authorKai Kang <kai.kang@windriver.com>2019-03-15 04:01:19 -0400
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-03-19 15:28:52 +0000
commit2f7749c12f7394be81433577220688034eaafab8 (patch)
tree20316204ba0cf08cb1edaa17c908b07ecccd5c9b /meta/recipes-devtools
parenta9b2f3561ee0fbe9db08ebbba63e69699cdd049a (diff)
qemu: backport patches to fix cves
CVE: CVE-2018-16872 CVE: CVE-2018-20124 CVE: CVE-2018-20125 CVE: CVE-2018-20126 CVE: CVE-2018-20191 CVE: CVE-2018-20216 Patches 0015-fix-CVE-2018-20124.patch and 0017-fix-CVE-2018-20126.patch are rebased on current source code. Others are not modified. (From OE-Core rev: 489ece1aa90d8f76b4c1f009d837f82e38e11ba9) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc6
-rw-r--r--meta/recipes-devtools/qemu/qemu/0014-fix-CVE-2018-16872.patch85
-rw-r--r--meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch60
-rw-r--r--meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch54
-rw-r--r--meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch113
-rw-r--r--meta/recipes-devtools/qemu/qemu/0018-fix-CVE-2018-20191.patch47
-rw-r--r--meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch85
7 files changed, 450 insertions, 0 deletions
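--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -23,6 +23,12 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
  file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \
  file://0001-Add-a-missing-X11-include.patch \
  file://0001-egl-headless-add-egl_create_context.patch \
+ file://0014-fix-CVE-2018-16872.patch \
+ file://0015-fix-CVE-2018-20124.patch \
+ file://0016-fix-CVE-2018-20125.patch \
+ file://0017-fix-CVE-2018-20126.patch \
+ file://0018-fix-CVE-2018-20191.patch \
+ file://0019-fix-CVE-2018-20216.patch \
  "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 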
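--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0014-fix-CVE-2018-16872.patch
@@ -0,0 +1,85 @@
+CVE: CVE-2018-16872
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=bab9df35]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From bab9df35ce73d1c8e19a37e2737717ea1c984dc1 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 13 Dec 2018 13:25:11 +0100
+Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
+
+Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
+While being at it also add O_CLOEXEC.
+
+usb-mtp only handles regular files and directories and ignores
+everything else, so users should not see a difference.
+
+Because qemu ignores symlinks, carrying out a successful symlink attack
+requires swapping an existing file or directory below rootdir for a
+symlink and winning the race against the inotify notification to qemu.
+
+Fixes: CVE-2018-16872
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: Bandan Das <bsd@redhat.com>
+Reported-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Michael Hanselmann <public@hansmi.ch>
+Message-id: 20181213122511.13853-1-kraxel@redhat.com
+---
+ hw/usb/dev-mtp.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
+index 100b7171f4..36c43b8c20 100644
+--- a/hw/usb/dev-mtp.c
++++ b/hw/usb/dev-mtp.c
+@@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
+ {
+ struct dirent *entry;
+ DIR *dir;
++ int fd;
+
+ if (o->have_children) {
+ return;
+ }
+ o->have_children = true;
+
+- dir = opendir(o->path);
++ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
++ if (fd < 0) {
++ return;
++ }
++ dir = fdopendir(fd);
+ if (!dir) {
+ return;
+ }
+@@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
+
+ trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
+
+- d->fd = open(o->path, O_RDONLY);
++ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
+ if (d->fd == -1) {
+ usb_mtp_data_free(d);
+ return NULL;
+@@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
+ c->argv[1], c->argv[2]);
+
+ d = usb_mtp_data_alloc(c);
+- d->fd = open(o->path, O_RDONLY);
++ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
+ if (d->fd == -1) {
+ usb_mtp_data_free(d);
+ return NULL;
+@@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s)
+ 0, 0, 0, 0);
+ goto done;
+ }
+- d->fd = open(path, O_CREAT | O_WRONLY, mask);
++ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
+ if (d->fd == -1) {
+ usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
+ 0, 0, 0, 0);
+--
+2.20.1
+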
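Review bot: In usb_mtp_object_readdir the descriptor returned by the new `open()` is leaked when `fdopendir(fd)` fails, because the following `if (!dir) { return; }` exits without closing it; that branch should become `if (!dir) { close(fd); return; }`. On success the directory stream owns the descriptor, so no extra close is needed there. O_NOFOLLOW only refuses a symlink in the final path component, so symlinks in intermediate directories below rootdir are still followed by all four `open()` calls; a short comment at the calls would keep that limit visible. The function bodies continue outside the hunks.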
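--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch
@@ -0,0 +1,60 @@
+CVE: CVE-2018-20124
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=0e68373]
+
+Backport patch to fix CVE-2018-20124. Update context and stay with current
+function comp_handler() which has been replaced with complete_work() in latest
+git repo.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 0e68373cc2b3a063ce067bc0cc3edaf370752890 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 13 Dec 2018 01:00:34 +0530
+Subject: [PATCH] rdma: check num_sge does not exceed MAX_SGE
+
+rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set
+to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element
+with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue.
+Add check to avoid it.
+
+Reported-by: Saar Amar <saaramar5@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+---
+ hw/rdma/rdma_backend.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
+index d7a4bbd9..7f8028f8 100644
+--- a/hw/rdma/rdma_backend.c
++++ b/hw/rdma/rdma_backend.c
+@@ -311,9 +311,9 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev,
+ }
+
+ pr_dbg("num_sge=%d\n", num_sge);
+- if (!num_sge) {
+- pr_dbg("num_sge=0\n");
+- comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
++ if (!num_sge || num_sge > MAX_SGE) {
++ pr_dbg("invalid num_sge=%d\n", num_sge);
++ comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_INV_NUM_SGE, ctx);
+ return;
+ }
+
+@@ -390,9 +390,9 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev,
+ }
+
+ pr_dbg("num_sge=%d\n", num_sge);
+- if (!num_sge) {
+- pr_dbg("num_sge=0\n");
+- comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
++ if (!num_sge || num_sge > MAX_SGE) {
++ pr_dbg("invalid num_sge=%d\n", num_sge);
++ comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_INV_NUM_SGE, ctx);
+ return;
+ }
+
+--
+2.20.1
+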
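Review bot: The new guard `!num_sge || num_sge > MAX_SGE` in rdma_backend_post_send, and the identical one in rdma_backend_post_recv, rejects a negative count only if num_sge is unsigned; the declaration is outside the hunks and the value is logged with `%d`, so the parameter type should be confirmed. The same question applies to nchunks, spages and rpages in 0016-fix-CVE-2018-20125.patch, which are also printed with `%d`. Because this patch was rebased, also confirm that VENDOR_ERR_INV_NUM_SGE is defined in the target tree: the removed lines used VENDOR_ERR_NO_SGE and the patch touches only rdma_backend.c.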
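--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch
@@ -0,0 +1,54 @@
+CVE: CVE-2018-20125
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2c858ce]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 2c858ce5da8ae6689c75182b73bc455a291cad41 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 13 Dec 2018 01:00:36 +0530
+Subject: [PATCH] pvrdma: check number of pages when creating rings
+
+When creating CQ/QP rings, an object can have up to
+PVRDMA_MAX_FAST_REG_PAGES 8 pages. Check 'npages' parameter
+to avoid excessive memory allocation or a null dereference.
+
+Reported-by: Li Qiang <liq3ea@163.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+---
+ hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index 3b94545761..f236ac4795 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -259,6 +259,11 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring,
+ int rc = -EINVAL;
+ char ring_name[MAX_RING_NAME_SZ];
+
++ if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) {
++ pr_dbg("invalid nchunks: %d\n", nchunks);
++ return rc;
++ }
++
+ pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
+ dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
+ if (!dir) {
+@@ -372,6 +377,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma,
+ char ring_name[MAX_RING_NAME_SZ];
+ uint32_t wqe_sz;
+
++ if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES
++ || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) {
++ pr_dbg("invalid pages: %d, %d\n", spages, rpages);
++ return rc;
++ }
++
+ pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
+ dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
+ if (!dir) {
+--
+2.20.1
+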
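Review bot: The bounds checks added at the top of create_cq_ring and create_qp_rings carry no comment saying why they must run before `rdma_pci_dma_map` and whatever allocation follows. The page counts are presumably supplied by the guest (the callers are outside the hunks), so I would add `/* page count comes from the device command; reject it before mapping or allocating */` above each check. Both function bodies continue outside the hunks.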
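--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch
@@ -0,0 +1,113 @@
+CVE: CVE-2018-20126
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=509f57c]
+
+Backport and rebase patch to fix CVE-2018-20126.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 509f57c98e7536905bb4902363d0cba66ce7e089 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 13 Dec 2018 01:00:37 +0530
+Subject: [PATCH] pvrdma: release ring object in case of an error
+
+create_cq and create_qp routines allocate ring object, but it's
+not released in case of an error, leading to memory leakage.
+
+Reported-by: Li Qiang <liq3ea@163.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+---
+ hw/rdma/vmw/pvrdma_cmd.c | 41 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 30 insertions(+), 11 deletions(-)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index 4faeb21..9b6796f 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -310,6 +310,14 @@ out:
+ return rc;
+ }
+
++static void destroy_cq_ring(PvrdmaRing *ring)
++{
++ pvrdma_ring_free(ring);
++ /* ring_state was in slot 1, not 0 so need to jump back */
++ rdma_pci_dma_unmap(ring->dev, --ring->ring_state, TARGET_PAGE_SIZE);
++ g_free(ring);
++}
++
+ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
+ union pvrdma_cmd_resp *rsp)
+ {
+@@ -333,6 +341,10 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
+
+ resp->hdr.err = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev,
+ cmd->cqe, &resp->cq_handle, ring);
++ if (resp->hdr.err) {
++ destroy_cq_ring(ring);
++ }
++
+ resp->cqe = cmd->cqe;
+
+ out:
+@@ -356,10 +368,7 @@ static int destroy_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
+ }
+
+ ring = (PvrdmaRing *)cq->opaque;
+- pvrdma_ring_free(ring);
+- /* ring_state was in slot 1, not 0 so need to jump back */
+- rdma_pci_dma_unmap(PCI_DEVICE(dev), --ring->ring_state, TARGET_PAGE_SIZE);
+- g_free(ring);
++ destroy_cq_ring(ring);
+
+ rdma_rm_dealloc_cq(&dev->rdma_dev_res, cmd->cq_handle);
+
+@@ -451,6 +460,17 @@ out:
+ return rc;
+ }
+
++static void destroy_qp_rings(PvrdmaRing *ring)
++{
++ pr_dbg("sring=%p\n", &ring[0]);
++ pvrdma_ring_free(&ring[0]);
++ pr_dbg("rring=%p\n", &ring[1]);
++ pvrdma_ring_free(&ring[1]);
++
++ rdma_pci_dma_unmap(ring->dev, ring->ring_state, TARGET_PAGE_SIZE);
++ g_free(ring);
++}
++
+ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
+ union pvrdma_cmd_resp *rsp)
+ {
+@@ -482,6 +502,11 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
+ cmd->max_recv_wr, cmd->max_recv_sge,
+ cmd->recv_cq_handle, rings, &resp->qpn);
+
++ if (resp->hdr.err) {
++ destroy_qp_rings(rings);
++ return resp->hdr.err;
++ }
++
+ resp->max_send_wr = cmd->max_send_wr;
+ resp->max_recv_wr = cmd->max_recv_wr;
+ resp->max_send_sge = cmd->max_send_sge;
+@@ -555,13 +580,7 @@ static int destroy_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
+ rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle);
+
+ ring = (PvrdmaRing *)qp->opaque;
+- pr_dbg("sring=%p\n", &ring[0]);
+- pvrdma_ring_free(&ring[0]);
+- pr_dbg("rring=%p\n", &ring[1]);
+- pvrdma_ring_free(&ring[1]);
+-
+- rdma_pci_dma_unmap(PCI_DEVICE(dev), ring->ring_state, TARGET_PAGE_SIZE);
+- g_free(ring);
++ destroy_qp_rings(ring);
+
+ return 0;
+ }
+--
+2.20.1
+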
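Review bot: The error path added to create_cq calls `destroy_cq_ring(ring)` and then falls through to `resp->cqe = cmd->cqe;` and the `out:` label, while the one added to create_qp leaves at once with `return resp->hdr.err;`; the two should follow one pattern, either an early return in create_cq as well or `goto out;` in both, depending on what `out:` does (outside the hunks). Both new helpers unmap through `ring->dev` where the removed code used `PCI_DEVICE(dev)`, which assumes ring->dev was set when the ring was created; that initialisation is not visible here and is worth confirming in this rebased tree. A one-line comment on each helper saying that it ends with `g_free(ring)`, so the caller's pointer is dangling afterwards, would also help.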
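--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0018-fix-CVE-2018-20191.patch
@@ -0,0 +1,47 @@
+CVE: CVE-2018-20191
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2aa8645]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 2aa86456fb938a11f2b7bd57c8643c213218681c Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 13 Dec 2018 01:00:35 +0530
+Subject: [PATCH] pvrdma: add uar_read routine
+
+Define skeleton 'uar_read' routine. Avoid NULL dereference.
+
+Reported-by: Li Qiang <liq3ea@163.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+---
+ hw/rdma/vmw/pvrdma_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
+index 64de16fb52..838ad8a949 100644
+--- a/hw/rdma/vmw/pvrdma_main.c
++++ b/hw/rdma/vmw/pvrdma_main.c
+@@ -448,6 +448,11 @@ static const MemoryRegionOps regs_ops = {
+ },
+ };
+
++static uint64_t uar_read(void *opaque, hwaddr addr, unsigned size)
++{
++ return 0xffffffff;
++}
++
+ static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size)
+ {
+ PVRDMADev *dev = opaque;
+@@ -489,6 +494,7 @@ static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size)
+ }
+
+ static const MemoryRegionOps uar_ops = {
++ .read = uar_read,
+ .write = uar_write,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ .impl = {
+--
+2.20.1
+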
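Review bot: uar_read has no comment explaining why a handler that ignores all three arguments and returns the constant `0xffffffff` exists. Going by the commit message it is there only so that `uar_ops.read` is never NULL when the region is read; I would say so above the function, e.g. `/* UAR reads are not implemented; return a fixed value so .read is never NULL */`. The return type is uint64_t, so the constant is 32 bits of ones regardless of the access size; if all-ones for the access width is what is meant, that is worth stating in the same comment.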
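--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch
@@ -0,0 +1,85 @@
+CVE: CVE-2018-20216
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=f1e2e38]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From f1e2e38ee0136b7710a2caa347049818afd57a1b Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 13 Dec 2018 01:00:39 +0530
+Subject: [PATCH] pvrdma: check return value from pvrdma_idx_ring_has_ routines
+
+pvrdma_idx_ring_has_[data/space] routines also return invalid
+index PVRDMA_INVALID_IDX[=-1], if ring has no data/space. Check
+return value from these routines to avoid plausible infinite loops.
+
+Reported-by: Li Qiang <liq3ea@163.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+---
+ hw/rdma/vmw/pvrdma_dev_ring.c | 29 +++++++++++------------------
+ 1 file changed, 11 insertions(+), 18 deletions(-)
+
+diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
+index 01247fc041..e8e5b502f6 100644
+--- a/hw/rdma/vmw/pvrdma_dev_ring.c
++++ b/hw/rdma/vmw/pvrdma_dev_ring.c
+@@ -73,23 +73,16 @@ out:
+
+ void *pvrdma_ring_next_elem_read(PvrdmaRing *ring)
+ {
++ int e;
+ unsigned int idx = 0, offset;
+
+- /*
+- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
+- ring->ring_state->cons_head);
+- */
+-
+- if (!pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx)) {
++ e = pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx);
++ if (e <= 0) {
+ pr_dbg("No more data in ring\n");
+ return NULL;
+ }
+
+ offset = idx * ring->elem_sz;
+- /*
+- pr_dbg("idx=%d\n", idx);
+- pr_dbg("offset=%d\n", offset);
+- */
+ return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
+ }
+
+@@ -105,20 +98,20 @@ void pvrdma_ring_read_inc(PvrdmaRing *ring)
+
+ void *pvrdma_ring_next_elem_write(PvrdmaRing *ring)
+ {
+- unsigned int idx, offset, tail;
++ int idx;
++ unsigned int offset, tail;
+
+- /*
+- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
+- ring->ring_state->cons_head);
+- */
+-
+- if (!pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail)) {
++ idx = pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail);
++ if (idx <= 0) {
+ pr_dbg("CQ is full\n");
+ return NULL;
+ }
+
+ idx = pvrdma_idx(&ring->ring_state->prod_tail, ring->max_elems);
+- /* TODO: tail == idx */
++ if (idx < 0 || tail != idx) {
++ pr_dbg("invalid idx\n");
++ return NULL;
++ }
+
+ offset = idx * ring->elem_sz;
+ return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
+--
+2.20.1
+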
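Review bot: In pvrdma_ring_next_elem_write the new `int idx` is compared with `unsigned int tail` in `tail != idx`, a mixed-sign comparison that is correct only because `idx < 0` is tested first, and the same variable holds first the result of pvrdma_idx_ring_has_space and then the ring index. A separate result variable, as pvrdma_ring_next_elem_read does with `e`, together with `tail != (unsigned int)idx`, would make the intent explicit. In both functions `offset / TARGET_PAGE_SIZE` then indexes `ring->pages` with no bound visible in the hunks, so the safety of that access rests on the index helpers keeping the index below max_elems; a comment saying so at the return statement would help.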