } + + static XHCIPort *xhci_lookup_port(XHCIState *xhci, struct USBPort *uport) +@@ -618,7 +618,7 @@ static void xhci_write_event(XHCIState *xhci, XHCIEvent *event, int v) + ev_trb.status, ev_trb.control); + + addr = intr->er_start + TRB_SIZE*intr->er_ep_idx; +- dma_memory_write(xhci->as, addr, &ev_trb, TRB_SIZE); ++ dma_memory_write(xhci->as, addr, &ev_trb, TRB_SIZE, MEMTXATTRS_UNSPECIFIED); + + intr->er_ep_idx++; + if (intr->er_ep_idx >= intr->er_size) { +@@ -679,7 +679,8 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, + + while (1) { + TRBType type; +- dma_memory_read(xhci->as, ring->dequeue, trb, TRB_SIZE); ++ dma_memory_read(xhci->as, ring->dequeue, trb, TRB_SIZE, ++ MEMTXATTRS_UNSPECIFIED); + trb->addr = ring->dequeue; + trb->ccs = ring->ccs; + le64_to_cpus(&trb->parameter); +@@ -726,7 +727,8 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) + + while (1) { + TRBType type; +- dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE); ++ dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE, ++ MEMTXATTRS_UNSPECIFIED); + le64_to_cpus(&trb.parameter); + le32_to_cpus(&trb.status); + le32_to_cpus(&trb.control); +@@ -781,7 +783,8 @@ static void xhci_er_reset(XHCIState *xhci, int 
v) + xhci_die(xhci); + return; + } +- dma_memory_read(xhci->as, erstba, &seg, sizeof(seg)); ++ dma_memory_read(xhci->as, erstba, &seg, sizeof(seg), ++ MEMTXATTRS_UNSPECIFIED); + le32_to_cpus(&seg.addr_low); + le32_to_cpus(&seg.addr_high); + le32_to_cpus(&seg.size); +@@ -2397,7 +2400,8 @@ static TRBCCode xhci_get_port_bandwidth(XHCIState *xhci, uint64_t pctx) + /* TODO: actually implement real values here */ + bw_ctx[0] = 0; + memset(&bw_ctx[1], 80, xhci->numports); /* 80% */ +- dma_memory_write(xhci->as, ctx, bw_ctx, sizeof(bw_ctx)); ++ dma_memory_write(xhci->as, ctx, bw_ctx, sizeof(bw_ctx), ++ MEMTXATTRS_UNSPECIFIED); + + return CC_SUCCESS; + } +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index c90e74a..5d2ea8e 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -97,14 +97,16 @@ static inline bool spapr_vio_dma_valid(SpaprVioDevice *dev, uint64_t taddr, + static inline int spapr_vio_dma_read(SpaprVioDevice *dev, uint64_t taddr, + void *buf, uint32_t size) + { +- return (dma_memory_read(&dev->as, taddr, buf, size) != 0) ? ++ return (dma_memory_read(&dev->as, taddr, ++ buf, size, MEMTXATTRS_UNSPECIFIED) != 0) ? + H_DEST_PARM : H_SUCCESS; + } + + static inline int spapr_vio_dma_write(SpaprVioDevice *dev, uint64_t taddr, + const void *buf, uint32_t size) + { +- return (dma_memory_write(&dev->as, taddr, buf, size) != 0) ? ++ return (dma_memory_write(&dev->as, taddr, ++ buf, size, MEMTXATTRS_UNSPECIFIED) != 0) ? 
+ H_DEST_PARM : H_SUCCESS; + } + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index e8ad422..522682b 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -143,12 +143,14 @@ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr, + * @addr: address within that address space + * @buf: buffer with the data transferred + * @len: length of the data transferred ++ * @attrs: memory transaction attributes + */ + static inline MemTxResult dma_memory_read(AddressSpace *as, dma_addr_t addr, +- void *buf, dma_addr_t len) ++ void *buf, dma_addr_t len, ++ MemTxAttrs attrs) + { + return dma_memory_rw(as, addr, buf, len, +- DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED); ++ DMA_DIRECTION_TO_DEVICE, attrs); + } + + /** +@@ -162,12 +164,14 @@ static inline MemTxResult dma_memory_read(AddressSpace *as, dma_addr_t addr, + * @addr: address within that address space + * @buf: buffer with the data transferred + * @len: the number of bytes to write ++ * @attrs: memory transaction attributes + */ + static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr, +- const void *buf, dma_addr_t len) ++ const void *buf, dma_addr_t len, ++ MemTxAttrs attrs) + { + return dma_memory_rw(as, addr, (void *)buf, len, +- DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); ++ DMA_DIRECTION_FROM_DEVICE, attrs); + } + + /** +@@ -239,7 +243,7 @@ static inline void dma_memory_unmap(AddressSpace *as, + dma_addr_t addr) \ + { \ + uint##_bits##_t val; \ +- dma_memory_read(as, addr, &val, (_bits) / 8); \ ++ dma_memory_read(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \ + return _end##_bits##_to_cpu(val); \ + } \ + static inline void st##_sname##_##_end##_dma(AddressSpace *as, \ +@@ -247,20 +251,20 @@ static inline void dma_memory_unmap(AddressSpace *as, + uint##_bits##_t val) \ + { \ + val = cpu_to_##_end##_bits(val); \ +- dma_memory_write(as, addr, &val, (_bits) / 8); \ ++ dma_memory_write(as, addr, &val, (_bits) / 8, 
MEMTXATTRS_UNSPECIFIED); \ + } + + static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr) + { + uint8_t val; + +- dma_memory_read(as, addr, &val, 1); ++ dma_memory_read(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED); + return val; + } + + static inline void stb_dma(AddressSpace *as, dma_addr_t addr, uint8_t val) + { +- dma_memory_write(as, addr, &val, 1); ++ dma_memory_write(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED); + } + + DEFINE_LDST_DMA(uw, w, 16, le); +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..8dd0476953 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,227 @@ +From a1d4b0a3051b3079c8db607f519bc0fcb30e17ec Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 3 Sep 2020 11:00:47 +0200 +Subject: [PATCH] dma: Let dma_memory_map() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_map(). + +Patch created mechanically using spatch with this script: + + @@ + expression E1, E2, E3, E4; + @@ + - dma_memory_map(E1, E2, E3, E4) + + dma_memory_map(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED) + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=a1d4b0a3051b3079c8db607f519bc0fcb30e17ec] + +Reviewed-by: Richard Henderson +Reviewed-by: Li Qiang +Reviewed-by: Edgar E. Iglesias +Signed-off-by: Philippe Mathieu-Daudé +Acked-by: Stefan Hajnoczi +Message-Id: <20211223115554.3155328-7-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + hw/display/virtio-gpu.c | 10 ++++++---- + hw/hyperv/vmbus.c | 8 +++++--- + hw/ide/ahci.c | 8 +++++--- + hw/usb/libhw.c | 3 ++- + hw/virtio/virtio.c | 6 ++++-- + include/hw/pci/pci.h | 3 ++- + include/sysemu/dma.h | 5 +++-- + softmmu/dma-helpers.c | 3 ++- + 8 files changed, 29 insertions(+), 17 deletions(-) + +diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c +index d78b970..c6dc818 100644 +--- a/hw/display/virtio-gpu.c ++++ b/hw/display/virtio-gpu.c +@@ -814,8 +814,9 @@ int virtio_gpu_create_mapping_iov(VirtIOGPU *g, + + do { + len = l; +- map = dma_memory_map(VIRTIO_DEVICE(g)->dma_as, +- a, &len, DMA_DIRECTION_TO_DEVICE); ++ map = dma_memory_map(VIRTIO_DEVICE(g)->dma_as, a, &len, ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + if (!map) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to map MMIO memory for" + " element %d\n", __func__, e); +@@ -1252,8 +1253,9 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size, + for (i = 0; i < res->iov_cnt; i++) { 
+ hwaddr len = res->iov[i].iov_len; + res->iov[i].iov_base = +- dma_memory_map(VIRTIO_DEVICE(g)->dma_as, +- res->addrs[i], &len, DMA_DIRECTION_TO_DEVICE); ++ dma_memory_map(VIRTIO_DEVICE(g)->dma_as, res->addrs[i], &len, ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + + if (!res->iov[i].iov_base || len != res->iov[i].iov_len) { + /* Clean up the half-a-mapping we just created... */ +diff --git a/hw/hyperv/vmbus.c b/hw/hyperv/vmbus.c +index dbce3b3..8aad29f 100644 +--- a/hw/hyperv/vmbus.c ++++ b/hw/hyperv/vmbus.c +@@ -373,7 +373,8 @@ static ssize_t gpadl_iter_io(GpadlIter *iter, void *buf, uint32_t len) + + maddr = (iter->gpadl->gfns[idx] << TARGET_PAGE_BITS) | off_in_page; + +- iter->map = dma_memory_map(iter->as, maddr, &mlen, iter->dir); ++ iter->map = dma_memory_map(iter->as, maddr, &mlen, iter->dir, ++ MEMTXATTRS_UNSPECIFIED); + if (mlen != pgleft) { + dma_memory_unmap(iter->as, iter->map, mlen, iter->dir, 0); + iter->map = NULL; +@@ -490,7 +491,8 @@ int vmbus_map_sgl(VMBusChanReq *req, DMADirection dir, struct iovec *iov, + goto err; + } + +- iov[ret_cnt].iov_base = dma_memory_map(sgl->as, a, &l, dir); ++ iov[ret_cnt].iov_base = dma_memory_map(sgl->as, a, &l, dir, ++ MEMTXATTRS_UNSPECIFIED); + if (!l) { + ret = -EFAULT; + goto err; +@@ -566,7 +568,7 @@ static vmbus_ring_buffer *ringbuf_map_hdr(VMBusRingBufCommon *ringbuf) + dma_addr_t mlen = sizeof(*rb); + + rb = dma_memory_map(ringbuf->as, ringbuf->rb_addr, &mlen, +- DMA_DIRECTION_FROM_DEVICE); ++ DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); + if (mlen != sizeof(*rb)) { + dma_memory_unmap(ringbuf->as, rb, mlen, + DMA_DIRECTION_FROM_DEVICE, 0); +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c +index a94c6e2..8e77ddb 100644 +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -249,7 +249,8 @@ static void map_page(AddressSpace *as, uint8_t **ptr, uint64_t addr, + dma_memory_unmap(as, *ptr, len, DMA_DIRECTION_FROM_DEVICE, len); + } + +- *ptr = dma_memory_map(as, addr, &len, DMA_DIRECTION_FROM_DEVICE); ++ *ptr 
= dma_memory_map(as, addr, &len, DMA_DIRECTION_FROM_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + if (len < wanted && *ptr) { + dma_memory_unmap(as, *ptr, len, DMA_DIRECTION_FROM_DEVICE, len); + *ptr = NULL; +@@ -939,7 +940,8 @@ static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist, + + /* map PRDT */ + if (!(prdt = dma_memory_map(ad->hba->as, prdt_addr, &prdt_len, +- DMA_DIRECTION_TO_DEVICE))){ ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED))){ + trace_ahci_populate_sglist_no_map(ad->hba, ad->port_no); + return -1; + } +@@ -1301,7 +1303,7 @@ static int handle_cmd(AHCIState *s, int port, uint8_t slot) + tbl_addr = le64_to_cpu(cmd->tbl_addr); + cmd_len = 0x80; + cmd_fis = dma_memory_map(s->as, tbl_addr, &cmd_len, +- DMA_DIRECTION_TO_DEVICE); ++ DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED); + if (!cmd_fis) { + trace_handle_cmd_badfis(s, port); + return -1; +diff --git a/hw/usb/libhw.c b/hw/usb/libhw.c +index 9c33a16..f350eae 100644 +--- a/hw/usb/libhw.c ++++ b/hw/usb/libhw.c +@@ -36,7 +36,8 @@ int usb_packet_map(USBPacket *p, QEMUSGList *sgl) + + while (len) { + dma_addr_t xlen = len; +- mem = dma_memory_map(sgl->as, base, &xlen, dir); ++ mem = dma_memory_map(sgl->as, base, &xlen, dir, ++ MEMTXATTRS_UNSPECIFIED); + if (!mem) { + goto err; + } +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index ea7c079..e11a8a0d 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -1306,7 +1306,8 @@ static bool virtqueue_map_desc(VirtIODevice *vdev, unsigned int *p_num_sg, + iov[num_sg].iov_base = dma_memory_map(vdev->dma_as, pa, &len, + is_write ? + DMA_DIRECTION_FROM_DEVICE : +- DMA_DIRECTION_TO_DEVICE); ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + if (!iov[num_sg].iov_base) { + virtio_error(vdev, "virtio: bogus descriptor or out of resources"); + goto out; +@@ -1355,7 +1356,8 @@ static void virtqueue_map_iovec(VirtIODevice *vdev, struct iovec *sg, + sg[i].iov_base = dma_memory_map(vdev->dma_as, + addr[i], &len, is_write ? 
+ DMA_DIRECTION_FROM_DEVICE : +- DMA_DIRECTION_TO_DEVICE); ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + if (!sg[i].iov_base) { + error_report("virtio: error trying to map MMIO memory"); + exit(1); +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 4383f1c..1acefc2 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -875,7 +875,8 @@ static inline void *pci_dma_map(PCIDevice *dev, dma_addr_t addr, + { + void *buf; + +- buf = dma_memory_map(pci_get_address_space(dev), addr, plen, dir); ++ buf = dma_memory_map(pci_get_address_space(dev), addr, plen, dir, ++ MEMTXATTRS_UNSPECIFIED); + return buf; + } + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 522682b..97ff6f2 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -202,16 +202,17 @@ MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr, + * @addr: address within that address space + * @len: pointer to length of buffer; updated on return + * @dir: indicates the transfer direction ++ * @attrs: memory attributes + */ + static inline void *dma_memory_map(AddressSpace *as, + dma_addr_t addr, dma_addr_t *len, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + hwaddr xlen = *len; + void *p; + + p = address_space_map(as, addr, &xlen, dir == DMA_DIRECTION_FROM_DEVICE, +- MEMTXATTRS_UNSPECIFIED); ++ attrs); + *len = xlen; + return p; + } +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 5bf76ff..3c06a2f 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -143,7 +143,8 @@ static void dma_blk_cb(void *opaque, int ret) + while (dbs->sg_cur_index < dbs->sg->nsg) { + cur_addr = dbs->sg->sg[dbs->sg_cur_index].base + dbs->sg_cur_byte; + cur_len = dbs->sg->sg[dbs->sg_cur_index].len - dbs->sg_cur_byte; +- mem = dma_memory_map(dbs->sg->as, cur_addr, &cur_len, dbs->dir); ++ mem = dma_memory_map(dbs->sg->as, cur_addr, &cur_len, dbs->dir, ++ MEMTXATTRS_UNSPECIFIED); + /* + * Make reads deterministic in icount 
mode. Windows sometimes issues + * disk read requests with overlapping SGs. It leads +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch b/meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch new file mode 100644 index 0000000000..0876ef184d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch @@ -0,0 +1,41 @@ +From c0ee1527358474c75067993d1bb233ad3a4ee081 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 16 Dec 2021 11:24:56 +0100 +Subject: [PATCH] dma: Have dma_buf_rw() take a void pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +DMA operations are run on any kind of buffer, not arrays of +uint8_t. Convert dma_buf_rw() to take a void pointer argument +to save us pointless casts to uint8_t *. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=c0ee1527358474c75067993d1bb233ad3a4ee081] + +Reviewed-by: Klaus Jensen +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-8-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + softmmu/dma-helpers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 3c06a2f..09e2999 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -294,9 +294,10 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk, + } + + +-static uint64_t dma_buf_rw(uint8_t *ptr, int32_t len, QEMUSGList *sg, ++static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + DMADirection dir) + { ++ uint8_t *ptr = buf; + uint64_t resid; + int sg_cur_index; + +-- +1.8.3.1 
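Review bot: several call sites touched by the dma_memory_read()/dma_memory_write() conversion above still discard the MemTxResult, most visibly the descriptor read in allwinner_sdhost_process_desc() (hw/sd/allwinner-sdhost.c), which is followed directly by `if (desc->size == 0)`, so desc is interpreted whether or not the read succeeded. get_dwords() in hw/usb/hcd-ehci.c and xhci_ring_fetch() in hw/usb/hcd-xhci.c have the same shape, while the hw/usb/hcd-ohci.c helpers return -1 on failure. Every converted caller passes MEMTXATTRS_UNSPECIFIED, which is what the old inline wrappers in include/sysemu/dma.h passed, so behaviour is unchanged here; the unchecked reads are worth a follow-up that checks the result the way the OHCI helpers do.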
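Review bot: the kernel-doc added for dma_memory_map() in include/sysemu/dma.h reads `@attrs: memory attributes`, while the dma_memory_read()/dma_memory_write() comments added to the same header by the preceding patch read `@attrs: memory transaction attributes`. The parameter is a MemTxAttrs in all three, so the dma_memory_map() line should use the same wording to keep the header consistent.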
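Review bot: the header of 0008_have_dma_buf_rw_function_take_a_void_pointer.patch carries `CVE: CVE-2021-3611`, but its only change is the dma_buf_rw() parameter type in softmmu/dma-helpers.c plus `uint8_t *ptr = buf;`, which leaves DMA behaviour as it was. The description should state that this is a prerequisite refactor (the 0009 hunk for softmmu/dma-helpers.c has `dma_buf_rw(void *buf, ...` in its context line, so it applies on top of this one), so that anyone auditing the CVE backport does not look for the fix in this file.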
diff --git a/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch b/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch new file mode 100644 index 0000000000..d65e0b4305 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch 
@@ -0,0 +1,167 @@ +From 5e468a36dcdd8fd5eb04282842b72967a29875e4 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 16 Dec 2021 11:27:23 +0100 +Subject: [PATCH] dma: Have dma_buf_read() / dma_buf_write() take a void + pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +DMA operations are run on any kind of buffer, not arrays of +uint8_t. Convert dma_buf_read/dma_buf_write functions to take +a void pointer argument and save us pointless casts to uint8_t *. + +Remove this pointless casts in the megasas device model. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=5e468a36dcdd8fd5eb04282842b72967a29875e4] + +Reviewed-by: Klaus Jensen +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-9-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + hw/scsi/megasas.c | 22 +++++++++++----------- + include/sysemu/dma.h | 4 ++-- + softmmu/dma-helpers.c | 4 ++-- + 3 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 14ec6d6..2dae33f 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -848,7 +848,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) + MFI_INFO_PDMIX_SATA | + MFI_INFO_PDMIX_LD); + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -878,7 +878,7 @@ static int megasas_mfc_get_defaults(MegasasState *s, MegasasCmd *cmd) + info.disable_preboot_cli = 1; + info.cluster_disable = 1; + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -899,7 +899,7 @@ static int megasas_dcmd_get_bios_info(MegasasState *s, MegasasCmd *cmd) + info.expose_all_drives = 1; + } + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, 
dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -910,7 +910,7 @@ static int megasas_dcmd_get_fw_time(MegasasState *s, MegasasCmd *cmd) + + fw_time = cpu_to_le64(megasas_fw_time()); + +- cmd->iov_size -= dma_buf_read((uint8_t *)&fw_time, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -937,7 +937,7 @@ static int megasas_event_info(MegasasState *s, MegasasCmd *cmd) + info.shutdown_seq_num = cpu_to_le32(s->shutdown_event); + info.boot_seq_num = cpu_to_le32(s->boot_event); + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -1006,7 +1006,7 @@ static int megasas_dcmd_pd_get_list(MegasasState *s, MegasasCmd *cmd) + info.size = cpu_to_le32(offset); + info.count = cpu_to_le32(num_pd_disks); + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, offset, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -1172,7 +1172,7 @@ static int megasas_dcmd_ld_get_list(MegasasState *s, MegasasCmd *cmd) + info.ld_count = cpu_to_le32(num_ld_disks); + trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks); + +- resid = dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg); + cmd->iov_size = dcmd_size - resid; + return MFI_STAT_OK; + } +@@ -1221,7 +1221,7 @@ static int megasas_dcmd_ld_list_query(MegasasState *s, MegasasCmd *cmd) + info.size = dcmd_size; + trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks); + +- resid = dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg); + cmd->iov_size = dcmd_size - resid; + return MFI_STAT_OK; + } +@@ -1390,7 +1390,7 @@ static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd) + ld_offset += 
sizeof(struct mfi_ld_config); + } + +- cmd->iov_size -= dma_buf_read((uint8_t *)data, info->size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -1420,7 +1420,7 @@ static int megasas_dcmd_get_properties(MegasasState *s, MegasasCmd *cmd) + info.ecc_bucket_leak_rate = cpu_to_le16(1440); + info.expose_encl_devices = 1; + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -1465,7 +1465,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd) + dcmd_size); + return MFI_STAT_INVALID_PARAMETER; + } +- dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ dma_buf_write(&info, dcmd_size, &cmd->qsg); + trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size); + return MFI_STAT_OK; + } +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 97ff6f2..0d5b836 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -302,8 +302,8 @@ BlockAIOCB *dma_blk_read(BlockBackend *blk, + BlockAIOCB *dma_blk_write(BlockBackend *blk, + QEMUSGList *sg, uint64_t offset, uint32_t align, + BlockCompletionFunc *cb, void *opaque); +-uint64_t dma_buf_read(uint8_t *ptr, int32_t len, QEMUSGList *sg); +-uint64_t dma_buf_write(uint8_t *ptr, int32_t len, QEMUSGList *sg); ++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg); ++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg); + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, + QEMUSGList *sg, enum BlockAcctType type); +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 09e2999..7f37548 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -317,12 +317,12 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + return resid; + } + +-uint64_t dma_buf_read(uint8_t *ptr, int32_t len, QEMUSGList *sg) ++uint64_t dma_buf_read(void *ptr, int32_t len, 
QEMUSGList *sg) + { + return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE); + } + +-uint64_t dma_buf_write(uint8_t *ptr, int32_t len, QEMUSGList *sg) ++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg) + { + return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE); + } +-- +1.8.3.1 diff --git a/meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..8207058aca --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,91 @@ +From e2d784b67dc724a9b0854b49255ba0ee8ca46543 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 22:18:19 +0100 +Subject: [PATCH] pci: Let pci_dma_rw() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling pci_dma_rw(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=e2d784b67dc724a9b0854b49255ba0ee8ca46543] + +Reviewed-by: Klaus Jensen +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-10-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + hw/audio/intel-hda.c | 3 ++- + hw/scsi/esp-pci.c | 2 +- + include/hw/pci/pci.h | 10 ++++++---- + 3 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index 8ce9df6..fb3d34a 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -427,7 +427,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, + dprint(d, 3, "dma: entry %d, pos %d/%d, copy %d\n", + st->be, st->bp, st->bpl[st->be].len, copy); + +- pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output); ++ pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output, ++ MEMTXATTRS_UNSPECIFIED); + st->lpib += copy; + st->bp += copy; + buf += copy; +diff --git a/hw/scsi/esp-pci.c b/hw/scsi/esp-pci.c +index dac054a..1792f84 100644 +--- a/hw/scsi/esp-pci.c ++++ b/hw/scsi/esp-pci.c +@@ -280,7 +280,7 @@ static void esp_pci_dma_memory_rw(PCIESPState *pci, uint8_t *buf, int len, + len = pci->dma_regs[DMA_WBC]; + } + +- pci_dma_rw(PCI_DEVICE(pci), addr, buf, len, dir); ++ pci_dma_rw(PCI_DEVICE(pci), addr, buf, len, dir, MEMTXATTRS_UNSPECIFIED); + + /* update status registers */ + pci->dma_regs[DMA_WBC] -= len; +diff --git a/include/hw/pci/pci.h 
b/include/hw/pci/pci.h +index 1acefc2..a751ab5 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -806,10 +806,10 @@ static inline AddressSpace *pci_get_address_space(PCIDevice *dev) + */ + static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr, + void *buf, dma_addr_t len, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + return dma_memory_rw(pci_get_address_space(dev), addr, buf, len, +- dir, MEMTXATTRS_UNSPECIFIED); ++ dir, attrs); + } + + /** +@@ -827,7 +827,8 @@ static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr, + static inline MemTxResult pci_dma_read(PCIDevice *dev, dma_addr_t addr, + void *buf, dma_addr_t len) + { +- return pci_dma_rw(dev, addr, buf, len, DMA_DIRECTION_TO_DEVICE); ++ return pci_dma_rw(dev, addr, buf, len, ++ DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + + /** +@@ -845,7 +846,8 @@ static inline MemTxResult pci_dma_read(PCIDevice *dev, dma_addr_t addr, + static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + const void *buf, dma_addr_t len) + { +- return pci_dma_rw(dev, addr, (void *) buf, len, DMA_DIRECTION_FROM_DEVICE); ++ return pci_dma_rw(dev, addr, (void *) buf, len, ++ DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + + #define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \ +-- +1.8.3.1 diff --git a/meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..4f7276ef8b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,65 @@ +From 959384e74e1b508acc3af6e806b3d7b87335fc2a Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 22:59:46 +0100 +Subject: [PATCH] dma: Let dma_buf_rw() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling dma_buf_rw(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the 2 callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=959384e74e1b508acc3af6e806b3d7b87335fc2a] + +Reviewed-by: Klaus Jensen +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-11-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + softmmu/dma-helpers.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 7f37548..fa81d2b 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -295,7 +295,7 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk, + + + static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + uint8_t *ptr = buf; + uint64_t resid; +@@ -307,8 +307,7 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + while (len > 0) { + ScatterGatherEntry entry = sg->sg[sg_cur_index++]; + int32_t xfer = MIN(len, entry.len); +- dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, +- MEMTXATTRS_UNSPECIFIED); ++ dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs); + ptr += xfer; + len -= xfer; + resid -= xfer; +@@ -319,12 +318,14 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + + uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE); ++ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + } + + uint64_t dma_buf_write(void *ptr, int32_t 
len, QEMUSGList *sg) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE); ++ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + } + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, +-- +1.8.3.1 diff --git a/meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..9837516422 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,129 @@ +From 392e48af3468d7f8e49db33fdc9e28b5f99276ce Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 23:02:21 +0100 +Subject: [PATCH] dma: Let dma_buf_write() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_buf_write(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=392e48af3468d7f8e49db33fdc9e28b5f99276ce] + +Reviewed-by: Klaus Jensen +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-12-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + hw/ide/ahci.c | 6 ++++-- + hw/nvme/ctrl.c | 3 ++- + hw/scsi/megasas.c | 2 +- + hw/scsi/scsi-bus.c | 2 +- + include/sysemu/dma.h | 2 +- + softmmu/dma-helpers.c | 5 ++--- + 6 files changed, 11 insertions(+), 9 deletions(-) + +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c +index 8e77ddb..079d297 100644 +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -1381,8 +1381,10 @@ static void ahci_pio_transfer(const IDEDMA *dma) + has_sglist ? 
"" : "o"); + + if (has_sglist && size) { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ + if (is_write) { +- dma_buf_write(s->data_ptr, size, &s->sg); ++ dma_buf_write(s->data_ptr, size, &s->sg, attrs); + } else { + dma_buf_read(s->data_ptr, size, &s->sg); + } +@@ -1479,7 +1481,7 @@ static int ahci_dma_rw_buf(const IDEDMA *dma, bool is_write) + if (is_write) { + dma_buf_read(p, l, &s->sg); + } else { +- dma_buf_write(p, l, &s->sg); ++ dma_buf_write(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED); + } + + /* free sglist, update byte count */ +diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c +index 5f573c4..e1a531d 100644 +--- a/hw/nvme/ctrl.c ++++ b/hw/nvme/ctrl.c +@@ -1146,10 +1146,11 @@ static uint16_t nvme_tx(NvmeCtrl *n, NvmeSg *sg, uint8_t *ptr, uint32_t len, + assert(sg->flags & NVME_SG_ALLOC); + + if (sg->flags & NVME_SG_DMA) { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + uint64_t residual; + + if (dir == NVME_TX_DIRECTION_TO_DEVICE) { +- residual = dma_buf_write(ptr, len, &sg->qsg); ++ residual = dma_buf_write(ptr, len, &sg->qsg, attrs); + } else { + residual = dma_buf_read(ptr, len, &sg->qsg); + } +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 2dae33f..79fd14c 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -1465,7 +1465,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd) + dcmd_size); + return MFI_STAT_INVALID_PARAMETER; + } +- dma_buf_write(&info, dcmd_size, &cmd->qsg); ++ dma_buf_write(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size); + return MFI_STAT_OK; + } +diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c +index 77325d8..64a506a 100644 +--- a/hw/scsi/scsi-bus.c ++++ b/hw/scsi/scsi-bus.c +@@ -1423,7 +1423,7 @@ void scsi_req_data(SCSIRequest *req, int len) + if (req->cmd.mode == SCSI_XFER_FROM_DEV) { + req->resid = dma_buf_read(buf, len, req->sg); + } else { +- req->resid = dma_buf_write(buf, len, req->sg); ++ req->resid = 
dma_buf_write(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED); + } + scsi_req_continue(req); + } +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 0d5b836..e3dd74a 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -303,7 +303,7 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk, + QEMUSGList *sg, uint64_t offset, uint32_t align, + BlockCompletionFunc *cb, void *opaque); + uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg); +-uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg); ++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs); + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, + QEMUSGList *sg, enum BlockAcctType type); +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index fa81d2b..2f1a241 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -322,10 +322,9 @@ uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg) + MEMTXATTRS_UNSPECIFIED); + } + +-uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg) ++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, +- MEMTXATTRS_UNSPECIFIED); ++ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, attrs); + } + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, +-- +1.8.3.1 diff --git a/meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..4057caa8b0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,222 @@ +From 1e5a3f8b2a976054da96cbbb9de6cbac7c2efb79 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 23:29:52 +0100 +Subject: [PATCH] dma: Let dma_buf_read() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_buf_read(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=1e5a3f8b2a976054da96cbbb9de6cbac7c2efb79] + +Reviewed-by: Klaus Jensen +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-13-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + hw/ide/ahci.c | 4 ++-- + hw/nvme/ctrl.c | 2 +- + hw/scsi/megasas.c | 24 ++++++++++++------------ + hw/scsi/scsi-bus.c | 2 +- + include/sysemu/dma.h | 2 +- + softmmu/dma-helpers.c | 5 ++--- + 6 files changed, 19 insertions(+), 20 deletions(-) + +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c +index 079d297..205dfdc 100644 +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -1386,7 +1386,7 @@ static void ahci_pio_transfer(const IDEDMA *dma) + if (is_write) { + dma_buf_write(s->data_ptr, size, &s->sg, attrs); + } else { +- dma_buf_read(s->data_ptr, size, &s->sg); ++ dma_buf_read(s->data_ptr, size, &s->sg, attrs); + } + } + +@@ -1479,7 +1479,7 @@ static int ahci_dma_rw_buf(const IDEDMA *dma, bool is_write) + } + + if (is_write) { +- dma_buf_read(p, l, &s->sg); ++ dma_buf_read(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED); + } else { + dma_buf_write(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED); + } +diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c +index e1a531d..462f79a 100644 +--- a/hw/nvme/ctrl.c ++++ b/hw/nvme/ctrl.c +@@ -1152,7 +1152,7 @@ static uint16_t nvme_tx(NvmeCtrl *n, NvmeSg *sg, uint8_t *ptr, uint32_t len, + if (dir == NVME_TX_DIRECTION_TO_DEVICE) { + residual = dma_buf_write(ptr, len, &sg->qsg, attrs); + } else { +- residual = 
dma_buf_read(ptr, len, &sg->qsg); ++ residual = dma_buf_read(ptr, len, &sg->qsg, attrs); + } + + if (unlikely(residual)) { +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 79fd14c..091a350 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -848,7 +848,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) + MFI_INFO_PDMIX_SATA | + MFI_INFO_PDMIX_LD); + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -878,7 +878,7 @@ static int megasas_mfc_get_defaults(MegasasState *s, MegasasCmd *cmd) + info.disable_preboot_cli = 1; + info.cluster_disable = 1; + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -899,7 +899,7 @@ static int megasas_dcmd_get_bios_info(MegasasState *s, MegasasCmd *cmd) + info.expose_all_drives = 1; + } + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -910,7 +910,7 @@ static int megasas_dcmd_get_fw_time(MegasasState *s, MegasasCmd *cmd) + + fw_time = cpu_to_le64(megasas_fw_time()); + +- cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -937,7 +937,7 @@ static int megasas_event_info(MegasasState *s, MegasasCmd *cmd) + info.shutdown_seq_num = cpu_to_le32(s->shutdown_event); + info.boot_seq_num = cpu_to_le32(s->boot_event); + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -1006,7 +1006,7 @@ static int megasas_dcmd_pd_get_list(MegasasState *s, MegasasCmd *cmd) + 
info.size = cpu_to_le32(offset); + info.count = cpu_to_le32(num_pd_disks); + +- cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -1100,7 +1100,7 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun, + info->connected_port_bitmap = 0x1; + info->device_speed = 1; + info->link_speed = 1; +- resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + g_free(cmd->iov_buf); + cmd->iov_size = dcmd_size - resid; + cmd->iov_buf = NULL; +@@ -1172,7 +1172,7 @@ static int megasas_dcmd_ld_get_list(MegasasState *s, MegasasCmd *cmd) + info.ld_count = cpu_to_le32(num_ld_disks); + trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks); + +- resid = dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + cmd->iov_size = dcmd_size - resid; + return MFI_STAT_OK; + } +@@ -1221,7 +1221,7 @@ static int megasas_dcmd_ld_list_query(MegasasState *s, MegasasCmd *cmd) + info.size = dcmd_size; + trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks); + +- resid = dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + cmd->iov_size = dcmd_size - resid; + return MFI_STAT_OK; + } +@@ -1271,7 +1271,7 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun, + info->ld_config.span[0].num_blocks = info->size; + info->ld_config.span[0].array_ref = cpu_to_le16(sdev_id); + +- resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + g_free(cmd->iov_buf); + cmd->iov_size = dcmd_size - resid; + cmd->iov_buf = NULL; +@@ -1390,7 +1390,7 @@ static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd) + ld_offset += 
sizeof(struct mfi_ld_config); + } + +- cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -1420,7 +1420,7 @@ static int megasas_dcmd_get_properties(MegasasState *s, MegasasCmd *cmd) + info.ecc_bucket_leak_rate = cpu_to_le16(1440); + info.expose_encl_devices = 1; + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c +index 64a506a..2b5e9dc 100644 +--- a/hw/scsi/scsi-bus.c ++++ b/hw/scsi/scsi-bus.c +@@ -1421,7 +1421,7 @@ void scsi_req_data(SCSIRequest *req, int len) + + buf = scsi_req_get_buf(req); + if (req->cmd.mode == SCSI_XFER_FROM_DEV) { +- req->resid = dma_buf_read(buf, len, req->sg); ++ req->resid = dma_buf_read(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED); + } else { + req->resid = dma_buf_write(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED); + } +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index e3dd74a..fd8f160 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -302,7 +302,7 @@ BlockAIOCB *dma_blk_read(BlockBackend *blk, + BlockAIOCB *dma_blk_write(BlockBackend *blk, + QEMUSGList *sg, uint64_t offset, uint32_t align, + BlockCompletionFunc *cb, void *opaque); +-uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg); ++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs); + uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs); + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 2f1a241..a391773 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -316,10 +316,9 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + return resid; + } + +-uint64_t 
dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg) ++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, +- MEMTXATTRS_UNSPECIFIED); ++ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, attrs); + } + + uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch new file mode 100644 index 0000000000..571ce9cc9b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch 
@@ -0,0 +1,91 @@ +From 292e13142d277c15bdd68331abc607e46628b7e1 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 23:38:52 +0100 +Subject: [PATCH] dma: Let dma_buf_rw() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +dma_memory_rw() returns a MemTxResult type. Do not discard +it, return it to the caller. + +Since dma_buf_rw() was previously returning the QEMUSGList +size not consumed, add an extra argument where this size +can be stored. + +Update the 2 callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=292e13142d277c15bdd68331abc607e46628b7e1] + +Reviewed-by: Klaus Jensen +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-14-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + softmmu/dma-helpers.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index a391773..b0be156 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -294,12 +294,14 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk, + } + + +-static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, +- DMADirection dir, MemTxAttrs attrs) ++static MemTxResult dma_buf_rw(void *buf, int32_t len, uint64_t *residp, ++ QEMUSGList *sg, DMADirection dir, ++ MemTxAttrs attrs) + { + uint8_t *ptr = buf; + uint64_t resid; + int sg_cur_index; ++ MemTxResult res = MEMTX_OK; + + resid = sg->size; + sg_cur_index = 0; +@@ -307,23 +309,34 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + while (len > 0) { + ScatterGatherEntry entry = sg->sg[sg_cur_index++]; + int32_t xfer = MIN(len, entry.len); +- dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs); ++ res |= dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs); + ptr += xfer; + len -= xfer; + resid -= xfer; + } + +- return resid; ++ if 
(residp) { ++ *residp = resid; ++ } ++ return res; + } + + uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, attrs); ++ uint64_t resid; ++ ++ dma_buf_rw(ptr, len, &resid, sg, DMA_DIRECTION_FROM_DEVICE, attrs); ++ ++ return resid; + } + + uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, attrs); ++ uint64_t resid; ++ ++ dma_buf_rw(ptr, len, &resid, sg, DMA_DIRECTION_TO_DEVICE, attrs); ++ ++ return resid; + } + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..7f56dcb6eb --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,120 @@ +From 2280c27afc65bb2af95dd44a88e3b7117bfe240a Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 23:53:34 +0100 +Subject: [PATCH] dma: Let st*_dma() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling st*_dma(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2280c27afc65bb2af95dd44a88e3b7117bfe240a] + +Reviewed-by: Richard Henderson +Reviewed-by: Cédric Le Goater +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-16-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + hw/nvram/fw_cfg.c | 4 ++-- + include/hw/pci/pci.h | 3 ++- + include/hw/ppc/spapr_vio.h | 12 ++++++++---- + include/sysemu/dma.h | 10 ++++++---- + 4 files changed, 18 insertions(+), 11 deletions(-) + +diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c +index 9b91b15..e5f3c981 100644 +--- a/hw/nvram/fw_cfg.c ++++ b/hw/nvram/fw_cfg.c +@@ -360,7 +360,7 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + if (dma_memory_read(s->dma_as, dma_addr, + &dma, sizeof(dma), MEMTXATTRS_UNSPECIFIED)) { + stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control), +- FW_CFG_DMA_CTL_ERROR); ++ FW_CFG_DMA_CTL_ERROR, MEMTXATTRS_UNSPECIFIED); + return; + } + +@@ -446,7 +446,7 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + } + + stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control), +- dma.control); ++ dma.control, MEMTXATTRS_UNSPECIFIED); + + trace_fw_cfg_read(s, 0); + } +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index a751ab5..d07e970 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -859,7 +859,8 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + static inline void st##_s##_pci_dma(PCIDevice *dev, \ + dma_addr_t 
addr, uint##_bits##_t val) \ + { \ +- st##_s##_dma(pci_get_address_space(dev), addr, val); \ ++ st##_s##_dma(pci_get_address_space(dev), addr, val, \ ++ MEMTXATTRS_UNSPECIFIED); \ + } + + PCI_DMA_DEFINE_LDST(ub, b, 8); +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index 5d2ea8e..e87f8e6 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -118,10 +118,14 @@ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr, + H_DEST_PARM : H_SUCCESS; + } + +-#define vio_stb(_dev, _addr, _val) (stb_dma(&(_dev)->as, (_addr), (_val))) +-#define vio_sth(_dev, _addr, _val) (stw_be_dma(&(_dev)->as, (_addr), (_val))) +-#define vio_stl(_dev, _addr, _val) (stl_be_dma(&(_dev)->as, (_addr), (_val))) +-#define vio_stq(_dev, _addr, _val) (stq_be_dma(&(_dev)->as, (_addr), (_val))) ++#define vio_stb(_dev, _addr, _val) \ ++ (stb_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) ++#define vio_sth(_dev, _addr, _val) \ ++ (stw_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) ++#define vio_stl(_dev, _addr, _val) \ ++ (stl_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) ++#define vio_stq(_dev, _addr, _val) \ ++ (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) + #define vio_ldq(_dev, _addr) (ldq_be_dma(&(_dev)->as, (_addr))) + + int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq); +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index fd8f160..009dd3c 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -249,10 +249,11 @@ static inline void dma_memory_unmap(AddressSpace *as, + } \ + static inline void st##_sname##_##_end##_dma(AddressSpace *as, \ + dma_addr_t addr, \ +- uint##_bits##_t val) \ ++ uint##_bits##_t val, \ ++ MemTxAttrs attrs) \ + { \ + val = cpu_to_##_end##_bits(val); \ +- dma_memory_write(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \ ++ dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ + } + + static inline uint8_t 
ldub_dma(AddressSpace *as, dma_addr_t addr) +@@ -263,9 +264,10 @@ static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr) + return val; + } + +-static inline void stb_dma(AddressSpace *as, dma_addr_t addr, uint8_t val) ++static inline void stb_dma(AddressSpace *as, dma_addr_t addr, ++ uint8_t val, MemTxAttrs attrs) + { +- dma_memory_write(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED); ++ dma_memory_write(as, addr, &val, 1, attrs); + } + + DEFINE_LDST_DMA(uw, w, 16, le); +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..a51451d343 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,151 @@ +From 34cdea1db600540a5261dc474e986f28b637c8e6 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 22:18:07 +0100 +Subject: [PATCH] dma: Let ld*_dma() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling ld*_dma(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=34cdea1db600540a5261dc474e986f28b637c8e6] + +Reviewed-by: Richard Henderson +Reviewed-by: Cédric Le Goater +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-17-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + hw/intc/pnv_xive.c | 7 ++++--- + hw/usb/hcd-xhci.c | 6 +++--- + include/hw/pci/pci.h | 3 ++- + include/hw/ppc/spapr_vio.h | 3 ++- + include/sysemu/dma.h | 11 ++++++----- + 5 files changed, 17 insertions(+), 13 deletions(-) + +diff --git a/hw/intc/pnv_xive.c b/hw/intc/pnv_xive.c +index ad43483..d9249bb 100644 +--- a/hw/intc/pnv_xive.c ++++ b/hw/intc/pnv_xive.c +@@ -172,7 +172,7 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type, + + /* Get the page size of the indirect table. 
*/ + vsd_addr = vsd & VSD_ADDRESS_MASK; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr); ++ vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +@@ -195,7 +195,8 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type, + /* Load the VSD we are looking for, if not already done */ + if (vsd_idx) { + vsd_addr = vsd_addr + vsd_idx * XIVE_VSD_SIZE; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr); ++ vsd = ldq_be_dma(&address_space_memory, vsd_addr, ++ MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +@@ -542,7 +543,7 @@ static uint64_t pnv_xive_vst_per_subpage(PnvXive *xive, uint32_t type) + + /* Get the page size of the indirect table. */ + vsd_addr = vsd & VSD_ADDRESS_MASK; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr); ++ vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index ed2b9ea..d960b81 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -2062,7 +2062,7 @@ static TRBCCode xhci_address_slot(XHCIState *xhci, unsigned int slotid, + assert(slotid >= 1 && slotid <= xhci->numslots); + + dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high); +- poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid); ++ poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid, MEMTXATTRS_UNSPECIFIED); + ictx = xhci_mask64(pictx); + octx = xhci_mask64(poctx); + +@@ -3437,8 +3437,8 @@ static int usb_xhci_post_load(void *opaque, int version_id) + if (!slot->addressed) { + continue; + } +- slot->ctx = +- xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid)); ++ slot->ctx = xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid, ++ MEMTXATTRS_UNSPECIFIED)); + xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx)); + slot->uport = xhci_lookup_uport(xhci, slot_ctx); + if (!slot->uport) { +diff --git 
a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index d07e970..0613308 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -854,7 +854,8 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr) \ + { \ +- return ld##_l##_dma(pci_get_address_space(dev), addr); \ ++ return ld##_l##_dma(pci_get_address_space(dev), addr, \ ++ MEMTXATTRS_UNSPECIFIED); \ + } \ + static inline void st##_s##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr, uint##_bits##_t val) \ +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index e87f8e6..d2ec9b0 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -126,7 +126,8 @@ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr, + (stl_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) + #define vio_stq(_dev, _addr, _val) \ + (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) +-#define vio_ldq(_dev, _addr) (ldq_be_dma(&(_dev)->as, (_addr))) ++#define vio_ldq(_dev, _addr) \ ++ (ldq_be_dma(&(_dev)->as, (_addr), MEMTXATTRS_UNSPECIFIED)) + + int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq); + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 009dd3c..d1635f5 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -241,10 +241,11 @@ static inline void dma_memory_unmap(AddressSpace *as, + + #define DEFINE_LDST_DMA(_lname, _sname, _bits, _end) \ + static inline uint##_bits##_t ld##_lname##_##_end##_dma(AddressSpace *as, \ +- dma_addr_t addr) \ ++ dma_addr_t addr, \ ++ MemTxAttrs attrs) \ + { \ + uint##_bits##_t val; \ +- dma_memory_read(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \ ++ dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \ + return _end##_bits##_to_cpu(val); \ + } \ + static inline void st##_sname##_##_end##_dma(AddressSpace *as, \ +@@ -253,14 +254,14 @@ static inline void 
dma_memory_unmap(AddressSpace *as, + MemTxAttrs attrs) \ + { \ + val = cpu_to_##_end##_bits(val); \ +- dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ ++ dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ + } + +-static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr) ++static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs) + { + uint8_t val; + +- dma_memory_read(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED); ++ dma_memory_read(as, addr, &val, 1, attrs); + return val; + } + +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch new file mode 100644 index 0000000000..3fc7b631a4 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch 
@@ -0,0 +1,65 @@ +From 24aed6bcb6b6d266149591f955c2460c28759eb4 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 23:56:14 +0100 +Subject: [PATCH] dma: Let st*_dma() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +dma_memory_write() returns a MemTxResult type. Do not discard +it, return it to the caller. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=24aed6bcb6b6d266149591f955c2460c28759eb4] + +Reviewed-by: Richard Henderson +Reviewed-by: Cédric Le Goater +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-18-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + include/sysemu/dma.h | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index d1635f5..895044d 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -248,13 +248,13 @@ static inline void dma_memory_unmap(AddressSpace *as, + dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \ + return _end##_bits##_to_cpu(val); \ + } \ +- static inline void st##_sname##_##_end##_dma(AddressSpace *as, \ +- dma_addr_t addr, \ +- uint##_bits##_t val, \ +- MemTxAttrs attrs) \ +- { \ +- val = cpu_to_##_end##_bits(val); \ +- dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ ++ static inline MemTxResult st##_sname##_##_end##_dma(AddressSpace *as, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t val, \ ++ MemTxAttrs attrs) \ ++ { \ ++ val = cpu_to_##_end##_bits(val); \ ++ return dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ + } + + static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs) +@@ -265,10 +265,10 @@ static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs att + return val; + } + +-static inline void stb_dma(AddressSpace *as, dma_addr_t addr, +- uint8_t val, MemTxAttrs attrs) 
++static inline MemTxResult stb_dma(AddressSpace *as, dma_addr_t addr, ++ uint8_t val, MemTxAttrs attrs) + { +- dma_memory_write(as, addr, &val, 1, attrs); ++ return dma_memory_write(as, addr, &val, 1, attrs); + } + + DEFINE_LDST_DMA(uw, w, 16, le); +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch new file mode 100644 index 0000000000..d8a136c47f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch 
@@ -0,0 +1,175 @@ +From cd1db8df7431edd2210ed0123e2e09b9b6d1e621 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 22:31:11 +0100 +Subject: [PATCH] dma: Let ld*_dma() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +dma_memory_read() returns a MemTxResult type. Do not discard +it, return it to the caller. + +Update the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=cd1db8df7431edd2210ed0123e2e09b9b6d1e621] + +Reviewed-by: Richard Henderson +Reviewed-by: Cédric Le Goater +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-19-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + hw/intc/pnv_xive.c | 8 ++++---- + hw/usb/hcd-xhci.c | 7 ++++--- + include/hw/pci/pci.h | 6 ++++-- + include/hw/ppc/spapr_vio.h | 6 +++++- + include/sysemu/dma.h | 25 ++++++++++++------------- + 5 files changed, 29 insertions(+), 23 deletions(-) + +diff --git a/hw/intc/pnv_xive.c b/hw/intc/pnv_xive.c +index d9249bb..bb20751 100644 +--- a/hw/intc/pnv_xive.c ++++ b/hw/intc/pnv_xive.c +@@ -172,7 +172,7 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type, + + /* Get the page size of the indirect table. 
*/ + vsd_addr = vsd & VSD_ADDRESS_MASK; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); ++ ldq_be_dma(&address_space_memory, vsd_addr, &vsd, MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +@@ -195,8 +195,8 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type, + /* Load the VSD we are looking for, if not already done */ + if (vsd_idx) { + vsd_addr = vsd_addr + vsd_idx * XIVE_VSD_SIZE; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr, +- MEMTXATTRS_UNSPECIFIED); ++ ldq_be_dma(&address_space_memory, vsd_addr, &vsd, ++ MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +@@ -543,7 +543,7 @@ static uint64_t pnv_xive_vst_per_subpage(PnvXive *xive, uint32_t type) + + /* Get the page size of the indirect table. */ + vsd_addr = vsd & VSD_ADDRESS_MASK; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); ++ ldq_be_dma(&address_space_memory, vsd_addr, &vsd, MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index d960b81..da5a407 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -2062,7 +2062,7 @@ static TRBCCode xhci_address_slot(XHCIState *xhci, unsigned int slotid, + assert(slotid >= 1 && slotid <= xhci->numslots); + + dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high); +- poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid, MEMTXATTRS_UNSPECIFIED); ++ ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &poctx, MEMTXATTRS_UNSPECIFIED); + ictx = xhci_mask64(pictx); + octx = xhci_mask64(poctx); + +@@ -3429,6 +3429,7 @@ static int usb_xhci_post_load(void *opaque, int version_id) + uint32_t slot_ctx[4]; + uint32_t ep_ctx[5]; + int slotid, epid, state; ++ uint64_t addr; + + dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high); + +@@ -3437,8 +3438,8 @@ static int usb_xhci_post_load(void *opaque, int version_id) + if (!slot->addressed) { + 
continue; + } +- slot->ctx = xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid, +- MEMTXATTRS_UNSPECIFIED)); ++ ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &addr, MEMTXATTRS_UNSPECIFIED); ++ slot->ctx = xhci_mask64(addr); + xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx)); + slot->uport = xhci_lookup_uport(xhci, slot_ctx); + if (!slot->uport) { +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 0613308..8c5f2ed 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -854,8 +854,10 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr) \ + { \ +- return ld##_l##_dma(pci_get_address_space(dev), addr, \ +- MEMTXATTRS_UNSPECIFIED); \ ++ uint##_bits##_t val; \ ++ ld##_l##_dma(pci_get_address_space(dev), addr, &val, \ ++ MEMTXATTRS_UNSPECIFIED); \ ++ return val; \ + } \ + static inline void st##_s##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr, uint##_bits##_t val) \ +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index d2ec9b0..7eae1a4 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -127,7 +127,11 @@ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr, + #define vio_stq(_dev, _addr, _val) \ + (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) + #define vio_ldq(_dev, _addr) \ +- (ldq_be_dma(&(_dev)->as, (_addr), MEMTXATTRS_UNSPECIFIED)) ++ ({ \ ++ uint64_t _val; \ ++ ldq_be_dma(&(_dev)->as, (_addr), &_val, MEMTXATTRS_UNSPECIFIED); \ ++ _val; \ ++ }) + + int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq); + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 895044d..b3faef4 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -240,14 +240,15 @@ static inline void dma_memory_unmap(AddressSpace *as, + } + + #define DEFINE_LDST_DMA(_lname, _sname, _bits, _end) \ +- static inline uint##_bits##_t 
ld##_lname##_##_end##_dma(AddressSpace *as, \ +- dma_addr_t addr, \ +- MemTxAttrs attrs) \ +- { \ +- uint##_bits##_t val; \ +- dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \ +- return _end##_bits##_to_cpu(val); \ +- } \ ++ static inline MemTxResult ld##_lname##_##_end##_dma(AddressSpace *as, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t *pval, \ ++ MemTxAttrs attrs) \ ++ { \ ++ MemTxResult res = dma_memory_read(as, addr, pval, (_bits) / 8, attrs); \ ++ _end##_bits##_to_cpus(pval); \ ++ return res; \ ++ } \ + static inline MemTxResult st##_sname##_##_end##_dma(AddressSpace *as, \ + dma_addr_t addr, \ + uint##_bits##_t val, \ +@@ -257,12 +258,10 @@ static inline void dma_memory_unmap(AddressSpace *as, + return dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ + } + +-static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs) ++static inline MemTxResult ldub_dma(AddressSpace *as, dma_addr_t addr, ++ uint8_t *val, MemTxAttrs attrs) + { +- uint8_t val; +- +- dma_memory_read(as, addr, &val, 1, attrs); +- return val; ++ return dma_memory_read(as, addr, val, 1, attrs); + } + + static inline MemTxResult stb_dma(AddressSpace *as, dma_addr_t addr, +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..69101f308d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,303 @@ +From a423a1b523296f8798a5851aaaba64dd166c0a74 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 22:39:42 +0100 +Subject: [PATCH] pci: Let st*_pci_dma() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling st*_pci_dma(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=a423a1b523296f8798a5851aaaba64dd166c0a74] + +Reviewed-by: Richard Henderson +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-21-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + hw/audio/intel-hda.c | 10 ++++++---- + hw/net/eepro100.c | 29 ++++++++++++++++++----------- + hw/net/tulip.c | 18 ++++++++++-------- + hw/scsi/megasas.c | 15 ++++++++++----- + hw/scsi/vmw_pvscsi.c | 3 ++- + include/hw/pci/pci.h | 11 ++++++----- + 6 files changed, 52 insertions(+), 34 deletions(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index fb3d34a..3309ae0 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -345,6 +345,7 @@ static void intel_hda_corb_run(IntelHDAState *d) + + static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t response) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus); + IntelHDAState *d = container_of(bus, IntelHDAState, codecs); + hwaddr addr; +@@ -367,8 +368,8 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res + ex = (solicited ? 
0 : (1 << 4)) | dev->cad; + wp = (d->rirb_wp + 1) & 0xff; + addr = intel_hda_addr(d->rirb_lbase, d->rirb_ubase); +- stl_le_pci_dma(&d->pci, addr + 8*wp, response); +- stl_le_pci_dma(&d->pci, addr + 8*wp + 4, ex); ++ stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); ++ stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); + d->rirb_wp = wp; + + dprint(d, 2, "%s: [wp 0x%x] response 0x%x, extra 0x%x\n", +@@ -394,6 +395,7 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res + static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, + uint8_t *buf, uint32_t len) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus); + IntelHDAState *d = container_of(bus, IntelHDAState, codecs); + hwaddr addr; +@@ -428,7 +430,7 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, + st->be, st->bp, st->bpl[st->be].len, copy); + + pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output, +- MEMTXATTRS_UNSPECIFIED); ++ attrs); + st->lpib += copy; + st->bp += copy; + buf += copy; +@@ -451,7 +453,7 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, + if (d->dp_lbase & 0x01) { + s = st - d->st; + addr = intel_hda_addr(d->dp_lbase & ~0x01, d->dp_ubase); +- stl_le_pci_dma(&d->pci, addr + 8*s, st->lpib); ++ stl_le_pci_dma(&d->pci, addr + 8 * s, st->lpib, attrs); + } + dprint(d, 3, "dma: --\n"); + +diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c +index 16e95ef..83c4431 100644 +--- a/hw/net/eepro100.c ++++ b/hw/net/eepro100.c +@@ -700,6 +700,8 @@ static void set_ru_state(EEPRO100State * s, ru_state_t state) + + static void dump_statistics(EEPRO100State * s) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ + /* Dump statistical data. Most data is never changed by the emulation + * and always 0, so we first just copy the whole block and then those + * values which really matter. 
+@@ -707,16 +709,18 @@ static void dump_statistics(EEPRO100State * s) + */ + pci_dma_write(&s->dev, s->statsaddr, &s->statistics, s->stats_size); + stl_le_pci_dma(&s->dev, s->statsaddr + 0, +- s->statistics.tx_good_frames); ++ s->statistics.tx_good_frames, attrs); + stl_le_pci_dma(&s->dev, s->statsaddr + 36, +- s->statistics.rx_good_frames); ++ s->statistics.rx_good_frames, attrs); + stl_le_pci_dma(&s->dev, s->statsaddr + 48, +- s->statistics.rx_resource_errors); ++ s->statistics.rx_resource_errors, attrs); + stl_le_pci_dma(&s->dev, s->statsaddr + 60, +- s->statistics.rx_short_frame_errors); ++ s->statistics.rx_short_frame_errors, attrs); + #if 0 +- stw_le_pci_dma(&s->dev, s->statsaddr + 76, s->statistics.xmt_tco_frames); +- stw_le_pci_dma(&s->dev, s->statsaddr + 78, s->statistics.rcv_tco_frames); ++ stw_le_pci_dma(&s->dev, s->statsaddr + 76, ++ s->statistics.xmt_tco_frames, attrs); ++ stw_le_pci_dma(&s->dev, s->statsaddr + 78, ++ s->statistics.rcv_tco_frames, attrs); + missing("CU dump statistical counters"); + #endif + } +@@ -833,6 +837,7 @@ static void set_multicast_list(EEPRO100State *s) + + static void action_command(EEPRO100State *s) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + /* The loop below won't stop if it gets special handcrafted data. + Therefore we limit the number of iterations. */ + unsigned max_loop_count = 16; +@@ -911,7 +916,7 @@ static void action_command(EEPRO100State *s) + } + /* Write new status. */ + stw_le_pci_dma(&s->dev, s->cb_address, +- s->tx.status | ok_status | STATUS_C); ++ s->tx.status | ok_status | STATUS_C, attrs); + if (bit_i) { + /* CU completed action. 
*/ + eepro100_cx_interrupt(s); +@@ -937,6 +942,7 @@ static void action_command(EEPRO100State *s) + + static void eepro100_cu_command(EEPRO100State * s, uint8_t val) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + cu_state_t cu_state; + switch (val) { + case CU_NOP: +@@ -986,7 +992,7 @@ static void eepro100_cu_command(EEPRO100State * s, uint8_t val) + /* Dump statistical counters. */ + TRACE(OTHER, logout("val=0x%02x (dump stats)\n", val)); + dump_statistics(s); +- stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005); ++ stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005, attrs); + break; + case CU_CMD_BASE: + /* Load CU base. */ +@@ -997,7 +1003,7 @@ static void eepro100_cu_command(EEPRO100State * s, uint8_t val) + /* Dump and reset statistical counters. */ + TRACE(OTHER, logout("val=0x%02x (dump stats and reset)\n", val)); + dump_statistics(s); +- stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007); ++ stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007, attrs); + memset(&s->statistics, 0, sizeof(s->statistics)); + break; + case CU_SRESUME: +@@ -1612,6 +1618,7 @@ static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size) + * - Magic packets should set bit 30 in power management driver register. + * - Interesting packets should set bit 29 in power management driver register. 
+ */ ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + EEPRO100State *s = qemu_get_nic_opaque(nc); + uint16_t rfd_status = 0xa000; + #if defined(CONFIG_PAD_RECEIVED_FRAMES) +@@ -1726,9 +1733,9 @@ static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size) + TRACE(OTHER, logout("command 0x%04x, link 0x%08x, addr 0x%08x, size %u\n", + rfd_command, rx.link, rx.rx_buf_addr, rfd_size)); + stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset + +- offsetof(eepro100_rx_t, status), rfd_status); ++ offsetof(eepro100_rx_t, status), rfd_status, attrs); + stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset + +- offsetof(eepro100_rx_t, count), size); ++ offsetof(eepro100_rx_t, count), size, attrs); + /* Early receive interrupt not supported. */ + #if 0 + eepro100_er_interrupt(s); +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index ca69f7e..1f2c79d 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -86,16 +86,18 @@ static void tulip_desc_read(TULIPState *s, hwaddr p, + static void tulip_desc_write(TULIPState *s, hwaddr p, + struct tulip_descriptor *desc) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ + if (s->csr[0] & CSR0_DBO) { +- stl_be_pci_dma(&s->dev, p, desc->status); +- stl_be_pci_dma(&s->dev, p + 4, desc->control); +- stl_be_pci_dma(&s->dev, p + 8, desc->buf_addr1); +- stl_be_pci_dma(&s->dev, p + 12, desc->buf_addr2); ++ stl_be_pci_dma(&s->dev, p, desc->status, attrs); ++ stl_be_pci_dma(&s->dev, p + 4, desc->control, attrs); ++ stl_be_pci_dma(&s->dev, p + 8, desc->buf_addr1, attrs); ++ stl_be_pci_dma(&s->dev, p + 12, desc->buf_addr2, attrs); + } else { +- stl_le_pci_dma(&s->dev, p, desc->status); +- stl_le_pci_dma(&s->dev, p + 4, desc->control); +- stl_le_pci_dma(&s->dev, p + 8, desc->buf_addr1); +- stl_le_pci_dma(&s->dev, p + 12, desc->buf_addr2); ++ stl_le_pci_dma(&s->dev, p, desc->status, attrs); ++ stl_le_pci_dma(&s->dev, p + 4, desc->control, attrs); ++ stl_le_pci_dma(&s->dev, p + 8, desc->buf_addr1, attrs); ++ 
stl_le_pci_dma(&s->dev, p + 12, desc->buf_addr2, attrs); + } + } + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 091a350..b5e8b14 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -168,14 +168,16 @@ static void megasas_frame_set_cmd_status(MegasasState *s, + unsigned long frame, uint8_t v) + { + PCIDevice *pci = &s->parent_obj; +- stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, cmd_status), v); ++ stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, cmd_status), ++ v, MEMTXATTRS_UNSPECIFIED); + } + + static void megasas_frame_set_scsi_status(MegasasState *s, + unsigned long frame, uint8_t v) + { + PCIDevice *pci = &s->parent_obj; +- stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, scsi_status), v); ++ stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, scsi_status), ++ v, MEMTXATTRS_UNSPECIFIED); + } + + static inline const char *mfi_frame_desc(unsigned int cmd) +@@ -542,6 +544,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s, + + static void megasas_complete_frame(MegasasState *s, uint64_t context) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + PCIDevice *pci_dev = PCI_DEVICE(s); + int tail, queue_offset; + +@@ -555,10 +558,12 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context) + */ + if (megasas_use_queue64(s)) { + queue_offset = s->reply_queue_head * sizeof(uint64_t); +- stq_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, context); ++ stq_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, ++ context, attrs); + } else { + queue_offset = s->reply_queue_head * sizeof(uint32_t); +- stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, context); ++ stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, ++ context, attrs); + } + s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa); + trace_megasas_qf_complete(context, s->reply_queue_head, +@@ -572,7 +577,7 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context) + 
s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds); + trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail, + s->busy); +- stl_le_pci_dma(pci_dev, s->producer_pa, s->reply_queue_head); ++ stl_le_pci_dma(pci_dev, s->producer_pa, s->reply_queue_head, attrs); + /* Notify HBA */ + if (msix_enabled(pci_dev)) { + trace_megasas_msix_raise(0); +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index cd76bd6..59c3e8b 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -55,7 +55,8 @@ + (m)->rs_pa + offsetof(struct PVSCSIRingsState, field))) + #define RS_SET_FIELD(m, field, val) \ + (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ +- (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val)) ++ (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \ ++ MEMTXATTRS_UNSPECIFIED)) + + struct PVSCSIClass { + PCIDeviceClass parent_class; +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 8c5f2ed..9f51ef2 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -859,11 +859,12 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + MEMTXATTRS_UNSPECIFIED); \ + return val; \ + } \ +- static inline void st##_s##_pci_dma(PCIDevice *dev, \ +- dma_addr_t addr, uint##_bits##_t val) \ +- { \ +- st##_s##_dma(pci_get_address_space(dev), addr, val, \ +- MEMTXATTRS_UNSPECIFIED); \ ++ static inline void st##_s##_pci_dma(PCIDevice *dev, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t val, \ ++ MemTxAttrs attrs) \ ++ { \ ++ st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \ + } + + PCI_DMA_DEFINE_LDST(ub, b, 8); +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..7f9de244be --- /dev/null 
+++ b/meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,271 @@ +From 398f9a84ac7132e38caf7b066273734b3bf619ff Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 23:45:06 +0100 +Subject: [PATCH] pci: Let ld*_pci_dma() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling ld*_pci_dma(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=398f9a84ac7132e38caf7b066273734b3bf619ff] + +Reviewed-by: Richard Henderson +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-22-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + hw/audio/intel-hda.c | 2 +- + hw/net/eepro100.c | 19 +++++++++++++------ + hw/net/tulip.c | 18 ++++++++++-------- + hw/scsi/megasas.c | 16 ++++++++++------ + hw/scsi/mptsas.c | 10 ++++++---- + hw/scsi/vmw_pvscsi.c | 3 ++- + hw/usb/hcd-xhci.c | 1 + + include/hw/pci/pci.h | 6 +++--- + 8 files changed, 46 insertions(+), 29 deletions(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index 3309ae0..e34b7ab 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -335,7 +335,7 @@ static void intel_hda_corb_run(IntelHDAState *d) + + rp = (d->corb_rp + 1) & 0xff; + addr = intel_hda_addr(d->corb_lbase, d->corb_ubase); +- verb = ldl_le_pci_dma(&d->pci, addr + 4*rp); ++ verb = ldl_le_pci_dma(&d->pci, addr + 4 * rp, MEMTXATTRS_UNSPECIFIED); + d->corb_rp = rp; + + dprint(d, 2, "%s: [rp 0x%x] verb 0x%08x\n", __func__, rp, verb); +diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c +index 83c4431..eb82e9c 100644 +--- a/hw/net/eepro100.c ++++ b/hw/net/eepro100.c +@@ -737,6 +737,7 @@ static void read_cb(EEPRO100State *s) + + static void tx_command(EEPRO100State *s) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + uint32_t tbd_array = s->tx.tbd_array_addr; + uint16_t tcb_bytes = 
s->tx.tcb_bytes & 0x3fff; + /* Sends larger than MAX_ETH_FRAME_SIZE are allowed, up to 2600 bytes. */ +@@ -772,11 +773,14 @@ static void tx_command(EEPRO100State *s) + /* Extended Flexible TCB. */ + for (; tbd_count < 2; tbd_count++) { + uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, +- tbd_address); ++ tbd_address, ++ attrs); + uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, +- tbd_address + 4); ++ tbd_address + 4, ++ attrs); + uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, +- tbd_address + 6); ++ tbd_address + 6, ++ attrs); + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n", +@@ -792,9 +796,12 @@ static void tx_command(EEPRO100State *s) + } + tbd_address = tbd_array; + for (; tbd_count < s->tx.tbd_count; tbd_count++) { +- uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address); +- uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4); +- uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6); ++ uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address, ++ attrs); ++ uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4, ++ attrs); ++ uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6, ++ attrs); + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n", +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index 1f2c79d..c76e486 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -70,16 +70,18 @@ static const VMStateDescription vmstate_pci_tulip = { + static void tulip_desc_read(TULIPState *s, hwaddr p, + struct tulip_descriptor *desc) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ + if (s->csr[0] & CSR0_DBO) { +- desc->status = ldl_be_pci_dma(&s->dev, p); +- desc->control = ldl_be_pci_dma(&s->dev, p + 4); +- desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8); +- desc->buf_addr2 = ldl_be_pci_dma(&s->dev, p + 12); ++ desc->status = ldl_be_pci_dma(&s->dev, p, attrs); ++ 
desc->control = ldl_be_pci_dma(&s->dev, p + 4, attrs); ++ desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8, attrs); ++ desc->buf_addr2 = ldl_be_pci_dma(&s->dev, p + 12, attrs); + } else { +- desc->status = ldl_le_pci_dma(&s->dev, p); +- desc->control = ldl_le_pci_dma(&s->dev, p + 4); +- desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8); +- desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12); ++ desc->status = ldl_le_pci_dma(&s->dev, p, attrs); ++ desc->control = ldl_le_pci_dma(&s->dev, p + 4, attrs); ++ desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8, attrs); ++ desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12, attrs); + } + } + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index b5e8b14..98b1370 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -202,7 +202,9 @@ static uint64_t megasas_frame_get_context(MegasasState *s, + unsigned long frame) + { + PCIDevice *pci = &s->parent_obj; +- return ldq_le_pci_dma(pci, frame + offsetof(struct mfi_frame_header, context)); ++ return ldq_le_pci_dma(pci, ++ frame + offsetof(struct mfi_frame_header, context), ++ MEMTXATTRS_UNSPECIFIED); + } + + static bool megasas_frame_is_ieee_sgl(MegasasCmd *cmd) +@@ -534,7 +536,8 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s, + s->busy++; + + if (s->consumer_pa) { +- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa); ++ s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, ++ MEMTXATTRS_UNSPECIFIED); + } + trace_megasas_qf_enqueue(cmd->index, cmd->count, cmd->context, + s->reply_queue_head, s->reply_queue_tail, s->busy); +@@ -565,14 +568,14 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context) + stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, + context, attrs); + } +- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa); ++ s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs); + trace_megasas_qf_complete(context, s->reply_queue_head, + s->reply_queue_tail, s->busy); + } + + if 
(megasas_intr_enabled(s)) { + /* Update reply queue pointer */ +- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa); ++ s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs); + tail = s->reply_queue_head; + s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds); + trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail, +@@ -637,6 +640,7 @@ static void megasas_abort_command(MegasasCmd *cmd) + + static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + PCIDevice *pcid = PCI_DEVICE(s); + uint32_t pa_hi, pa_lo; + hwaddr iq_pa, initq_size = sizeof(struct mfi_init_qinfo); +@@ -675,9 +679,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd) + pa_lo = le32_to_cpu(initq->pi_addr_lo); + pa_hi = le32_to_cpu(initq->pi_addr_hi); + s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo; +- s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa); ++ s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa, attrs); + s->reply_queue_head %= MEGASAS_MAX_FRAMES; +- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa); ++ s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, attrs); + s->reply_queue_tail %= MEGASAS_MAX_FRAMES; + flags = le32_to_cpu(initq->flags); + if (flags & MFI_QUEUE_FLAG_CONTEXT64) { +diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c +index f6c7765..ac9f4df 100644 +--- a/hw/scsi/mptsas.c ++++ b/hw/scsi/mptsas.c +@@ -172,14 +172,15 @@ static const int mpi_request_sizes[] = { + static dma_addr_t mptsas_ld_sg_base(MPTSASState *s, uint32_t flags_and_length, + dma_addr_t *sgaddr) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + PCIDevice *pci = (PCIDevice *) s; + dma_addr_t addr; + + if (flags_and_length & MPI_SGE_FLAGS_64_BIT_ADDRESSING) { +- addr = ldq_le_pci_dma(pci, *sgaddr + 4); ++ addr = ldq_le_pci_dma(pci, *sgaddr + 4, attrs); + *sgaddr += 12; + } else { +- addr = ldl_le_pci_dma(pci, *sgaddr + 4); ++ addr = 
ldl_le_pci_dma(pci, *sgaddr + 4, attrs); + *sgaddr += 8; + } + return addr; +@@ -203,7 +204,7 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr) + dma_addr_t addr, len; + uint32_t flags_and_length; + +- flags_and_length = ldl_le_pci_dma(pci, sgaddr); ++ flags_and_length = ldl_le_pci_dma(pci, sgaddr, MEMTXATTRS_UNSPECIFIED); + len = flags_and_length & MPI_SGE_LENGTH_MASK; + if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK) + != MPI_SGE_FLAGS_SIMPLE_ELEMENT || +@@ -234,7 +235,8 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr) + break; + } + +- flags_and_length = ldl_le_pci_dma(pci, next_chain_addr); ++ flags_and_length = ldl_le_pci_dma(pci, next_chain_addr, ++ MEMTXATTRS_UNSPECIFIED); + if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK) + != MPI_SGE_FLAGS_CHAIN_ELEMENT) { + return MPI_IOCSTATUS_INVALID_SGL; +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index 59c3e8b..33e16f9 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -52,7 +52,8 @@ + + #define RS_GET_FIELD(m, field) \ + (ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ +- (m)->rs_pa + offsetof(struct PVSCSIRingsState, field))) ++ (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), \ ++ MEMTXATTRS_UNSPECIFIED)) + #define RS_SET_FIELD(m, field, val) \ + (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ + (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \ +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index da5a407..14bdb89 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -3440,6 +3440,7 @@ static int usb_xhci_post_load(void *opaque, int version_id) + } + ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &addr, MEMTXATTRS_UNSPECIFIED); + slot->ctx = xhci_mask64(addr); ++ + xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx)); + slot->uport = xhci_lookup_uport(xhci, slot_ctx); + if (!slot->uport) { +diff --git a/include/hw/pci/pci.h 
b/include/hw/pci/pci.h +index 9f51ef2..7a46c1f 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -852,11 +852,11 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + + #define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \ + static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \ +- dma_addr_t addr) \ ++ dma_addr_t addr, \ ++ MemTxAttrs attrs) \ + { \ + uint##_bits##_t val; \ +- ld##_l##_dma(pci_get_address_space(dev), addr, &val, \ +- MEMTXATTRS_UNSPECIFIED); \ ++ ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \ + return val; \ + } \ + static inline void st##_s##_pci_dma(PCIDevice *dev, \ +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch new file mode 100644 index 0000000000..e52a45b90f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch 
@@ -0,0 +1,47 @@ +From 6bebb270731758fae3114b7d24c2b12b7c325cc5 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 23:47:30 +0100 +Subject: [PATCH] pci: Let st*_pci_dma() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +st*_dma() returns a MemTxResult type. Do not discard +it, return it to the caller. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=6bebb270731758fae3114b7d24c2b12b7c325cc5] + +Reviewed-by: Richard Henderson +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-23-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + include/hw/pci/pci.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 7a46c1f..c90cecc 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -859,12 +859,12 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \ + return val; \ + } \ +- static inline void st##_s##_pci_dma(PCIDevice *dev, \ +- dma_addr_t addr, \ +- uint##_bits##_t val, \ +- MemTxAttrs attrs) \ ++ static inline MemTxResult st##_s##_pci_dma(PCIDevice *dev, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t val, \ ++ MemTxAttrs attrs) \ + { \ +- st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \ ++ return st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \ + } + + PCI_DMA_DEFINE_LDST(ub, b, 8); +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch new file mode 100644 index 0000000000..6bd6350f44 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch 
@@ -0,0 +1,296 @@ +From 4a63054bce23982b99f4d3c65528e47e614086b2 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 23:49:30 +0100 +Subject: [PATCH] pci: Let ld*_pci_dma() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +ld*_dma() returns a MemTxResult type. Do not discard +it, return it to the caller. + +Update the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=4a63054bce23982b99f4d3c65528e47e614086b2] + +Reviewed-by: Richard Henderson +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-24-philmd@redhat.com> +Signed-off-by: Bhabu Bindu +--- + hw/audio/intel-hda.c | 2 +- + hw/net/eepro100.c | 25 ++++++++++--------------- + hw/net/tulip.c | 16 ++++++++-------- + hw/scsi/megasas.c | 21 ++++++++++++--------- + hw/scsi/mptsas.c | 16 +++++++++++----- + hw/scsi/vmw_pvscsi.c | 16 ++++++++++------ + include/hw/pci/pci.h | 17 ++++++++--------- + 7 files changed, 60 insertions(+), 53 deletions(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index e34b7ab..2b55d52 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -335,7 +335,7 @@ static void intel_hda_corb_run(IntelHDAState *d) + + rp = (d->corb_rp + 1) & 0xff; + addr = intel_hda_addr(d->corb_lbase, d->corb_ubase); +- verb = ldl_le_pci_dma(&d->pci, addr + 4 * rp, MEMTXATTRS_UNSPECIFIED); ++ ldl_le_pci_dma(&d->pci, addr + 4 * rp, &verb, MEMTXATTRS_UNSPECIFIED); + d->corb_rp = rp; + + dprint(d, 2, "%s: [rp 0x%x] verb 0x%08x\n", __func__, rp, verb); +diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c +index eb82e9c..679f52f 100644 +--- a/hw/net/eepro100.c ++++ b/hw/net/eepro100.c +@@ -769,18 +769,16 @@ static void tx_command(EEPRO100State *s) + } else { + /* Flexible mode. 
*/ + uint8_t tbd_count = 0; ++ uint32_t tx_buffer_address; ++ uint16_t tx_buffer_size; ++ uint16_t tx_buffer_el; ++ + if (s->has_extended_tcb_support && !(s->configuration[6] & BIT(4))) { + /* Extended Flexible TCB. */ + for (; tbd_count < 2; tbd_count++) { +- uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, +- tbd_address, +- attrs); +- uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, +- tbd_address + 4, +- attrs); +- uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, +- tbd_address + 6, +- attrs); ++ ldl_le_pci_dma(&s->dev, tbd_address, &tx_buffer_address, attrs); ++ lduw_le_pci_dma(&s->dev, tbd_address + 4, &tx_buffer_size, attrs); ++ lduw_le_pci_dma(&s->dev, tbd_address + 6, &tx_buffer_el, attrs); + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n", +@@ -796,12 +794,9 @@ static void tx_command(EEPRO100State *s) + } + tbd_address = tbd_array; + for (; tbd_count < s->tx.tbd_count; tbd_count++) { +- uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address, +- attrs); +- uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4, +- attrs); +- uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6, +- attrs); ++ ldl_le_pci_dma(&s->dev, tbd_address, &tx_buffer_address, attrs); ++ lduw_le_pci_dma(&s->dev, tbd_address + 4, &tx_buffer_size, attrs); ++ lduw_le_pci_dma(&s->dev, tbd_address + 6, &tx_buffer_el, attrs); + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n", +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index c76e486..d5b6cc5 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -73,15 +73,15 @@ static void tulip_desc_read(TULIPState *s, hwaddr p, + const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + + if (s->csr[0] & CSR0_DBO) { +- desc->status = ldl_be_pci_dma(&s->dev, p, attrs); +- desc->control = ldl_be_pci_dma(&s->dev, p + 4, attrs); +- desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8, attrs); +- desc->buf_addr2 = 
ldl_be_pci_dma(&s->dev, p + 12, attrs); ++ ldl_be_pci_dma(&s->dev, p, &desc->status, attrs); ++ ldl_be_pci_dma(&s->dev, p + 4, &desc->control, attrs); ++ ldl_be_pci_dma(&s->dev, p + 8, &desc->buf_addr1, attrs); ++ ldl_be_pci_dma(&s->dev, p + 12, &desc->buf_addr2, attrs); + } else { +- desc->status = ldl_le_pci_dma(&s->dev, p, attrs); +- desc->control = ldl_le_pci_dma(&s->dev, p + 4, attrs); +- desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8, attrs); +- desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12, attrs); ++ ldl_le_pci_dma(&s->dev, p, &desc->status, attrs); ++ ldl_le_pci_dma(&s->dev, p + 4, &desc->control, attrs); ++ ldl_le_pci_dma(&s->dev, p + 8, &desc->buf_addr1, attrs); ++ ldl_le_pci_dma(&s->dev, p + 12, &desc->buf_addr2, attrs); + } + } + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 98b1370..dc9bbdb 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -202,9 +202,12 @@ static uint64_t megasas_frame_get_context(MegasasState *s, + unsigned long frame) + { + PCIDevice *pci = &s->parent_obj; +- return ldq_le_pci_dma(pci, +- frame + offsetof(struct mfi_frame_header, context), +- MEMTXATTRS_UNSPECIFIED); ++ uint64_t val; ++ ++ ldq_le_pci_dma(pci, frame + offsetof(struct mfi_frame_header, context), ++ &val, MEMTXATTRS_UNSPECIFIED); ++ ++ return val; + } + + static bool megasas_frame_is_ieee_sgl(MegasasCmd *cmd) +@@ -536,8 +539,8 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s, + s->busy++; + + if (s->consumer_pa) { +- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, +- MEMTXATTRS_UNSPECIFIED); ++ ldl_le_pci_dma(pcid, s->consumer_pa, &s->reply_queue_tail, ++ MEMTXATTRS_UNSPECIFIED); + } + trace_megasas_qf_enqueue(cmd->index, cmd->count, cmd->context, + s->reply_queue_head, s->reply_queue_tail, s->busy); +@@ -568,14 +571,14 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context) + stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, + context, attrs); + } +- s->reply_queue_tail = 
ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs); ++ ldl_le_pci_dma(pci_dev, s->consumer_pa, &s->reply_queue_tail, attrs); + trace_megasas_qf_complete(context, s->reply_queue_head, + s->reply_queue_tail, s->busy); + } + + if (megasas_intr_enabled(s)) { + /* Update reply queue pointer */ +- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs); ++ ldl_le_pci_dma(pci_dev, s->consumer_pa, &s->reply_queue_tail, attrs); + tail = s->reply_queue_head; + s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds); + trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail, +@@ -679,9 +682,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd) + pa_lo = le32_to_cpu(initq->pi_addr_lo); + pa_hi = le32_to_cpu(initq->pi_addr_hi); + s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo; +- s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa, attrs); ++ ldl_le_pci_dma(pcid, s->producer_pa, &s->reply_queue_head, attrs); + s->reply_queue_head %= MEGASAS_MAX_FRAMES; +- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, attrs); ++ ldl_le_pci_dma(pcid, s->consumer_pa, &s->reply_queue_tail, attrs); + s->reply_queue_tail %= MEGASAS_MAX_FRAMES; + flags = le32_to_cpu(initq->flags); + if (flags & MFI_QUEUE_FLAG_CONTEXT64) { +diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c +index ac9f4df..5181b0c 100644 +--- a/hw/scsi/mptsas.c ++++ b/hw/scsi/mptsas.c +@@ -177,10 +177,16 @@ static dma_addr_t mptsas_ld_sg_base(MPTSASState *s, uint32_t flags_and_length, + dma_addr_t addr; + + if (flags_and_length & MPI_SGE_FLAGS_64_BIT_ADDRESSING) { +- addr = ldq_le_pci_dma(pci, *sgaddr + 4, attrs); ++ uint64_t addr64; ++ ++ ldq_le_pci_dma(pci, *sgaddr + 4, &addr64, attrs); ++ addr = addr64; + *sgaddr += 12; + } else { +- addr = ldl_le_pci_dma(pci, *sgaddr + 4, attrs); ++ uint32_t addr32; ++ ++ ldl_le_pci_dma(pci, *sgaddr + 4, &addr32, attrs); ++ addr = addr32; + *sgaddr += 8; + } + return addr; +@@ -204,7 +210,7 @@ static int mptsas_build_sgl(MPTSASState *s, 
MPTSASRequest *req, hwaddr addr) + dma_addr_t addr, len; + uint32_t flags_and_length; + +- flags_and_length = ldl_le_pci_dma(pci, sgaddr, MEMTXATTRS_UNSPECIFIED); ++ ldl_le_pci_dma(pci, sgaddr, &flags_and_length, MEMTXATTRS_UNSPECIFIED); + len = flags_and_length & MPI_SGE_LENGTH_MASK; + if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK) + != MPI_SGE_FLAGS_SIMPLE_ELEMENT || +@@ -235,8 +241,8 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr) + break; + } + +- flags_and_length = ldl_le_pci_dma(pci, next_chain_addr, +- MEMTXATTRS_UNSPECIFIED); ++ ldl_le_pci_dma(pci, next_chain_addr, &flags_and_length, ++ MEMTXATTRS_UNSPECIFIED); + if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK) + != MPI_SGE_FLAGS_CHAIN_ELEMENT) { + return MPI_IOCSTATUS_INVALID_SGL; +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index 33e16f9..4d9969f 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -50,10 +50,10 @@ + #define PVSCSI_MAX_CMD_DATA_WORDS \ + (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t)) + +-#define RS_GET_FIELD(m, field) \ +- (ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ ++#define RS_GET_FIELD(pval, m, field) \ ++ ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ + (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), \ +- MEMTXATTRS_UNSPECIFIED)) ++ pval, MEMTXATTRS_UNSPECIFIED) + #define RS_SET_FIELD(m, field, val) \ + (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ + (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \ +@@ -249,10 +249,11 @@ pvscsi_ring_cleanup(PVSCSIRingInfo *mgr) + static hwaddr + pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr) + { +- uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx); ++ uint32_t ready_ptr; + uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING + * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; + ++ RS_GET_FIELD(&ready_ptr, mgr, reqProdIdx); + if (ready_ptr != mgr->consumed_ptr + && ready_ptr - mgr->consumed_ptr < 
ring_size) { + uint32_t next_ready_ptr = +@@ -323,8 +324,11 @@ pvscsi_ring_flush_cmp(PVSCSIRingInfo *mgr) + static bool + pvscsi_ring_msg_has_room(PVSCSIRingInfo *mgr) + { +- uint32_t prodIdx = RS_GET_FIELD(mgr, msgProdIdx); +- uint32_t consIdx = RS_GET_FIELD(mgr, msgConsIdx); ++ uint32_t prodIdx; ++ uint32_t consIdx; ++ ++ RS_GET_FIELD(&prodIdx, mgr, msgProdIdx); ++ RS_GET_FIELD(&consIdx, mgr, msgConsIdx); + + return (prodIdx - consIdx) < (mgr->msg_len_mask + 1); + } +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index c90cecc..5b36334 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -850,15 +850,14 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + +-#define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \ +- static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \ +- dma_addr_t addr, \ +- MemTxAttrs attrs) \ +- { \ +- uint##_bits##_t val; \ +- ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \ +- return val; \ +- } \ ++#define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \ ++ static inline MemTxResult ld##_l##_pci_dma(PCIDevice *dev, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t *val, \ ++ MemTxAttrs attrs) \ ++ { \ ++ return ld##_l##_dma(pci_get_address_space(dev), addr, val, attrs); \ ++ } \ + static inline MemTxResult st##_s##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr, \ + uint##_bits##_t val, \ +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch new file mode 100644 index 0000000000..dc7990d1b7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch 
@@ -0,0 +1,74 @@ +From be5a8cf347d0c47ee3e933dde075526fd8bd5c40 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Sat, 18 Dec 2021 17:09:10 +0100 +Subject: [PATCH] hw/audio/intel-hda: Do not ignore DMA overrun errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Per the "High Definition Audio Specification" manual (rev. 1.0a), +section "3.3.30 Offset 5Dh: RIRBSTS - RIRB Status": + + Response Overrun Interrupt Status (RIRBOIS): + + Hardware sets this bit to a 1 when an overrun occurs in the RIRB. + An interrupt may be generated if the Response Overrun Interrupt + Control bit is set. + + This bit will be set if the RIRB DMA engine is not able to write + the incoming responses to memory before additional incoming + responses overrun the internal FIFO. + + When hardware detects an overrun, it will drop the responses which + overrun the buffer and set the RIRBOIS status bit to indicate the + error condition. Optionally, if the RIRBOIC is set, the hardware + will also generate an error to alert software to the problem. + +QEMU emulates the DMA engine with the stl_le_pci_dma() calls. This +function returns a MemTxResult indicating whether the DMA access +was successful. +Handle any MemTxResult error as "DMA engine is not able to write the +incoming responses to memory" and raise the Overrun Interrupt flag +when this case occurs. 
+ +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=be5a8cf347d0c47ee3e933dde075526fd8bd5c40] + +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211218160912.1591633-2-philmd@redhat.com> +Signed-off-by: Thomas Huth +Signed-off-by: Bhabu Bindu +--- + hw/audio/intel-hda.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index 5f8a878..47a36ac 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -350,6 +350,7 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res + IntelHDAState *d = container_of(bus, IntelHDAState, codecs); + hwaddr addr; + uint32_t wp, ex; ++ MemTxResult res = MEMTX_OK; + + if (d->ics & ICH6_IRS_BUSY) { + dprint(d, 2, "%s: [irr] response 0x%x, cad 0x%x\n", +@@ -368,8 +369,12 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res + ex = (solicited ? 0 : (1 << 4)) | dev->cad; + wp = (d->rirb_wp + 1) & 0xff; + addr = intel_hda_addr(d->rirb_lbase, d->rirb_ubase); +- stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); +- stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); ++ res |= stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); ++ res |= stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); ++ if (res != MEMTX_OK && (d->rirb_ctl & ICH6_RBCTL_OVERRUN_EN)) { ++ d->rirb_sts |= ICH6_RBSTS_OVERRUN; ++ intel_hda_update_irq(d); ++ } + d->rirb_wp = wp; + + dprint(d, 2, "%s: [wp 0x%x] response 0x%x, extra 0x%x\n", +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch new file mode 100644 index 0000000000..b79fadf3f6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch 
@@ -0,0 +1,43 @@ +From 79fa99831debc9782087e834382c577215f2f511 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Sat, 18 Dec 2021 17:09:11 +0100 +Subject: [PATCH] hw/audio/intel-hda: Restrict DMA engine to memories (not MMIO + devices) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Issue #542 reports a reentrancy problem when the DMA engine accesses +the HDA controller I/O registers. Fix by restricting the DMA engine +to memories regions (forbidding MMIO devices such the HDA controller). + +Reported-by: OSS-Fuzz (Issue 28435) +Reported-by: Alexander Bulekov +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Thomas Huth +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/542 +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=79fa99831debc9782087e834382c577215f2f511] + +Message-Id: <20211218160912.1591633-3-philmd@redhat.com> +Signed-off-by: Thomas Huth +Signed-off-by: Bhabu Bindu +--- + hw/audio/intel-hda.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index 47a36ac..78a47bc 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -345,7 +345,7 @@ static void intel_hda_corb_run(IntelHDAState *d) + + static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t response) + { +- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ const MemTxAttrs attrs = { .memory = true }; + HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus); + IntelHDAState *d = container_of(bus, IntelHDAState, codecs); + hwaddr addr; +-- +1.8.3.1 From patchwork Mon Oct 17 23:08:21 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 13939 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from 
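Review bot: in 0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch, the hw/scsi/megasas.c hunk for megasas_frame_get_context() declares `uint64_t val;` with no initialiser, discards the MemTxResult of ldq_le_pci_dma() and returns val, so the status the helper now propagates is dropped at the call site. The other converted callers in this patch do the same (tx_buffer_address, tx_buffer_size and tx_buffer_el in tx_command(), addr64 and addr32 in mptsas_ld_sg_base(), ready_ptr, prodIdx and consIdx in vmw_pvscsi.c). Suggest checking the result against MEMTX_OK and failing the request, or at least initialising the destination variables, so that a rejected load cannot feed an unchecked value into queue indices and scatter-gather addresses.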
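Review bot: in CVE-2021-3611_1.patch, intel_hda_response() sets ICH6_RBSTS_OVERRUN only when ICH6_RBCTL_OVERRUN_EN is set, while the specification text quoted in the commit message says the status bit is set whenever an overrun occurs and only the interrupt depends on the control bit. `d->rirb_wp = wp;` also still runs after a failed stl_le_pci_dma(), although the quoted text says the overrunning response is dropped. Suggest setting rirb_sts on any `res != MEMTX_OK` and leaving the interrupt decision to the control bit, or adding a comment that explains why both are gated and why the write pointer advances.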
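Review bot: in CVE-2021-3611_2.patch, only intel_hda_response() switches to `{ .memory = true }`; the CORB fetch in intel_hda_corb_run(), visible in the 0022 hunk for hw/audio/intel-hda.c, still passes MEMTXATTRS_UNSPECIFIED to ldl_le_pci_dma(). The subject line says the DMA engine is restricted to memories, so either the read path should use the same attrs or the commit message should state why only the RIRB write path needs it. A one-line comment beside the attrs initialiser naming issue #542 would also help future readers.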
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 05/13] qemu: fix CVE-2022-2962 Date: Mon, 17 Oct 2022 13:08:21 -1000 Message-Id: <8ad129d079ea53ca66a91ec9fe36bb95f2648112.1666047986.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 17 Oct 2022 23:08:56 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/171923 From: Ross Burton Backport the fix for CVE-2022-2962. (From OE-Core rev: 943d28a3395455fd475cb6c84247d106adf5fca3) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie (cherry picked from commit ddc4258012e0d3fa946c319b601b0e73db7ac5e6) Signed-off-by: Bhabu Bindu Signed-off-by: virendra thakur Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 1 + ...ulip-Restrict-DMA-engine-to-memories.patch | 64 +++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index cb5f9358da..76ae603ee4 100644
--- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -70,6 +70,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch \ file://CVE-2021-3611_1.patch \ file://CVE-2021-3611_2.patch \ + file://0001-net-tulip-Restrict-DMA-engine-to-memories.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch b/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch new file mode 100644 index 0000000000..6c85a77ba7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch 
@@ -0,0 +1,64 @@ +CVE: CVE-2022-2962 +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 5c5c50b0a73d78ffe18336c9996fef5eae9bbbb0 Mon Sep 17 00:00:00 2001 +From: Zheyu Ma +Date: Sun, 21 Aug 2022 20:43:43 +0800 +Subject: [PATCH] net: tulip: Restrict DMA engine to memories + +The DMA engine is started by I/O access and then itself accesses the +I/O registers, triggering a reentrancy bug. + +The following log can reveal it: +==5637==ERROR: AddressSanitizer: stack-overflow + #0 0x5595435f6078 in tulip_xmit_list_update qemu/hw/net/tulip.c:673 + #1 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13 + #2 0x559544637f86 in memory_region_write_accessor qemu/softmmu/memory.c:492:5 + #3 0x5595446379fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18 + #4 0x5595446372fa in memory_region_dispatch_write qemu/softmmu/memory.c + #5 0x55954468b74c in flatview_write_continue qemu/softmmu/physmem.c:2825:23 + #6 0x559544683662 in flatview_write qemu/softmmu/physmem.c:2867:12 + #7 0x5595446833f3 in address_space_write qemu/softmmu/physmem.c:2963:18 + #8 0x5595435fb082 in dma_memory_rw_relaxed qemu/include/sysemu/dma.h:87:12 + #9 0x5595435fb082 in dma_memory_rw qemu/include/sysemu/dma.h:130:12 + #10 0x5595435fb082 in dma_memory_write qemu/include/sysemu/dma.h:171:12 + #11 0x5595435fb082 in stl_le_dma qemu/include/sysemu/dma.h:272:1 + #12 0x5595435fb082 in stl_le_pci_dma qemu/include/hw/pci/pci.h:910:1 + #13 0x5595435fb082 in tulip_desc_write qemu/hw/net/tulip.c:101:9 + #14 0x5595435f7e3d in tulip_xmit_list_update qemu/hw/net/tulip.c:706:9 + #15 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13 + +Fix this bug by restricting the DMA engine to memories regions. 
+ +Signed-off-by: Zheyu Ma +Signed-off-by: Jason Wang +--- + hw/net/tulip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index 097e905bec..b9e42c322a 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = { + static void tulip_desc_read(TULIPState *s, hwaddr p, + struct tulip_descriptor *desc) + { +- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ const MemTxAttrs attrs = { .memory = true }; + + if (s->csr[0] & CSR0_DBO) { + ldl_be_pci_dma(&s->dev, p, &desc->status, attrs); +@@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p, + static void tulip_desc_write(TULIPState *s, hwaddr p, + struct tulip_descriptor *desc) + { +- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ const MemTxAttrs attrs = { .memory = true }; + + if (s->csr[0] & CSR0_DBO) { + stl_be_pci_dma(&s->dev, p, desc->status, attrs); +-- +2.34.1 + From patchwork Mon Oct 17 23:08:22 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 13946 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 63CFAC433FE for ; Mon, 17 Oct 2022 23:09:06 +0000 (UTC) Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) by mx.groups.io with SMTP id smtpd.web09.677.1666048139626889648 for ; Mon, 17 Oct 2022 16:09:00 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=lwa8gD1Q; spf=softfail (domain: sakoman.com, ip: 209.85.214.176, mailfrom: steve@sakoman.com) Received: by mail-pl1-f176.google.com with SMTP id l1so12128178pld.13 for ; Mon, 17 Oct 2022 16:08:59 -0700 (PDT) 
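Review bot: in hw/net/tulip.c, tulip_desc_read() and tulip_desc_write() now pass `{ .memory = true }`, but the ldl_*_pci_dma() and stl_*_pci_dma() calls in both functions still ignore the MemTxResult that the CVE-2021-3611 series made them return. Once accesses outside memory regions are rejected, the caller has no way to tell a failed descriptor read from a valid one and keeps walking the list with desc->status, desc->control, desc->buf_addr1 and desc->buf_addr2 unchecked. Suggest accumulating the results, returning them from tulip_desc_read(), and stopping list processing on anything other than MEMTX_OK.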
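Review bot: the header of 0001-net-tulip-Restrict-DMA-engine-to-memories.patch carries `Upstream-Status: Backport` with no commit reference, unlike the CVE-2021-3611 patches in the same recipe, which give the upstream URL in brackets. Suggest adding the link for upstream commit 5c5c50b0a73d78ffe18336c9996fef5eae9bbbb0 (taken from the From line) so the backport can be checked against its origin. Naming the file after the CVE, as CVE-2021-3611_1.patch does, would also make the fix easier to find in SRC_URI.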
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 06/13] qemu: Backport patches from upstream to support float128 on qemu-ppc64 Date: Mon, 17 Oct 2022 13:08:22 -1000 Message-Id: <5ed94b1d155a7d5597358a93c65dfe98ac07ea15.1666047986.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 17 Oct 2022 23:09:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/171924 
From: Xiangyu Chen

Background: Because the current qemu 6.2 doesn't support float128, some POSIX APIs (e.g. double difftime()) return a wrong value. This issue can be reproduced by the open_posix_testsuite difftime case [1].

The qemu upstream already supports ppc64 float128, but this needs an update to qemu 7.0 or later. We backport the commits [2] from upstream to support that in qemu-ppc64 6.2.0.

[1] difftime test case: https://github.com/linux-test-project/ltp/tree/master/testcases/open_posix_testsuite/conformance/interfaces/difftime

[2] commits link:
LINK:
https://git.qemu.org/?p=qemu.git;a=commit;h=149a48f6e6ccedfa01307d45884aa480f5bf77c5
https://git.qemu.org/?p=qemu.git;a=commit;h=ba11446c40903b9d97fb75a078d43fee6444d3b6
https://git.qemu.org/?p=qemu.git;a=commit;h=bead3c9b0ff8efd652afb27923d8ab4458b3bbd9
https://git.qemu.org/?p=qemu.git;a=commit;h=10cc964030fca459591d9353571f3b1b4e1b5aec
https://git.qemu.org/?p=qemu.git;a=commit;h=e706d4455b8d54252b11fc504c56df060151cb89
https://git.qemu.org/?p=qemu.git;a=commit;h=941298ecd7e3103d3789d2dd87dd0f119e81c69e
https://git.qemu.org/?p=qemu.git;a=commit;h=4edf55698fc2ea30903657c63ed95db0d5548943
https://git.qemu.org/?p=qemu.git;a=commit;h=c07f82416cb7973c64d1e21c09957182b4b033dc
https://git.qemu.org/?p=qemu.git;a=commit;h=e4052bb773cc829a27786d68caa22f28cff19d39
https://git.qemu.org/?p=qemu.git;a=commit;h=ffdaff8e9c698061f57a6b1827570562c5a1c909
https://git.qemu.org/?p=qemu.git;a=commit;h=201fc774e0e1cc76ec23b595968004a7b14fb6e8
https://git.qemu.org/?p=qemu.git;a=commit;h=c5df1898a147c232f0502cda5dac8df6074070fc
https://git.qemu.org/?p=qemu.git;a=commit;h=38d4914c5065e14f0969161274793ded448f067f
https://git.qemu.org/?p=qemu.git;a=commit;h=caf6f9b568479bea6f6d97798be670f21641a006
https://git.qemu.org/?p=qemu.git;a=commit;h=25ee608d79c1890c0f4e8c495ec8629d5712de45
https://git.qemu.org/?p=qemu.git;a=commit;h=19f0862dd8fa6510b2f5b3aff4859363602cd0cf
https://git.qemu.org/?p=qemu.git;a=commit;h=5f1470b091007f24035d6d33149df49a6dd61682
https://git.qemu.org/?p=qemu.git;a=commit;h=17868d81e0074905b2c1e414af6618570e8059eb
https://git.qemu.org/?p=qemu.git;a=commit;h=9193eaa901c54dbff4a91ea0b12a99e0135dbca1
https://git.qemu.org/?p=qemu.git;a=commit;h=e4318ab2e423c4caf9a88a4e99b5e234096b81a9
https://git.qemu.org/?p=qemu.git;a=commit;h=3bb1aed246d7b59ceee625a82628f7369d492a8f

Signed-off-by: Xiangyu Chen
Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 21 ++ ...end-float_exception_flags-to-16-bits.patch | 75 +++++ ...ftfloat-Add-flag-specific-to-Inf-Inf.patch | 59 ++++ ...softfloat-Add-flag-specific-to-Inf-0.patch | 126 +++++++++ ...dd-flags-specific-to-Inf-Inf-and-0-0.patch | 73 +++++ ...-Add-flag-specific-to-signaling-nans.patch | 121 ++++++++ ...e-float_invalid_op_addsub-for-new-fl.patch | 114 ++++++++ ...e-float_invalid_op_mul-for-new-flags.patch | 86 ++++++ ...e-float_invalid_op_div-for-new-flags.patch | 99 +++++++ ...arget-ppc-Update-fmadd-for-new-flags.patch | 102 +++++++ .../0010-target-ppc-Split-out-do_fmadd.patch | 71 +++++ ...s-max-min-cj-dp-to-use-VSX-registers.patch | 93 +++++++ ...-Move-xs-max-min-cj-dp-to-decodetree.patch | 121 ++++++++ ...get-ppc-fix-xscvqpdp-register-access.patch | 41 +++ ...rget-ppc-move-xscvqpdp-to-decodetree.patch | 130 +++++++++ ...tore_fpscr-doesn-t-update-bits-0-to-.patch | 70 +++++ ...get-ppc-Introduce-TRANS-FLAGS-macros.patch | 133 +++++++++ ...get-ppc-Implement-Vector-Expand-Mask.patch | 105 +++++++ ...et-ppc-Implement-Vector-Extract-Mask.patch | 141 ++++++++++ ...ppc-Implement-Vector-Mask-Move-insns.patch | 187 +++++++++++++ ...xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch | 258 ++++++++++++++++++ ...mplement-xs-n-maddqp-o-xs-n-msubqp-o.patch | 174 ++++++++++++ 22 files changed, 2400 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/0001-softfloat-Extend-float_exception_flags-to-16-bits.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0002-softfloat-Add-flag-specific-to-Inf-Inf.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0003-softfloat-Add-flag-specific-to-Inf-0.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0005-softfloat-Add-flag-specific-to-signaling-nans.patch create mode 100644 
meta/recipes-devtools/qemu/qemu/0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0009-target-ppc-Update-fmadd-for-new-flags.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0010-target-ppc-Split-out-do_fmadd.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0013-target-ppc-fix-xscvqpdp-register-access.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0014-target-ppc-move-xscvqpdp-to-decodetree.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0017-target-ppc-Implement-Vector-Expand-Mask.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0018-target-ppc-Implement-Vector-Extract-Mask.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0019-target-ppc-Implement-Vector-Mask-Move-insns.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch create mode 100644 meta/recipes-devtools/qemu/qemu/0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 76ae603ee4..14feb4f1e0 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc 
@@ -71,6 +71,27 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3611_1.patch \ file://CVE-2021-3611_2.patch \ file://0001-net-tulip-Restrict-DMA-engine-to-memories.patch \ + file://0001-softfloat-Extend-float_exception_flags-to-16-bits.patch \ + file://0002-softfloat-Add-flag-specific-to-Inf-Inf.patch \ + file://0003-softfloat-Add-flag-specific-to-Inf-0.patch \ + file://0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch \ + file://0005-softfloat-Add-flag-specific-to-signaling-nans.patch \ + file://0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch \ + file://0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch \ + file://0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch \ + file://0009-target-ppc-Update-fmadd-for-new-flags.patch \ + file://0010-target-ppc-Split-out-do_fmadd.patch \ + file://0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch \ + file://0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch \ + file://0013-target-ppc-fix-xscvqpdp-register-access.patch \ + file://0014-target-ppc-move-xscvqpdp-to-decodetree.patch \ + file://0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch \ + file://0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch \ + file://0017-target-ppc-Implement-Vector-Expand-Mask.patch \ + file://0018-target-ppc-Implement-Vector-Extract-Mask.patch \ + file://0019-target-ppc-Implement-Vector-Mask-Move-insns.patch \ + file://0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch \ + file://0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/0001-softfloat-Extend-float_exception_flags-to-16-bits.patch b/meta/recipes-devtools/qemu/qemu/0001-softfloat-Extend-float_exception_flags-to-16-bits.patch new file mode 100644 index 0000000000..e9c47f6901 --- /dev/null 
+++ b/meta/recipes-devtools/qemu/qemu/0001-softfloat-Extend-float_exception_flags-to-16-bits.patch 
@@ -0,0 +1,75 @@ +From 0bec1ded33a857f59cf5f3ceca2f72694256e710 Mon Sep 17 00:00:00 2001 +From: Richard Henderson +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 01/21] softfloat: Extend float_exception_flags to 16 bits +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We will shortly have more than 8 bits of exceptions. +Repack the existing flags into low bits and reformat to hex. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=149a48f6e6ccedfa01307d45884aa480f5bf77c5] + +Signed-off-by: Richard Henderson +Reviewed-by: Philippe Mathieu-Daudé +Message-Id: <20211119160502.17432-2-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + include/fpu/softfloat-types.h | 16 ++++++++-------- + include/fpu/softfloat.h | 2 +- + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h +index 5bcbd041f7..65a43aff59 100644 +--- a/include/fpu/softfloat-types.h ++++ b/include/fpu/softfloat-types.h +@@ -145,13 +145,13 @@ typedef enum __attribute__((__packed__)) { + */ + + enum { +- float_flag_invalid = 1, +- float_flag_divbyzero = 4, +- float_flag_overflow = 8, +- float_flag_underflow = 16, +- float_flag_inexact = 32, +- float_flag_input_denormal = 64, +- float_flag_output_denormal = 128 ++ float_flag_invalid = 0x0001, ++ float_flag_divbyzero = 0x0002, ++ float_flag_overflow = 0x0004, ++ float_flag_underflow = 0x0008, ++ float_flag_inexact = 0x0010, ++ float_flag_input_denormal = 0x0020, ++ float_flag_output_denormal = 0x0040, + }; + + /* +@@ -171,8 +171,8 @@ typedef enum __attribute__((__packed__)) { + */ + + typedef struct float_status { ++ uint16_t float_exception_flags; + FloatRoundMode float_rounding_mode; +- uint8_t float_exception_flags; + FloatX80RoundPrec floatx80_rounding_precision; + bool tininess_before_rounding; + /* should denormalised results go to zero and set the inexact 
flag? */ +diff --git a/include/fpu/softfloat.h b/include/fpu/softfloat.h +index a249991e61..0d3b407807 100644 +--- a/include/fpu/softfloat.h ++++ b/include/fpu/softfloat.h +@@ -100,7 +100,7 @@ typedef enum { + | Routine to raise any or all of the software IEC/IEEE floating-point + | exception flags. + *----------------------------------------------------------------------------*/ +-static inline void float_raise(uint8_t flags, float_status *status) ++static inline void float_raise(uint16_t flags, float_status *status) + { + status->float_exception_flags |= flags; + } +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0002-softfloat-Add-flag-specific-to-Inf-Inf.patch b/meta/recipes-devtools/qemu/qemu/0002-softfloat-Add-flag-specific-to-Inf-Inf.patch new file mode 100644 index 0000000000..2713ff370d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0002-softfloat-Add-flag-specific-to-Inf-Inf.patch 
@@ -0,0 +1,59 @@ +From 9b0737858b2b68c3a4d1e0611f2732679c997c6d Mon Sep 17 00:00:00 2001 +From: Richard Henderson +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 02/21] softfloat: Add flag specific to Inf - Inf +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PowerPC has this flag, and it's easier to compute it here +than after the fact. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=ba11446c40903b9d97fb75a078d43fee6444d3b6] + +Signed-off-by: Richard Henderson +Message-Id: <20211119160502.17432-3-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + fpu/softfloat-parts.c.inc | 3 ++- + include/fpu/softfloat-types.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fpu/softfloat-parts.c.inc b/fpu/softfloat-parts.c.inc +index 41d4b17e41..eb2b475ca4 100644 +--- a/fpu/softfloat-parts.c.inc ++++ b/fpu/softfloat-parts.c.inc +@@ -354,7 +354,7 @@ static FloatPartsN *partsN(addsub)(FloatPartsN *a, FloatPartsN *b, + return a; + } + /* Inf - Inf */ +- float_raise(float_flag_invalid, s); ++ float_raise(float_flag_invalid | float_flag_invalid_isi, s); + parts_default_nan(a, s); + return a; + } +@@ -494,6 +494,7 @@ static FloatPartsN *partsN(muladd)(FloatPartsN *a, FloatPartsN *b, + + if (ab_mask & float_cmask_inf) { + if (c->cls == float_class_inf && a->sign != c->sign) { ++ float_raise(float_flag_invalid | float_flag_invalid_isi, s); + goto d_nan; + } + goto return_inf; +diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h +index 65a43aff59..eaa12e1e00 100644 +--- a/include/fpu/softfloat-types.h ++++ b/include/fpu/softfloat-types.h +@@ -152,6 +152,7 @@ enum { + float_flag_inexact = 0x0010, + float_flag_input_denormal = 0x0020, + float_flag_output_denormal = 0x0040, ++ float_flag_invalid_isi = 0x0080, /* inf - inf */ + }; + + /* +-- +2.17.1 + 
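Review bot: In 0001-softfloat-Extend-float_exception_flags-to-16-bits.patch, the enum hunk in include/fpu/softfloat-types.h renumbers every flag except float_flag_invalid (float_flag_divbyzero moves from 4 to 2, float_flag_overflow from 8 to 4, and so on), yet the only consumers widened in the visible lines are the float_exception_flags field and the float_raise() parameter. For a backport onto 6.2.0, please confirm that nothing else in the tree, including the patches already listed in SRC_URI, keeps these flags in a uint8_t or tests them against the old numeric values, because either would silently drop or misread the bits added by the later patches in this series. A line in the patch header recording that this was checked would be enough.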
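Review bot: In 0002-softfloat-Add-flag-specific-to-Inf-Inf.patch, the partsN(muladd) hunk adds its own float_raise(float_flag_invalid | float_flag_invalid_isi, s) immediately before goto d_nan, while the d_nan label only loses its unconditional float_raise(float_flag_invalid, s) in 0003. Raising twice is harmless because float_raise ORs into the status, but once 0003 is applied every path that reaches d_nan must raise on its own, and only two such paths are visible across these two patches. Please confirm against the 6.2.0 source that partsN(muladd) has no other goto d_nan, and keep 0002 and 0003 adjacent and in this order in SRC_URI.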
diff --git a/meta/recipes-devtools/qemu/qemu/0003-softfloat-Add-flag-specific-to-Inf-0.patch b/meta/recipes-devtools/qemu/qemu/0003-softfloat-Add-flag-specific-to-Inf-0.patch new file mode 100644 index 0000000000..1b21e3cfeb --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0003-softfloat-Add-flag-specific-to-Inf-0.patch 
@@ -0,0 +1,126 @@ +From 613f373f0b652ab2fb2572633e7a23807096790b Mon Sep 17 00:00:00 2001 +From: Richard Henderson +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 03/21] softfloat: Add flag specific to Inf * 0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PowerPC has this flag, and it's easier to compute it here +than after the fact. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=bead3c9b0ff8efd652afb27923d8ab4458b3bbd9] + +Signed-off-by: Richard Henderson +Message-Id: <20211119160502.17432-4-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + fpu/softfloat-parts.c.inc | 4 ++-- + fpu/softfloat-specialize.c.inc | 12 ++++++------ + include/fpu/softfloat-types.h | 1 + + 3 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/fpu/softfloat-parts.c.inc b/fpu/softfloat-parts.c.inc +index eb2b475ca4..3ed793347b 100644 +--- a/fpu/softfloat-parts.c.inc ++++ b/fpu/softfloat-parts.c.inc +@@ -423,7 +423,7 @@ static FloatPartsN *partsN(mul)(FloatPartsN *a, FloatPartsN *b, + + /* Inf * Zero == NaN */ + if (unlikely(ab_mask == float_cmask_infzero)) { +- float_raise(float_flag_invalid, s); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, s); + parts_default_nan(a, s); + return a; + } +@@ -489,6 +489,7 @@ static FloatPartsN *partsN(muladd)(FloatPartsN *a, FloatPartsN *b, + + if (unlikely(ab_mask != float_cmask_normal)) { + if (unlikely(ab_mask == float_cmask_infzero)) { ++ float_raise(float_flag_invalid | float_flag_invalid_imz, s); + goto d_nan; + } + +@@ -567,7 +568,6 @@ static FloatPartsN *partsN(muladd)(FloatPartsN *a, FloatPartsN *b, + goto finish_sign; + + d_nan: +- float_raise(float_flag_invalid, s); + parts_default_nan(a, s); + return a; + } +diff --git a/fpu/softfloat-specialize.c.inc b/fpu/softfloat-specialize.c.inc +index f2ad0f335e..943e3301d2 100644 +--- a/fpu/softfloat-specialize.c.inc ++++ 
b/fpu/softfloat-specialize.c.inc +@@ -506,7 +506,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + * the default NaN + */ + if (infzero && is_qnan(c_cls)) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + return 3; + } + +@@ -533,7 +533,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + * case sets InvalidOp and returns the default NaN + */ + if (infzero) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + return 3; + } + /* Prefer sNaN over qNaN, in the a, b, c order. */ +@@ -556,7 +556,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + * case sets InvalidOp and returns the input value 'c' + */ + if (infzero) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + return 2; + } + /* Prefer sNaN over qNaN, in the c, a, b order. */ +@@ -580,7 +580,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + * a default NaN + */ + if (infzero) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + return 2; + } + +@@ -597,7 +597,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + #elif defined(TARGET_RISCV) + /* For RISC-V, InvalidOp is set when multiplicands are Inf and zero */ + if (infzero) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + } + return 3; /* default NaN */ + #elif defined(TARGET_XTENSA) +@@ -606,7 +606,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + * an input NaN if we have one (ie c). 
+ */ + if (infzero) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + return 2; + } + if (status->use_first_nan) { +diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h +index eaa12e1e00..56b4cf7835 100644 +--- a/include/fpu/softfloat-types.h ++++ b/include/fpu/softfloat-types.h +@@ -153,6 +153,7 @@ enum { + float_flag_input_denormal = 0x0020, + float_flag_output_denormal = 0x0040, + float_flag_invalid_isi = 0x0080, /* inf - inf */ ++ float_flag_invalid_imz = 0x0100, /* inf * 0 */ + }; + + /* +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch b/meta/recipes-devtools/qemu/qemu/0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch new file mode 100644 index 0000000000..c5377fbe70 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch 
@@ -0,0 +1,73 @@ +From 52f1760d2d65e1a61028cb9d8610c8a38aa44cfc Mon Sep 17 00:00:00 2001 +From: Richard Henderson +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 04/21] softfloat: Add flags specific to Inf / Inf and 0 / 0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PowerPC has these flags, and it's easier to compute them here +than after the fact. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=10cc964030fca459591d9353571f3b1b4e1b5aec] + +Signed-off-by: Richard Henderson +Message-Id: <20211119160502.17432-5-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + fpu/softfloat-parts.c.inc | 16 +++++++++++----- + include/fpu/softfloat-types.h | 2 ++ + 2 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/fpu/softfloat-parts.c.inc b/fpu/softfloat-parts.c.inc +index 3ed793347b..b8563cd2df 100644 +--- a/fpu/softfloat-parts.c.inc ++++ b/fpu/softfloat-parts.c.inc +@@ -590,11 +590,13 @@ static FloatPartsN *partsN(div)(FloatPartsN *a, FloatPartsN *b, + } + + /* 0/0 or Inf/Inf => NaN */ +- if (unlikely(ab_mask == float_cmask_zero) || +- unlikely(ab_mask == float_cmask_inf)) { +- float_raise(float_flag_invalid, s); +- parts_default_nan(a, s); +- return a; ++ if (unlikely(ab_mask == float_cmask_zero)) { ++ float_raise(float_flag_invalid | float_flag_invalid_zdz, s); ++ goto d_nan; ++ } ++ if (unlikely(ab_mask == float_cmask_inf)) { ++ float_raise(float_flag_invalid | float_flag_invalid_idi, s); ++ goto d_nan; + } + + /* All the NaN cases */ +@@ -625,6 +627,10 @@ static FloatPartsN *partsN(div)(FloatPartsN *a, FloatPartsN *b, + float_raise(float_flag_divbyzero, s); + a->cls = float_class_inf; + return a; ++ ++ d_nan: ++ parts_default_nan(a, s); ++ return a; + } + + /* +diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h +index 56b4cf7835..5a9671e564 100644 +--- a/include/fpu/softfloat-types.h ++++ 
b/include/fpu/softfloat-types.h +@@ -154,6 +154,8 @@ enum { + float_flag_output_denormal = 0x0040, + float_flag_invalid_isi = 0x0080, /* inf - inf */ + float_flag_invalid_imz = 0x0100, /* inf * 0 */ ++ float_flag_invalid_idi = 0x0200, /* inf / inf */ ++ float_flag_invalid_zdz = 0x0400, /* 0 / 0 */ + }; + + /* +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0005-softfloat-Add-flag-specific-to-signaling-nans.patch b/meta/recipes-devtools/qemu/qemu/0005-softfloat-Add-flag-specific-to-signaling-nans.patch new file mode 100644 index 0000000000..e4ecb496ae --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0005-softfloat-Add-flag-specific-to-signaling-nans.patch 
@@ -0,0 +1,121 @@ +From 6bc0b2cffab0ee280ae9730262f162f25c16f6c2 Mon Sep 17 00:00:00 2001 +From: Richard Henderson +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 05/21] softfloat: Add flag specific to signaling nans +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PowerPC has this flag, and it's easier to compute it here +than after the fact. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=e706d4455b8d54252b11fc504c56df060151cb89] + +Signed-off-by: Richard Henderson +Message-Id: <20211119160502.17432-8-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + fpu/softfloat-parts.c.inc | 18 ++++++++++++------ + fpu/softfloat.c | 4 +++- + include/fpu/softfloat-types.h | 1 + + 3 files changed, 16 insertions(+), 7 deletions(-) + +diff --git a/fpu/softfloat-parts.c.inc b/fpu/softfloat-parts.c.inc +index b8563cd2df..9518f3dc61 100644 +--- a/fpu/softfloat-parts.c.inc ++++ b/fpu/softfloat-parts.c.inc +@@ -19,7 +19,7 @@ static void partsN(return_nan)(FloatPartsN *a, float_status *s) + { + switch (a->cls) { + case float_class_snan: +- float_raise(float_flag_invalid, s); ++ float_raise(float_flag_invalid | float_flag_invalid_snan, s); + if (s->default_nan_mode) { + parts_default_nan(a, s); + } else { +@@ -40,7 +40,7 @@ static FloatPartsN *partsN(pick_nan)(FloatPartsN *a, FloatPartsN *b, + float_status *s) + { + if (is_snan(a->cls) || is_snan(b->cls)) { +- float_raise(float_flag_invalid, s); ++ float_raise(float_flag_invalid | float_flag_invalid_snan, s); + } + + if (s->default_nan_mode) { +@@ -68,7 +68,7 @@ static FloatPartsN *partsN(pick_nan_muladd)(FloatPartsN *a, FloatPartsN *b, + int which; + + if (unlikely(abc_mask & float_cmask_snan)) { +- float_raise(float_flag_invalid, s); ++ float_raise(float_flag_invalid | float_flag_invalid_snan, s); + } + + which = pickNaNMulAdd(a->cls, b->cls, c->cls, +@@ -1049,8 +1049,10 @@ static int64_t 
partsN(float_to_sint)(FloatPartsN *p, FloatRoundMode rmode, + + switch (p->cls) { + case float_class_snan: ++ flags |= float_flag_invalid_snan; ++ /* fall through */ + case float_class_qnan: +- flags = float_flag_invalid; ++ flags |= float_flag_invalid; + r = max; + break; + +@@ -1114,8 +1116,10 @@ static uint64_t partsN(float_to_uint)(FloatPartsN *p, FloatRoundMode rmode, + + switch (p->cls) { + case float_class_snan: ++ flags |= float_flag_invalid_snan; ++ /* fall through */ + case float_class_qnan: +- flags = float_flag_invalid; ++ flags |= float_flag_invalid; + r = max; + break; + +@@ -1341,7 +1345,9 @@ static FloatRelation partsN(compare)(FloatPartsN *a, FloatPartsN *b, + } + + if (unlikely(ab_mask & float_cmask_anynan)) { +- if (!is_quiet || (ab_mask & float_cmask_snan)) { ++ if (ab_mask & float_cmask_snan) { ++ float_raise(float_flag_invalid | float_flag_invalid_snan, s); ++ } else if (!is_quiet) { + float_raise(float_flag_invalid, s); + } + return float_relation_unordered; +diff --git a/fpu/softfloat.c b/fpu/softfloat.c +index 9a28720d82..834ed3a054 100644 +--- a/fpu/softfloat.c ++++ b/fpu/softfloat.c +@@ -2543,8 +2543,10 @@ floatx80 floatx80_mod(floatx80 a, floatx80 b, float_status *status) + static void parts_float_to_ahp(FloatParts64 *a, float_status *s) + { + switch (a->cls) { +- case float_class_qnan: + case float_class_snan: ++ float_raise(float_flag_invalid_snan, s); ++ /* fall through */ ++ case float_class_qnan: + /* + * There is no NaN in the destination format. Raise Invalid + * and return a zero with the sign of the input NaN. 
+diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h +index 5a9671e564..e557b9126b 100644 +--- a/include/fpu/softfloat-types.h ++++ b/include/fpu/softfloat-types.h +@@ -156,6 +156,7 @@ enum { + float_flag_invalid_imz = 0x0100, /* inf * 0 */ + float_flag_invalid_idi = 0x0200, /* inf / inf */ + float_flag_invalid_zdz = 0x0400, /* 0 / 0 */ ++ float_flag_invalid_snan = 0x2000, /* any operand was snan */ + }; + + /* +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch b/meta/recipes-devtools/qemu/qemu/0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch new file mode 100644 index 0000000000..5f38c7265f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch 
@@ -0,0 +1,114 @@ +From ba4a60dd5df31b9fff8b7b8006bf9f15140cc6c5 Mon Sep 17 00:00:00 2001 +From: Richard Henderson +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 06/21] target/ppc: Update float_invalid_op_addsub for new + flags +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Now that vxisi and vxsnan are computed directly by +softfloat, we don't need to recompute it via classes. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=941298ecd7e3103d3789d2dd87dd0f119e81c69e] + +Signed-off-by: Richard Henderson +Message-Id: <20211119160502.17432-9-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + target/ppc/fpu_helper.c | 38 ++++++++++++++------------------------ + 1 file changed, 14 insertions(+), 24 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index c4896cecc8..f0deada84b 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -450,13 +450,12 @@ void helper_reset_fpstatus(CPUPPCState *env) + set_float_exception_flags(0, &env->fp_status); + } + +-static void float_invalid_op_addsub(CPUPPCState *env, bool set_fpcc, +- uintptr_t retaddr, int classes) ++static void float_invalid_op_addsub(CPUPPCState *env, int flags, ++ bool set_fpcc, uintptr_t retaddr) + { +- if ((classes & ~is_neg) == is_inf) { +- /* Magnitude subtraction of infinities */ ++ if (flags & float_flag_invalid_isi) { + float_invalid_op_vxisi(env, set_fpcc, retaddr); +- } else if (classes & is_snan) { ++ } else if (flags & float_flag_invalid_snan) { + float_invalid_op_vxsnan(env, retaddr); + } + } +@@ -465,12 +464,10 @@ static void float_invalid_op_addsub(CPUPPCState *env, bool set_fpcc, + float64 helper_fadd(CPUPPCState *env, float64 arg1, float64 arg2) + { + float64 ret = float64_add(arg1, arg2, &env->fp_status); +- int status = get_float_exception_flags(&env->fp_status); ++ int flags = get_float_exception_flags(&env->fp_status); 
+ +- if (unlikely(status & float_flag_invalid)) { +- float_invalid_op_addsub(env, 1, GETPC(), +- float64_classify(arg1) | +- float64_classify(arg2)); ++ if (unlikely(flags & float_flag_invalid)) { ++ float_invalid_op_addsub(env, flags, 1, GETPC()); + } + + return ret; +@@ -480,12 +477,10 @@ float64 helper_fadd(CPUPPCState *env, float64 arg1, float64 arg2) + float64 helper_fsub(CPUPPCState *env, float64 arg1, float64 arg2) + { + float64 ret = float64_sub(arg1, arg2, &env->fp_status); +- int status = get_float_exception_flags(&env->fp_status); ++ int flags = get_float_exception_flags(&env->fp_status); + +- if (unlikely(status & float_flag_invalid)) { +- float_invalid_op_addsub(env, 1, GETPC(), +- float64_classify(arg1) | +- float64_classify(arg2)); ++ if (unlikely(flags & float_flag_invalid)) { ++ float_invalid_op_addsub(env, flags, 1, GETPC()); + } + + return ret; +@@ -1616,9 +1611,8 @@ void helper_##name(CPUPPCState *env, ppc_vsr_t *xt, \ + env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ + \ + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { \ +- float_invalid_op_addsub(env, sfprf, GETPC(), \ +- tp##_classify(xa->fld) | \ +- tp##_classify(xb->fld)); \ ++ float_invalid_op_addsub(env, tstat.float_exception_flags, \ ++ sfprf, GETPC()); \ + } \ + \ + if (r2sp) { \ +@@ -1660,9 +1654,7 @@ void helper_xsaddqp(CPUPPCState *env, uint32_t opcode, + env->fp_status.float_exception_flags |= tstat.float_exception_flags; + + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { +- float_invalid_op_addsub(env, 1, GETPC(), +- float128_classify(xa->f128) | +- float128_classify(xb->f128)); ++ float_invalid_op_addsub(env, tstat.float_exception_flags, 1, GETPC()); + } + + helper_compute_fprf_float128(env, t.f128); +@@ -3278,9 +3270,7 @@ void helper_xssubqp(CPUPPCState *env, uint32_t opcode, + env->fp_status.float_exception_flags |= tstat.float_exception_flags; + + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { +- 
float_invalid_op_addsub(env, 1, GETPC(), +- float128_classify(xa->f128) | +- float128_classify(xb->f128)); ++ float_invalid_op_addsub(env, tstat.float_exception_flags, 1, GETPC()); + } + + helper_compute_fprf_float128(env, t.f128); +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch b/meta/recipes-devtools/qemu/qemu/0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch new file mode 100644 index 0000000000..1cc4e9e35c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch 
@@ -0,0 +1,86 @@ +From ee8ba2dbb046f48457566b64ad95bf0440d2513e Mon Sep 17 00:00:00 2001 +From: Richard Henderson +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 07/21] target/ppc: Update float_invalid_op_mul for new flags +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Now that vximz and vxsnan are computed directly by +softfloat, we don't need to recompute it via classes. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=4edf55698fc2ea30903657c63ed95db0d5548943] + +Signed-off-by: Richard Henderson +Message-Id: <20211119160502.17432-10-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + target/ppc/fpu_helper.c | 26 ++++++++++---------------- + 1 file changed, 10 insertions(+), 16 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index f0deada84b..23264e6528 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -486,13 +486,12 @@ float64 helper_fsub(CPUPPCState *env, float64 arg1, float64 arg2) + return ret; + } + +-static void float_invalid_op_mul(CPUPPCState *env, bool set_fprc, +- uintptr_t retaddr, int classes) ++static void float_invalid_op_mul(CPUPPCState *env, int flags, ++ bool set_fprc, uintptr_t retaddr) + { +- if ((classes & (is_zero | is_inf)) == (is_zero | is_inf)) { +- /* Multiplication of zero by infinity */ ++ if (flags & float_flag_invalid_imz) { + float_invalid_op_vximz(env, set_fprc, retaddr); +- } else if (classes & is_snan) { ++ } else if (flags & float_flag_invalid_snan) { + float_invalid_op_vxsnan(env, retaddr); + } + } +@@ -501,12 +500,10 @@ static void float_invalid_op_mul(CPUPPCState *env, bool set_fprc, + float64 helper_fmul(CPUPPCState *env, float64 arg1, float64 arg2) + { + float64 ret = float64_mul(arg1, arg2, &env->fp_status); +- int status = get_float_exception_flags(&env->fp_status); ++ int flags = get_float_exception_flags(&env->fp_status); + +- if 
(unlikely(status & float_flag_invalid)) { +- float_invalid_op_mul(env, 1, GETPC(), +- float64_classify(arg1) | +- float64_classify(arg2)); ++ if (unlikely(flags & float_flag_invalid)) { ++ float_invalid_op_mul(env, flags, 1, GETPC()); + } + + return ret; +@@ -1687,9 +1684,8 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ + env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ + \ + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { \ +- float_invalid_op_mul(env, sfprf, GETPC(), \ +- tp##_classify(xa->fld) | \ +- tp##_classify(xb->fld)); \ ++ float_invalid_op_mul(env, tstat.float_exception_flags, \ ++ sfprf, GETPC()); \ + } \ + \ + if (r2sp) { \ +@@ -1727,9 +1723,7 @@ void helper_xsmulqp(CPUPPCState *env, uint32_t opcode, + env->fp_status.float_exception_flags |= tstat.float_exception_flags; + + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { +- float_invalid_op_mul(env, 1, GETPC(), +- float128_classify(xa->f128) | +- float128_classify(xb->f128)); ++ float_invalid_op_mul(env, tstat.float_exception_flags, 1, GETPC()); + } + helper_compute_fprf_float128(env, t.f128); + +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch b/meta/recipes-devtools/qemu/qemu/0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch new file mode 100644 index 0000000000..cb657eefd5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch 
@@ -0,0 +1,99 @@ +From a13c0819ef14120a0e30077fcc6a7470409fa732 Mon Sep 17 00:00:00 2001 +From: Richard Henderson +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 08/21] target/ppc: Update float_invalid_op_div for new flags +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Now that vxidi, vxzdz, and vxsnan are computed directly by +softfloat, we don't need to recompute it via classes. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=c07f82416cb7973c64d1e21c09957182b4b033dc] + +Signed-off-by: Richard Henderson +Message-Id: <20211119160502.17432-11-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + target/ppc/fpu_helper.c | 38 ++++++++++++++------------------------ + 1 file changed, 14 insertions(+), 24 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 23264e6528..2ab34236a3 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -509,17 +509,14 @@ float64 helper_fmul(CPUPPCState *env, float64 arg1, float64 arg2) + return ret; + } + +-static void float_invalid_op_div(CPUPPCState *env, bool set_fprc, +- uintptr_t retaddr, int classes) ++static void float_invalid_op_div(CPUPPCState *env, int flags, ++ bool set_fprc, uintptr_t retaddr) + { +- classes &= ~is_neg; +- if (classes == is_inf) { +- /* Division of infinity by infinity */ ++ if (flags & float_flag_invalid_idi) { + float_invalid_op_vxidi(env, set_fprc, retaddr); +- } else if (classes == is_zero) { +- /* Division of zero by zero */ ++ } else if (flags & float_flag_invalid_zdz) { + float_invalid_op_vxzdz(env, set_fprc, retaddr); +- } else if (classes & is_snan) { ++ } else if (flags & float_flag_invalid_snan) { + float_invalid_op_vxsnan(env, retaddr); + } + } +@@ -528,17 +525,13 @@ static void float_invalid_op_div(CPUPPCState *env, bool set_fprc, + float64 helper_fdiv(CPUPPCState *env, float64 arg1, float64 arg2) + { + float64 ret = 
float64_div(arg1, arg2, &env->fp_status); +- int status = get_float_exception_flags(&env->fp_status); ++ int flags = get_float_exception_flags(&env->fp_status); + +- if (unlikely(status)) { +- if (status & float_flag_invalid) { +- float_invalid_op_div(env, 1, GETPC(), +- float64_classify(arg1) | +- float64_classify(arg2)); +- } +- if (status & float_flag_divbyzero) { +- float_zero_divide_excp(env, GETPC()); +- } ++ if (unlikely(flags & float_flag_invalid)) { ++ float_invalid_op_div(env, flags, 1, GETPC()); ++ } ++ if (unlikely(flags & float_flag_divbyzero)) { ++ float_zero_divide_excp(env, GETPC()); + } + + return ret; +@@ -1755,9 +1748,8 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ + env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ + \ + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { \ +- float_invalid_op_div(env, sfprf, GETPC(), \ +- tp##_classify(xa->fld) | \ +- tp##_classify(xb->fld)); \ ++ float_invalid_op_div(env, tstat.float_exception_flags, \ ++ sfprf, GETPC()); \ + } \ + if (unlikely(tstat.float_exception_flags & float_flag_divbyzero)) { \ + float_zero_divide_excp(env, GETPC()); \ +@@ -1798,9 +1790,7 @@ void helper_xsdivqp(CPUPPCState *env, uint32_t opcode, + env->fp_status.float_exception_flags |= tstat.float_exception_flags; + + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { +- float_invalid_op_div(env, 1, GETPC(), +- float128_classify(xa->f128) | +- float128_classify(xb->f128)); ++ float_invalid_op_div(env, tstat.float_exception_flags, 1, GETPC()); + } + if (unlikely(tstat.float_exception_flags & float_flag_divbyzero)) { + float_zero_divide_excp(env, GETPC()); +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0009-target-ppc-Update-fmadd-for-new-flags.patch b/meta/recipes-devtools/qemu/qemu/0009-target-ppc-Update-fmadd-for-new-flags.patch new file mode 100644 index 0000000000..2e723582b7 --- /dev/null 
+++ b/meta/recipes-devtools/qemu/qemu/0009-target-ppc-Update-fmadd-for-new-flags.patch 
@@ -0,0 +1,102 @@ +From ce768160ee1ee9673d60e800389c41b3c707411a Mon Sep 17 00:00:00 2001 +From: Richard Henderson +Date: Fri, 17 Dec 2021 17:57:15 +0100 +Subject: [PATCH 09/21] target/ppc: Update fmadd for new flags +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Now that vximz, vxisi, and vxsnan are computed directly by +softfloat, we don't need to recompute it. This replaces the +separate float{32,64}_maddsub_update_excp functions with a +single float_invalid_op_madd function. + +Fix VSX_MADD by passing sfprf to float_invalid_op_madd, +whereas the previous *_maddsub_update_excp assumed it true. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=e4052bb773cc829a27786d68caa22f28cff19d39] + +Signed-off-by: Richard Henderson +Message-Id: <20211119160502.17432-19-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + target/ppc/fpu_helper.c | 46 ++++++++++------------------------------- + 1 file changed, 11 insertions(+), 35 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 2ab34236a3..3b1cb25666 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -639,38 +639,15 @@ uint64_t helper_frim(CPUPPCState *env, uint64_t arg) + return do_fri(env, arg, float_round_down); + } + +-#define FPU_MADDSUB_UPDATE(NAME, TP) \ +-static void NAME(CPUPPCState *env, TP arg1, TP arg2, TP arg3, \ +- unsigned int madd_flags, uintptr_t retaddr) \ +-{ \ +- if (TP##_is_signaling_nan(arg1, &env->fp_status) || \ +- TP##_is_signaling_nan(arg2, &env->fp_status) || \ +- TP##_is_signaling_nan(arg3, &env->fp_status)) { \ +- /* sNaN operation */ \ +- float_invalid_op_vxsnan(env, retaddr); \ +- } \ +- if ((TP##_is_infinity(arg1) && TP##_is_zero(arg2)) || \ +- (TP##_is_zero(arg1) && TP##_is_infinity(arg2))) { \ +- /* Multiplication of zero by infinity */ \ +- float_invalid_op_vximz(env, 1, retaddr); \ +- } \ +- if 
((TP##_is_infinity(arg1) || TP##_is_infinity(arg2)) && \ +- TP##_is_infinity(arg3)) { \ +- uint8_t aSign, bSign, cSign; \ +- \ +- aSign = TP##_is_neg(arg1); \ +- bSign = TP##_is_neg(arg2); \ +- cSign = TP##_is_neg(arg3); \ +- if (madd_flags & float_muladd_negate_c) { \ +- cSign ^= 1; \ +- } \ +- if (aSign ^ bSign ^ cSign) { \ +- float_invalid_op_vxisi(env, 1, retaddr); \ +- } \ +- } \ ++static void float_invalid_op_madd(CPUPPCState *env, int flags, ++ bool set_fpcc, uintptr_t retaddr) ++{ ++ if (flags & float_flag_invalid_imz) { ++ float_invalid_op_vximz(env, set_fpcc, retaddr); ++ } else { ++ float_invalid_op_addsub(env, flags, set_fpcc, retaddr); ++ } + } +-FPU_MADDSUB_UPDATE(float32_maddsub_update_excp, float32) +-FPU_MADDSUB_UPDATE(float64_maddsub_update_excp, float64) + + #define FPU_FMADD(op, madd_flags) \ + uint64_t helper_##op(CPUPPCState *env, uint64_t arg1, \ +@@ -682,8 +659,7 @@ uint64_t helper_##op(CPUPPCState *env, uint64_t arg1, \ + flags = get_float_exception_flags(&env->fp_status); \ + if (flags) { \ + if (flags & float_flag_invalid) { \ +- float64_maddsub_update_excp(env, arg1, arg2, arg3, \ +- madd_flags, GETPC()); \ ++ float_invalid_op_madd(env, flags, 1, GETPC()); \ + } \ + do_float_check_status(env, GETPC()); \ + } \ +@@ -2087,8 +2063,8 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ + env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ + \ + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { \ +- tp##_maddsub_update_excp(env, xa->fld, b->fld, \ +- c->fld, maddflgs, GETPC()); \ ++ float_invalid_op_madd(env, tstat.float_exception_flags, \ ++ sfprf, GETPC()); \ + } \ + \ + if (r2sp) { \ +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0010-target-ppc-Split-out-do_fmadd.patch b/meta/recipes-devtools/qemu/qemu/0010-target-ppc-Split-out-do_fmadd.patch new file mode 100644 index 0000000000..4d19773200 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0010-target-ppc-Split-out-do_fmadd.patch 
@@ -0,0 +1,71 @@ +From f024b8937d8b614994b94e86d2240fafcc7d2d73 Mon Sep 17 00:00:00 2001 +From: Richard Henderson +Date: Fri, 17 Dec 2021 17:57:15 +0100 +Subject: [PATCH 10/21] target/ppc: Split out do_fmadd +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Create a common function for all of the madd helpers. +Let the compiler tail call or inline as it chooses. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=ffdaff8e9c698061f57a6b1827570562c5a1c909] + +Signed-off-by: Richard Henderson +Message-Id: <20211119160502.17432-20-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + target/ppc/fpu_helper.c | 33 ++++++++++++++++++--------------- + 1 file changed, 18 insertions(+), 15 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 3b1cb25666..9a1e7e6244 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -649,23 +649,26 @@ static void float_invalid_op_madd(CPUPPCState *env, int flags, + } + } + +-#define FPU_FMADD(op, madd_flags) \ +-uint64_t helper_##op(CPUPPCState *env, uint64_t arg1, \ +- uint64_t arg2, uint64_t arg3) \ +-{ \ +- uint32_t flags; \ +- float64 ret = float64_muladd(arg1, arg2, arg3, madd_flags, \ +- &env->fp_status); \ +- flags = get_float_exception_flags(&env->fp_status); \ +- if (flags) { \ +- if (flags & float_flag_invalid) { \ +- float_invalid_op_madd(env, flags, 1, GETPC()); \ +- } \ +- do_float_check_status(env, GETPC()); \ +- } \ +- return ret; \ ++static float64 do_fmadd(CPUPPCState *env, float64 a, float64 b, ++ float64 c, int madd_flags, uintptr_t retaddr) ++{ ++ float64 ret = float64_muladd(a, b, c, madd_flags, &env->fp_status); ++ int flags = get_float_exception_flags(&env->fp_status); ++ ++ if (flags) { ++ if (flags & float_flag_invalid) { ++ float_invalid_op_madd(env, flags, 1, retaddr); ++ } ++ do_float_check_status(env, retaddr); ++ } ++ return ret; + } + ++#define 
FPU_FMADD(op, madd_flags) \ ++ uint64_t helper_##op(CPUPPCState *env, uint64_t arg1, \ ++ uint64_t arg2, uint64_t arg3) \ ++ { return do_fmadd(env, arg1, arg2, arg3, madd_flags, GETPC()); } ++ + #define MADD_FLGS 0 + #define MSUB_FLGS float_muladd_negate_c + #define NMADD_FLGS float_muladd_negate_result +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch b/meta/recipes-devtools/qemu/qemu/0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch new file mode 100644 index 0000000000..0daae55b99 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch 
@@ -0,0 +1,93 @@ +From a1821ad612994b95cb6597efd15e0a888676386c Mon Sep 17 00:00:00 2001 +From: Victor Colombo +Date: Fri, 17 Dec 2021 17:57:18 +0100 +Subject: [PATCH 11/21] target/ppc: Fix xs{max, min}[cj]dp to use VSX registers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PPC instruction xsmaxcdp, xsmincdp, xsmaxjdp, and xsminjdp are using +vector registers when they should be using VSX ones. This happens +because the instructions are using GEN_VSX_HELPER_R3, which adds 32 +to the register numbers, effectively making them vector registers. + +This patch fixes it by changing these instructions to use +GEN_VSX_HELPER_X3. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=201fc774e0e1cc76ec23b595968004a7b14fb6e8] + +Reviewed-by: Richard Henderson +Signed-off-by: Victor Colombo +Message-Id: <20211213120958.24443-2-victor.colombo@eldorado.org.br> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + target/ppc/fpu_helper.c | 4 ++-- + target/ppc/helper.h | 8 ++++---- + target/ppc/translate/vsx-impl.c.inc | 8 ++++---- + 3 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 9a1e7e6244..ecdcd36a11 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -2375,7 +2375,7 @@ VSX_MAX_MIN(xvmindp, minnum, 2, float64, VsrD(i)) + VSX_MAX_MIN(xvminsp, minnum, 4, float32, VsrW(i)) + + #define VSX_MAX_MINC(name, max) \ +-void helper_##name(CPUPPCState *env, uint32_t opcode, \ ++void helper_##name(CPUPPCState *env, \ + ppc_vsr_t *xt, ppc_vsr_t *xa, ppc_vsr_t *xb) \ + { \ + ppc_vsr_t t = *xt; \ +@@ -2410,7 +2410,7 @@ VSX_MAX_MINC(xsmaxcdp, 1); + VSX_MAX_MINC(xsmincdp, 0); + + #define VSX_MAX_MINJ(name, max) \ +-void helper_##name(CPUPPCState *env, uint32_t opcode, \ ++void helper_##name(CPUPPCState *env, \ + ppc_vsr_t *xt, ppc_vsr_t *xa, ppc_vsr_t *xb) \ + { \ + ppc_vsr_t t = *xt; \ +diff --git 
a/target/ppc/helper.h b/target/ppc/helper.h +index 627811cefc..12a3d5f269 100644 +--- a/target/ppc/helper.h ++++ b/target/ppc/helper.h +@@ -392,10 +392,10 @@ DEF_HELPER_4(xscmpoqp, void, env, i32, vsr, vsr) + DEF_HELPER_4(xscmpuqp, void, env, i32, vsr, vsr) + DEF_HELPER_4(xsmaxdp, void, env, vsr, vsr, vsr) + DEF_HELPER_4(xsmindp, void, env, vsr, vsr, vsr) +-DEF_HELPER_5(xsmaxcdp, void, env, i32, vsr, vsr, vsr) +-DEF_HELPER_5(xsmincdp, void, env, i32, vsr, vsr, vsr) +-DEF_HELPER_5(xsmaxjdp, void, env, i32, vsr, vsr, vsr) +-DEF_HELPER_5(xsminjdp, void, env, i32, vsr, vsr, vsr) ++DEF_HELPER_4(xsmaxcdp, void, env, vsr, vsr, vsr) ++DEF_HELPER_4(xsmincdp, void, env, vsr, vsr, vsr) ++DEF_HELPER_4(xsmaxjdp, void, env, vsr, vsr, vsr) ++DEF_HELPER_4(xsminjdp, void, env, vsr, vsr, vsr) + DEF_HELPER_3(xscvdphp, void, env, vsr, vsr) + DEF_HELPER_4(xscvdpqp, void, env, i32, vsr, vsr) + DEF_HELPER_3(xscvdpsp, void, env, vsr, vsr) +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index c0e38060b4..02df75339e 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -1098,10 +1098,10 @@ GEN_VSX_HELPER_R2_AB(xscmpoqp, 0x04, 0x04, 0, PPC2_VSX) + GEN_VSX_HELPER_R2_AB(xscmpuqp, 0x04, 0x14, 0, PPC2_VSX) + GEN_VSX_HELPER_X3(xsmaxdp, 0x00, 0x14, 0, PPC2_VSX) + GEN_VSX_HELPER_X3(xsmindp, 0x00, 0x15, 0, PPC2_VSX) +-GEN_VSX_HELPER_R3(xsmaxcdp, 0x00, 0x10, 0, PPC2_ISA300) +-GEN_VSX_HELPER_R3(xsmincdp, 0x00, 0x11, 0, PPC2_ISA300) +-GEN_VSX_HELPER_R3(xsmaxjdp, 0x00, 0x12, 0, PPC2_ISA300) +-GEN_VSX_HELPER_R3(xsminjdp, 0x00, 0x12, 0, PPC2_ISA300) ++GEN_VSX_HELPER_X3(xsmaxcdp, 0x00, 0x10, 0, PPC2_ISA300) ++GEN_VSX_HELPER_X3(xsmincdp, 0x00, 0x11, 0, PPC2_ISA300) ++GEN_VSX_HELPER_X3(xsmaxjdp, 0x00, 0x12, 0, PPC2_ISA300) ++GEN_VSX_HELPER_X3(xsminjdp, 0x00, 0x12, 0, PPC2_ISA300) + GEN_VSX_HELPER_X2(xscvdphp, 0x16, 0x15, 0x11, PPC2_ISA300) + GEN_VSX_HELPER_X2(xscvdpsp, 0x12, 0x10, 0, PPC2_VSX) + GEN_VSX_HELPER_R2(xscvdpqp, 
0x04, 0x1A, 0x16, PPC2_ISA300) +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch b/meta/recipes-devtools/qemu/qemu/0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch new file mode 100644 index 0000000000..e9b99c9b4e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch 
@@ -0,0 +1,121 @@ +From 1cbb2622de34ee034f1dd7196567673c52c84805 Mon Sep 17 00:00:00 2001 +From: Victor Colombo +Date: Fri, 17 Dec 2021 17:57:18 +0100 +Subject: [PATCH 12/21] target/ppc: Move xs{max,min}[cj]dp to decodetree +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=c5df1898a147c232f0502cda5dac8df6074070fc] + +Reviewed-by: Richard Henderson +Signed-off-by: Victor Colombo +Message-Id: <20211213120958.24443-3-victor.colombo@eldorado.org.br> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + target/ppc/insn32.decode | 17 +++++++++++++--- + target/ppc/translate/vsx-impl.c.inc | 30 +++++++++++++++++++++++++---- + target/ppc/translate/vsx-ops.c.inc | 4 ---- + 3 files changed, 40 insertions(+), 11 deletions(-) + +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index e135b8aba4..759b2a9aa5 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -123,10 +123,14 @@ + &X_vrt_frbp vrt frbp + @X_vrt_frbp ...... vrt:5 ..... ....0 .......... . &X_vrt_frbp frbp=%x_frbp + ++%xx_xt 0:1 21:5 ++%xx_xb 1:1 11:5 ++%xx_xa 2:1 16:5 + &XX2 xt xb uim:uint8_t +-%xx2_xt 0:1 21:5 +-%xx2_xb 1:1 11:5 +-@XX2 ...... ..... ... uim:2 ..... ......... .. &XX2 xt=%xx2_xt xb=%xx2_xb ++@XX2 ...... ..... ... uim:2 ..... ......... .. &XX2 xt=%xx_xt xb=%xx_xb ++ ++&XX3 xt xa xb ++@XX3 ...... ..... ..... ..... ........ ... &XX3 xt=%xx_xt xa=%xx_xa xb=%xx_xb + + &Z22_bf_fra bf fra dm + @Z22_bf_fra ...... bf:3 .. fra:5 dm:6 ......... . &Z22_bf_fra +@@ -427,3 +431,10 @@ XXSPLTW 111100 ..... ---.. ..... 010100100 . . @XX2 + ## VSX Vector Load Special Value Instruction + + LXVKQ 111100 ..... 11111 ..... 0101101000 . @X_uim5 ++ ++## VSX Comparison Instructions ++ ++XSMAXCDP 111100 ..... ..... ..... 10000000 ... @XX3 ++XSMINCDP 111100 ..... ..... ..... 10001000 ... @XX3 ++XSMAXJDP 111100 ..... ..... ..... 10010000 ... 
@XX3 ++XSMINJDP 111100 ..... ..... ..... 10011000 ... @XX3 +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index 02df75339e..e2447750dd 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -1098,10 +1098,6 @@ GEN_VSX_HELPER_R2_AB(xscmpoqp, 0x04, 0x04, 0, PPC2_VSX) + GEN_VSX_HELPER_R2_AB(xscmpuqp, 0x04, 0x14, 0, PPC2_VSX) + GEN_VSX_HELPER_X3(xsmaxdp, 0x00, 0x14, 0, PPC2_VSX) + GEN_VSX_HELPER_X3(xsmindp, 0x00, 0x15, 0, PPC2_VSX) +-GEN_VSX_HELPER_X3(xsmaxcdp, 0x00, 0x10, 0, PPC2_ISA300) +-GEN_VSX_HELPER_X3(xsmincdp, 0x00, 0x11, 0, PPC2_ISA300) +-GEN_VSX_HELPER_X3(xsmaxjdp, 0x00, 0x12, 0, PPC2_ISA300) +-GEN_VSX_HELPER_X3(xsminjdp, 0x00, 0x12, 0, PPC2_ISA300) + GEN_VSX_HELPER_X2(xscvdphp, 0x16, 0x15, 0x11, PPC2_ISA300) + GEN_VSX_HELPER_X2(xscvdpsp, 0x12, 0x10, 0, PPC2_VSX) + GEN_VSX_HELPER_R2(xscvdpqp, 0x04, 0x1A, 0x16, PPC2_ISA300) +@@ -2185,6 +2181,32 @@ TRANS(XXBLENDVH, do_xxblendv, MO_16) + TRANS(XXBLENDVW, do_xxblendv, MO_32) + TRANS(XXBLENDVD, do_xxblendv, MO_64) + ++static bool do_xsmaxmincjdp(DisasContext *ctx, arg_XX3 *a, ++ void (*helper)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr)) ++{ ++ TCGv_ptr xt, xa, xb; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA300); ++ REQUIRE_VSX(ctx); ++ ++ xt = gen_vsr_ptr(a->xt); ++ xa = gen_vsr_ptr(a->xa); ++ xb = gen_vsr_ptr(a->xb); ++ ++ helper(cpu_env, xt, xa, xb); ++ ++ tcg_temp_free_ptr(xt); ++ tcg_temp_free_ptr(xa); ++ tcg_temp_free_ptr(xb); ++ ++ return true; ++} ++ ++TRANS(XSMAXCDP, do_xsmaxmincjdp, gen_helper_xsmaxcdp) ++TRANS(XSMINCDP, do_xsmaxmincjdp, gen_helper_xsmincdp) ++TRANS(XSMAXJDP, do_xsmaxmincjdp, gen_helper_xsmaxjdp) ++TRANS(XSMINJDP, do_xsmaxmincjdp, gen_helper_xsminjdp) ++ + #undef GEN_XX2FORM + #undef GEN_XX3FORM + #undef GEN_XX2IFORM +diff --git a/target/ppc/translate/vsx-ops.c.inc b/target/ppc/translate/vsx-ops.c.inc +index 152d1e5c3b..f980bc1bae 100644 +--- a/target/ppc/translate/vsx-ops.c.inc ++++ 
b/target/ppc/translate/vsx-ops.c.inc +@@ -207,10 +207,6 @@ GEN_VSX_XFORM_300(xscmpoqp, 0x04, 0x04, 0x00600001), + GEN_VSX_XFORM_300(xscmpuqp, 0x04, 0x14, 0x00600001), + GEN_XX3FORM(xsmaxdp, 0x00, 0x14, PPC2_VSX), + GEN_XX3FORM(xsmindp, 0x00, 0x15, PPC2_VSX), +-GEN_XX3FORM(xsmaxcdp, 0x00, 0x10, PPC2_ISA300), +-GEN_XX3FORM(xsmincdp, 0x00, 0x11, PPC2_ISA300), +-GEN_XX3FORM(xsmaxjdp, 0x00, 0x12, PPC2_ISA300), +-GEN_XX3FORM(xsminjdp, 0x00, 0x13, PPC2_ISA300), + GEN_XX2FORM_EO(xscvdphp, 0x16, 0x15, 0x11, PPC2_ISA300), + GEN_XX2FORM(xscvdpsp, 0x12, 0x10, PPC2_VSX), + GEN_XX2FORM(xscvdpspn, 0x16, 0x10, PPC2_VSX207), +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0013-target-ppc-fix-xscvqpdp-register-access.patch b/meta/recipes-devtools/qemu/qemu/0013-target-ppc-fix-xscvqpdp-register-access.patch new file mode 100644 index 0000000000..100dcd25bc --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0013-target-ppc-fix-xscvqpdp-register-access.patch 
@@ -0,0 +1,41 @@ +From 98ff271a4d1a1d60ae53b1f742df7c188b163375 Mon Sep 17 00:00:00 2001 +From: Matheus Ferst +Date: Fri, 17 Dec 2021 17:57:18 +0100 +Subject: [PATCH 13/21] target/ppc: fix xscvqpdp register access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This instruction has VRT and VRB fields instead of T/TX and B/BX. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=38d4914c5065e14f0969161274793ded448f067f] + +Reviewed-by: Richard Henderson +Signed-off-by: Matheus Ferst +Message-Id: <20211213120958.24443-4-victor.colombo@eldorado.org.br> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + target/ppc/translate/vsx-impl.c.inc | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index e2447750dd..ab5cb21f13 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -913,8 +913,9 @@ static void gen_xscvqpdp(DisasContext *ctx) + return; + } + opc = tcg_const_i32(ctx->opcode); +- xt = gen_vsr_ptr(xT(ctx->opcode)); +- xb = gen_vsr_ptr(xB(ctx->opcode)); ++ ++ xt = gen_vsr_ptr(rD(ctx->opcode) + 32); ++ xb = gen_vsr_ptr(rB(ctx->opcode) + 32); + gen_helper_xscvqpdp(cpu_env, opc, xt, xb); + tcg_temp_free_i32(opc); + tcg_temp_free_ptr(xt); +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0014-target-ppc-move-xscvqpdp-to-decodetree.patch b/meta/recipes-devtools/qemu/qemu/0014-target-ppc-move-xscvqpdp-to-decodetree.patch new file mode 100644 index 0000000000..345a49c90c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0014-target-ppc-move-xscvqpdp-to-decodetree.patch 
@@ -0,0 +1,130 @@ +From c76ea6322bd70c36c9b396cf356167b36928e811 Mon Sep 17 00:00:00 2001 +From: Matheus Ferst +Date: Fri, 17 Dec 2021 17:57:18 +0100 +Subject: [PATCH 14/21] target/ppc: move xscvqpdp to decodetree +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=caf6f9b568479bea6f6d97798be670f21641a006] + +Reviewed-by: Richard Henderson +Signed-off-by: Matheus Ferst +Message-Id: <20211213120958.24443-5-victor.colombo@eldorado.org.br> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + target/ppc/fpu_helper.c | 10 +++------- + target/ppc/helper.h | 2 +- + target/ppc/insn32.decode | 4 ++++ + target/ppc/translate/vsx-impl.c.inc | 24 +++++++++++++----------- + target/ppc/translate/vsx-ops.c.inc | 1 - + 5 files changed, 21 insertions(+), 20 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index ecdcd36a11..5cc7fb1dcb 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -2631,18 +2631,14 @@ VSX_CVT_FP_TO_FP_HP(xscvhpdp, 1, float16, float64, VsrH(3), VsrD(0), 1) + VSX_CVT_FP_TO_FP_HP(xvcvsphp, 4, float32, float16, VsrW(i), VsrH(2 * i + 1), 0) + VSX_CVT_FP_TO_FP_HP(xvcvhpsp, 4, float16, float32, VsrH(2 * i + 1), VsrW(i), 0) + +-/* +- * xscvqpdp isn't using VSX_CVT_FP_TO_FP() because xscvqpdpo will be +- * added to this later. 
+- */ +-void helper_xscvqpdp(CPUPPCState *env, uint32_t opcode, +- ppc_vsr_t *xt, ppc_vsr_t *xb) ++void helper_XSCVQPDP(CPUPPCState *env, uint32_t ro, ppc_vsr_t *xt, ++ ppc_vsr_t *xb) + { + ppc_vsr_t t = { }; + float_status tstat; + + tstat = env->fp_status; +- if (unlikely(Rc(opcode) != 0)) { ++ if (ro != 0) { + tstat.float_rounding_mode = float_round_to_odd; + } + +diff --git a/target/ppc/helper.h b/target/ppc/helper.h +index 12a3d5f269..ef5bdd38a7 100644 +--- a/target/ppc/helper.h ++++ b/target/ppc/helper.h +@@ -400,7 +400,7 @@ DEF_HELPER_3(xscvdphp, void, env, vsr, vsr) + DEF_HELPER_4(xscvdpqp, void, env, i32, vsr, vsr) + DEF_HELPER_3(xscvdpsp, void, env, vsr, vsr) + DEF_HELPER_2(xscvdpspn, i64, env, i64) +-DEF_HELPER_4(xscvqpdp, void, env, i32, vsr, vsr) ++DEF_HELPER_4(XSCVQPDP, void, env, i32, vsr, vsr) + DEF_HELPER_4(xscvqpsdz, void, env, i32, vsr, vsr) + DEF_HELPER_4(xscvqpswz, void, env, i32, vsr, vsr) + DEF_HELPER_4(xscvqpudz, void, env, i32, vsr, vsr) +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index 759b2a9aa5..fd6bb13fa0 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -438,3 +438,7 @@ XSMAXCDP 111100 ..... ..... ..... 10000000 ... @XX3 + XSMINCDP 111100 ..... ..... ..... 10001000 ... @XX3 + XSMAXJDP 111100 ..... ..... ..... 10010000 ... @XX3 + XSMINJDP 111100 ..... ..... ..... 10011000 ... @XX3 ++ ++## VSX Binary Floating-Point Convert Instructions ++ ++XSCVQPDP 111111 ..... 10100 ..... 1101000100 . 
@X_tb_rc +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index ab5cb21f13..c08185e857 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -904,22 +904,24 @@ VSX_CMP(xvcmpgesp, 0x0C, 0x0A, 0, PPC2_VSX) + VSX_CMP(xvcmpgtsp, 0x0C, 0x09, 0, PPC2_VSX) + VSX_CMP(xvcmpnesp, 0x0C, 0x0B, 0, PPC2_VSX) + +-static void gen_xscvqpdp(DisasContext *ctx) ++static bool trans_XSCVQPDP(DisasContext *ctx, arg_X_tb_rc *a) + { +- TCGv_i32 opc; ++ TCGv_i32 ro; + TCGv_ptr xt, xb; +- if (unlikely(!ctx->vsx_enabled)) { +- gen_exception(ctx, POWERPC_EXCP_VSXU); +- return; +- } +- opc = tcg_const_i32(ctx->opcode); + +- xt = gen_vsr_ptr(rD(ctx->opcode) + 32); +- xb = gen_vsr_ptr(rB(ctx->opcode) + 32); +- gen_helper_xscvqpdp(cpu_env, opc, xt, xb); +- tcg_temp_free_i32(opc); ++ REQUIRE_INSNS_FLAGS2(ctx, ISA300); ++ REQUIRE_VSX(ctx); ++ ++ ro = tcg_const_i32(a->rc); ++ ++ xt = gen_avr_ptr(a->rt); ++ xb = gen_avr_ptr(a->rb); ++ gen_helper_XSCVQPDP(cpu_env, ro, xt, xb); ++ tcg_temp_free_i32(ro); + tcg_temp_free_ptr(xt); + tcg_temp_free_ptr(xb); ++ ++ return true; + } + + #define GEN_VSX_HELPER_2(name, op1, op2, inval, type) \ +diff --git a/target/ppc/translate/vsx-ops.c.inc b/target/ppc/translate/vsx-ops.c.inc +index f980bc1bae..c974324c4c 100644 +--- a/target/ppc/translate/vsx-ops.c.inc ++++ b/target/ppc/translate/vsx-ops.c.inc +@@ -133,7 +133,6 @@ GEN_VSX_XFORM_300_EO(xsnabsqp, 0x04, 0x19, 0x08, 0x00000001), + GEN_VSX_XFORM_300_EO(xsnegqp, 0x04, 0x19, 0x10, 0x00000001), + GEN_VSX_XFORM_300(xscpsgnqp, 0x04, 0x03, 0x00000001), + GEN_VSX_XFORM_300_EO(xscvdpqp, 0x04, 0x1A, 0x16, 0x00000001), +-GEN_VSX_XFORM_300_EO(xscvqpdp, 0x04, 0x1A, 0x14, 0x0), + GEN_VSX_XFORM_300_EO(xscvqpsdz, 0x04, 0x1A, 0x19, 0x00000001), + GEN_VSX_XFORM_300_EO(xscvqpswz, 0x04, 0x1A, 0x09, 0x00000001), + GEN_VSX_XFORM_300_EO(xscvqpudz, 0x04, 0x1A, 0x11, 0x00000001), +-- +2.17.1 + 
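Review bot: in 0009-target-ppc-Update-fmadd-for-new-flags.patch, the new float_invalid_op_madd() is an if/else, so when float_flag_invalid_imz is set it calls only float_invalid_op_vximz() and never reaches float_invalid_op_addsub(). The removed FPU_MADDSUB_UPDATE macro tested sNaN, zero times infinity, and the infinity sign conflict in three independent if statements, so one operation could raise more than one of VXSNAN, VXIMZ and VXISI. The commit message should state whether softfloat can report float_flag_invalid_imz together with another invalid sub-flag and, if it can, that dropping the second exception is intended. The parameter is also named set_fpcc here but set_fprc in float_invalid_op_div() from patch 08; one name across both helpers would read better.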
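Review bot: in 0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch, the vsx-impl.c.inc hunk keeps 0x12 as the third argument for both xsmaxjdp and xsminjdp (`GEN_VSX_HELPER_X3(xsminjdp, 0x00, 0x12, 0, PPC2_ISA300)`), while the opcode table entry that patch 12 removes from vsx-ops.c.inc uses 0x13 for xsminjdp. Since the line is rewritten here anyway, either change it to 0x13 or say in the commit message that the value is carried over unchanged from the old GEN_VSX_HELPER_R3 line and that patch 12 deletes it.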
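Review bot: in 0014-target-ppc-move-xscvqpdp-to-decodetree.patch, trans_XSCVQPDP() obtains its registers with gen_avr_ptr(a->rt) and gen_avr_ptr(a->rb), replacing the `gen_vsr_ptr(rD(ctx->opcode) + 32)` form that patch 13 introduced as the register-access fix, and the commit message has no body, so nothing records that the two forms are meant to select the same registers. A one-line description saying so would make the backport easier to audit. The new insn32.decode pattern also relies on the @X_tb_rc format and the arg_X_tb_rc type, which none of the insn32.decode hunks shown here adds, so the series depends on the base tree already defining them; that is worth confirming against the QEMU version in the recipe.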
diff --git a/meta/recipes-devtools/qemu/qemu/0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch b/meta/recipes-devtools/qemu/qemu/0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch new file mode 100644 index 0000000000..5c5f972961 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch 
@@ -0,0 +1,70 @@ +From 7448ee811d86b18a7f7f59e20853bd852e548f59 Mon Sep 17 00:00:00 2001 +From: "Lucas Mateus Castro (alqotel)" +Date: Fri, 17 Dec 2021 17:57:13 +0100 +Subject: [PATCH 15/21] target/ppc: ppc_store_fpscr doesn't update bits 0 to 28 + and 52 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This commit fixes the difference reported in the bug in the reserved +bit 52, it does this by adding this bit to the mask of bits to not be +directly altered in the ppc_store_fpscr function (the hardware used to +compare to QEMU was a Power9). + +The bits 0 to 27 were also added to the mask, as they are marked as +reserved in the PowerISA and bit 28 is a reserved extension of the DRN +field (bits 29:31) but can't be set using mtfsfi, while the other DRN +bits may be set using mtfsfi instruction, so bit 28 was also added to +the mask. + +Although this is a difference reported in the bug, since it's a reserved +bit it may be a "don't care" case, as put in the bug report. Looking at +the ISA it doesn't explicitly mention this bit can't be set, like it +does for FEX and VX, so I'm unsure if this is necessary. 
+ +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/266 + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=25ee608d79c1890c0f4e8c495ec8629d5712de45] + +Signed-off-by: Lucas Mateus Castro (alqotel) +Message-Id: <20211201163808.440385-4-lucas.araujo@eldorado.org.br> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + target/ppc/cpu.c | 2 +- + target/ppc/cpu.h | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/target/ppc/cpu.c b/target/ppc/cpu.c +index f933d9f2bd..d7b42bae52 100644 +--- a/target/ppc/cpu.c ++++ b/target/ppc/cpu.c +@@ -112,7 +112,7 @@ static inline void fpscr_set_rounding_mode(CPUPPCState *env) + + void ppc_store_fpscr(CPUPPCState *env, target_ulong val) + { +- val &= ~(FP_VX | FP_FEX); ++ val &= FPSCR_MTFS_MASK; + if (val & FPSCR_IX) { + val |= FP_VX; + } +diff --git a/target/ppc/cpu.h b/target/ppc/cpu.h +index e946da5f3a..441d3dce19 100644 +--- a/target/ppc/cpu.h ++++ b/target/ppc/cpu.h +@@ -759,6 +759,10 @@ enum { + FP_VXZDZ | FP_VXIMZ | FP_VXVC | FP_VXSOFT | \ + FP_VXSQRT | FP_VXCVI) + ++/* FPSCR bits that can be set by mtfsf, mtfsfi and mtfsb1 */ ++#define FPSCR_MTFS_MASK (~(MAKE_64BIT_MASK(36, 28) | PPC_BIT(28) | \ ++ FP_FEX | FP_VX | PPC_BIT(52))) ++ + /*****************************************************************************/ + /* Vector status and control register */ + #define VSCR_NJ 16 /* Vector non-java */ +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch b/meta/recipes-devtools/qemu/qemu/0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch new file mode 100644 index 0000000000..3b651c0b3e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch 
@@ -0,0 +1,133 @@ +From 232f979babccd6dfac40a54ee33521e652a0577c Mon Sep 17 00:00:00 2001 +From: Luis Pires +Date: Wed, 2 Mar 2022 06:51:36 +0100 +Subject: [PATCH 16/21] target/ppc: Introduce TRANS*FLAGS macros +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +New macros that add FLAGS and FLAGS2 checking were added for +both TRANS and TRANS64. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=19f0862dd8fa6510b2f5b3aff4859363602cd0cf] + +Reviewed-by: Richard Henderson +Signed-off-by: Luis Pires +[ferst: - TRANS_FLAGS2 instead of TRANS_FLAGS_E + - Use the new macros in load/store vector insns ] +Signed-off-by: Matheus Ferst +Message-Id: <20220225210936.1749575-2-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + target/ppc/translate.c | 19 +++++++++++++++ + target/ppc/translate/vsx-impl.c.inc | 37 ++++++++++------------------- + 2 files changed, 31 insertions(+), 25 deletions(-) + +diff --git a/target/ppc/translate.c b/target/ppc/translate.c +index 9960df6e18..c12abc32f6 100644 +--- a/target/ppc/translate.c ++++ b/target/ppc/translate.c +@@ -7377,10 +7377,29 @@ static int times_16(DisasContext *ctx, int x) + #define TRANS(NAME, FUNC, ...) \ + static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \ + { return FUNC(ctx, a, __VA_ARGS__); } ++#define TRANS_FLAGS(FLAGS, NAME, FUNC, ...) \ ++ static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \ ++ { \ ++ REQUIRE_INSNS_FLAGS(ctx, FLAGS); \ ++ return FUNC(ctx, a, __VA_ARGS__); \ ++ } ++#define TRANS_FLAGS2(FLAGS2, NAME, FUNC, ...) \ ++ static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \ ++ { \ ++ REQUIRE_INSNS_FLAGS2(ctx, FLAGS2); \ ++ return FUNC(ctx, a, __VA_ARGS__); \ ++ } + + #define TRANS64(NAME, FUNC, ...) \ + static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \ + { REQUIRE_64BIT(ctx); return FUNC(ctx, a, __VA_ARGS__); } ++#define TRANS64_FLAGS2(FLAGS2, NAME, FUNC, ...) 
\ ++ static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \ ++ { \ ++ REQUIRE_64BIT(ctx); \ ++ REQUIRE_INSNS_FLAGS2(ctx, FLAGS2); \ ++ return FUNC(ctx, a, __VA_ARGS__); \ ++ } + + /* TODO: More TRANS* helpers for extra insn_flags checks. */ + +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index c08185e857..99c8a57e50 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -2070,12 +2070,6 @@ static bool do_lstxv(DisasContext *ctx, int ra, TCGv displ, + + static bool do_lstxv_D(DisasContext *ctx, arg_D *a, bool store, bool paired) + { +- if (paired) { +- REQUIRE_INSNS_FLAGS2(ctx, ISA310); +- } else { +- REQUIRE_INSNS_FLAGS2(ctx, ISA300); +- } +- + if (paired || a->rt >= 32) { + REQUIRE_VSX(ctx); + } else { +@@ -2089,7 +2083,6 @@ static bool do_lstxv_PLS_D(DisasContext *ctx, arg_PLS_D *a, + bool store, bool paired) + { + arg_D d; +- REQUIRE_INSNS_FLAGS2(ctx, ISA310); + REQUIRE_VSX(ctx); + + if (!resolve_PLS_D(ctx, &d, a)) { +@@ -2101,12 +2094,6 @@ static bool do_lstxv_PLS_D(DisasContext *ctx, arg_PLS_D *a, + + static bool do_lstxv_X(DisasContext *ctx, arg_X *a, bool store, bool paired) + { +- if (paired) { +- REQUIRE_INSNS_FLAGS2(ctx, ISA310); +- } else { +- REQUIRE_INSNS_FLAGS2(ctx, ISA300); +- } +- + if (paired || a->rt >= 32) { + REQUIRE_VSX(ctx); + } else { +@@ -2116,18 +2103,18 @@ static bool do_lstxv_X(DisasContext *ctx, arg_X *a, bool store, bool paired) + return do_lstxv(ctx, a->ra, cpu_gpr[a->rb], a->rt, store, paired); + } + +-TRANS(STXV, do_lstxv_D, true, false) +-TRANS(LXV, do_lstxv_D, false, false) +-TRANS(STXVP, do_lstxv_D, true, true) +-TRANS(LXVP, do_lstxv_D, false, true) +-TRANS(STXVX, do_lstxv_X, true, false) +-TRANS(LXVX, do_lstxv_X, false, false) +-TRANS(STXVPX, do_lstxv_X, true, true) +-TRANS(LXVPX, do_lstxv_X, false, true) +-TRANS64(PSTXV, do_lstxv_PLS_D, true, false) +-TRANS64(PLXV, do_lstxv_PLS_D, false, false) +-TRANS64(PSTXVP, do_lstxv_PLS_D, true, true) 
+-TRANS64(PLXVP, do_lstxv_PLS_D, false, true) ++TRANS_FLAGS2(ISA300, STXV, do_lstxv_D, true, false) ++TRANS_FLAGS2(ISA300, LXV, do_lstxv_D, false, false) ++TRANS_FLAGS2(ISA310, STXVP, do_lstxv_D, true, true) ++TRANS_FLAGS2(ISA310, LXVP, do_lstxv_D, false, true) ++TRANS_FLAGS2(ISA300, STXVX, do_lstxv_X, true, false) ++TRANS_FLAGS2(ISA300, LXVX, do_lstxv_X, false, false) ++TRANS_FLAGS2(ISA310, STXVPX, do_lstxv_X, true, true) ++TRANS_FLAGS2(ISA310, LXVPX, do_lstxv_X, false, true) ++TRANS64_FLAGS2(ISA310, PSTXV, do_lstxv_PLS_D, true, false) ++TRANS64_FLAGS2(ISA310, PLXV, do_lstxv_PLS_D, false, false) ++TRANS64_FLAGS2(ISA310, PSTXVP, do_lstxv_PLS_D, true, true) ++TRANS64_FLAGS2(ISA310, PLXVP, do_lstxv_PLS_D, false, true) + + static void gen_xxblendv_vec(unsigned vece, TCGv_vec t, TCGv_vec a, TCGv_vec b, + TCGv_vec c) +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0017-target-ppc-Implement-Vector-Expand-Mask.patch b/meta/recipes-devtools/qemu/qemu/0017-target-ppc-Implement-Vector-Expand-Mask.patch new file mode 100644 index 0000000000..6d6d6b86ed --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0017-target-ppc-Implement-Vector-Expand-Mask.patch 
@@ -0,0 +1,105 @@ +From 4c6a16c2bcdd14249eef876d3d029c445716fb13 Mon Sep 17 00:00:00 2001 +From: Matheus Ferst +Date: Fri, 17 Dec 2021 17:57:13 +0100 +Subject: [PATCH 17/21] target/ppc: Implement Vector Expand Mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Implement the following PowerISA v3.1 instructions: +vexpandbm: Vector Expand Byte Mask +vexpandhm: Vector Expand Halfword Mask +vexpandwm: Vector Expand Word Mask +vexpanddm: Vector Expand Doubleword Mask +vexpandqm: Vector Expand Quadword Mask + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=5f1470b091007f24035d6d33149df49a6dd61682] + +Reviewed-by: Richard Henderson +Signed-off-by: Matheus Ferst +Message-Id: <20211203194229.746275-2-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + target/ppc/insn32.decode | 11 ++++++++++ + target/ppc/translate/vmx-impl.c.inc | 34 +++++++++++++++++++++++++++++ + 2 files changed, 45 insertions(+) + +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index fd6bb13fa0..e032251c74 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -56,6 +56,9 @@ + &VX_uim4 vrt uim vrb + @VX_uim4 ...... vrt:5 . uim:4 vrb:5 ........... &VX_uim4 + ++&VX_tb vrt vrb ++@VX_tb ...... vrt:5 ..... vrb:5 ........... &VX_tb ++ + &X rt ra rb + @X ...... rt:5 ra:5 rb:5 .......... . &X + +@@ -412,6 +415,14 @@ VINSWVRX 000100 ..... ..... ..... 00110001111 @VX + VSLDBI 000100 ..... ..... ..... 00 ... 010110 @VN + VSRDBI 000100 ..... ..... ..... 01 ... 010110 @VN + ++## Vector Mask Manipulation Instructions ++ ++VEXPANDBM 000100 ..... 00000 ..... 11001000010 @VX_tb ++VEXPANDHM 000100 ..... 00001 ..... 11001000010 @VX_tb ++VEXPANDWM 000100 ..... 00010 ..... 11001000010 @VX_tb ++VEXPANDDM 000100 ..... 00011 ..... 11001000010 @VX_tb ++VEXPANDQM 000100 ..... 00100 ..... 11001000010 @VX_tb ++ + # VSX Load/Store Instructions + + LXV 111101 ..... ..... 
............ . 001 @DQ_TSX +diff --git a/target/ppc/translate/vmx-impl.c.inc b/target/ppc/translate/vmx-impl.c.inc +index 8eb8d3a067..ebb0484323 100644 +--- a/target/ppc/translate/vmx-impl.c.inc ++++ b/target/ppc/translate/vmx-impl.c.inc +@@ -1491,6 +1491,40 @@ static bool trans_VSRDBI(DisasContext *ctx, arg_VN *a) + return true; + } + ++static bool do_vexpand(DisasContext *ctx, arg_VX_tb *a, unsigned vece) ++{ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ tcg_gen_gvec_sari(vece, avr_full_offset(a->vrt), avr_full_offset(a->vrb), ++ (8 << vece) - 1, 16, 16); ++ ++ return true; ++} ++ ++TRANS(VEXPANDBM, do_vexpand, MO_8) ++TRANS(VEXPANDHM, do_vexpand, MO_16) ++TRANS(VEXPANDWM, do_vexpand, MO_32) ++TRANS(VEXPANDDM, do_vexpand, MO_64) ++ ++static bool trans_VEXPANDQM(DisasContext *ctx, arg_VX_tb *a) ++{ ++ TCGv_i64 tmp; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ tmp = tcg_temp_new_i64(); ++ ++ get_avr64(tmp, a->vrb, true); ++ tcg_gen_sari_i64(tmp, tmp, 63); ++ set_avr64(a->vrt, tmp, false); ++ set_avr64(a->vrt, tmp, true); ++ ++ tcg_temp_free_i64(tmp); ++ return true; ++} ++ + #define GEN_VAFORM_PAIRED(name0, name1, opc2) \ + static void glue(gen_, name0##_##name1)(DisasContext *ctx) \ + { \ +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0018-target-ppc-Implement-Vector-Extract-Mask.patch b/meta/recipes-devtools/qemu/qemu/0018-target-ppc-Implement-Vector-Extract-Mask.patch new file mode 100644 index 0000000000..57450c6fb7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0018-target-ppc-Implement-Vector-Extract-Mask.patch 
@@ -0,0 +1,141 @@ +From 2dc8450e80b82c481904570dce789843b031db13 Mon Sep 17 00:00:00 2001 +From: Matheus Ferst +Date: Fri, 17 Dec 2021 17:57:13 +0100 +Subject: [PATCH 18/21] target/ppc: Implement Vector Extract Mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Implement the following PowerISA v3.1 instructions: +vextractbm: Vector Extract Byte Mask +vextracthm: Vector Extract Halfword Mask +vextractwm: Vector Extract Word Mask +vextractdm: Vector Extract Doubleword Mask +vextractqm: Vector Extract Quadword Mask + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=17868d81e0074905b2c1e414af6618570e8059eb] + +Signed-off-by: Matheus Ferst +Reviewed-by: Richard Henderson +Message-Id: <20211203194229.746275-3-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + target/ppc/insn32.decode | 6 +++ + target/ppc/translate/vmx-impl.c.inc | 82 +++++++++++++++++++++++++++++ + 2 files changed, 88 insertions(+) + +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index e032251c74..b0568b1356 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -423,6 +423,12 @@ VEXPANDWM 000100 ..... 00010 ..... 11001000010 @VX_tb + VEXPANDDM 000100 ..... 00011 ..... 11001000010 @VX_tb + VEXPANDQM 000100 ..... 00100 ..... 11001000010 @VX_tb + ++VEXTRACTBM 000100 ..... 01000 ..... 11001000010 @VX_tb ++VEXTRACTHM 000100 ..... 01001 ..... 11001000010 @VX_tb ++VEXTRACTWM 000100 ..... 01010 ..... 11001000010 @VX_tb ++VEXTRACTDM 000100 ..... 01011 ..... 11001000010 @VX_tb ++VEXTRACTQM 000100 ..... 01100 ..... 11001000010 @VX_tb ++ + # VSX Load/Store Instructions + + LXV 111101 ..... ..... ............ . 
001 @DQ_TSX +diff --git a/target/ppc/translate/vmx-impl.c.inc b/target/ppc/translate/vmx-impl.c.inc +index ebb0484323..96c97bf6e7 100644 +--- a/target/ppc/translate/vmx-impl.c.inc ++++ b/target/ppc/translate/vmx-impl.c.inc +@@ -1525,6 +1525,88 @@ static bool trans_VEXPANDQM(DisasContext *ctx, arg_VX_tb *a) + return true; + } + ++static bool do_vextractm(DisasContext *ctx, arg_VX_tb *a, unsigned vece) ++{ ++ const uint64_t elem_width = 8 << vece, elem_count_half = 8 >> vece, ++ mask = dup_const(vece, 1 << (elem_width - 1)); ++ uint64_t i, j; ++ TCGv_i64 lo, hi, t0, t1; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ hi = tcg_temp_new_i64(); ++ lo = tcg_temp_new_i64(); ++ t0 = tcg_temp_new_i64(); ++ t1 = tcg_temp_new_i64(); ++ ++ get_avr64(lo, a->vrb, false); ++ get_avr64(hi, a->vrb, true); ++ ++ tcg_gen_andi_i64(lo, lo, mask); ++ tcg_gen_andi_i64(hi, hi, mask); ++ ++ /* ++ * Gather the most significant bit of each element in the highest element ++ * element. E.g. for bytes: ++ * aXXXXXXXbXXXXXXXcXXXXXXXdXXXXXXXeXXXXXXXfXXXXXXXgXXXXXXXhXXXXXXX ++ * & dup(1 << (elem_width - 1)) ++ * a0000000b0000000c0000000d0000000e0000000f0000000g0000000h0000000 ++ * << 32 - 4 ++ * 0000e0000000f0000000g0000000h00000000000000000000000000000000000 ++ * | ++ * a000e000b000f000c000g000d000h000e0000000f0000000g0000000h0000000 ++ * << 16 - 2 ++ * 00c000g000d000h000e0000000f0000000g0000000h000000000000000000000 ++ * | ++ * a0c0e0g0b0d0f0h0c0e0g000d0f0h000e0g00000f0h00000g0000000h0000000 ++ * << 8 - 1 ++ * 0b0d0f0h0c0e0g000d0f0h000e0g00000f0h00000g0000000h00000000000000 ++ * | ++ * abcdefghbcdefgh0cdefgh00defgh000efgh0000fgh00000gh000000h0000000 ++ */ ++ for (i = elem_count_half / 2, j = 32; i > 0; i >>= 1, j >>= 1) { ++ tcg_gen_shli_i64(t0, hi, j - i); ++ tcg_gen_shli_i64(t1, lo, j - i); ++ tcg_gen_or_i64(hi, hi, t0); ++ tcg_gen_or_i64(lo, lo, t1); ++ } ++ ++ tcg_gen_shri_i64(hi, hi, 64 - elem_count_half); ++ tcg_gen_extract2_i64(lo, lo, hi, 64 - elem_count_half); ++ 
tcg_gen_trunc_i64_tl(cpu_gpr[a->vrt], lo); ++ ++ tcg_temp_free_i64(hi); ++ tcg_temp_free_i64(lo); ++ tcg_temp_free_i64(t0); ++ tcg_temp_free_i64(t1); ++ ++ return true; ++} ++ ++TRANS(VEXTRACTBM, do_vextractm, MO_8) ++TRANS(VEXTRACTHM, do_vextractm, MO_16) ++TRANS(VEXTRACTWM, do_vextractm, MO_32) ++TRANS(VEXTRACTDM, do_vextractm, MO_64) ++ ++static bool trans_VEXTRACTQM(DisasContext *ctx, arg_VX_tb *a) ++{ ++ TCGv_i64 tmp; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ tmp = tcg_temp_new_i64(); ++ ++ get_avr64(tmp, a->vrb, true); ++ tcg_gen_shri_i64(tmp, tmp, 63); ++ tcg_gen_trunc_i64_tl(cpu_gpr[a->vrt], tmp); ++ ++ tcg_temp_free_i64(tmp); ++ ++ return true; ++} ++ + #define GEN_VAFORM_PAIRED(name0, name1, opc2) \ + static void glue(gen_, name0##_##name1)(DisasContext *ctx) \ + { \ +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0019-target-ppc-Implement-Vector-Mask-Move-insns.patch b/meta/recipes-devtools/qemu/qemu/0019-target-ppc-Implement-Vector-Mask-Move-insns.patch new file mode 100644 index 0000000000..96fda98771 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0019-target-ppc-Implement-Vector-Mask-Move-insns.patch 
@@ -0,0 +1,187 @@ +From 4d5202aad706fd338646d19aafbf255c3864333c Mon Sep 17 00:00:00 2001 +From: Matheus Ferst +Date: Fri, 17 Dec 2021 17:57:13 +0100 +Subject: [PATCH 19/21] target/ppc: Implement Vector Mask Move insns +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Implement the following PowerISA v3.1 instructions: +mtvsrbm: Move to VSR Byte Mask +mtvsrhm: Move to VSR Halfword Mask +mtvsrwm: Move to VSR Word Mask +mtvsrdm: Move to VSR Doubleword Mask +mtvsrqm: Move to VSR Quadword Mask +mtvsrbmi: Move to VSR Byte Mask Immediate + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=9193eaa901c54dbff4a91ea0b12a99e0135dbca1] + +Reviewed-by: Richard Henderson +Signed-off-by: Matheus Ferst +Message-Id: <20211203194229.746275-4-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + target/ppc/insn32.decode | 11 +++ + target/ppc/translate/vmx-impl.c.inc | 115 ++++++++++++++++++++++++++++ + 2 files changed, 126 insertions(+) + +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index b0568b1356..8bdc059a4c 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -40,6 +40,10 @@ + %ds_rtp 22:4 !function=times_2 + @DS_rtp ...... ....0 ra:5 .............. .. &D rt=%ds_rtp si=%ds_si + ++&DX_b vrt b ++%dx_b 6:10 16:5 0:1 ++@DX_b ...... vrt:5 ..... .......... ..... . &DX_b b=%dx_b ++ + &DX rt d + %dx_d 6:s10 16:5 0:1 + @DX ...... rt:5 ..... .......... ..... . &DX d=%dx_d +@@ -417,6 +421,13 @@ VSRDBI 000100 ..... ..... ..... 01 ... 010110 @VN + + ## Vector Mask Manipulation Instructions + ++MTVSRBM 000100 ..... 10000 ..... 11001000010 @VX_tb ++MTVSRHM 000100 ..... 10001 ..... 11001000010 @VX_tb ++MTVSRWM 000100 ..... 10010 ..... 11001000010 @VX_tb ++MTVSRDM 000100 ..... 10011 ..... 11001000010 @VX_tb ++MTVSRQM 000100 ..... 10100 ..... 11001000010 @VX_tb ++MTVSRBMI 000100 ..... ..... .......... 01010 . 
@DX_b ++ + VEXPANDBM 000100 ..... 00000 ..... 11001000010 @VX_tb + VEXPANDHM 000100 ..... 00001 ..... 11001000010 @VX_tb + VEXPANDWM 000100 ..... 00010 ..... 11001000010 @VX_tb +diff --git a/target/ppc/translate/vmx-impl.c.inc b/target/ppc/translate/vmx-impl.c.inc +index 96c97bf6e7..d5e02fd7f2 100644 +--- a/target/ppc/translate/vmx-impl.c.inc ++++ b/target/ppc/translate/vmx-impl.c.inc +@@ -1607,6 +1607,121 @@ static bool trans_VEXTRACTQM(DisasContext *ctx, arg_VX_tb *a) + return true; + } + ++static bool do_mtvsrm(DisasContext *ctx, arg_VX_tb *a, unsigned vece) ++{ ++ const uint64_t elem_width = 8 << vece, elem_count_half = 8 >> vece; ++ uint64_t c; ++ int i, j; ++ TCGv_i64 hi, lo, t0, t1; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ hi = tcg_temp_new_i64(); ++ lo = tcg_temp_new_i64(); ++ t0 = tcg_temp_new_i64(); ++ t1 = tcg_temp_new_i64(); ++ ++ tcg_gen_extu_tl_i64(t0, cpu_gpr[a->vrb]); ++ tcg_gen_extract_i64(hi, t0, elem_count_half, elem_count_half); ++ tcg_gen_extract_i64(lo, t0, 0, elem_count_half); ++ ++ /* ++ * Spread the bits into their respective elements. ++ * E.g. 
for bytes: ++ * 00000000000000000000000000000000000000000000000000000000abcdefgh ++ * << 32 - 4 ++ * 0000000000000000000000000000abcdefgh0000000000000000000000000000 ++ * | ++ * 0000000000000000000000000000abcdefgh00000000000000000000abcdefgh ++ * << 16 - 2 ++ * 00000000000000abcdefgh00000000000000000000abcdefgh00000000000000 ++ * | ++ * 00000000000000abcdefgh000000abcdefgh000000abcdefgh000000abcdefgh ++ * << 8 - 1 ++ * 0000000abcdefgh000000abcdefgh000000abcdefgh000000abcdefgh0000000 ++ * | ++ * 0000000abcdefgXbcdefgXbcdefgXbcdefgXbcdefgXbcdefgXbcdefgXbcdefgh ++ * & dup(1) ++ * 0000000a0000000b0000000c0000000d0000000e0000000f0000000g0000000h ++ * * 0xff ++ * aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffgggggggghhhhhhhh ++ */ ++ for (i = elem_count_half / 2, j = 32; i > 0; i >>= 1, j >>= 1) { ++ tcg_gen_shli_i64(t0, hi, j - i); ++ tcg_gen_shli_i64(t1, lo, j - i); ++ tcg_gen_or_i64(hi, hi, t0); ++ tcg_gen_or_i64(lo, lo, t1); ++ } ++ ++ c = dup_const(vece, 1); ++ tcg_gen_andi_i64(hi, hi, c); ++ tcg_gen_andi_i64(lo, lo, c); ++ ++ c = MAKE_64BIT_MASK(0, elem_width); ++ tcg_gen_muli_i64(hi, hi, c); ++ tcg_gen_muli_i64(lo, lo, c); ++ ++ set_avr64(a->vrt, lo, false); ++ set_avr64(a->vrt, hi, true); ++ ++ tcg_temp_free_i64(hi); ++ tcg_temp_free_i64(lo); ++ tcg_temp_free_i64(t0); ++ tcg_temp_free_i64(t1); ++ ++ return true; ++} ++ ++TRANS(MTVSRBM, do_mtvsrm, MO_8) ++TRANS(MTVSRHM, do_mtvsrm, MO_16) ++TRANS(MTVSRWM, do_mtvsrm, MO_32) ++TRANS(MTVSRDM, do_mtvsrm, MO_64) ++ ++static bool trans_MTVSRQM(DisasContext *ctx, arg_VX_tb *a) ++{ ++ TCGv_i64 tmp; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ tmp = tcg_temp_new_i64(); ++ ++ tcg_gen_ext_tl_i64(tmp, cpu_gpr[a->vrb]); ++ tcg_gen_sextract_i64(tmp, tmp, 0, 1); ++ set_avr64(a->vrt, tmp, false); ++ set_avr64(a->vrt, tmp, true); ++ ++ tcg_temp_free_i64(tmp); ++ ++ return true; ++} ++ ++static bool trans_MTVSRBMI(DisasContext *ctx, arg_DX_b *a) ++{ ++ const uint64_t mask = dup_const(MO_8, 1); ++ 
uint64_t hi, lo; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ hi = extract16(a->b, 8, 8); ++ lo = extract16(a->b, 0, 8); ++ ++ for (int i = 4, j = 32; i > 0; i >>= 1, j >>= 1) { ++ hi |= hi << (j - i); ++ lo |= lo << (j - i); ++ } ++ ++ hi = (hi & mask) * 0xFF; ++ lo = (lo & mask) * 0xFF; ++ ++ set_avr64(a->vrt, tcg_constant_i64(hi), true); ++ set_avr64(a->vrt, tcg_constant_i64(lo), false); ++ ++ return true; ++} ++ + #define GEN_VAFORM_PAIRED(name0, name1, opc2) \ + static void glue(gen_, name0##_##name1)(DisasContext *ctx) \ + { \ +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch b/meta/recipes-devtools/qemu/qemu/0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch new file mode 100644 index 0000000000..7e747298a9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch 
@@ -0,0 +1,258 @@ +From a3c7553efdec661a8f7d7dfc0c0618a35fab005c Mon Sep 17 00:00:00 2001 +From: Matheus Ferst +Date: Wed, 2 Mar 2022 06:51:38 +0100 +Subject: [PATCH 20/21] target/ppc: move xs[n]madd[am][ds]p/xs[n]msub[am][ds]p + to decodetree +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=e4318ab2e423c4caf9a88a4e99b5e234096b81a9] + +Reviewed-by: Richard Henderson +Signed-off-by: Matheus Ferst +Message-Id: <20220225210936.1749575-37-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + target/ppc/fpu_helper.c | 23 ++++++------ + target/ppc/helper.h | 16 ++++----- + target/ppc/insn32.decode | 22 ++++++++++++ + target/ppc/translate/vsx-impl.c.inc | 56 ++++++++++++++++++++++++----- + target/ppc/translate/vsx-ops.c.inc | 16 --------- + 5 files changed, 90 insertions(+), 43 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 5cc7fb1dcb..853e5f6029 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -2036,10 +2036,11 @@ VSX_TSQRT(xvtsqrtsp, 4, float32, VsrW(i), -126, 23) + * maddflgs - flags for the float*muladd routine that control the + * various forms (madd, msub, nmadd, nmsub) + * sfprf - set FPRF ++ * r2sp - round intermediate double precision result to single precision + */ + #define VSX_MADD(op, nels, tp, fld, maddflgs, sfprf, r2sp) \ + void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ +- ppc_vsr_t *xa, ppc_vsr_t *b, ppc_vsr_t *c) \ ++ ppc_vsr_t *s1, ppc_vsr_t *s2, ppc_vsr_t *s3) \ + { \ + ppc_vsr_t t = *xt; \ + int i; \ +@@ -2055,12 +2056,12 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ + * result to odd. 
\ + */ \ + set_float_rounding_mode(float_round_to_zero, &tstat); \ +- t.fld = tp##_muladd(xa->fld, b->fld, c->fld, \ ++ t.fld = tp##_muladd(s1->fld, s3->fld, s2->fld, \ + maddflgs, &tstat); \ + t.fld |= (get_float_exception_flags(&tstat) & \ + float_flag_inexact) != 0; \ + } else { \ +- t.fld = tp##_muladd(xa->fld, b->fld, c->fld, \ ++ t.fld = tp##_muladd(s1->fld, s3->fld, s2->fld, \ + maddflgs, &tstat); \ + } \ + env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ +@@ -2082,14 +2083,14 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ + do_float_check_status(env, GETPC()); \ + } + +-VSX_MADD(xsmadddp, 1, float64, VsrD(0), MADD_FLGS, 1, 0) +-VSX_MADD(xsmsubdp, 1, float64, VsrD(0), MSUB_FLGS, 1, 0) +-VSX_MADD(xsnmadddp, 1, float64, VsrD(0), NMADD_FLGS, 1, 0) +-VSX_MADD(xsnmsubdp, 1, float64, VsrD(0), NMSUB_FLGS, 1, 0) +-VSX_MADD(xsmaddsp, 1, float64, VsrD(0), MADD_FLGS, 1, 1) +-VSX_MADD(xsmsubsp, 1, float64, VsrD(0), MSUB_FLGS, 1, 1) +-VSX_MADD(xsnmaddsp, 1, float64, VsrD(0), NMADD_FLGS, 1, 1) +-VSX_MADD(xsnmsubsp, 1, float64, VsrD(0), NMSUB_FLGS, 1, 1) ++VSX_MADD(XSMADDDP, 1, float64, VsrD(0), MADD_FLGS, 1, 0) ++VSX_MADD(XSMSUBDP, 1, float64, VsrD(0), MSUB_FLGS, 1, 0) ++VSX_MADD(XSNMADDDP, 1, float64, VsrD(0), NMADD_FLGS, 1, 0) ++VSX_MADD(XSNMSUBDP, 1, float64, VsrD(0), NMSUB_FLGS, 1, 0) ++VSX_MADD(XSMADDSP, 1, float64, VsrD(0), MADD_FLGS, 1, 1) ++VSX_MADD(XSMSUBSP, 1, float64, VsrD(0), MSUB_FLGS, 1, 1) ++VSX_MADD(XSNMADDSP, 1, float64, VsrD(0), NMADD_FLGS, 1, 1) ++VSX_MADD(XSNMSUBSP, 1, float64, VsrD(0), NMSUB_FLGS, 1, 1) + + VSX_MADD(xvmadddp, 2, float64, VsrD(i), MADD_FLGS, 0, 0) + VSX_MADD(xvmsubdp, 2, float64, VsrD(i), MSUB_FLGS, 0, 0) +diff --git a/target/ppc/helper.h b/target/ppc/helper.h +index ef5bdd38a7..e147b37644 100644 +--- a/target/ppc/helper.h ++++ b/target/ppc/helper.h +@@ -376,10 +376,10 @@ DEF_HELPER_3(xssqrtdp, void, env, vsr, vsr) + DEF_HELPER_3(xsrsqrtedp, void, env, vsr, vsr) + DEF_HELPER_4(xstdivdp, void, env, i32, 
vsr, vsr) + DEF_HELPER_3(xstsqrtdp, void, env, i32, vsr) +-DEF_HELPER_5(xsmadddp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsmsubdp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsnmadddp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsnmsubdp, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMADDDP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMSUBDP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMADDDP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMSUBDP, void, env, vsr, vsr, vsr, vsr) + DEF_HELPER_4(xscmpeqdp, void, env, vsr, vsr, vsr) + DEF_HELPER_4(xscmpgtdp, void, env, vsr, vsr, vsr) + DEF_HELPER_4(xscmpgedp, void, env, vsr, vsr, vsr) +@@ -439,10 +439,10 @@ DEF_HELPER_3(xsresp, void, env, vsr, vsr) + DEF_HELPER_2(xsrsp, i64, env, i64) + DEF_HELPER_3(xssqrtsp, void, env, vsr, vsr) + DEF_HELPER_3(xsrsqrtesp, void, env, vsr, vsr) +-DEF_HELPER_5(xsmaddsp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsmsubsp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsnmaddsp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsnmsubsp, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMADDSP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMSUBSP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMADDSP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMSUBSP, void, env, vsr, vsr, vsr, vsr) + + DEF_HELPER_4(xvadddp, void, env, vsr, vsr, vsr) + DEF_HELPER_4(xvsubdp, void, env, vsr, vsr, vsr) +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index 8bdc059a4c..0ff8818084 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -451,6 +451,28 @@ STXVX 011111 ..... ..... ..... 0110001100 . @X_TSX + LXVPX 011111 ..... ..... ..... 0101001101 - @X_TSXP + STXVPX 011111 ..... ..... ..... 0111001101 - @X_TSXP + ++## VSX Scalar Multiply-Add Instructions ++ ++XSMADDADP 111100 ..... ..... ..... 00100001 . . . @XX3 ++XSMADDMDP 111100 ..... ..... ..... 00101001 . . . @XX3 ++XSMADDASP 111100 ..... ..... ..... 00000001 . . . 
@XX3 ++XSMADDMSP 111100 ..... ..... ..... 00001001 . . . @XX3 ++ ++XSMSUBADP 111100 ..... ..... ..... 00110001 . . . @XX3 ++XSMSUBMDP 111100 ..... ..... ..... 00111001 . . . @XX3 ++XSMSUBASP 111100 ..... ..... ..... 00010001 . . . @XX3 ++XSMSUBMSP 111100 ..... ..... ..... 00011001 . . . @XX3 ++ ++XSNMADDASP 111100 ..... ..... ..... 10000001 . . . @XX3 ++XSNMADDMSP 111100 ..... ..... ..... 10001001 . . . @XX3 ++XSNMADDADP 111100 ..... ..... ..... 10100001 . . . @XX3 ++XSNMADDMDP 111100 ..... ..... ..... 10101001 . . . @XX3 ++ ++XSNMSUBASP 111100 ..... ..... ..... 10010001 . . . @XX3 ++XSNMSUBMSP 111100 ..... ..... ..... 10011001 . . . @XX3 ++XSNMSUBADP 111100 ..... ..... ..... 10110001 . . . @XX3 ++XSNMSUBMDP 111100 ..... ..... ..... 10111001 . . . @XX3 ++ + ## VSX splat instruction + + XXSPLTIB 111100 ..... 00 ........ 0101101000 . @X_imm8 +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index 99c8a57e50..90d3ac665b 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -1201,6 +1201,54 @@ GEN_VSX_HELPER_2(xvtstdcdp, 0x14, 0x1E, 0, PPC2_VSX) + GEN_VSX_HELPER_X3(xxperm, 0x08, 0x03, 0, PPC2_ISA300) + GEN_VSX_HELPER_X3(xxpermr, 0x08, 0x07, 0, PPC2_ISA300) + ++static bool do_xsmadd(DisasContext *ctx, int tgt, int src1, int src2, int src3, ++ void (*gen_helper)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr)) ++{ ++ TCGv_ptr t, s1, s2, s3; ++ ++ t = gen_vsr_ptr(tgt); ++ s1 = gen_vsr_ptr(src1); ++ s2 = gen_vsr_ptr(src2); ++ s3 = gen_vsr_ptr(src3); ++ ++ gen_helper(cpu_env, t, s1, s2, s3); ++ ++ tcg_temp_free_ptr(t); ++ tcg_temp_free_ptr(s1); ++ tcg_temp_free_ptr(s2); ++ tcg_temp_free_ptr(s3); ++ ++ return true; ++} ++ ++static bool do_xsmadd_XX3(DisasContext *ctx, arg_XX3 *a, bool type_a, ++ void (*gen_helper)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr)) ++{ ++ REQUIRE_VSX(ctx); ++ ++ if (type_a) { ++ return do_xsmadd(ctx, a->xt, a->xa, a->xt, a->xb, gen_helper); ++ } ++ return 
do_xsmadd(ctx, a->xt, a->xa, a->xb, a->xt, gen_helper); ++} ++ ++TRANS_FLAGS2(VSX, XSMADDADP, do_xsmadd_XX3, true, gen_helper_XSMADDDP) ++TRANS_FLAGS2(VSX, XSMADDMDP, do_xsmadd_XX3, false, gen_helper_XSMADDDP) ++TRANS_FLAGS2(VSX, XSMSUBADP, do_xsmadd_XX3, true, gen_helper_XSMSUBDP) ++TRANS_FLAGS2(VSX, XSMSUBMDP, do_xsmadd_XX3, false, gen_helper_XSMSUBDP) ++TRANS_FLAGS2(VSX, XSNMADDADP, do_xsmadd_XX3, true, gen_helper_XSNMADDDP) ++TRANS_FLAGS2(VSX, XSNMADDMDP, do_xsmadd_XX3, false, gen_helper_XSNMADDDP) ++TRANS_FLAGS2(VSX, XSNMSUBADP, do_xsmadd_XX3, true, gen_helper_XSNMSUBDP) ++TRANS_FLAGS2(VSX, XSNMSUBMDP, do_xsmadd_XX3, false, gen_helper_XSNMSUBDP) ++TRANS_FLAGS2(VSX207, XSMADDASP, do_xsmadd_XX3, true, gen_helper_XSMADDSP) ++TRANS_FLAGS2(VSX207, XSMADDMSP, do_xsmadd_XX3, false, gen_helper_XSMADDSP) ++TRANS_FLAGS2(VSX207, XSMSUBASP, do_xsmadd_XX3, true, gen_helper_XSMSUBSP) ++TRANS_FLAGS2(VSX207, XSMSUBMSP, do_xsmadd_XX3, false, gen_helper_XSMSUBSP) ++TRANS_FLAGS2(VSX207, XSNMADDASP, do_xsmadd_XX3, true, gen_helper_XSNMADDSP) ++TRANS_FLAGS2(VSX207, XSNMADDMSP, do_xsmadd_XX3, false, gen_helper_XSNMADDSP) ++TRANS_FLAGS2(VSX207, XSNMSUBASP, do_xsmadd_XX3, true, gen_helper_XSNMSUBSP) ++TRANS_FLAGS2(VSX207, XSNMSUBMSP, do_xsmadd_XX3, false, gen_helper_XSNMSUBSP) ++ + #define GEN_VSX_HELPER_VSX_MADD(name, op1, aop, mop, inval, type) \ + static void gen_##name(DisasContext *ctx) \ + { \ +@@ -1231,14 +1279,6 @@ static void gen_##name(DisasContext *ctx) \ + tcg_temp_free_ptr(c); \ + } + +-GEN_VSX_HELPER_VSX_MADD(xsmadddp, 0x04, 0x04, 0x05, 0, PPC2_VSX) +-GEN_VSX_HELPER_VSX_MADD(xsmsubdp, 0x04, 0x06, 0x07, 0, PPC2_VSX) +-GEN_VSX_HELPER_VSX_MADD(xsnmadddp, 0x04, 0x14, 0x15, 0, PPC2_VSX) +-GEN_VSX_HELPER_VSX_MADD(xsnmsubdp, 0x04, 0x16, 0x17, 0, PPC2_VSX) +-GEN_VSX_HELPER_VSX_MADD(xsmaddsp, 0x04, 0x00, 0x01, 0, PPC2_VSX207) +-GEN_VSX_HELPER_VSX_MADD(xsmsubsp, 0x04, 0x02, 0x03, 0, PPC2_VSX207) +-GEN_VSX_HELPER_VSX_MADD(xsnmaddsp, 0x04, 0x10, 0x11, 0, PPC2_VSX207) 
+-GEN_VSX_HELPER_VSX_MADD(xsnmsubsp, 0x04, 0x12, 0x13, 0, PPC2_VSX207) + GEN_VSX_HELPER_VSX_MADD(xvmadddp, 0x04, 0x0C, 0x0D, 0, PPC2_VSX) + GEN_VSX_HELPER_VSX_MADD(xvmsubdp, 0x04, 0x0E, 0x0F, 0, PPC2_VSX) + GEN_VSX_HELPER_VSX_MADD(xvnmadddp, 0x04, 0x1C, 0x1D, 0, PPC2_VSX) +diff --git a/target/ppc/translate/vsx-ops.c.inc b/target/ppc/translate/vsx-ops.c.inc +index c974324c4c..ef0200eead 100644 +--- a/target/ppc/translate/vsx-ops.c.inc ++++ b/target/ppc/translate/vsx-ops.c.inc +@@ -186,14 +186,6 @@ GEN_XX2FORM(xssqrtdp, 0x16, 0x04, PPC2_VSX), + GEN_XX2FORM(xsrsqrtedp, 0x14, 0x04, PPC2_VSX), + GEN_XX3FORM(xstdivdp, 0x14, 0x07, PPC2_VSX), + GEN_XX2FORM(xstsqrtdp, 0x14, 0x06, PPC2_VSX), +-GEN_XX3FORM_NAME(xsmadddp, "xsmaddadp", 0x04, 0x04, PPC2_VSX), +-GEN_XX3FORM_NAME(xsmadddp, "xsmaddmdp", 0x04, 0x05, PPC2_VSX), +-GEN_XX3FORM_NAME(xsmsubdp, "xsmsubadp", 0x04, 0x06, PPC2_VSX), +-GEN_XX3FORM_NAME(xsmsubdp, "xsmsubmdp", 0x04, 0x07, PPC2_VSX), +-GEN_XX3FORM_NAME(xsnmadddp, "xsnmaddadp", 0x04, 0x14, PPC2_VSX), +-GEN_XX3FORM_NAME(xsnmadddp, "xsnmaddmdp", 0x04, 0x15, PPC2_VSX), +-GEN_XX3FORM_NAME(xsnmsubdp, "xsnmsubadp", 0x04, 0x16, PPC2_VSX), +-GEN_XX3FORM_NAME(xsnmsubdp, "xsnmsubmdp", 0x04, 0x17, PPC2_VSX), + GEN_XX3FORM(xscmpeqdp, 0x0C, 0x00, PPC2_ISA300), + GEN_XX3FORM(xscmpgtdp, 0x0C, 0x01, PPC2_ISA300), + GEN_XX3FORM(xscmpgedp, 0x0C, 0x02, PPC2_ISA300), +@@ -235,14 +227,6 @@ GEN_XX2FORM(xsresp, 0x14, 0x01, PPC2_VSX207), + GEN_XX2FORM(xsrsp, 0x12, 0x11, PPC2_VSX207), + GEN_XX2FORM(xssqrtsp, 0x16, 0x00, PPC2_VSX207), + GEN_XX2FORM(xsrsqrtesp, 0x14, 0x00, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsmaddsp, "xsmaddasp", 0x04, 0x00, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsmaddsp, "xsmaddmsp", 0x04, 0x01, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsmsubsp, "xsmsubasp", 0x04, 0x02, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsmsubsp, "xsmsubmsp", 0x04, 0x03, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsnmaddsp, "xsnmaddasp", 0x04, 0x10, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsnmaddsp, "xsnmaddmsp", 0x04, 0x11, 
PPC2_VSX207), +-GEN_XX3FORM_NAME(xsnmsubsp, "xsnmsubasp", 0x04, 0x12, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsnmsubsp, "xsnmsubmsp", 0x04, 0x13, PPC2_VSX207), + GEN_XX2FORM(xscvsxdsp, 0x10, 0x13, PPC2_VSX207), + GEN_XX2FORM(xscvuxdsp, 0x10, 0x12, PPC2_VSX207), + +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch b/meta/recipes-devtools/qemu/qemu/0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch new file mode 100644 index 0000000000..11d732ac13 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch 
@@ -0,0 +1,174 @@ +From 1c1f82fbf0a434948b041eb35c671137628d5538 Mon Sep 17 00:00:00 2001 +From: Matheus Ferst +Date: Wed, 2 Mar 2022 06:51:38 +0100 +Subject: [PATCH 21/21] target/ppc: implement xs[n]maddqp[o]/xs[n]msubqp[o] +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Implement the following PowerISA v3.0 instuctions: +xsmaddqp[o]: VSX Scalar Multiply-Add Quad-Precision [using round to Odd] +xsmsubqp[o]: VSX Scalar Multiply-Subtract Quad-Precision [using round + to Odd] +xsnmaddqp[o]: VSX Scalar Negative Multiply-Add Quad-Precision [using + round to Odd] +xsnmsubqp[o]: VSX Scalar Negative Multiply-Subtract Quad-Precision + [using round to Odd] + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=3bb1aed246d7b59ceee625a82628f7369d492a8f] + +Reviewed-by: Richard Henderson +Signed-off-by: Matheus Ferst +Message-Id: <20220225210936.1749575-38-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater +Signed-off-by: Xiangyu Chen +--- + target/ppc/fpu_helper.c | 42 +++++++++++++++++++++++++++++ + target/ppc/helper.h | 9 +++++++ + target/ppc/insn32.decode | 4 +++ + target/ppc/translate/vsx-impl.c.inc | 25 +++++++++++++++++ + 4 files changed, 80 insertions(+) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 853e5f6029..bdbbdb3b11 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -2102,6 +2102,48 @@ VSX_MADD(xvmsubsp, 4, float32, VsrW(i), MSUB_FLGS, 0, 0) + VSX_MADD(xvnmaddsp, 4, float32, VsrW(i), NMADD_FLGS, 0, 0) + VSX_MADD(xvnmsubsp, 4, float32, VsrW(i), NMSUB_FLGS, 0, 0) + ++/* ++ * VSX_MADDQ - VSX floating point quad-precision muliply/add ++ * op - instruction mnemonic ++ * maddflgs - flags for the float*muladd routine that control the ++ * various forms (madd, msub, nmadd, nmsub) ++ * ro - round to odd ++ */ ++#define VSX_MADDQ(op, maddflgs, ro) \ ++void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, ppc_vsr_t *s1, ppc_vsr_t *s2,\ ++ ppc_vsr_t 
*s3) \ ++{ \ ++ ppc_vsr_t t = *xt; \ ++ \ ++ helper_reset_fpstatus(env); \ ++ \ ++ float_status tstat = env->fp_status; \ ++ set_float_exception_flags(0, &tstat); \ ++ if (ro) { \ ++ tstat.float_rounding_mode = float_round_to_odd; \ ++ } \ ++ t.f128 = float128_muladd(s1->f128, s3->f128, s2->f128, maddflgs, &tstat); \ ++ env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ ++ \ ++ if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { \ ++ float_invalid_op_madd(env, tstat.float_exception_flags, \ ++ false, GETPC()); \ ++ } \ ++ \ ++ helper_compute_fprf_float128(env, t.f128); \ ++ *xt = t; \ ++ do_float_check_status(env, GETPC()); \ ++} ++ ++VSX_MADDQ(XSMADDQP, MADD_FLGS, 0) ++VSX_MADDQ(XSMADDQPO, MADD_FLGS, 1) ++VSX_MADDQ(XSMSUBQP, MSUB_FLGS, 0) ++VSX_MADDQ(XSMSUBQPO, MSUB_FLGS, 1) ++VSX_MADDQ(XSNMADDQP, NMADD_FLGS, 0) ++VSX_MADDQ(XSNMADDQPO, NMADD_FLGS, 1) ++VSX_MADDQ(XSNMSUBQP, NMSUB_FLGS, 0) ++VSX_MADDQ(XSNMSUBQPO, NMSUB_FLGS, 0) ++ + /* + * VSX_SCALAR_CMP_DP - VSX scalar floating point compare double precision + * op - instruction mnemonic +diff --git a/target/ppc/helper.h b/target/ppc/helper.h +index e147b37644..b5080c4955 100644 +--- a/target/ppc/helper.h ++++ b/target/ppc/helper.h +@@ -444,6 +444,15 @@ DEF_HELPER_5(XSMSUBSP, void, env, vsr, vsr, vsr, vsr) + DEF_HELPER_5(XSNMADDSP, void, env, vsr, vsr, vsr, vsr) + DEF_HELPER_5(XSNMSUBSP, void, env, vsr, vsr, vsr, vsr) + ++DEF_HELPER_5(XSMADDQP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMADDQPO, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMSUBQP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMSUBQPO, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMADDQP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMADDQPO, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMSUBQP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMSUBQPO, void, env, vsr, vsr, vsr, vsr) ++ + DEF_HELPER_4(xvadddp, void, env, vsr, vsr, vsr) + DEF_HELPER_4(xvsubdp, void, env, vsr, vsr, vsr) + 
DEF_HELPER_4(xvmuldp, void, env, vsr, vsr, vsr) +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index 0ff8818084..6bcb1e6804 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -457,21 +457,25 @@ XSMADDADP 111100 ..... ..... ..... 00100001 . . . @XX3 + XSMADDMDP 111100 ..... ..... ..... 00101001 . . . @XX3 + XSMADDASP 111100 ..... ..... ..... 00000001 . . . @XX3 + XSMADDMSP 111100 ..... ..... ..... 00001001 . . . @XX3 ++XSMADDQP 111111 ..... ..... ..... 0110000100 . @X_rc + + XSMSUBADP 111100 ..... ..... ..... 00110001 . . . @XX3 + XSMSUBMDP 111100 ..... ..... ..... 00111001 . . . @XX3 + XSMSUBASP 111100 ..... ..... ..... 00010001 . . . @XX3 + XSMSUBMSP 111100 ..... ..... ..... 00011001 . . . @XX3 ++XSMSUBQP 111111 ..... ..... ..... 0110100100 . @X_rc + + XSNMADDASP 111100 ..... ..... ..... 10000001 . . . @XX3 + XSNMADDMSP 111100 ..... ..... ..... 10001001 . . . @XX3 + XSNMADDADP 111100 ..... ..... ..... 10100001 . . . @XX3 + XSNMADDMDP 111100 ..... ..... ..... 10101001 . . . @XX3 ++XSNMADDQP 111111 ..... ..... ..... 0111000100 . @X_rc + + XSNMSUBASP 111100 ..... ..... ..... 10010001 . . . @XX3 + XSNMSUBMSP 111100 ..... ..... ..... 10011001 . . . @XX3 + XSNMSUBADP 111100 ..... ..... ..... 10110001 . . . @XX3 + XSNMSUBMDP 111100 ..... ..... ..... 10111001 . . . @XX3 ++XSNMSUBQP 111111 ..... ..... ..... 0111100100 . 
@X_rc + + ## VSX splat instruction + +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index 90d3ac665b..4253f01319 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -1249,6 +1249,31 @@ TRANS_FLAGS2(VSX207, XSNMADDMSP, do_xsmadd_XX3, false, gen_helper_XSNMADDSP) + TRANS_FLAGS2(VSX207, XSNMSUBASP, do_xsmadd_XX3, true, gen_helper_XSNMSUBSP) + TRANS_FLAGS2(VSX207, XSNMSUBMSP, do_xsmadd_XX3, false, gen_helper_XSNMSUBSP) + ++static bool do_xsmadd_X(DisasContext *ctx, arg_X_rc *a, ++ void (*gen_helper)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr), ++ void (*gen_helper_ro)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr)) ++{ ++ int vrt, vra, vrb; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA300); ++ REQUIRE_VSX(ctx); ++ ++ vrt = a->rt + 32; ++ vra = a->ra + 32; ++ vrb = a->rb + 32; ++ ++ if (a->rc) { ++ return do_xsmadd(ctx, vrt, vra, vrt, vrb, gen_helper_ro); ++ } ++ ++ return do_xsmadd(ctx, vrt, vra, vrt, vrb, gen_helper); ++} ++ ++TRANS(XSMADDQP, do_xsmadd_X, gen_helper_XSMADDQP, gen_helper_XSMADDQPO) ++TRANS(XSMSUBQP, do_xsmadd_X, gen_helper_XSMSUBQP, gen_helper_XSMSUBQPO) ++TRANS(XSNMADDQP, do_xsmadd_X, gen_helper_XSNMADDQP, gen_helper_XSNMADDQPO) ++TRANS(XSNMSUBQP, do_xsmadd_X, gen_helper_XSNMSUBQP, gen_helper_XSNMSUBQPO) ++ + #define GEN_VSX_HELPER_VSX_MADD(name, op1, aop, mop, inval, type) \ + static void gen_##name(DisasContext *ctx) \ + { \ +-- +2.17.1 + From patchwork Mon Oct 17 23:08:23 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 13945
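Review bot: VSX_MADDQ(XSNMSUBQPO, NMSUB_FLGS, 0), the last instantiation in the target/ppc/fpu_helper.c hunk, looks like it should pass 1 for ro. The other three round-to-odd variants (XSMADDQPO, XSMSUBQPO, XSNMADDQPO) pass 1, and with 0 the macro body skips tstat.float_rounding_mode = float_round_to_odd, so the helper that do_xsmadd_X selects for XSNMSUBQP when a->rc is set rounds exactly like the plain form. Please check this line against the upstream commit the backport was taken from and either change the argument to 1 or record that the backport is deliberately verbatim.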
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 07/13] python3: upgrade 3.10.4 -> 3.10.7 Date: Mon, 17 Oct 2022 13:08:23 -1000 Message-Id: <3efae85283b19fa1b30af7fed7fa89d7a50337db.1666047986.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 17 Oct 2022 23:09:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/171925 From: Tim Orling Security and bug fixes. Drop patch for gh-92036 which was merged in 3.10.5 Refresh 0017-setup.py-do-not-report-missing-dependencies-for-disa.patch Fixes: * CVE-2020-10735 https://nvd.nist.gov/vuln/detail/CVE-2020-10735 * CVE-2021-28861 https://nvd.nist.gov/vuln/detail/CVE-2021-28861 * CVE-2018-25032 https://nvd.nist.gov/vuln/detail/CVE-2018-25032 For a list of changes see: https://docs.python.org/3.10/whatsnew/changelog.html#python-3-10-7-final https://docs.python.org/3.10/whatsnew/changelog.html#python-3-10-6-final https://docs.python.org/3.10/whatsnew/changelog.html#python-3-10-6-final Signed-off-by: Tim Orling
Signed-off-by: Steve Sakoman --- ...h-92036-Fix-gc_fini_untrack-GH-92037.patch | 54 ------------------- ...report-missing-dependencies-for-disa.patch | 8 +-- .../{python3_3.10.4.bb => python3_3.10.7.bb} | 3 +- 3 files changed, 6 insertions(+), 59 deletions(-) delete mode 100644 meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch rename meta/recipes-devtools/python/{python3_3.10.4.bb => python3_3.10.7.bb} (99%) diff --git a/meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch b/meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch deleted file mode 100644 index 6a58c35cc6..0000000000 --- a/meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 178a238f25ab8aff7689d7a09d66dc1583ecd6cb Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Wed, 4 May 2022 03:23:29 -0700 -Subject: [PATCH 01/40] gh-92036: Fix gc_fini_untrack() (GH-92037) - -Fix a crash in subinterpreters related to the garbage collector. When -a subinterpreter is deleted, untrack all objects tracked by its GC. -To prevent a crash in deallocator functions expecting objects to be -tracked by the GC, leak a strong reference to these objects on -purpose, so they are never deleted and their deallocator functions -are not called. -(cherry picked from commit 14243369b5f80613628a565c224bba7fb3fcacd8) - -Co-authored-by: Victor Stinner - -Upstream-Status: Backport ---- - .../2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst | 5 +++++ - Modules/gcmodule.c | 6 ++++++ - 2 files changed, 11 insertions(+) - create mode 100644 Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst - -diff --git a/Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst b/Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst -new file mode 100644 -index 0000000000..78094c5e4f ---- /dev/null -+++ b/Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst -@@ -0,0 +1,5 @@ -+Fix a crash in subinterpreters related to the garbage collector. When a -+subinterpreter is deleted, untrack all objects tracked by its GC. To prevent a -+crash in deallocator functions expecting objects to be tracked by the GC, leak -+a strong reference to these objects on purpose, so they are never deleted and -+their deallocator functions are not called. Patch by Victor Stinner. 
-diff --git a/Modules/gcmodule.c b/Modules/gcmodule.c -index 805a159d53..43ae6fa98b 100644 ---- a/Modules/gcmodule.c -+++ b/Modules/gcmodule.c -@@ -2170,6 +2170,12 @@ gc_fini_untrack(PyGC_Head *list) - for (gc = GC_NEXT(list); gc != list; gc = GC_NEXT(list)) { - PyObject *op = FROM_GC(gc); - _PyObject_GC_UNTRACK(op); -+ // gh-92036: If a deallocator function expect the object to be tracked -+ // by the GC (ex: func_dealloc()), it can crash if called on an object -+ // which is no longer tracked by the GC. Leak one strong reference on -+ // purpose so the object is never deleted and its deallocator is not -+ // called. -+ Py_INCREF(op); - } - } - --- -2.25.1 - diff --git a/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch b/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch index 0ead57e465..8c554feb4b 100644 --- a/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch +++ b/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch @@ -12,16 +12,18 @@ Upstream-Status: Inappropriate [oe-core specific] Signed-off-by: Alexander Kanavin Signed-off-by: Martin Jansa Signed-off-by: Alejandro Hernandez Samaniego +Refresh for 3.10.7: +Signed-off-by: Tim Orling --- setup.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/setup.py b/setup.py -index 2be4738..62f0e18 100644 +index 85a2b26357..7605347bf5 100644 --- a/setup.py +++ b/setup.py -@@ -517,6 +517,14 @@ class PyBuildExt(build_ext): +@@ -517,6 +517,14 @@ def print_three_column(lst): print("%-*s %-*s %-*s" % (longest, e, longest, f, longest, g)) @@ -35,4 +37,4 @@ index 2be4738..62f0e18 100644 + if self.missing: print() - print("Python build finished successfully!") + print("The necessary bits to build these optional modules were not " 
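Review bot: The refresh of 0017-setup.py-do-not-report-missing-dependencies-for-disa.patch changes only the context around its eight added lines, and the new "Refresh for 3.10.7:" header line does not say what moved. The function shown on the @@ -517,6 +517,14 @@ line goes from class PyBuildExt(build_ext): to def print_three_column(lst):, and the trailing context goes from print("Python build finished successfully!") to print("The necessary bits to build these optional modules were not ". Please confirm the added block still sits ahead of the code that reports missing modules in 3.10.7, rather than having been carried over with fuzz, and note that in the header.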
diff --git a/meta/recipes-devtools/python/python3_3.10.4.bb b/meta/recipes-devtools/python/python3_3.10.7.bb similarity index 99% rename from meta/recipes-devtools/python/python3_3.10.4.bb rename to meta/recipes-devtools/python/python3_3.10.7.bb index 34fd2895a3..404a582135 100644 --- a/meta/recipes-devtools/python/python3_3.10.4.bb +++ b/meta/recipes-devtools/python/python3_3.10.7.bb @@ -35,7 +35,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \ file://deterministic_imports.patch \ file://0001-Avoid-shebang-overflow-on-python-config.py.patch \ - file://0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch \ " SRC_URI:append:class-native = " \ 
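Review bot: The SRC_URI context line at the top of the @@ -35,7 +35,6 @@ hunk still fetches the tarball over plain http://www.python.org/ftp/python/${PV}/, so for an upgrade taken for CVE fixes the download is protected only by the SRC_URI[sha256sum] value changed in the next hunk. Since this block is being edited anyway, switching the URL to https:// would be a cheap hardening. Dropping file://0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch here is consistent with the file deletion earlier in the patch.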
@@ -44,7 +43,7 @@ SRC_URI:append:class-native = " \ file://12-distutils-prefix-is-inside-staging-area.patch \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[sha256sum] = "80bf925f571da436b35210886cf79f6eb5fa5d6c571316b73568343451f77a19" +SRC_URI[sha256sum] = "6eed8415b7516fb2f260906db5d48dd4c06acc0cb24a7d6cc15296a604dcdc48" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P\d+(\.\d+)+).tar" From patchwork Mon Oct 17 23:08:24 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 13942
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 08/13] lttng-tools: Upgrade 2.13.4 -> 2.13.8 Date: Mon, 17 Oct 2022 13:08:24 -1000 Message-Id: <17d18936d201a61b16bbc24c9f10af6ef54620fc.1666047986.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 17 Oct 2022 23:09:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/171926 From: He Zhe Signed-off-by: He Zhe Signed-off-by: Steve Sakoman --- .../lttng/{lttng-tools_2.13.4.bb => lttng-tools_2.13.8.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-kernel/lttng/{lttng-tools_2.13.4.bb => lttng-tools_2.13.8.bb} (98%) diff --git a/meta/recipes-kernel/lttng/lttng-tools_2.13.4.bb b/meta/recipes-kernel/lttng/lttng-tools_2.13.8.bb similarity index 98% rename from meta/recipes-kernel/lttng/lttng-tools_2.13.4.bb rename to meta/recipes-kernel/lttng/lttng-tools_2.13.8.bb index 0ea4da05ce..0b6dfa48a4 100644 --- a/meta/recipes-kernel/lttng/lttng-tools_2.13.4.bb +++ b/meta/recipes-kernel/lttng/lttng-tools_2.13.8.bb 
@@ -39,7 +39,7 @@ SRC_URI = "https://lttng.org/files/lttng-tools/lttng-tools-${PV}.tar.bz2 \ file://disable-tests.patch \ " -SRC_URI[sha256sum] = "565f3102410a53d484f4c8ff517978f1dc59f67f9d16f872f4357f3ca12200f6" +SRC_URI[sha256sum] = "b1e959579b260790930b20f3c7aa7cefb8a40e0de80d4a777c2bf78c6b353dc1" inherit autotools ptest pkgconfig useradd python3-dir manpages systemd From patchwork Mon Oct 17 23:08:25 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 13943
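Review bot: The SRC_URI[sha256sum] replacement at @@ -39,7 +39,7 @@ in lttng-tools_2.13.8.bb is the only content change for a jump across four point releases, 2.13.4 to 2.13.8, and the commit message has no body. For a kirkstone upgrade, add a short summary of what the intermediate releases fix, and confirm that file://disable-tests.patch, kept as context in this hunk, still applies to 2.13.8 without fuzz.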
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 09/13] uninative: Upgrade to 3.7 to work with glibc 2.36 Date: Mon, 17 Oct 2022 13:08:25 -1000 Message-Id: X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 17 Oct 2022 23:09:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/171927
From: Michael Halstead Update uninative to work with the new glibc 2.36 version Signed-off-by: Michael Halstead Signed-off-by: Richard Purdie (cherry picked from commit 410226b053e14e32add1f9b4b811f84a1c445a7c) Signed-off-by: Steve Sakoman --- meta/conf/distro/include/yocto-uninative.inc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc index 411fe45a24..7012db441b 100644 --- a/meta/conf/distro/include/yocto-uninative.inc +++ b/meta/conf/distro/include/yocto-uninative.inc 
@@ -6,10 +6,10 @@ # to the distro running on the build machine. # -UNINATIVE_MAXGLIBCVERSION = "2.35" -UNINATIVE_VERSION = "3.6" +UNINATIVE_MAXGLIBCVERSION = "2.36" +UNINATIVE_VERSION = "3.7" UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/" -UNINATIVE_CHECKSUM[aarch64] ?= "d64831cf2792c8e470c2e42230660e1a8e5de56a579cdd59978791f663c2f3ed" -UNINATIVE_CHECKSUM[i686] ?= "2f0ee9b66b1bb2c85e2b592fb3c9c7f5d77399fa638d74961330cdb8de34ca3b" -UNINATIVE_CHECKSUM[x86_64] ?= "9bfc4c970495b3716b2f9e52c4df9f968c02463a9a95000f6657fbc3fde1f098" +UNINATIVE_CHECKSUM[aarch64] ?= "6a29bcae4b5b716d2d520e18800b33943b65f8a835eac1ff8793fc5ee65b4be6" +UNINATIVE_CHECKSUM[i686] ?= "3f6d52e64996570c716108d49f8108baccf499a283bbefae438c7266b7a93305" +UNINATIVE_CHECKSUM[x86_64] ?= "b110bf2e10fe420f5ca2f3ec55f048ee5f0a54c7e34856a3594e51eb2aea0570" From patchwork Mon Oct 17 23:08:26 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 13949
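Review bot: UNINATIVE_URL, left unchanged as context in the yocto-uninative.inc hunk, still points at http://downloads.yoctoproject.org/, so the three UNINATIVE_CHECKSUM values replaced here are the only integrity check on the uninative download. Please confirm each value against the cherry-picked commit 410226b053e14e32add1f9b4b811f84a1c445a7c named in the message, and consider an https:// URL as a follow-up.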
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 10/13] image_types_wic.bbclass: fix cross binutils dependency Date: Mon, 17 Oct 2022 13:08:26 -1000 Message-Id: X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 17 Oct 2022 23:09:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/171928 From: Chen Qi Enable multilib and wic at the same time and we'll meet the following error. ERROR: Nothing PROVIDES 'virtual/i686-wrsmllib32-linux-binutils' Adjust the dependency to take multilib into consideration. Signed-off-by: Chen Qi Signed-off-by: Luca Ceresoli (cherry picked from commit 958ee0eede859bdba659e3343856b1c226207854) Signed-off-by: Steve Sakoman --- meta/classes/image_types_wic.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/classes/image_types_wic.bbclass b/meta/classes/image_types_wic.bbclass index 5374d6125e..6453dd1b74 100644 --- a/meta/classes/image_types_wic.bbclass +++ b/meta/classes/image_types_wic.bbclass 
@@ -85,7 +85,7 @@ do_image_wic[deptask] += "do_image_complete" WKS_FILE_DEPENDS_DEFAULT = '${@bb.utils.contains_any("BUILD_ARCH", [ 'x86_64', 'i686' ], "syslinux-native", "",d)}' WKS_FILE_DEPENDS_DEFAULT += "bmap-tools-native cdrtools-native btrfs-tools-native squashfs-tools-native e2fsprogs-native" # Unified kernel images need objcopy -WKS_FILE_DEPENDS_DEFAULT += "virtual/${TARGET_PREFIX}binutils" +WKS_FILE_DEPENDS_DEFAULT += "virtual/${MLPREFIX}${TARGET_PREFIX}binutils" WKS_FILE_DEPENDS_BOOTLOADERS = "" WKS_FILE_DEPENDS_BOOTLOADERS:x86 = "syslinux grub-efi systemd-boot os-release" WKS_FILE_DEPENDS_BOOTLOADERS:x86-64 = "syslinux grub-efi systemd-boot os-release" From patchwork Mon Oct 17 23:08:27 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 13947
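Review bot: The comment above the changed line in image_types_wic.bbclass, "# Unified kernel images need objcopy", explains why binutils is a dependency but not why MLPREFIX is now part of the provider name. One more comment line saying that multilib builds need the prefix, the case behind the "Nothing PROVIDES 'virtual/i686-wrsmllib32-linux-binutils'" error quoted in the commit message, would keep a later cleanup from dropping ${MLPREFIX} again.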
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 11/13] linux-yocto-dev: add qemuarm64 Date: Mon, 17 Oct 2022 13:08:27 -1000 Message-Id: <793c2639431ca0d29fcf12d08bba1288de9ca7db.1666047986.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 17 Oct 2022 23:09:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/171929 From: Xiangyu Chen Mark the qemuarm64 as compatible Signed-off-by: Xiangyu Chen Signed-off-by: Steve Sakoman --- meta/recipes-kernel/linux/linux-yocto-dev.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-dev.bb b/meta/recipes-kernel/linux/linux-yocto-dev.bb index 75b1cb2a49..403993486b 100644 --- a/meta/recipes-kernel/linux/linux-yocto-dev.bb +++ b/meta/recipes-kernel/linux/linux-yocto-dev.bb 
@@ -50,7 +50,7 @@ PACKAGECONFIG[dt-validation] = ",,python3-dtschema-native" # we need the wrappers if validation isn't in the packageconfig DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'dt-validation', '', 'python3-dtschema-wrapper-native', d)}" -COMPATIBLE_MACHINE = "^(qemuarm|qemux86|qemuppc|qemumips|qemumips64|qemux86-64|qemuriscv32|qemuriscv64)$" +COMPATIBLE_MACHINE = "^(qemuarm|qemuarm64|qemux86|qemuppc|qemumips|qemumips64|qemux86-64|qemuriscv32|qemuriscv64)$" KERNEL_DEVICETREE:qemuarmv5 = "versatile-pb.dtb" From patchwork Mon Oct 17 23:08:28 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 13948
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 12/13] own-mirrors: add crate Date: Mon, 17 Oct 2022 13:08:28 -1000 Message-Id: X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 17 Oct 2022 23:09:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/171930 From: Adrian Freihofer Support downloading crate files from a mirror at SOURCE_MIRROR_URL. Signed-off-by: Adrian Freihofer Signed-off-by: Steve Sakoman --- meta/classes/own-mirrors.bbclass | 1 + meta/classes/sanity.bbclass | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/classes/own-mirrors.bbclass b/meta/classes/own-mirrors.bbclass index ef972740ce..30c7ccd8e7 100644 --- a/meta/classes/own-mirrors.bbclass +++ b/meta/classes/own-mirrors.bbclass @@ -11,4 +11,5 @@ https?://.*/.* ${SOURCE_MIRROR_URL} \ ftp://.*/.* ${SOURCE_MIRROR_URL} \ npm://.*/?.* ${SOURCE_MIRROR_URL} \ s3://.*/.* ${SOURCE_MIRROR_URL} \ +crate://.*/.* ${SOURCE_MIRROR_URL} \ " diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass index a79e36b594..5c97effb96 100644 --- a/meta/classes/sanity.bbclass +++ b/meta/classes/sanity.bbclass 
@@ -859,7 +859,7 @@ def check_sanity_everybuild(status, d): mirror_vars = ['MIRRORS', 'PREMIRRORS', 'SSTATE_MIRRORS'] protocols = ['http', 'ftp', 'file', 'https', \ 'git', 'gitsm', 'hg', 'osc', 'p4', 'svn', \ - 'bzr', 'cvs', 'npm', 'sftp', 'ssh', 's3', 'az', 'ftps'] + 'bzr', 'cvs', 'npm', 'sftp', 'ssh', 's3', 'az', 'ftps', 'crate'] for mirror_var in mirror_vars: mirrors = (d.getVar(mirror_var) or '').replace('\\n', ' ').split() From patchwork Mon Oct 17 23:08:29 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 13950 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 57915C43217 for ; Mon, 17 Oct 2022 23:09:16 +0000 (UTC) Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) by mx.groups.io with SMTP id smtpd.web12.660.1666048152213734220 for ; Mon, 17 Oct 2022 16:09:12 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=m4AndS+p; spf=softfail (domain: sakoman.com, ip: 209.85.210.178, mailfrom: steve@sakoman.com) Received: by mail-pf1-f178.google.com with SMTP id f140so12468229pfa.1 for ; Mon, 17 Oct 2022 16:09:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=O8UjWGrxrxOCuFq6Pumfg8zqaz8j1haSIWBONS2fQw4=; b=m4AndS+pFNZD0NCvNryD8UfWjywnPSU8bFhlTmpy1rkhMYiXVUQzMH026EZS4DmEgC DbqzZy+xCUJYUu6pzxSnJyqx/+Z79NbeMUPV5Wgyvysl76ZyZ7+s163ujptNn5eWAD+u Bhl/awJhdd54krDMvT5jC6uV+dJAkmw3f9MpVt34v3OIbuvsjT1ei7w9/wjn7IVQZbJs 
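Review bot: In the own-mirrors.bbclass hunk, the new `crate://.*/.* ${SOURCE_MIRROR_URL}` entry makes the mirror a source of Rust dependencies, but the commit message does not say under what file name the mirror has to serve a crate, or whether a crate fetched this way is checksum-verified against the recipe. Please document the expected mirror layout and name the integrity check the build relies on, so that a mirror operator can populate it correctly and a reviewer can tell what a tampered mirror file would trip.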
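Review bot: In the sanity.bbclass hunk, `protocols` in check_sanity_everybuild is a hand-maintained copy of the accepted URL schemes, so the 'crate' addition here and the new own-mirrors entry have to travel together; the commit message should state that dependency so neither hunk is backported alone. As a style point, the `\` continuations visible inside the list brackets are not needed in Python and could be dropped when this line is next touched.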
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 13/13] lttng-modules: Fix crash on powerpc64 Date: Mon, 17 Oct 2022 13:08:29 -1000 Message-Id: <4781fee6aea9512b7cb390b76e6f9f0a86a5bd11.1666047986.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 17 Oct 2022 23:09:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/171931 From: He Zhe Backport a patch to fix the following on powerpc64 ABIv2. root@qemuppc64:~# lttng create trace_session --live -U net://127.0.0.1 Spawning a session daemon lttng_kretprobes: loading out-of-tree module taints kernel. BUG: Unable to handle kernel data access on read at 0xfffffffffffffff8 Faulting instruction address: 0xc0000000001f6fd0 Oops: Kernel access of bad area, sig: 11 [#1] Signed-off-by: He Zhe Signed-off-by: Steve Sakoman --- ...4-fix-kernel-crash-caused-by-do_get_.patch | 94 +++++++++++++++++++ .../lttng/lttng-modules_2.13.4.bb | 1 + 2 files changed, 95 insertions(+) create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-wrapper-powerpc64-fix-kernel-crash-caused-by-do_get_.patch diff --git a/meta/recipes-kernel/lttng/lttng-modules/0001-wrapper-powerpc64-fix-kernel-crash-caused-by-do_get_.patch b/meta/recipes-kernel/lttng/lttng-modules/0001-wrapper-powerpc64-fix-kernel-crash-caused-by-do_get_.patch new file mode 100644 index 0000000000..b3b191c7ac --- /dev/null +++ b/meta/recipes-kernel/lttng/lttng-modules/0001-wrapper-powerpc64-fix-kernel-crash-caused-by-do_get_.patch 
@@ -0,0 +1,94 @@ +From 480cce4315ce5bf59a509e8a53a52545f393de68 Mon Sep 17 00:00:00 2001 +From: He Zhe +Date: Tue, 27 Sep 2022 15:59:42 +0800 +Subject: [PATCH] wrapper: powerpc64: fix kernel crash caused by + do_get_kallsyms + +Kernel crashes on powerpc64 ABIv2 as follow when lttng_tracer initializes, +since do_get_kallsyms in lttng_wrapper fails to return a proper address of +kallsyms_lookup_name. + +root@qemuppc64:~# lttng create trace_session --live -U net://127.0.0.1 +Spawning a session daemon +lttng_kretprobes: loading out-of-tree module taints kernel. +BUG: Unable to handle kernel data access on read at 0xfffffffffffffff8 +Faulting instruction address: 0xc0000000001f6fd0 +Oops: Kernel access of bad area, sig: 11 [#1] + +NIP [c0000000001f6fd0] module_kallsyms_lookup_name+0xf0/0x180 +LR [c0000000001f6f28] module_kallsyms_lookup_name+0x48/0x180 +Call Trace: +module_kallsyms_lookup_name+0x34/0x180 (unreliable) +kallsyms_lookup_name+0x258/0x2b0 +wrapper_kallsyms_lookup_name+0x4c/0xd0 [lttng_wrapper] +wrapper_get_pfnblock_flags_mask_init+0x28/0x60 [lttng_wrapper] +lttng_events_init+0x40/0x344 [lttng_tracer] +do_one_initcall+0x78/0x340 +do_init_module+0x6c/0x2f0 +__do_sys_finit_module+0xd0/0x120 +system_call_exception+0x194/0x2f0 +system_call_vectored_common+0xe8/0x278 + + +do_get_kallsyms makes use of kprobe_register and in turn kprobe_lookup_name +to get the address of the kernel function kallsyms_lookup_name. In case of +PPC64_ELF_ABI_v2, when kprobes are placed at function entry, +kprobe_lookup_name adjusts the global entry point of the function returned +by kallsyms_lookup_name to the local entry point(at some fixed offset of +global one). This adjustment is all for kprobes to be able to work properly. +Global and local entry point are defined in powerpc64 ABIv2. + +When the local entry point is given, some instructions at the beginning of +the function are skipped and thus causes the above kernel crash. 
We just +want to make a simple function call which needs global entry point. + +This patch adds 4 bytes which is the length of one instruction to +kallsyms_lookup_name so that it will not trigger the global to local +adjustment, and then substracts 4 bytes from the returned address. See the +following kernel change for more details. + +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=290e3070762ac80e5fc4087d8c4de7e3f1d90aca + +Upstream-Status: Backport + +Signed-off-by: He Zhe +Signed-off-by: Mathieu Desnoyers +Change-Id: I34e68e886b97e3976d0b5e25be295a8bb866c1a4 +--- + src/wrapper/kallsyms.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/src/wrapper/kallsyms.c b/src/wrapper/kallsyms.c +index d2848764..93017adc 100644 +--- a/src/wrapper/kallsyms.c ++++ b/src/wrapper/kallsyms.c +@@ -39,10 +39,26 @@ unsigned long do_get_kallsyms(void) + memset(&probe, 0, sizeof(probe)); + probe.pre_handler = dummy_kprobe_handler; + probe.symbol_name = "kallsyms_lookup_name"; ++#ifdef PPC64_ELF_ABI_v2 ++ /* ++ * With powerpc64 ABIv2, we need the global entry point of ++ * kallsyms_lookup_name to call it later, while kprobe_register would ++ * automatically adjust the global entry point to the local entry point, ++ * when a kprobe was registered at a function entry. So we add 4 bytes ++ * which is the length of one instruction to kallsyms_lookup_name to ++ * avoid the adjustment. ++ */ ++ probe.offset = 4; ++#endif + ret = register_kprobe(&probe); + if (ret) + return 0; ++#ifdef PPC64_ELF_ABI_v2 ++ /* Substract 4 bytes to get what we originally want */ ++ addr = (unsigned long)(((char *)probe.addr) - 4); ++#else + addr = (unsigned long)probe.addr; ++#endif + #ifdef CONFIG_ARM + #ifdef CONFIG_THUMB2_KERNEL + if (addr) +-- +2.17.1 + diff --git a/meta/recipes-kernel/lttng/lttng-modules_2.13.4.bb b/meta/recipes-kernel/lttng/lttng-modules_2.13.4.bb index 80b9ceec3f..ad4063bed3 100644 
--- a/meta/recipes-kernel/lttng/lttng-modules_2.13.4.bb +++ b/meta/recipes-kernel/lttng/lttng-modules_2.13.4.bb @@ -17,6 +17,7 @@ SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0001-fix-net-skb-introduce-kfree_skb_reason-v5.15.58.v5.1.patch \ file://0001-fix-compaction.patch \ file://0001-fix-adjust-range-v5.10.137-in-block-probe.patch \ + file://0001-wrapper-powerpc64-fix-kernel-crash-caused-by-do_get_.patch \ " # Use :append here so that the patch is applied also when using devupstream
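Review bot: In the added 0001-wrapper-powerpc64-fix-kernel-crash-caused-by-do_get_.patch, the `Upstream-Status: Backport` line carries no reference to the lttng-modules commit or release it was taken from; the only URL in the header is the kernel commit that motivates the fix, so please add the upstream commit or version after Backport. In the src/wrapper/kallsyms.c hunk the whole fix hangs on `#ifdef PPC64_ELF_ABI_v2`: if that macro is not defined in this translation unit, the code silently falls through to the unadjusted `addr = (unsigned long)probe.addr;` path and the crash comes back without any build error, so confirm that the header defining it is included for every kernel version this recipe builds against. The instruction length is also written twice as a bare 4 (`probe.offset = 4;` and the `- 4`); one named constant would keep the two in step, and "Substract" in the comment should read "Subtract".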
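Review bot: In the lttng-modules_2.13.4.bb hunk, the new file:// entry goes into the base SRC_URI, while the context comment directly after it says `:append` is used so that a patch is also applied when using devupstream. Please state whether the devupstream sources already contain this fix; if they do not, the powerpc64 crash described in the commit message remains for that variant.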