-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 14 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch | 91 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch | 69 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch | 65 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch | 39 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch | 67 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch | 124 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch | 53 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch | 89 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch | 43 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch | 42 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch | 52 |
12 files changed, 748 insertions, 0 deletions
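--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -100,6 +100,17 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2020-13791.patch \
 file://CVE-2022-35414.patch \
 file://CVE-2020-27821.patch \
+file://CVE-2020-13754-1.patch \
+file://CVE-2020-13754-2.patch \
+file://CVE-2020-13754-3.patch \
+file://CVE-2020-13754-4.patch \
+file://CVE-2021-3713.patch \
+file://CVE-2021-3748.patch \
+file://CVE-2021-3930.patch \
+file://CVE-2021-4206.patch \
+file://CVE-2021-4207.patch \
+file://CVE-2022-0216-1.patch \
+file://CVE-2022-0216-2.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
@@ -117,6 +128,9 @@ CVE_CHECK_WHITELIST += "CVE-2007-0998"
 # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
 CVE_CHECK_WHITELIST += "CVE-2018-18438"
 
+# the issue introduced in v5.1.0-rc0
+CVE_CHECK_WHITELIST += "CVE-2020-27661"
+
 COMPATIBLE_HOST_mipsarchn32 = "null"
 COMPATIBLE_HOST_mipsarchn64 = "null"
 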
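Review bot: The new `CVE_CHECK_WHITELIST += "CVE-2020-27661"` at new line 132 is justified only by `# the issue introduced in v5.1.0-rc0`, which records where the bug appeared but not why it does not apply to this recipe. The implied argument is that the QEMU version built here predates v5.1.0-rc0, but that version is not visible in the hunk, and a later version bump would carry the whitelist forward silently; suggest `# CVE-2020-27661 was introduced in v5.1.0-rc0, after the version built here; re-check this entry on any version bump`. Separately, SRC_URI applies CVE-2021-4206.patch before CVE-2021-4207.patch, whereas the index lines inside those files (`237ed293ba..ca217004bf` for 4206's qxl-render.c hunk, `d28849b121..237ed293ba` for 4207's) show that upstream 4207 landed first; the hunks do not overlap, so the second applies with a line offset, but listing the two in upstream order would avoid relying on that.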
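--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
@@ -0,0 +1,91 @@
+From 5d971f9e672507210e77d020d89e0e89165c8fc9 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Wed, 10 Jun 2020 09:47:49 -0400
+Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in
+memory_region_access_valid"
+
+Memory API documentation documents valid .min_access_size and .max_access_size
+fields and explains that any access outside these boundaries is blocked.
+
+This is what devices seem to assume.
+
+However this is not what the implementation does: it simply
+ignores the boundaries unless there's an "accepts" callback.
+
+Naturally, this breaks a bunch of devices.
+
+Revert to the documented behaviour.
+
+Devices that want to allow any access can just drop the valid field,
+or add the impl field to have accesses converted to appropriate
+length.
+
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Richard Henderson <rth@twiddle.net>
+Fixes: CVE-2020-13754
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
+Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid")
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Message-Id: <20200610134731.1514409-1-mst@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=5d971f9e672507210e77d020d89e0e89165c8fc9
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+memory.c | 29 +++++++++--------------------
+1 file changed, 9 insertions(+), 20 deletions(-)
+
+diff --git a/memory.c b/memory.c
+index 2f15a4b..9200b20 100644
+--- a/memory.c
++++ b/memory.c
+@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr,
+bool is_write,
+MemTxAttrs attrs)
+{
+- int access_size_min, access_size_max;
+- int access_size, i;
+-
+- if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++ if (mr->ops->valid.accepts
++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
+return false;
+}
+
+- if (!mr->ops->valid.accepts) {
+- return true;
+- }
+-
+- access_size_min = mr->ops->valid.min_access_size;
+- if (!mr->ops->valid.min_access_size) {
+- access_size_min = 1;
++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++ return false;
+}
+
+- access_size_max = mr->ops->valid.max_access_size;
++ /* Treat zero as compatibility all valid */
+if (!mr->ops->valid.max_access_size) {
+- access_size_max = 4;
++ return true;
+}
+
+- access_size = MAX(MIN(size, access_size_max), access_size_min);
+- for (i = 0; i < size; i += access_size) {
+- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
+- is_write, attrs)) {
+- return false;
+- }
++ if (size > mr->ops->valid.max_access_size
++ || size < mr->ops->valid.min_access_size) {
++ return false;
+}
+-
+return true;
+}
+
+--
+1.8.3.1
+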
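--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
@@ -0,0 +1,69 @@
+From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00 2001
+From: Michael Tokarev <mjt@tls.msk.ru>
+Date: Mon, 20 Jul 2020 19:06:27 +0300
+Subject: [PATCH] acpi: accept byte and word access to core ACPI registers
+
+All ISA registers should be accessible as bytes, words or dwords
+(if wide enough). Fix the access constraints for acpi-pm-evt,
+acpi-pm-tmr & acpi-cnt registers.
+
+Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid")
+Fixes: afafe4bbe0 (apci: switch cnt to memory api)
+Fixes: 77d58b1e47 (apci: switch timer to memory api)
+Fixes: b5a7c024d2 (apci: switch evt to memory api)
+Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/
+Buglink: https://bugs.debian.org/964793
+BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247
+BugLink: https://bugs.launchpad.net/bugs/1886318
+Reported-By: Simon John <git@the-jedi.co.uk>
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e448b1d447cf3fb
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/acpi/core.c | 9 ++++++---
+1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/hw/acpi/core.c b/hw/acpi/core.c
+index f6d9ec4..ac06db3 100644
+--- a/hw/acpi/core.c
++++ b/hw/acpi/core.c
+@@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val,
+static const MemoryRegionOps acpi_pm_evt_ops = {
+.read = acpi_pm_evt_read,
+.write = acpi_pm_evt_write,
+- .valid.min_access_size = 2,
++ .impl.min_access_size = 2,
++ .valid.min_access_size = 1,
+.valid.max_access_size = 2,
+.endianness = DEVICE_LITTLE_ENDIAN,
+};
+@@ -527,7 +528,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val,
+static const MemoryRegionOps acpi_pm_tmr_ops = {
+.read = acpi_pm_tmr_read,
+.write = acpi_pm_tmr_write,
+- .valid.min_access_size = 4,
++ .impl.min_access_size = 4,
++ .valid.min_access_size = 1,
+.valid.max_access_size = 4,
+.endianness = DEVICE_LITTLE_ENDIAN,
+};
+@@ -599,7 +601,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val,
+static const MemoryRegionOps acpi_pm_cnt_ops = {
+.read = acpi_pm_cnt_read,
+.write = acpi_pm_cnt_write,
+- .valid.min_access_size = 2,
++ .impl.min_access_size = 2,
++ .valid.min_access_size = 1,
+.valid.max_access_size = 2,
+.endianness = DEVICE_LITTLE_ENDIAN,
+};
+--
+1.8.3.1
+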
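--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
@@ -0,0 +1,65 @@
+From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <lvivier@redhat.com>
+Date: Tue, 21 Jul 2020 10:33:22 +0200
+Subject: [PATCH] xhci: fix valid.max_access_size to access address registers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow
+64-bit mode access in "runtime" and "operational" MemoryRegionOps.
+
+Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.
+
+XHCI specs:
+"If the xHC supports 64-bit addressing (AC64 = Ă¢1Ă¢), then software
+should write 64-bit registers using only Qword accesses. If a
+system is incapable of issuing Qword accesses, then writes to the
+64-bit address fields shall be performed using 2 Dword accesses;
+low Dword-first, high-Dword second. If the xHC supports 32-bit
+addressing (AC64 = Ă¢0Ă¢), then the high Dword of registers containing
+64-bit address fields are unused and software should write addresses
+using only Dword accesses"
+
+The problem has been detected with SLOF, as linux kernel always accesses
+registers using 32-bit access even if AC64 is set and revealed by
+5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"")
+
+Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com>
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Message-id: 20200721083322.90651-1-lvivier@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda561107ba14830a17
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/usb/hcd-xhci.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index b330e36..67a18fe 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = {
+.read = xhci_oper_read,
+.write = xhci_oper_write,
+.valid.min_access_size = 4,
+- .valid.max_access_size = 4,
++ .valid.max_access_size = sizeof(dma_addr_t),
+.endianness = DEVICE_LITTLE_ENDIAN,
+};
+
+@@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = {
+.read = xhci_runtime_read,
+.write = xhci_runtime_write,
+.valid.min_access_size = 4,
+- .valid.max_access_size = 4,
++ .valid.max_access_size = sizeof(dma_addr_t),
+.endianness = DEVICE_LITTLE_ENDIAN,
+};
+
+--
+1.8.3.1
+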
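--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
@@ -0,0 +1,39 @@
+From 70b78d4e71494c90d2ccb40381336bc9b9a22f79 Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@wdc.com>
+Date: Tue, 30 Jun 2020 13:12:11 -0700
+Subject: [PATCH] hw/riscv: Allow 64 bit access to SiFive CLINT
+
+Commit 5d971f9e672507210e77d020d89e0e89165c8fc9
+"memory: Revert "memory: accept mismatching sizes in
+memory_region_access_valid"" broke most RISC-V boards as they do 64 bit
+accesses to the CLINT and QEMU would trigger a fault. Fix this failure
+by allowing 8 byte accesses.
+
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: LIU Zhiwei<zhiwei_liu@c-sky.com>
+Message-Id: <122b78825b077e4dfd39b444d3a46fe894a7804c.1593547870.git.alistair.francis@wdc.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=70b78d4e71494c90d2ccb40381336bc9b9a22f79
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/riscv/sifive_clint.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/riscv/sifive_clint.c b/hw/riscv/sifive_clint.c
+index b11ffa0..669c21a 100644
+--- a/hw/riscv/sifive_clint.c
++++ b/hw/riscv/sifive_clint.c
+@@ -181,7 +181,7 @@ static const MemoryRegionOps sifive_clint_ops = {
+.endianness = DEVICE_LITTLE_ENDIAN,
+.valid = {
+.min_access_size = 4,
+- .max_access_size = 4
++ .max_access_size = 8
+}
+};
+
+--
+1.8.3.1
+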
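--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
@@ -0,0 +1,67 @@
+From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 18 Aug 2021 14:05:05 +0200
+Subject: [PATCH] uas: add stream number sanity checks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The device uses the guest-supplied stream number unchecked, which can
+lead to guest-triggered out-of-band access to the UASDevice->data3 and
+UASDevice->status3 fields. Add the missing checks.
+
+Fixes: CVE-2021-3713
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reported-by: Chen Zhe <chenzhe@huawei.com>
+Reported-by: Tan Jingguo <tanjingguo@huawei.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a
+CVE: CVE-2021-3713
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/usb/dev-uas.c | 11 +++++++++++
+1 file changed, 11 insertions(+)
+
+diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
+index 6d6d1073..0b8cd4dd 100644
+--- a/hw/usb/dev-uas.c
++++ b/hw/usb/dev-uas.c
+@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+}
+break;
+case UAS_PIPE_ID_STATUS:
++ if (p->stream > UAS_MAX_STREAMS) {
++ goto err_stream;
++ }
+if (p->stream) {
+QTAILQ_FOREACH(st, &uas->results, next) {
+if (st->stream == p->stream) {
+@@ -857,6 +860,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+break;
+case UAS_PIPE_ID_DATA_IN:
+case UAS_PIPE_ID_DATA_OUT:
++ if (p->stream > UAS_MAX_STREAMS) {
++ goto err_stream;
++ }
+if (p->stream) {
+req = usb_uas_find_request(uas, p->stream);
+} else {
+@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+p->status = USB_RET_STALL;
+break;
+}
++
++err_stream:
++ error_report("%s: invalid stream %d", __func__, p->stream);
++ p->status = USB_RET_STALL;
++ return;
+}
+
+static void usb_uas_unrealize(USBDevice *dev, Error **errp)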
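Review bot: In the third hunk (patch-file lines 57-65) the `err_stream:` label immediately follows the brace that closes the `switch`, with nothing between them, so any packet that leaves the switch by `break` — the normal completion path, not only the `default:` stall shown in the context — runs straight into `error_report("%s: invalid stream %d", ...)` and is stalled with `USB_RET_STALL`; a `return;` is needed before the label, i.e. `    return;` on its own line after the `}` that closes the switch. The stat on line 29 says 11 insertions and the three hunks add exactly 11 lines, so this is the file's content rather than a rendering artefact. The guards use `>` against `UAS_MAX_STREAMS`, which is right only if the `data3`/`status3` arrays named in the description are sized `UAS_MAX_STREAMS + 1`; that declaration is not in the hunk, so a comment beside the first check stating the relation would help. The `From` line names commit a114d6baedf2cccb454a46d36e399fec1bc3e1c0 while the backport link on line 24 points at 13b250b12ad3c59114a6a17d59caf073ce45b33a; the two should agree so that what was actually backported is unambiguous.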
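--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
@@ -0,0 +1,124 @@
+From bedd7e93d01961fcb16a97ae45d93acf357e11f6 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 2 Sep 2021 13:44:12 +0800
+Subject: [PATCH] virtio-net: fix use after unmap/free for sg
+
+When mergeable buffer is enabled, we try to set the num_buffers after
+the virtqueue elem has been unmapped. This will lead several issues,
+E.g a use after free when the descriptor has an address which belongs
+to the non direct access region. In this case we use bounce buffer
+that is allocated during address_space_map() and freed during
+address_space_unmap().
+
+Fixing this by storing the elems temporarily in an array and delay the
+unmap after we set the the num_buffers.
+
+This addresses CVE-2021-3748.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: fbe78f4f55c6 ("virtio-net support")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6
+CVE: CVE-2021-3748
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
+1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 16d20cdee52a..f205331dcf8c 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1746,10 +1746,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+VirtIONet *n = qemu_get_nic_opaque(nc);
+VirtIONetQueue *q = virtio_net_get_subqueue(nc);
+VirtIODevice *vdev = VIRTIO_DEVICE(n);
++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
++ size_t lens[VIRTQUEUE_MAX_SIZE];
+struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
+struct virtio_net_hdr_mrg_rxbuf mhdr;
+unsigned mhdr_cnt = 0;
+- size_t offset, i, guest_offset;
++ size_t offset, i, guest_offset, j;
++ ssize_t err;
+
+if (!virtio_net_can_receive(nc)) {
+return -1;
+@@ -1780,6 +1783,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+
+total = 0;
+
++ if (i == VIRTQUEUE_MAX_SIZE) {
++ virtio_error(vdev, "virtio-net unexpected long buffer chain");
++ err = size;
++ goto err;
++ }
++
+elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
+if (!elem) {
+if (i) {
+@@ -1791,7 +1800,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+n->guest_hdr_len, n->host_hdr_len,
+vdev->guest_features);
+}
+- return -1;
++ err = -1;
++ goto err;
+}
+
+if (elem->in_num < 1) {
+@@ -1799,7 +1809,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+"virtio-net receive queue contains no in buffers");
+virtqueue_detach_element(q->rx_vq, elem, 0);
+g_free(elem);
+- return -1;
++ err = -1;
++ goto err;
+}
+
+sg = elem->in_sg;
+@@ -1836,12 +1847,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+if (!n->mergeable_rx_bufs && offset < size) {
+virtqueue_unpop(q->rx_vq, elem, total);
+g_free(elem);
+- return size;
++ err = size;
++ goto err;
+}
+
+- /* signal other side */
+- virtqueue_fill(q->rx_vq, elem, total, i++);
+- g_free(elem);
++ elems[i] = elem;
++ lens[i] = total;
++ i++;
+}
+
+if (mhdr_cnt) {
+@@ -1851,10 +1863,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+&mhdr.num_buffers, sizeof mhdr.num_buffers);
+}
+
++ for (j = 0; j < i; j++) {
++ /* signal other side */
++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
++ g_free(elems[j]);
++ }
++
+virtqueue_flush(q->rx_vq, i);
+virtio_notify(vdev, q->rx_vq);
+
+return size;
++
++err:
++ for (j = 0; j < i; j++) {
++ g_free(elems[j]);
++ }
++
++ return err;
+}
+
+static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf,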
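Review bot: In the new `err:` path (patch-file lines 116-121) the elements accumulated in `elems[]` are only `g_free`d; they were obtained from `virtqueue_pop` and, on the error paths now routed here, have not been through `virtqueue_fill` (the `signal other side` loop at lines 105-109 runs only on success), so as far as the hunk shows the queue's in-use bookkeeping and whatever mappings `virtqueue_pop` set up for those elements are never released. Before this change the earlier elements had already been filled by the time the function bailed out, and the old code only had to detach or unpop the current one, which it still does at lines 75 and 85 before jumping. Unless that bookkeeping is undone somewhere outside the hunk, the loop should release each element before freeing it, e.g. `virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);` ahead of `g_free(elems[j]);`. The enclosing `virtio_net_receive_rcu` begins before the first hunk.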
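--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
@@ -0,0 +1,53 @@
+From b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 4 Nov 2021 17:31:38 +0100
+Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT
+commands
+
+This avoids an off-by-one read of 'mode_sense_valid' buffer in
+hw/scsi/scsi-disk.c:mode_sense_page().
+
+Fixes: CVE-2021-3930
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
+Fixes: #546
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8
+CVE: CVE-2021-3930
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/scsi/scsi-disk.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index e8a547dbb7..d4914178ea 100644
+--- a/hw/scsi/scsi-disk.c
++++ b/hw/scsi/scsi-disk.c
+@@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
+uint8_t *p = *p_outbuf + 2;
+int length;
+
++ assert(page < ARRAY_SIZE(mode_sense_valid));
+if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
+return -1;
+}
+@@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
+return -1;
+}
+
++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
++ if (page == MODE_PAGE_ALLS) {
++ return -1;
++ }
++
+p = mode_current;
+memset(mode_current, 0, inlen + 2);
+len = mode_sense_page(s, page, &p, 0);
+--
+GitLab
+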
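--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
@@ -0,0 +1,89 @@
+From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:17:12 +0200
+Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc
+(CVE-2021-4206)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Prevent potential integer overflow by limiting 'width' and 'height' to
+512x512. Also change 'datasize' type to size_t. Refer to security
+advisory https://starlabs.sg/advisories/22-4206/ for more information.
+
+Fixes: CVE-2021-4206
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/fa892e9a
+CVE: CVE-2021-4206
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/display/qxl-render.c | 7 +++++++
+hw/display/vmware_vga.c | 2 ++
+ui/cursor.c | 8 +++++++-
+3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index 237ed293ba..ca217004bf 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+size_t size;
+
+c = cursor_alloc(cursor->header.width, cursor->header.height);
++
++ if (!c) {
++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
++ cursor->header.width, cursor->header.height);
++ goto fail;
++ }
++
+c->hot_x = cursor->header.hot_spot_x;
+c->hot_y = cursor->header.hot_spot_y;
+switch (cursor->header.type) {
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 98c83474ad..45d06cbe25 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+int i, pixels;
+
+qc = cursor_alloc(c->width, c->height);
++ assert(qc != NULL);
++
+qc->hot_x = c->hot_x;
+qc->hot_y = c->hot_y;
+switch (c->bpp) {
+diff --git a/ui/cursor.c b/ui/cursor.c
+index 1d62ddd4d0..835f0802f9 100644
+--- a/ui/cursor.c
++++ b/ui/cursor.c
+@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
+
+/* parse pixel data */
+c = cursor_alloc(width, height);
++ assert(c != NULL);
++
+for (pixel = 0, y = 0; y < height; y++, line++) {
+for (x = 0; x < height; x++, pixel++) {
+idx = xpm[line][x];
+@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
+QEMUCursor *cursor_alloc(int width, int height)
+{
+QEMUCursor *c;
+- int datasize = width * height * sizeof(uint32_t);
++ size_t datasize = width * height * sizeof(uint32_t);
++
++ if (width > 512 || height > 512) {
++ return NULL;
++ }
+
+c = g_malloc0(sizeof(QEMUCursor) + datasize);
+c->width = width;
+--
+GitLab
+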
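--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
@@ -0,0 +1,43 @@
+From 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:11:06 +0200
+Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor
+(CVE-2021-4207)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoid fetching 'width' and 'height' a second time to prevent possible
+race condition. Refer to security advisory
+https://starlabs.sg/advisories/22-4207/ for more information.
+
+Fixes: CVE-2021-4207
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/9569f5cb
+CVE: CVE-2021-4207
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+hw/display/qxl-render.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index d28849b121..237ed293ba 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+}
+break;
+case SPICE_CURSOR_TYPE_ALPHA:
+- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
++ size = sizeof(uint32_t) * c->width * c->height;
+qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
+if (qxl->debug > 2) {
+cursor_print_ascii_art(c, "qxl/alpha");
+--
+GitLab
+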
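--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
@@ -0,0 +1,42 @@
+From 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Tue, 5 Jul 2022 22:05:43 +0200
+Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+
+Set current_req->req to NULL to prevent reusing a free'd buffer in case of
+repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8
+CVE: CVE-2022-0216
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/lsi53c895a.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index c8773f73f7..99ea42d49b 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
+ case 0x0d:
+ /* The ABORT TAG message clears the current I/O process only. */
+ trace_lsi_do_msgout_abort(current_tag);
+- if (current_req) {
++ if (current_req && current_req->req) {
+ scsi_req_cancel(current_req->req);
++ current_req->req = NULL;
+ }
+ lsi_disconnect(s);
+ break;
+--
+GitLab
+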
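Review bot: The hunk at line 1028 clears only `current_req->req` and leaves `current_req` itself in use, which — as the follow-up CVE-2022-0216-2.patch in this same change explains — is the pointer that actually goes stale after the cancel, so on its own this patch does not close the use-after-free. The second patch's index line starts from 99ea42d49b, the blob this patch produces, so the two must stay together and in this order; that dependency is worth stating in the backport trailer so neither patch is dropped or reordered in a later rebase, e.g. `Note: intermediate upstream fix; CVE-2022-0216-2.patch must be applied on top of it.` lsi_do_msgout continues outside the hunk.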
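--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
@@ -0,0 +1,52 @@
+From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Mon, 11 Jul 2022 14:33:16 +0200
+Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+
+Set current_req to NULL, not current_req->req, to prevent reusing a free'd
+buffer in case of repeated SCSI cancel requests. Also apply the fix to
+CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
+the request.
+
+Thanks to Alexander Bulekov for providing a reproducer.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4
+CVE: CVE-2022-0216
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/lsi53c895a.c | 3 +-
+ 1 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 99ea42d49b..ad5f5e5f39 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s)
+ trace_lsi_do_msgout_abort(current_tag);
+ if (current_req && current_req->req) {
+ scsi_req_cancel(current_req->req);
+- current_req->req = NULL;
++ current_req = NULL;
+ }
+ lsi_disconnect(s);
+ break;
+@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
+ /* clear the current I/O process */
+ if (s->current) {
+ scsi_req_cancel(s->current->req);
++ current_req = NULL;
+ }
+
+ /* As the current implemented devices scsi_disk and scsi_generic
+--
+GitLab
+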
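Review bot: The line added in the hunk at 1056, `current_req = NULL;`, directly follows `scsi_req_cancel(s->current->req)`, but nothing in the hunk shows how the local `current_req` relates to `s->current`, so a reader cannot see why cancelling one invalidates the other; the 1030 hunk has the same gap. A why-comment on the assignment would carry the reasoning from the commit message into the code, e.g. `/* cancelling may free the request object; drop the now-stale local pointer */`. That both refer to the same request here is inferred from the patch description rather than visible in the hunk, and lsi_do_msgout continues outside both hunks, so the comment is where the invariant should be recorded.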