summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc24
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch83
-rw-r--r--meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch60
-rw-r--r--meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch98
-rw-r--r--meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch78
-rw-r--r--meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch158
-rw-r--r--meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch1453
-rw-r--r--meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch227
-rw-r--r--meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch41
-rw-r--r--meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch167
-rw-r--r--meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch91
-rw-r--r--meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch65
-rw-r--r--meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch129
-rw-r--r--meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch222
-rw-r--r--meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch91
-rw-r--r--meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch120
-rw-r--r--meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch151
-rw-r--r--meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch65
-rw-r--r--meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch175
-rw-r--r--meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch303
-rw-r--r--meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch271
-rw-r--r--meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch47
-rw-r--r--meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch296
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch74
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch43
25 files changed, 4532 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 816f9a7eac..cb5f9358da 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -46,6 +46,30 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
46 file://CVE-2021-3750-1.patch \ 46 file://CVE-2021-3750-1.patch \
47 file://CVE-2021-3750-2.patch \ 47 file://CVE-2021-3750-2.patch \
48 file://CVE-2021-3750-3.patch \ 48 file://CVE-2021-3750-3.patch \
49 file://0001-use-uint32t-for-reply-queue-head-tail-values.patch \
50 file://0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch \
51 file://0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch \
52 file://0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch \
53 file://0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch \
54 file://0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch \
55 file://0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch \
56 file://0008_have_dma_buf_rw_function_take_a_void_pointer.patch \
57 file://0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch \
58 file://0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch \
59 file://0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch \
60 file://0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch \
61 file://0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch \
62 file://0014_let_dma_buf_rw_function_propagate_MemTxResult.patch \
63 file://0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch \
64 file://0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch \
65 file://0017_let_st_pointer_dma_function_propagate_MemTxResult.patch \
66 file://0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch \
67 file://0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch \
68 file://0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch \
69 file://0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch \
70 file://0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch \
71 file://CVE-2021-3611_1.patch \
72 file://CVE-2021-3611_2.patch \
49 " 73 "
50UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 74UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
51 75
diff --git a/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch b/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch
new file mode 100644
index 0000000000..37e122f781
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch
@@ -0,0 +1,83 @@
1From 41d5e8da3d5e0a143a9fb397c9f34707ec544997 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Fri, 17 Dec 2021 22:43:05 +0100
4Subject: [PATCH] hw/scsi/megasas: Use uint32_t for reply queue head/tail
5 values
6MIME-Version: 1.0
7Content-Type: text/plain; charset=utf8
8Content-Transfer-Encoding: 8bit
9
10While the reply queue values fit in 16-bit, they are accessed
11as 32-bit:
12
13 661: s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
14 662: s->reply_queue_head %= MEGASAS_MAX_FRAMES;
15 663: s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
16 664: s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
17
18Having:
19
20 41:#define MEGASAS_MAX_FRAMES 2048 /* Firmware limit at 65535 */
21
22In order to update the ld/st*_pci_dma() API to pass the address
23of the value to access, it is simpler to have the head/tail declared
24as 32-bit values. Replace the uint16_t by uint32_t, wasting 4 bytes in
25the MegasasState structure.
26
27CVE: CVE-2021-3611
28Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=41d5e8da3d5e0a143a9fb397c9f34707ec544997]
29
30Acked-by: Richard Henderson <richard.henderson@linaro.org>
31Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
32Message-Id: <20211223115554.3155328-20-philmd@redhat.com>
33Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
34---
35 hw/scsi/megasas.c | 4 ++--
36 hw/scsi/trace-events | 8 ++++----
37 2 files changed, 6 insertions(+), 6 deletions(-)
38
39diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
40index 8f35784..14ec6d6 100644
41--- a/hw/scsi/megasas.c
42+++ b/hw/scsi/megasas.c
43@@ -109,8 +109,8 @@ struct MegasasState {
44 uint64_t reply_queue_pa;
45 void *reply_queue;
46 uint16_t reply_queue_len;
47- uint16_t reply_queue_head;
48- uint16_t reply_queue_tail;
49+ uint32_t reply_queue_head;
50+ uint32_t reply_queue_tail;
51 uint64_t consumer_pa;
52 uint64_t producer_pa;
53
54diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events
55index 92d5b40..ae8551f 100644
56--- a/hw/scsi/trace-events
57+++ b/hw/scsi/trace-events
58@@ -42,18 +42,18 @@ mptsas_config_sas_phy(void *dev, int address, int port, int phy_handle, int dev_
59
60 # megasas.c
61 megasas_init_firmware(uint64_t pa) "pa 0x%" PRIx64 " "
62-megasas_init_queue(uint64_t queue_pa, int queue_len, uint64_t head, uint64_t tail, uint32_t flags) "queue at 0x%" PRIx64 " len %d head 0x%" PRIx64 " tail 0x%" PRIx64 " flags 0x%x"
63+megasas_init_queue(uint64_t queue_pa, int queue_len, uint32_t head, uint32_t tail, uint32_t flags) "queue at 0x%" PRIx64 " len %d head 0x%" PRIx32 " tail 0x%" PRIx32 " flags 0x%x"
64 megasas_initq_map_failed(int frame) "scmd %d: failed to map queue"
65 megasas_initq_mapped(uint64_t pa) "queue already mapped at 0x%" PRIx64
66 megasas_initq_mismatch(int queue_len, int fw_cmds) "queue size %d max fw cmds %d"
67 megasas_qf_mapped(unsigned int index) "skip mapped frame 0x%x"
68 megasas_qf_new(unsigned int index, uint64_t frame) "frame 0x%x addr 0x%" PRIx64
69 megasas_qf_busy(unsigned long pa) "all frames busy for frame 0x%lx"
70-megasas_qf_enqueue(unsigned int index, unsigned int count, uint64_t context, unsigned int head, unsigned int tail, int busy) "frame 0x%x count %d context 0x%" PRIx64 " head 0x%x tail 0x%x busy %d"
71-megasas_qf_update(unsigned int head, unsigned int tail, unsigned int busy) "head 0x%x tail 0x%x busy %d"
72+megasas_qf_enqueue(unsigned int index, unsigned int count, uint64_t context, uint32_t head, uint32_t tail, unsigned int busy) "frame 0x%x count %d context 0x%" PRIx64 " head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u"
73+megasas_qf_update(uint32_t head, uint32_t tail, unsigned int busy) "head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u"
74 megasas_qf_map_failed(int cmd, unsigned long frame) "scmd %d: frame %lu"
75 megasas_qf_complete_noirq(uint64_t context) "context 0x%" PRIx64 " "
76-megasas_qf_complete(uint64_t context, unsigned int head, unsigned int tail, int busy) "context 0x%" PRIx64 " head 0x%x tail 0x%x busy %d"
77+megasas_qf_complete(uint64_t context, uint32_t head, uint32_t tail, int busy) "context 0x%" PRIx64 " head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u"
78 megasas_frame_busy(uint64_t addr) "frame 0x%" PRIx64 " busy"
79 megasas_unhandled_frame_cmd(int cmd, uint8_t frame_cmd) "scmd %d: MFI cmd 0x%x"
80 megasas_handle_scsi(const char *frame, int bus, int dev, int lun, void *sdev, unsigned long size) "%s dev %x/%x/%x sdev %p xfer %lu"
81--
821.8.3.1
83
diff --git a/meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..04a655315f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,60 @@
1From 7ccb391ccd594b3f33de8deb293ff8d47bb4e219 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Thu, 3 Sep 2020 09:28:49 +0200
4Subject: [PATCH] dma: Let dma_memory_valid() take MemTxAttrs argument
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9Let devices specify transaction attributes when calling
10dma_memory_valid().
11
12CVE: CVE-2021-3611
13Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=7ccb391ccd594b3f33de8deb293ff8d47bb4e219]
14
15Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
16Reviewed-by: Li Qiang <liq3ea@gmail.com>
17Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
18Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
19Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
20Message-Id: <20211223115554.3155328-2-philmd@redhat.com>
21Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
22---
23 include/hw/ppc/spapr_vio.h | 2 +-
24 include/sysemu/dma.h | 4 ++--
25 2 files changed, 3 insertions(+), 3 deletions(-)
26
27diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h
28index 4bea87f..4c45f15 100644
29--- a/include/hw/ppc/spapr_vio.h
30+++ b/include/hw/ppc/spapr_vio.h
31@@ -91,7 +91,7 @@ static inline void spapr_vio_irq_pulse(SpaprVioDevice *dev)
32 static inline bool spapr_vio_dma_valid(SpaprVioDevice *dev, uint64_t taddr,
33 uint32_t size, DMADirection dir)
34 {
35- return dma_memory_valid(&dev->as, taddr, size, dir);
36+ return dma_memory_valid(&dev->as, taddr, size, dir, MEMTXATTRS_UNSPECIFIED);
37 }
38
39 static inline int spapr_vio_dma_read(SpaprVioDevice *dev, uint64_t taddr,
40diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
41index 3201e79..296f3b5 100644
42--- a/include/sysemu/dma.h
43+++ b/include/sysemu/dma.h
44@@ -73,11 +73,11 @@ static inline void dma_barrier(AddressSpace *as, DMADirection dir)
45 * dma_memory_{read,write}() and check for errors */
46 static inline bool dma_memory_valid(AddressSpace *as,
47 dma_addr_t addr, dma_addr_t len,
48- DMADirection dir)
49+ DMADirection dir, MemTxAttrs attrs)
50 {
51 return address_space_access_valid(as, addr, len,
52 dir == DMA_DIRECTION_FROM_DEVICE,
53- MEMTXATTRS_UNSPECIFIED);
54+ attrs);
55 }
56
57 static inline MemTxResult dma_memory_rw_relaxed(AddressSpace *as,
58--
591.8.3.1
60
diff --git a/meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..f13707a407
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,98 @@
1From 7a36e42d9114474278ce30ba36945cc62292eb60 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Thu, 3 Sep 2020 10:28:32 +0200
4Subject: [PATCH] dma: Let dma_memory_set() take MemTxAttrs argument
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9Let devices specify transaction attributes when calling
10dma_memory_set().
11
12CVE: CVE-2021-3611
13Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=7a36e42d9114474278ce30ba36945cc62292eb60]
14
15Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
16Reviewed-by: Li Qiang <liq3ea@gmail.com>
17Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
18Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
19Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
20Message-Id: <20211223115554.3155328-3-philmd@redhat.com>
21Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
22---
23 hw/nvram/fw_cfg.c | 3 ++-
24 include/hw/ppc/spapr_vio.h | 3 ++-
25 include/sysemu/dma.h | 3 ++-
26 softmmu/dma-helpers.c | 5 ++---
27 4 files changed, 8 insertions(+), 6 deletions(-)
28
29diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
30index c06b30d..f7803fe 100644
31--- a/hw/nvram/fw_cfg.c
32+++ b/hw/nvram/fw_cfg.c
33@@ -399,7 +399,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
34 * tested before.
35 */
36 if (read) {
37- if (dma_memory_set(s->dma_as, dma.address, 0, len)) {
38+ if (dma_memory_set(s->dma_as, dma.address, 0, len,
39+ MEMTXATTRS_UNSPECIFIED)) {
40 dma.control |= FW_CFG_DMA_CTL_ERROR;
41 }
42 }
43diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h
44index 4c45f15..c90e74a 100644
45--- a/include/hw/ppc/spapr_vio.h
46+++ b/include/hw/ppc/spapr_vio.h
47@@ -111,7 +111,8 @@ static inline int spapr_vio_dma_write(SpaprVioDevice *dev, uint64_t taddr,
48 static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr,
49 uint8_t c, uint32_t size)
50 {
51- return (dma_memory_set(&dev->as, taddr, c, size) != 0) ?
52+ return (dma_memory_set(&dev->as, taddr,
53+ c, size, MEMTXATTRS_UNSPECIFIED) != 0) ?
54 H_DEST_PARM : H_SUCCESS;
55 }
56
57diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
58index 296f3b5..d23516f 100644
59--- a/include/sysemu/dma.h
60+++ b/include/sysemu/dma.h
61@@ -175,9 +175,10 @@ static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr,
62 * @addr: address within that address space
63 * @c: constant byte to fill the memory
64 * @len: the number of bytes to fill with the constant byte
65+ * @attrs: memory transaction attributes
66 */
67 MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr,
68- uint8_t c, dma_addr_t len);
69+ uint8_t c, dma_addr_t len, MemTxAttrs attrs);
70
71 /**
72 * address_space_map: Map a physical memory region into a host virtual address.
73diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
74index 7d766a5..1f07217 100644
75--- a/softmmu/dma-helpers.c
76+++ b/softmmu/dma-helpers.c
77@@ -19,7 +19,7 @@
78 /* #define DEBUG_IOMMU */
79
80 MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr,
81- uint8_t c, dma_addr_t len)
82+ uint8_t c, dma_addr_t len, MemTxAttrs attrs)
83 {
84 dma_barrier(as, DMA_DIRECTION_FROM_DEVICE);
85
86@@ -31,8 +31,7 @@ MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr,
87 memset(fillbuf, c, FILLBUF_SIZE);
88 while (len > 0) {
89 l = len < FILLBUF_SIZE ? len : FILLBUF_SIZE;
90- error |= address_space_write(as, addr, MEMTXATTRS_UNSPECIFIED,
91- fillbuf, l);
92+ error |= address_space_write(as, addr, attrs, fillbuf, l);
93 len -= l;
94 addr += l;
95 }
96--
971.8.3.1
98
diff --git a/meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..cacb12909c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,78 @@
1From 4afd0f2f220ec3dc8518b8de0d66cbf8d2fd1be7 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Thu, 3 Sep 2020 09:30:10 +0200
4Subject: [PATCH] dma: Let dma_memory_rw_relaxed() take MemTxAttrs argument
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9We will add the MemTxAttrs argument to dma_memory_rw() in
10the next commit. Since dma_memory_rw_relaxed() is only used
11by dma_memory_rw(), modify it first in a separate commit to
12keep the next commit easier to review.
13
14CVE: CVE-2021-3611
15Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=4afd0f2f220ec3dc8518b8de0d66cbf8d2fd1be7]
16
17Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
18Reviewed-by: Li Qiang <liq3ea@gmail.com>
19Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
20Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
21Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
22Message-Id: <20211223115554.3155328-4-philmd@redhat.com>
23Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
24---
25 include/sysemu/dma.h | 15 ++++++++++-----
26 1 file changed, 10 insertions(+), 5 deletions(-)
27
28diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
29index d23516f..3be803c 100644
30--- a/include/sysemu/dma.h
31+++ b/include/sysemu/dma.h
32@@ -83,9 +83,10 @@ static inline bool dma_memory_valid(AddressSpace *as,
33 static inline MemTxResult dma_memory_rw_relaxed(AddressSpace *as,
34 dma_addr_t addr,
35 void *buf, dma_addr_t len,
36- DMADirection dir)
37+ DMADirection dir,
38+ MemTxAttrs attrs)
39 {
40- return address_space_rw(as, addr, MEMTXATTRS_UNSPECIFIED,
41+ return address_space_rw(as, addr, attrs,
42 buf, len, dir == DMA_DIRECTION_FROM_DEVICE);
43 }
44
45@@ -93,7 +94,9 @@ static inline MemTxResult dma_memory_read_relaxed(AddressSpace *as,
46 dma_addr_t addr,
47 void *buf, dma_addr_t len)
48 {
49- return dma_memory_rw_relaxed(as, addr, buf, len, DMA_DIRECTION_TO_DEVICE);
50+ return dma_memory_rw_relaxed(as, addr, buf, len,
51+ DMA_DIRECTION_TO_DEVICE,
52+ MEMTXATTRS_UNSPECIFIED);
53 }
54
55 static inline MemTxResult dma_memory_write_relaxed(AddressSpace *as,
56@@ -102,7 +105,8 @@ static inline MemTxResult dma_memory_write_relaxed(AddressSpace *as,
57 dma_addr_t len)
58 {
59 return dma_memory_rw_relaxed(as, addr, (void *)buf, len,
60- DMA_DIRECTION_FROM_DEVICE);
61+ DMA_DIRECTION_FROM_DEVICE,
62+ MEMTXATTRS_UNSPECIFIED);
63 }
64
65 /**
66@@ -124,7 +128,8 @@ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr,
67 {
68 dma_barrier(as, dir);
69
70- return dma_memory_rw_relaxed(as, addr, buf, len, dir);
71+ return dma_memory_rw_relaxed(as, addr, buf, len, dir,
72+ MEMTXATTRS_UNSPECIFIED);
73 }
74
75 /**
76--
771.8.3.1
78
diff --git a/meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..e5daf966d5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,158 @@
1From 23faf5694ff8054b847e9733297727be4a641132 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Thu, 3 Sep 2020 09:37:43 +0200
4Subject: [PATCH] dma: Let dma_memory_rw() take MemTxAttrs argument
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9Let devices specify transaction attributes when calling
10dma_memory_rw().
11
12CVE: CVE-2021-3611
13Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=23faf5694ff8054b847e9733297727be4a641132]
14
15Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
16Reviewed-by: Li Qiang <liq3ea@gmail.com>
17Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
18Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
19Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
20Message-Id: <20211223115554.3155328-5-philmd@redhat.com>
21Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
22---
23 hw/intc/spapr_xive.c | 3 ++-
24 hw/usb/hcd-ohci.c | 10 ++++++----
25 include/hw/pci/pci.h | 3 ++-
26 include/sysemu/dma.h | 11 ++++++-----
27 softmmu/dma-helpers.c | 3 ++-
28 5 files changed, 18 insertions(+), 12 deletions(-)
29
30diff --git a/hw/intc/spapr_xive.c b/hw/intc/spapr_xive.c
31index 4ec659b..eae95c7 100644
32--- a/hw/intc/spapr_xive.c
33+++ b/hw/intc/spapr_xive.c
34@@ -1684,7 +1684,8 @@ static target_ulong h_int_esb(PowerPCCPU *cpu,
35 mmio_addr = xive->vc_base + xive_source_esb_mgmt(xsrc, lisn) + offset;
36
37 if (dma_memory_rw(&address_space_memory, mmio_addr, &data, 8,
38- (flags & SPAPR_XIVE_ESB_STORE))) {
39+ (flags & SPAPR_XIVE_ESB_STORE),
40+ MEMTXATTRS_UNSPECIFIED)) {
41 qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to access ESB @0x%"
42 HWADDR_PRIx "\n", mmio_addr);
43 return H_HARDWARE;
44diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
45index 1cf2816..56e2315 100644
46--- a/hw/usb/hcd-ohci.c
47+++ b/hw/usb/hcd-ohci.c
48@@ -586,7 +586,8 @@ static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td,
49 if (n > len)
50 n = len;
51
52- if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
53+ if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
54+ n, dir, MEMTXATTRS_UNSPECIFIED)) {
55 return -1;
56 }
57 if (n == len) {
58@@ -595,7 +596,7 @@ static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td,
59 ptr = td->be & ~0xfffu;
60 buf += n;
61 if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
62- len - n, dir)) {
63+ len - n, dir, MEMTXATTRS_UNSPECIFIED)) {
64 return -1;
65 }
66 return 0;
67@@ -613,7 +614,8 @@ static int ohci_copy_iso_td(OHCIState *ohci,
68 if (n > len)
69 n = len;
70
71- if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) {
72+ if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
73+ n, dir, MEMTXATTRS_UNSPECIFIED)) {
74 return -1;
75 }
76 if (n == len) {
77@@ -622,7 +624,7 @@ static int ohci_copy_iso_td(OHCIState *ohci,
78 ptr = end_addr & ~0xfffu;
79 buf += n;
80 if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf,
81- len - n, dir)) {
82+ len - n, dir, MEMTXATTRS_UNSPECIFIED)) {
83 return -1;
84 }
85 return 0;
86diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
87index e7cdf2d..4383f1c 100644
88--- a/include/hw/pci/pci.h
89+++ b/include/hw/pci/pci.h
90@@ -808,7 +808,8 @@ static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr,
91 void *buf, dma_addr_t len,
92 DMADirection dir)
93 {
94- return dma_memory_rw(pci_get_address_space(dev), addr, buf, len, dir);
95+ return dma_memory_rw(pci_get_address_space(dev), addr, buf, len,
96+ dir, MEMTXATTRS_UNSPECIFIED);
97 }
98
99 /**
100diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
101index 3be803c..e8ad422 100644
102--- a/include/sysemu/dma.h
103+++ b/include/sysemu/dma.h
104@@ -121,15 +121,15 @@ static inline MemTxResult dma_memory_write_relaxed(AddressSpace *as,
105 * @buf: buffer with the data transferred
106 * @len: the number of bytes to read or write
107 * @dir: indicates the transfer direction
108+ * @attrs: memory transaction attributes
109 */
110 static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr,
111 void *buf, dma_addr_t len,
112- DMADirection dir)
113+ DMADirection dir, MemTxAttrs attrs)
114 {
115 dma_barrier(as, dir);
116
117- return dma_memory_rw_relaxed(as, addr, buf, len, dir,
118- MEMTXATTRS_UNSPECIFIED);
119+ return dma_memory_rw_relaxed(as, addr, buf, len, dir, attrs);
120 }
121
122 /**
123@@ -147,7 +147,8 @@ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr,
124 static inline MemTxResult dma_memory_read(AddressSpace *as, dma_addr_t addr,
125 void *buf, dma_addr_t len)
126 {
127- return dma_memory_rw(as, addr, buf, len, DMA_DIRECTION_TO_DEVICE);
128+ return dma_memory_rw(as, addr, buf, len,
129+ DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED);
130 }
131
132 /**
133@@ -166,7 +167,7 @@ static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr,
134 const void *buf, dma_addr_t len)
135 {
136 return dma_memory_rw(as, addr, (void *)buf, len,
137- DMA_DIRECTION_FROM_DEVICE);
138+ DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED);
139 }
140
141 /**
142diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
143index 1f07217..5bf76ff 100644
144--- a/softmmu/dma-helpers.c
145+++ b/softmmu/dma-helpers.c
146@@ -305,7 +305,8 @@ static uint64_t dma_buf_rw(uint8_t *ptr, int32_t len, QEMUSGList *sg,
147 while (len > 0) {
148 ScatterGatherEntry entry = sg->sg[sg_cur_index++];
149 int32_t xfer = MIN(len, entry.len);
150- dma_memory_rw(sg->as, entry.base, ptr, xfer, dir);
151+ dma_memory_rw(sg->as, entry.base, ptr, xfer, dir,
152+ MEMTXATTRS_UNSPECIFIED);
153 ptr += xfer;
154 len -= xfer;
155 resid -= xfer;
156--
1571.8.3.1
158
diff --git a/meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..1973e477f3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,1453 @@
1From ba06fe8add5b788956a7317246c6280dfc157040 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Thu, 3 Sep 2020 10:08:29 +0200
4Subject: [PATCH] dma: Let dma_memory_read/write() take MemTxAttrs argument
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9Let devices specify transaction attributes when calling
10dma_memory_read() or dma_memory_write().
11
12Patch created mechanically using spatch with this script:
13
14 @@
15 expression E1, E2, E3, E4;
16 @@
17 (
18 - dma_memory_read(E1, E2, E3, E4)
19 + dma_memory_read(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED)
20 |
21 - dma_memory_write(E1, E2, E3, E4)
22 + dma_memory_write(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED)
23 )
24
25CVE: CVE-2021-3611
26Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=ba06fe8add5b788956a7317246c6280dfc157040]
27
28Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
29Reviewed-by: Li Qiang <liq3ea@gmail.com>
30Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
31Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
32Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
33Message-Id: <20211223115554.3155328-6-philmd@redhat.com>
34Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
35---
36 hw/arm/musicpal.c | 13 +++++++------
37 hw/arm/smmu-common.c | 3 ++-
38 hw/arm/smmuv3.c | 14 +++++++++-----
39 hw/core/generic-loader.c | 3 ++-
40 hw/dma/pl330.c | 12 ++++++++----
41 hw/dma/sparc32_dma.c | 16 ++++++++++------
42 hw/dma/xlnx-zynq-devcfg.c | 6 ++++--
43 hw/dma/xlnx_dpdma.c | 10 ++++++----
44 hw/i386/amd_iommu.c | 16 +++++++++-------
45 hw/i386/intel_iommu.c | 28 +++++++++++++++++-----------
46 hw/ide/macio.c | 2 +-
47 hw/intc/xive.c | 7 ++++---
48 hw/misc/bcm2835_property.c | 3 ++-
49 hw/misc/macio/mac_dbdma.c | 10 ++++++----
50 hw/net/allwinner-sun8i-emac.c | 18 ++++++++++++------
51 hw/net/ftgmac100.c | 25 ++++++++++++++++---------
52 hw/net/imx_fec.c | 32 ++++++++++++++++++++------------
53 hw/net/npcm7xx_emc.c | 20 ++++++++++++--------
54 hw/nvram/fw_cfg.c | 9 ++++++---
55 hw/pci-host/pnv_phb3.c | 5 +++--
56 hw/pci-host/pnv_phb3_msi.c | 9 ++++++---
57 hw/pci-host/pnv_phb4.c | 5 +++--
58 hw/sd/allwinner-sdhost.c | 14 ++++++++------
59 hw/sd/sdhci.c | 35 ++++++++++++++++++++++-------------
60 hw/usb/hcd-dwc2.c | 8 ++++----
61 hw/usb/hcd-ehci.c | 6 ++++--
62 hw/usb/hcd-ohci.c | 18 +++++++++++-------
63 hw/usb/hcd-xhci.c | 18 +++++++++++-------
64 include/hw/ppc/spapr_vio.h | 6 ++++--
65 include/sysemu/dma.h | 20 ++++++++++++--------
66 30 files changed, 241 insertions(+), 150 deletions(-)
67
68diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c
69index 2d612cc..2680ec5 100644
70--- a/hw/arm/musicpal.c
71+++ b/hw/arm/musicpal.c
72@@ -185,13 +185,13 @@ static void eth_rx_desc_put(AddressSpace *dma_as, uint32_t addr,
73 cpu_to_le16s(&desc->buffer_size);
74 cpu_to_le32s(&desc->buffer);
75 cpu_to_le32s(&desc->next);
76- dma_memory_write(dma_as, addr, desc, sizeof(*desc));
77+ dma_memory_write(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED);
78 }
79
80 static void eth_rx_desc_get(AddressSpace *dma_as, uint32_t addr,
81 mv88w8618_rx_desc *desc)
82 {
83- dma_memory_read(dma_as, addr, desc, sizeof(*desc));
84+ dma_memory_read(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED);
85 le32_to_cpus(&desc->cmdstat);
86 le16_to_cpus(&desc->bytes);
87 le16_to_cpus(&desc->buffer_size);
88@@ -215,7 +215,7 @@ static ssize_t eth_receive(NetClientState *nc, const uint8_t *buf, size_t size)
89 eth_rx_desc_get(&s->dma_as, desc_addr, &desc);
90 if ((desc.cmdstat & MP_ETH_RX_OWN) && desc.buffer_size >= size) {
91 dma_memory_write(&s->dma_as, desc.buffer + s->vlan_header,
92- buf, size);
93+ buf, size, MEMTXATTRS_UNSPECIFIED);
94 desc.bytes = size + s->vlan_header;
95 desc.cmdstat &= ~MP_ETH_RX_OWN;
96 s->cur_rx[i] = desc.next;
97@@ -241,13 +241,13 @@ static void eth_tx_desc_put(AddressSpace *dma_as, uint32_t addr,
98 cpu_to_le16s(&desc->bytes);
99 cpu_to_le32s(&desc->buffer);
100 cpu_to_le32s(&desc->next);
101- dma_memory_write(dma_as, addr, desc, sizeof(*desc));
102+ dma_memory_write(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED);
103 }
104
105 static void eth_tx_desc_get(AddressSpace *dma_as, uint32_t addr,
106 mv88w8618_tx_desc *desc)
107 {
108- dma_memory_read(dma_as, addr, desc, sizeof(*desc));
109+ dma_memory_read(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED);
110 le32_to_cpus(&desc->cmdstat);
111 le16_to_cpus(&desc->res);
112 le16_to_cpus(&desc->bytes);
113@@ -269,7 +269,8 @@ static void eth_send(mv88w8618_eth_state *s, int queue_index)
114 if (desc.cmdstat & MP_ETH_TX_OWN) {
115 len = desc.bytes;
116 if (len < 2048) {
117- dma_memory_read(&s->dma_as, desc.buffer, buf, len);
118+ dma_memory_read(&s->dma_as, desc.buffer, buf, len,
119+ MEMTXATTRS_UNSPECIFIED);
120 qemu_send_packet(qemu_get_queue(s->nic), buf, len);
121 }
122 desc.cmdstat &= ~MP_ETH_TX_OWN;
123diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
124index 0459850..e09b9c1 100644
125--- a/hw/arm/smmu-common.c
126+++ b/hw/arm/smmu-common.c
127@@ -193,7 +193,8 @@ static int get_pte(dma_addr_t baseaddr, uint32_t index, uint64_t *pte,
128 dma_addr_t addr = baseaddr + index * sizeof(*pte);
129
130 /* TODO: guarantee 64-bit single-copy atomicity */
131- ret = dma_memory_read(&address_space_memory, addr, pte, sizeof(*pte));
132+ ret = dma_memory_read(&address_space_memory, addr, pte, sizeof(*pte),
133+ MEMTXATTRS_UNSPECIFIED);
134
135 if (ret != MEMTX_OK) {
136 info->type = SMMU_PTW_ERR_WALK_EABT;
137diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
138index 01b60be..3b43368 100644
139--- a/hw/arm/smmuv3.c
140+++ b/hw/arm/smmuv3.c
141@@ -102,7 +102,8 @@ static inline MemTxResult queue_read(SMMUQueue *q, void *data)
142 {
143 dma_addr_t addr = Q_CONS_ENTRY(q);
144
145- return dma_memory_read(&address_space_memory, addr, data, q->entry_size);
146+ return dma_memory_read(&address_space_memory, addr, data, q->entry_size,
147+ MEMTXATTRS_UNSPECIFIED);
148 }
149
150 static MemTxResult queue_write(SMMUQueue *q, void *data)
151@@ -110,7 +111,8 @@ static MemTxResult queue_write(SMMUQueue *q, void *data)
152 dma_addr_t addr = Q_PROD_ENTRY(q);
153 MemTxResult ret;
154
155- ret = dma_memory_write(&address_space_memory, addr, data, q->entry_size);
156+ ret = dma_memory_write(&address_space_memory, addr, data, q->entry_size,
157+ MEMTXATTRS_UNSPECIFIED);
158 if (ret != MEMTX_OK) {
159 return ret;
160 }
161@@ -285,7 +287,8 @@ static int smmu_get_ste(SMMUv3State *s, dma_addr_t addr, STE *buf,
162
163 trace_smmuv3_get_ste(addr);
164 /* TODO: guarantee 64-bit single-copy atomicity */
165- ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf));
166+ ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf),
167+ MEMTXATTRS_UNSPECIFIED);
168 if (ret != MEMTX_OK) {
169 qemu_log_mask(LOG_GUEST_ERROR,
170 "Cannot fetch pte at address=0x%"PRIx64"\n", addr);
171@@ -306,7 +309,8 @@ static int smmu_get_cd(SMMUv3State *s, STE *ste, uint32_t ssid,
172
173 trace_smmuv3_get_cd(addr);
174 /* TODO: guarantee 64-bit single-copy atomicity */
175- ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf));
176+ ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf),
177+ MEMTXATTRS_UNSPECIFIED);
178 if (ret != MEMTX_OK) {
179 qemu_log_mask(LOG_GUEST_ERROR,
180 "Cannot fetch pte at address=0x%"PRIx64"\n", addr);
181@@ -411,7 +415,7 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
182 l1ptr = (dma_addr_t)(strtab_base + l1_ste_offset * sizeof(l1std));
183 /* TODO: guarantee 64-bit single-copy atomicity */
184 ret = dma_memory_read(&address_space_memory, l1ptr, &l1std,
185- sizeof(l1std));
186+ sizeof(l1std), MEMTXATTRS_UNSPECIFIED);
187 if (ret != MEMTX_OK) {
188 qemu_log_mask(LOG_GUEST_ERROR,
189 "Could not read L1PTR at 0X%"PRIx64"\n", l1ptr);
190diff --git a/hw/core/generic-loader.c b/hw/core/generic-loader.c
191index d14f932..9a24ffb 100644
192--- a/hw/core/generic-loader.c
193+++ b/hw/core/generic-loader.c
194@@ -57,7 +57,8 @@ static void generic_loader_reset(void *opaque)
195
196 if (s->data_len) {
197 assert(s->data_len < sizeof(s->data));
198- dma_memory_write(s->cpu->as, s->addr, &s->data, s->data_len);
199+ dma_memory_write(s->cpu->as, s->addr, &s->data, s->data_len,
200+ MEMTXATTRS_UNSPECIFIED);
201 }
202 }
203
204diff --git a/hw/dma/pl330.c b/hw/dma/pl330.c
205index 0cb4619..31ce01b 100644
206--- a/hw/dma/pl330.c
207+++ b/hw/dma/pl330.c
208@@ -1111,7 +1111,8 @@ static inline const PL330InsnDesc *pl330_fetch_insn(PL330Chan *ch)
209 uint8_t opcode;
210 int i;
211
212- dma_memory_read(ch->parent->mem_as, ch->pc, &opcode, 1);
213+ dma_memory_read(ch->parent->mem_as, ch->pc, &opcode, 1,
214+ MEMTXATTRS_UNSPECIFIED);
215 for (i = 0; insn_desc[i].size; i++) {
216 if ((opcode & insn_desc[i].opmask) == insn_desc[i].opcode) {
217 return &insn_desc[i];
218@@ -1125,7 +1126,8 @@ static inline void pl330_exec_insn(PL330Chan *ch, const PL330InsnDesc *insn)
219 uint8_t buf[PL330_INSN_MAXSIZE];
220
221 assert(insn->size <= PL330_INSN_MAXSIZE);
222- dma_memory_read(ch->parent->mem_as, ch->pc, buf, insn->size);
223+ dma_memory_read(ch->parent->mem_as, ch->pc, buf, insn->size,
224+ MEMTXATTRS_UNSPECIFIED);
225 insn->exec(ch, buf[0], &buf[1], insn->size - 1);
226 }
227
228@@ -1189,7 +1191,8 @@ static int pl330_exec_cycle(PL330Chan *channel)
229 if (q != NULL && q->len <= pl330_fifo_num_free(&s->fifo)) {
230 int len = q->len - (q->addr & (q->len - 1));
231
232- dma_memory_read(s->mem_as, q->addr, buf, len);
233+ dma_memory_read(s->mem_as, q->addr, buf, len,
234+ MEMTXATTRS_UNSPECIFIED);
235 trace_pl330_exec_cycle(q->addr, len);
236 if (trace_event_get_state_backends(TRACE_PL330_HEXDUMP)) {
237 pl330_hexdump(buf, len);
238@@ -1220,7 +1223,8 @@ static int pl330_exec_cycle(PL330Chan *channel)
239 fifo_res = pl330_fifo_get(&s->fifo, buf, len, q->tag);
240 }
241 if (fifo_res == PL330_FIFO_OK || q->z) {
242- dma_memory_write(s->mem_as, q->addr, buf, len);
243+ dma_memory_write(s->mem_as, q->addr, buf, len,
244+ MEMTXATTRS_UNSPECIFIED);
245 trace_pl330_exec_cycle(q->addr, len);
246 if (trace_event_get_state_backends(TRACE_PL330_HEXDUMP)) {
247 pl330_hexdump(buf, len);
248diff --git a/hw/dma/sparc32_dma.c b/hw/dma/sparc32_dma.c
249index 03bc500..0ef13c5 100644
250--- a/hw/dma/sparc32_dma.c
251+++ b/hw/dma/sparc32_dma.c
252@@ -81,11 +81,11 @@ void ledma_memory_read(void *opaque, hwaddr addr,
253 addr |= s->dmaregs[3];
254 trace_ledma_memory_read(addr, len);
255 if (do_bswap) {
256- dma_memory_read(&is->iommu_as, addr, buf, len);
257+ dma_memory_read(&is->iommu_as, addr, buf, len, MEMTXATTRS_UNSPECIFIED);
258 } else {
259 addr &= ~1;
260 len &= ~1;
261- dma_memory_read(&is->iommu_as, addr, buf, len);
262+ dma_memory_read(&is->iommu_as, addr, buf, len, MEMTXATTRS_UNSPECIFIED);
263 for(i = 0; i < len; i += 2) {
264 bswap16s((uint16_t *)(buf + i));
265 }
266@@ -103,7 +103,8 @@ void ledma_memory_write(void *opaque, hwaddr addr,
267 addr |= s->dmaregs[3];
268 trace_ledma_memory_write(addr, len);
269 if (do_bswap) {
270- dma_memory_write(&is->iommu_as, addr, buf, len);
271+ dma_memory_write(&is->iommu_as, addr, buf, len,
272+ MEMTXATTRS_UNSPECIFIED);
273 } else {
274 addr &= ~1;
275 len &= ~1;
276@@ -114,7 +115,8 @@ void ledma_memory_write(void *opaque, hwaddr addr,
277 for(i = 0; i < l; i += 2) {
278 tmp_buf[i >> 1] = bswap16(*(uint16_t *)(buf + i));
279 }
280- dma_memory_write(&is->iommu_as, addr, tmp_buf, l);
281+ dma_memory_write(&is->iommu_as, addr, tmp_buf, l,
282+ MEMTXATTRS_UNSPECIFIED);
283 len -= l;
284 buf += l;
285 addr += l;
286@@ -148,7 +150,8 @@ void espdma_memory_read(void *opaque, uint8_t *buf, int len)
287 IOMMUState *is = (IOMMUState *)s->iommu;
288
289 trace_espdma_memory_read(s->dmaregs[1], len);
290- dma_memory_read(&is->iommu_as, s->dmaregs[1], buf, len);
291+ dma_memory_read(&is->iommu_as, s->dmaregs[1], buf, len,
292+ MEMTXATTRS_UNSPECIFIED);
293 s->dmaregs[1] += len;
294 }
295
296@@ -158,7 +161,8 @@ void espdma_memory_write(void *opaque, uint8_t *buf, int len)
297 IOMMUState *is = (IOMMUState *)s->iommu;
298
299 trace_espdma_memory_write(s->dmaregs[1], len);
300- dma_memory_write(&is->iommu_as, s->dmaregs[1], buf, len);
301+ dma_memory_write(&is->iommu_as, s->dmaregs[1], buf, len,
302+ MEMTXATTRS_UNSPECIFIED);
303 s->dmaregs[1] += len;
304 }
305
306diff --git a/hw/dma/xlnx-zynq-devcfg.c b/hw/dma/xlnx-zynq-devcfg.c
307index e33112b..f5ad1a0 100644
308--- a/hw/dma/xlnx-zynq-devcfg.c
309+++ b/hw/dma/xlnx-zynq-devcfg.c
310@@ -161,12 +161,14 @@ static void xlnx_zynq_devcfg_dma_go(XlnxZynqDevcfg *s)
311 btt = MIN(btt, dmah->dest_len);
312 }
313 DB_PRINT("reading %x bytes from %x\n", btt, dmah->src_addr);
314- dma_memory_read(&address_space_memory, dmah->src_addr, buf, btt);
315+ dma_memory_read(&address_space_memory, dmah->src_addr, buf, btt,
316+ MEMTXATTRS_UNSPECIFIED);
317 dmah->src_len -= btt;
318 dmah->src_addr += btt;
319 if (loopback && (dmah->src_len || dmah->dest_len)) {
320 DB_PRINT("writing %x bytes from %x\n", btt, dmah->dest_addr);
321- dma_memory_write(&address_space_memory, dmah->dest_addr, buf, btt);
322+ dma_memory_write(&address_space_memory, dmah->dest_addr, buf, btt,
323+ MEMTXATTRS_UNSPECIFIED);
324 dmah->dest_len -= btt;
325 dmah->dest_addr += btt;
326 }
327diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c
328index 967548a..2d7eae7 100644
329--- a/hw/dma/xlnx_dpdma.c
330+++ b/hw/dma/xlnx_dpdma.c
331@@ -652,7 +652,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
332 }
333
334 if (dma_memory_read(&address_space_memory, desc_addr, &desc,
335- sizeof(DPDMADescriptor))) {
336+ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) {
337 s->registers[DPDMA_EISR] |= ((1 << 1) << channel);
338 xlnx_dpdma_update_irq(s);
339 s->operation_finished[channel] = true;
340@@ -708,7 +708,8 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
341 if (dma_memory_read(&address_space_memory,
342 source_addr[0],
343 &s->data[channel][ptr],
344- line_size)) {
345+ line_size,
346+ MEMTXATTRS_UNSPECIFIED)) {
347 s->registers[DPDMA_ISR] |= ((1 << 12) << channel);
348 xlnx_dpdma_update_irq(s);
349 DPRINTF("Can't get data.\n");
350@@ -736,7 +737,8 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
351 if (dma_memory_read(&address_space_memory,
352 source_addr[frag],
353 &(s->data[channel][ptr]),
354- fragment_len)) {
355+ fragment_len,
356+ MEMTXATTRS_UNSPECIFIED)) {
357 s->registers[DPDMA_ISR] |= ((1 << 12) << channel);
358 xlnx_dpdma_update_irq(s);
359 DPRINTF("Can't get data.\n");
360@@ -754,7 +756,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel,
361 DPRINTF("update the descriptor with the done flag set.\n");
362 xlnx_dpdma_desc_set_done(&desc);
363 dma_memory_write(&address_space_memory, desc_addr, &desc,
364- sizeof(DPDMADescriptor));
365+ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED);
366 }
367
368 if (xlnx_dpdma_desc_completion_interrupt(&desc)) {
369diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c
370index 91fe34a..4d13d8e 100644
371--- a/hw/i386/amd_iommu.c
372+++ b/hw/i386/amd_iommu.c
373@@ -181,7 +181,7 @@ static void amdvi_log_event(AMDVIState *s, uint64_t *evt)
374 }
375
376 if (dma_memory_write(&address_space_memory, s->evtlog + s->evtlog_tail,
377- evt, AMDVI_EVENT_LEN)) {
378+ evt, AMDVI_EVENT_LEN, MEMTXATTRS_UNSPECIFIED)) {
379 trace_amdvi_evntlog_fail(s->evtlog, s->evtlog_tail);
380 }
381
382@@ -376,7 +376,8 @@ static void amdvi_completion_wait(AMDVIState *s, uint64_t *cmd)
383 }
384 if (extract64(cmd[0], 0, 1)) {
385 if (dma_memory_write(&address_space_memory, addr, &data,
386- AMDVI_COMPLETION_DATA_SIZE)) {
387+ AMDVI_COMPLETION_DATA_SIZE,
388+ MEMTXATTRS_UNSPECIFIED)) {
389 trace_amdvi_completion_wait_fail(addr);
390 }
391 }
392@@ -502,7 +503,7 @@ static void amdvi_cmdbuf_exec(AMDVIState *s)
393 uint64_t cmd[2];
394
395 if (dma_memory_read(&address_space_memory, s->cmdbuf + s->cmdbuf_head,
396- cmd, AMDVI_COMMAND_SIZE)) {
397+ cmd, AMDVI_COMMAND_SIZE, MEMTXATTRS_UNSPECIFIED)) {
398 trace_amdvi_command_read_fail(s->cmdbuf, s->cmdbuf_head);
399 amdvi_log_command_error(s, s->cmdbuf + s->cmdbuf_head);
400 return;
401@@ -836,7 +837,7 @@ static bool amdvi_get_dte(AMDVIState *s, int devid, uint64_t *entry)
402 uint32_t offset = devid * AMDVI_DEVTAB_ENTRY_SIZE;
403
404 if (dma_memory_read(&address_space_memory, s->devtab + offset, entry,
405- AMDVI_DEVTAB_ENTRY_SIZE)) {
406+ AMDVI_DEVTAB_ENTRY_SIZE, MEMTXATTRS_UNSPECIFIED)) {
407 trace_amdvi_dte_get_fail(s->devtab, offset);
408 /* log error accessing dte */
409 amdvi_log_devtab_error(s, devid, s->devtab + offset, 0);
410@@ -881,7 +882,8 @@ static inline uint64_t amdvi_get_pte_entry(AMDVIState *s, uint64_t pte_addr,
411 {
412 uint64_t pte;
413
414- if (dma_memory_read(&address_space_memory, pte_addr, &pte, sizeof(pte))) {
415+ if (dma_memory_read(&address_space_memory, pte_addr,
416+ &pte, sizeof(pte), MEMTXATTRS_UNSPECIFIED)) {
417 trace_amdvi_get_pte_hwerror(pte_addr);
418 amdvi_log_pagetab_error(s, devid, pte_addr, 0);
419 pte = 0;
420@@ -1048,7 +1050,7 @@ static int amdvi_get_irte(AMDVIState *s, MSIMessage *origin, uint64_t *dte,
421 trace_amdvi_ir_irte(irte_root, offset);
422
423 if (dma_memory_read(&address_space_memory, irte_root + offset,
424- irte, sizeof(*irte))) {
425+ irte, sizeof(*irte), MEMTXATTRS_UNSPECIFIED)) {
426 trace_amdvi_ir_err("failed to get irte");
427 return -AMDVI_IR_GET_IRTE;
428 }
429@@ -1108,7 +1110,7 @@ static int amdvi_get_irte_ga(AMDVIState *s, MSIMessage *origin, uint64_t *dte,
430 trace_amdvi_ir_irte(irte_root, offset);
431
432 if (dma_memory_read(&address_space_memory, irte_root + offset,
433- irte, sizeof(*irte))) {
434+ irte, sizeof(*irte), MEMTXATTRS_UNSPECIFIED)) {
435 trace_amdvi_ir_err("failed to get irte_ga");
436 return -AMDVI_IR_GET_IRTE;
437 }
438diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
439index f584449..5b865ac 100644
440--- a/hw/i386/intel_iommu.c
441+++ b/hw/i386/intel_iommu.c
442@@ -569,7 +569,8 @@ static int vtd_get_root_entry(IntelIOMMUState *s, uint8_t index,
443 dma_addr_t addr;
444
445 addr = s->root + index * sizeof(*re);
446- if (dma_memory_read(&address_space_memory, addr, re, sizeof(*re))) {
447+ if (dma_memory_read(&address_space_memory, addr,
448+ re, sizeof(*re), MEMTXATTRS_UNSPECIFIED)) {
449 re->lo = 0;
450 return -VTD_FR_ROOT_TABLE_INV;
451 }
452@@ -602,7 +603,8 @@ static int vtd_get_context_entry_from_root(IntelIOMMUState *s,
453 }
454
455 addr = addr + index * ce_size;
456- if (dma_memory_read(&address_space_memory, addr, ce, ce_size)) {
457+ if (dma_memory_read(&address_space_memory, addr,
458+ ce, ce_size, MEMTXATTRS_UNSPECIFIED)) {
459 return -VTD_FR_CONTEXT_TABLE_INV;
460 }
461
462@@ -639,8 +641,8 @@ static uint64_t vtd_get_slpte(dma_addr_t base_addr, uint32_t index)
463 assert(index < VTD_SL_PT_ENTRY_NR);
464
465 if (dma_memory_read(&address_space_memory,
466- base_addr + index * sizeof(slpte), &slpte,
467- sizeof(slpte))) {
468+ base_addr + index * sizeof(slpte),
469+ &slpte, sizeof(slpte), MEMTXATTRS_UNSPECIFIED)) {
470 slpte = (uint64_t)-1;
471 return slpte;
472 }
473@@ -704,7 +706,8 @@ static int vtd_get_pdire_from_pdir_table(dma_addr_t pasid_dir_base,
474 index = VTD_PASID_DIR_INDEX(pasid);
475 entry_size = VTD_PASID_DIR_ENTRY_SIZE;
476 addr = pasid_dir_base + index * entry_size;
477- if (dma_memory_read(&address_space_memory, addr, pdire, entry_size)) {
478+ if (dma_memory_read(&address_space_memory, addr,
479+ pdire, entry_size, MEMTXATTRS_UNSPECIFIED)) {
480 return -VTD_FR_PASID_TABLE_INV;
481 }
482
483@@ -728,7 +731,8 @@ static int vtd_get_pe_in_pasid_leaf_table(IntelIOMMUState *s,
484 index = VTD_PASID_TABLE_INDEX(pasid);
485 entry_size = VTD_PASID_ENTRY_SIZE;
486 addr = addr + index * entry_size;
487- if (dma_memory_read(&address_space_memory, addr, pe, entry_size)) {
488+ if (dma_memory_read(&address_space_memory, addr,
489+ pe, entry_size, MEMTXATTRS_UNSPECIFIED)) {
490 return -VTD_FR_PASID_TABLE_INV;
491 }
492
493@@ -2275,7 +2279,8 @@ static bool vtd_get_inv_desc(IntelIOMMUState *s,
494 uint32_t dw = s->iq_dw ? 32 : 16;
495 dma_addr_t addr = base_addr + offset * dw;
496
497- if (dma_memory_read(&address_space_memory, addr, inv_desc, dw)) {
498+ if (dma_memory_read(&address_space_memory, addr,
499+ inv_desc, dw, MEMTXATTRS_UNSPECIFIED)) {
500 error_report_once("Read INV DESC failed.");
501 return false;
502 }
503@@ -2308,8 +2313,9 @@ static bool vtd_process_wait_desc(IntelIOMMUState *s, VTDInvDesc *inv_desc)
504 dma_addr_t status_addr = inv_desc->hi;
505 trace_vtd_inv_desc_wait_sw(status_addr, status_data);
506 status_data = cpu_to_le32(status_data);
507- if (dma_memory_write(&address_space_memory, status_addr, &status_data,
508- sizeof(status_data))) {
509+ if (dma_memory_write(&address_space_memory, status_addr,
510+ &status_data, sizeof(status_data),
511+ MEMTXATTRS_UNSPECIFIED)) {
512 trace_vtd_inv_desc_wait_write_fail(inv_desc->hi, inv_desc->lo);
513 return false;
514 }
515@@ -3120,8 +3126,8 @@ static int vtd_irte_get(IntelIOMMUState *iommu, uint16_t index,
516 }
517
518 addr = iommu->intr_root + index * sizeof(*entry);
519- if (dma_memory_read(&address_space_memory, addr, entry,
520- sizeof(*entry))) {
521+ if (dma_memory_read(&address_space_memory, addr,
522+ entry, sizeof(*entry), MEMTXATTRS_UNSPECIFIED)) {
523 error_report_once("%s: read failed: ind=0x%x addr=0x%" PRIx64,
524 __func__, index, addr);
525 return -VTD_FR_IR_ROOT_INVAL;
526diff --git a/hw/ide/macio.c b/hw/ide/macio.c
527index b03d401..f08318c 100644
528--- a/hw/ide/macio.c
529+++ b/hw/ide/macio.c
530@@ -97,7 +97,7 @@ static void pmac_ide_atapi_transfer_cb(void *opaque, int ret)
531 /* Non-block ATAPI transfer - just copy to RAM */
532 s->io_buffer_size = MIN(s->io_buffer_size, io->len);
533 dma_memory_write(&address_space_memory, io->addr, s->io_buffer,
534- s->io_buffer_size);
535+ s->io_buffer_size, MEMTXATTRS_UNSPECIFIED);
536 io->len = 0;
537 ide_atapi_cmd_ok(s);
538 m->dma_active = false;
539diff --git a/hw/intc/xive.c b/hw/intc/xive.c
540index 190194d..f15f985 100644
541--- a/hw/intc/xive.c
542+++ b/hw/intc/xive.c
543@@ -1246,8 +1246,8 @@ void xive_end_queue_pic_print_info(XiveEND *end, uint32_t width, Monitor *mon)
544 uint64_t qaddr = qaddr_base + (qindex << 2);
545 uint32_t qdata = -1;
546
547- if (dma_memory_read(&address_space_memory, qaddr, &qdata,
548- sizeof(qdata))) {
549+ if (dma_memory_read(&address_space_memory, qaddr,
550+ &qdata, sizeof(qdata), MEMTXATTRS_UNSPECIFIED)) {
551 qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to read EQ @0x%"
552 HWADDR_PRIx "\n", qaddr);
553 return;
554@@ -1311,7 +1311,8 @@ static void xive_end_enqueue(XiveEND *end, uint32_t data)
555 uint32_t qdata = cpu_to_be32((qgen << 31) | (data & 0x7fffffff));
556 uint32_t qentries = 1 << (qsize + 10);
557
558- if (dma_memory_write(&address_space_memory, qaddr, &qdata, sizeof(qdata))) {
559+ if (dma_memory_write(&address_space_memory, qaddr,
560+ &qdata, sizeof(qdata), MEMTXATTRS_UNSPECIFIED)) {
561 qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to write END data @0x%"
562 HWADDR_PRIx "\n", qaddr);
563 return;
564diff --git a/hw/misc/bcm2835_property.c b/hw/misc/bcm2835_property.c
565index 73941bd..76ea511 100644
566--- a/hw/misc/bcm2835_property.c
567+++ b/hw/misc/bcm2835_property.c
568@@ -69,7 +69,8 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value)
569 break;
570 case 0x00010003: /* Get board MAC address */
571 resplen = sizeof(s->macaddr.a);
572- dma_memory_write(&s->dma_as, value + 12, s->macaddr.a, resplen);
573+ dma_memory_write(&s->dma_as, value + 12, s->macaddr.a, resplen,
574+ MEMTXATTRS_UNSPECIFIED);
575 break;
576 case 0x00010004: /* Get board serial */
577 qemu_log_mask(LOG_UNIMP,
578diff --git a/hw/misc/macio/mac_dbdma.c b/hw/misc/macio/mac_dbdma.c
579index e220f1a..efcc026 100644
580--- a/hw/misc/macio/mac_dbdma.c
581+++ b/hw/misc/macio/mac_dbdma.c
582@@ -94,7 +94,7 @@ static void dbdma_cmdptr_load(DBDMA_channel *ch)
583 DBDMA_DPRINTFCH(ch, "dbdma_cmdptr_load 0x%08x\n",
584 ch->regs[DBDMA_CMDPTR_LO]);
585 dma_memory_read(&address_space_memory, ch->regs[DBDMA_CMDPTR_LO],
586- &ch->current, sizeof(dbdma_cmd));
587+ &ch->current, sizeof(dbdma_cmd), MEMTXATTRS_UNSPECIFIED);
588 }
589
590 static void dbdma_cmdptr_save(DBDMA_channel *ch)
591@@ -104,7 +104,7 @@ static void dbdma_cmdptr_save(DBDMA_channel *ch)
592 le16_to_cpu(ch->current.xfer_status),
593 le16_to_cpu(ch->current.res_count));
594 dma_memory_write(&address_space_memory, ch->regs[DBDMA_CMDPTR_LO],
595- &ch->current, sizeof(dbdma_cmd));
596+ &ch->current, sizeof(dbdma_cmd), MEMTXATTRS_UNSPECIFIED);
597 }
598
599 static void kill_channel(DBDMA_channel *ch)
600@@ -371,7 +371,8 @@ static void load_word(DBDMA_channel *ch, int key, uint32_t addr,
601 return;
602 }
603
604- dma_memory_read(&address_space_memory, addr, &current->cmd_dep, len);
605+ dma_memory_read(&address_space_memory, addr, &current->cmd_dep, len,
606+ MEMTXATTRS_UNSPECIFIED);
607
608 if (conditional_wait(ch))
609 goto wait;
610@@ -403,7 +404,8 @@ static void store_word(DBDMA_channel *ch, int key, uint32_t addr,
611 return;
612 }
613
614- dma_memory_write(&address_space_memory, addr, &current->cmd_dep, len);
615+ dma_memory_write(&address_space_memory, addr, &current->cmd_dep, len,
616+ MEMTXATTRS_UNSPECIFIED);
617
618 if (conditional_wait(ch))
619 goto wait;
620diff --git a/hw/net/allwinner-sun8i-emac.c b/hw/net/allwinner-sun8i-emac.c
621index ff611f1..ecc0245 100644
622--- a/hw/net/allwinner-sun8i-emac.c
623+++ b/hw/net/allwinner-sun8i-emac.c
624@@ -350,7 +350,8 @@ static void allwinner_sun8i_emac_get_desc(AwSun8iEmacState *s,
625 FrameDescriptor *desc,
626 uint32_t phys_addr)
627 {
628- dma_memory_read(&s->dma_as, phys_addr, desc, sizeof(*desc));
629+ dma_memory_read(&s->dma_as, phys_addr, desc, sizeof(*desc),
630+ MEMTXATTRS_UNSPECIFIED);
631 }
632
633 static uint32_t allwinner_sun8i_emac_next_desc(AwSun8iEmacState *s,
634@@ -402,7 +403,8 @@ static void allwinner_sun8i_emac_flush_desc(AwSun8iEmacState *s,
635 FrameDescriptor *desc,
636 uint32_t phys_addr)
637 {
638- dma_memory_write(&s->dma_as, phys_addr, desc, sizeof(*desc));
639+ dma_memory_write(&s->dma_as, phys_addr, desc, sizeof(*desc),
640+ MEMTXATTRS_UNSPECIFIED);
641 }
642
643 static bool allwinner_sun8i_emac_can_receive(NetClientState *nc)
644@@ -460,7 +462,8 @@ static ssize_t allwinner_sun8i_emac_receive(NetClientState *nc,
645 << RX_DESC_STATUS_FRM_LEN_SHIFT;
646 }
647
648- dma_memory_write(&s->dma_as, desc.addr, buf, desc_bytes);
649+ dma_memory_write(&s->dma_as, desc.addr, buf, desc_bytes,
650+ MEMTXATTRS_UNSPECIFIED);
651 allwinner_sun8i_emac_flush_desc(s, &desc, s->rx_desc_curr);
652 trace_allwinner_sun8i_emac_receive(s->rx_desc_curr, desc.addr,
653 desc_bytes);
654@@ -512,7 +515,8 @@ static void allwinner_sun8i_emac_transmit(AwSun8iEmacState *s)
655 desc.status |= TX_DESC_STATUS_LENGTH_ERR;
656 break;
657 }
658- dma_memory_read(&s->dma_as, desc.addr, packet_buf + packet_bytes, bytes);
659+ dma_memory_read(&s->dma_as, desc.addr, packet_buf + packet_bytes,
660+ bytes, MEMTXATTRS_UNSPECIFIED);
661 packet_bytes += bytes;
662 desc.status &= ~DESC_STATUS_CTL;
663 allwinner_sun8i_emac_flush_desc(s, &desc, s->tx_desc_curr);
664@@ -634,7 +638,8 @@ static uint64_t allwinner_sun8i_emac_read(void *opaque, hwaddr offset,
665 break;
666 case REG_TX_CUR_BUF: /* Transmit Current Buffer */
667 if (s->tx_desc_curr != 0) {
668- dma_memory_read(&s->dma_as, s->tx_desc_curr, &desc, sizeof(desc));
669+ dma_memory_read(&s->dma_as, s->tx_desc_curr, &desc, sizeof(desc),
670+ MEMTXATTRS_UNSPECIFIED);
671 value = desc.addr;
672 } else {
673 value = 0;
674@@ -647,7 +652,8 @@ static uint64_t allwinner_sun8i_emac_read(void *opaque, hwaddr offset,
675 break;
676 case REG_RX_CUR_BUF: /* Receive Current Buffer */
677 if (s->rx_desc_curr != 0) {
678- dma_memory_read(&s->dma_as, s->rx_desc_curr, &desc, sizeof(desc));
679+ dma_memory_read(&s->dma_as, s->rx_desc_curr, &desc, sizeof(desc),
680+ MEMTXATTRS_UNSPECIFIED);
681 value = desc.addr;
682 } else {
683 value = 0;
684diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c
685index 25685ba..83ef0a7 100644
686--- a/hw/net/ftgmac100.c
687+++ b/hw/net/ftgmac100.c
688@@ -453,7 +453,8 @@ static void do_phy_ctl(FTGMAC100State *s)
689
690 static int ftgmac100_read_bd(FTGMAC100Desc *bd, dma_addr_t addr)
691 {
692- if (dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd))) {
693+ if (dma_memory_read(&address_space_memory, addr,
694+ bd, sizeof(*bd), MEMTXATTRS_UNSPECIFIED)) {
695 qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to read descriptor @ 0x%"
696 HWADDR_PRIx "\n", __func__, addr);
697 return -1;
698@@ -473,7 +474,8 @@ static int ftgmac100_write_bd(FTGMAC100Desc *bd, dma_addr_t addr)
699 lebd.des1 = cpu_to_le32(bd->des1);
700 lebd.des2 = cpu_to_le32(bd->des2);
701 lebd.des3 = cpu_to_le32(bd->des3);
702- if (dma_memory_write(&address_space_memory, addr, &lebd, sizeof(lebd))) {
703+ if (dma_memory_write(&address_space_memory, addr,
704+ &lebd, sizeof(lebd), MEMTXATTRS_UNSPECIFIED)) {
705 qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to write descriptor @ 0x%"
706 HWADDR_PRIx "\n", __func__, addr);
707 return -1;
708@@ -554,7 +556,8 @@ static void ftgmac100_do_tx(FTGMAC100State *s, uint32_t tx_ring,
709 len = sizeof(s->frame) - frame_size;
710 }
711
712- if (dma_memory_read(&address_space_memory, bd.des3, ptr, len)) {
713+ if (dma_memory_read(&address_space_memory, bd.des3,
714+ ptr, len, MEMTXATTRS_UNSPECIFIED)) {
715 qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to read packet @ 0x%x\n",
716 __func__, bd.des3);
717 s->isr |= FTGMAC100_INT_AHB_ERR;
718@@ -1030,20 +1033,24 @@ static ssize_t ftgmac100_receive(NetClientState *nc, const uint8_t *buf,
719 bd.des1 = lduw_be_p(buf + 14) | FTGMAC100_RXDES1_VLANTAG_AVAIL;
720
721 if (s->maccr & FTGMAC100_MACCR_RM_VLAN) {
722- dma_memory_write(&address_space_memory, buf_addr, buf, 12);
723- dma_memory_write(&address_space_memory, buf_addr + 12, buf + 16,
724- buf_len - 16);
725+ dma_memory_write(&address_space_memory, buf_addr, buf, 12,
726+ MEMTXATTRS_UNSPECIFIED);
727+ dma_memory_write(&address_space_memory, buf_addr + 12,
728+ buf + 16, buf_len - 16,
729+ MEMTXATTRS_UNSPECIFIED);
730 } else {
731- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len);
732+ dma_memory_write(&address_space_memory, buf_addr, buf,
733+ buf_len, MEMTXATTRS_UNSPECIFIED);
734 }
735 } else {
736 bd.des1 = 0;
737- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len);
738+ dma_memory_write(&address_space_memory, buf_addr, buf, buf_len,
739+ MEMTXATTRS_UNSPECIFIED);
740 }
741 buf += buf_len;
742 if (size < 4) {
743 dma_memory_write(&address_space_memory, buf_addr + buf_len,
744- crc_ptr, 4 - size);
745+ crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED);
746 crc_ptr += 4 - size;
747 }
748
749diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
750index 9c7035b..0db9aaf 100644
751--- a/hw/net/imx_fec.c
752+++ b/hw/net/imx_fec.c
753@@ -387,19 +387,22 @@ static void imx_phy_write(IMXFECState *s, int reg, uint32_t val)
754
755 static void imx_fec_read_bd(IMXFECBufDesc *bd, dma_addr_t addr)
756 {
757- dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd));
758+ dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd),
759+ MEMTXATTRS_UNSPECIFIED);
760
761 trace_imx_fec_read_bd(addr, bd->flags, bd->length, bd->data);
762 }
763
764 static void imx_fec_write_bd(IMXFECBufDesc *bd, dma_addr_t addr)
765 {
766- dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd));
767+ dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd),
768+ MEMTXATTRS_UNSPECIFIED);
769 }
770
771 static void imx_enet_read_bd(IMXENETBufDesc *bd, dma_addr_t addr)
772 {
773- dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd));
774+ dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd),
775+ MEMTXATTRS_UNSPECIFIED);
776
777 trace_imx_enet_read_bd(addr, bd->flags, bd->length, bd->data,
778 bd->option, bd->status);
779@@ -407,7 +410,8 @@ static void imx_enet_read_bd(IMXENETBufDesc *bd, dma_addr_t addr)
780
781 static void imx_enet_write_bd(IMXENETBufDesc *bd, dma_addr_t addr)
782 {
783- dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd));
784+ dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd),
785+ MEMTXATTRS_UNSPECIFIED);
786 }
787
788 static void imx_eth_update(IMXFECState *s)
789@@ -474,7 +478,8 @@ static void imx_fec_do_tx(IMXFECState *s)
790 len = ENET_MAX_FRAME_SIZE - frame_size;
791 s->regs[ENET_EIR] |= ENET_INT_BABT;
792 }
793- dma_memory_read(&address_space_memory, bd.data, ptr, len);
794+ dma_memory_read(&address_space_memory, bd.data, ptr, len,
795+ MEMTXATTRS_UNSPECIFIED);
796 ptr += len;
797 frame_size += len;
798 if (bd.flags & ENET_BD_L) {
799@@ -555,7 +560,8 @@ static void imx_enet_do_tx(IMXFECState *s, uint32_t index)
800 len = ENET_MAX_FRAME_SIZE - frame_size;
801 s->regs[ENET_EIR] |= ENET_INT_BABT;
802 }
803- dma_memory_read(&address_space_memory, bd.data, ptr, len);
804+ dma_memory_read(&address_space_memory, bd.data, ptr, len,
805+ MEMTXATTRS_UNSPECIFIED);
806 ptr += len;
807 frame_size += len;
808 if (bd.flags & ENET_BD_L) {
809@@ -1103,11 +1109,12 @@ static ssize_t imx_fec_receive(NetClientState *nc, const uint8_t *buf,
810 buf_len += size - 4;
811 }
812 buf_addr = bd.data;
813- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len);
814+ dma_memory_write(&address_space_memory, buf_addr, buf, buf_len,
815+ MEMTXATTRS_UNSPECIFIED);
816 buf += buf_len;
817 if (size < 4) {
818 dma_memory_write(&address_space_memory, buf_addr + buf_len,
819- crc_ptr, 4 - size);
820+ crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED);
821 crc_ptr += 4 - size;
822 }
823 bd.flags &= ~ENET_BD_E;
824@@ -1210,8 +1217,8 @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
825 */
826 const uint8_t zeros[2] = { 0 };
827
828- dma_memory_write(&address_space_memory, buf_addr,
829- zeros, sizeof(zeros));
830+ dma_memory_write(&address_space_memory, buf_addr, zeros,
831+ sizeof(zeros), MEMTXATTRS_UNSPECIFIED);
832
833 buf_addr += sizeof(zeros);
834 buf_len -= sizeof(zeros);
835@@ -1220,11 +1227,12 @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
836 shift16 = false;
837 }
838
839- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len);
840+ dma_memory_write(&address_space_memory, buf_addr, buf, buf_len,
841+ MEMTXATTRS_UNSPECIFIED);
842 buf += buf_len;
843 if (size < 4) {
844 dma_memory_write(&address_space_memory, buf_addr + buf_len,
845- crc_ptr, 4 - size);
846+ crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED);
847 crc_ptr += 4 - size;
848 }
849 bd.flags &= ~ENET_BD_E;
850diff --git a/hw/net/npcm7xx_emc.c b/hw/net/npcm7xx_emc.c
851index 545b2b7..9a23289 100644
852--- a/hw/net/npcm7xx_emc.c
853+++ b/hw/net/npcm7xx_emc.c
854@@ -200,7 +200,8 @@ static void emc_update_irq_from_reg_change(NPCM7xxEMCState *emc)
855
856 static int emc_read_tx_desc(dma_addr_t addr, NPCM7xxEMCTxDesc *desc)
857 {
858- if (dma_memory_read(&address_space_memory, addr, desc, sizeof(*desc))) {
859+ if (dma_memory_read(&address_space_memory, addr, desc,
860+ sizeof(*desc), MEMTXATTRS_UNSPECIFIED)) {
861 qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read descriptor @ 0x%"
862 HWADDR_PRIx "\n", __func__, addr);
863 return -1;
864@@ -221,7 +222,7 @@ static int emc_write_tx_desc(const NPCM7xxEMCTxDesc *desc, dma_addr_t addr)
865 le_desc.status_and_length = cpu_to_le32(desc->status_and_length);
866 le_desc.ntxdsa = cpu_to_le32(desc->ntxdsa);
867 if (dma_memory_write(&address_space_memory, addr, &le_desc,
868- sizeof(le_desc))) {
869+ sizeof(le_desc), MEMTXATTRS_UNSPECIFIED)) {
870 qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to write descriptor @ 0x%"
871 HWADDR_PRIx "\n", __func__, addr);
872 return -1;
873@@ -231,7 +232,8 @@ static int emc_write_tx_desc(const NPCM7xxEMCTxDesc *desc, dma_addr_t addr)
874
875 static int emc_read_rx_desc(dma_addr_t addr, NPCM7xxEMCRxDesc *desc)
876 {
877- if (dma_memory_read(&address_space_memory, addr, desc, sizeof(*desc))) {
878+ if (dma_memory_read(&address_space_memory, addr, desc,
879+ sizeof(*desc), MEMTXATTRS_UNSPECIFIED)) {
880 qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read descriptor @ 0x%"
881 HWADDR_PRIx "\n", __func__, addr);
882 return -1;
883@@ -252,7 +254,7 @@ static int emc_write_rx_desc(const NPCM7xxEMCRxDesc *desc, dma_addr_t addr)
884 le_desc.reserved = cpu_to_le32(desc->reserved);
885 le_desc.nrxdsa = cpu_to_le32(desc->nrxdsa);
886 if (dma_memory_write(&address_space_memory, addr, &le_desc,
887- sizeof(le_desc))) {
888+ sizeof(le_desc), MEMTXATTRS_UNSPECIFIED)) {
889 qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to write descriptor @ 0x%"
890 HWADDR_PRIx "\n", __func__, addr);
891 return -1;
892@@ -366,7 +368,8 @@ static void emc_try_send_next_packet(NPCM7xxEMCState *emc)
893 buf = malloced_buf;
894 }
895
896- if (dma_memory_read(&address_space_memory, next_buf_addr, buf, length)) {
897+ if (dma_memory_read(&address_space_memory, next_buf_addr, buf,
898+ length, MEMTXATTRS_UNSPECIFIED)) {
899 qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read packet @ 0x%x\n",
900 __func__, next_buf_addr);
901 emc_set_mista(emc, REG_MISTA_TXBERR);
902@@ -551,10 +554,11 @@ static ssize_t emc_receive(NetClientState *nc, const uint8_t *buf, size_t len1)
903
904 buf_addr = rx_desc.rxbsa;
905 emc->regs[REG_CRXBSA] = buf_addr;
906- if (dma_memory_write(&address_space_memory, buf_addr, buf, len) ||
907+ if (dma_memory_write(&address_space_memory, buf_addr, buf,
908+ len, MEMTXATTRS_UNSPECIFIED) ||
909 (!(emc->regs[REG_MCMDR] & REG_MCMDR_SPCRC) &&
910- dma_memory_write(&address_space_memory, buf_addr + len, crc_ptr,
911- 4))) {
912+ dma_memory_write(&address_space_memory, buf_addr + len,
913+ crc_ptr, 4, MEMTXATTRS_UNSPECIFIED))) {
914 qemu_log_mask(LOG_GUEST_ERROR, "%s: Bus error writing packet\n",
915 __func__);
916 emc_set_mista(emc, REG_MISTA_RXBERR);
917diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
918index f7803fe..9b91b15 100644
919--- a/hw/nvram/fw_cfg.c
920+++ b/hw/nvram/fw_cfg.c
921@@ -357,7 +357,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
922 dma_addr = s->dma_addr;
923 s->dma_addr = 0;
924
925- if (dma_memory_read(s->dma_as, dma_addr, &dma, sizeof(dma))) {
926+ if (dma_memory_read(s->dma_as, dma_addr,
927+ &dma, sizeof(dma), MEMTXATTRS_UNSPECIFIED)) {
928 stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control),
929 FW_CFG_DMA_CTL_ERROR);
930 return;
931@@ -419,7 +420,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
932 */
933 if (read) {
934 if (dma_memory_write(s->dma_as, dma.address,
935- &e->data[s->cur_offset], len)) {
936+ &e->data[s->cur_offset], len,
937+ MEMTXATTRS_UNSPECIFIED)) {
938 dma.control |= FW_CFG_DMA_CTL_ERROR;
939 }
940 }
941@@ -427,7 +429,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
942 if (!e->allow_write ||
943 len != dma.length ||
944 dma_memory_read(s->dma_as, dma.address,
945- &e->data[s->cur_offset], len)) {
946+ &e->data[s->cur_offset], len,
947+ MEMTXATTRS_UNSPECIFIED)) {
948 dma.control |= FW_CFG_DMA_CTL_ERROR;
949 } else if (e->write_cb) {
950 e->write_cb(e->callback_opaque, s->cur_offset, len);
951diff --git a/hw/pci-host/pnv_phb3.c b/hw/pci-host/pnv_phb3.c
952index 9c4451c..c6e7871 100644
953--- a/hw/pci-host/pnv_phb3.c
954+++ b/hw/pci-host/pnv_phb3.c
955@@ -715,7 +715,8 @@ static bool pnv_phb3_resolve_pe(PnvPhb3DMASpace *ds)
956 bus_num = pci_bus_num(ds->bus);
957 addr = rtt & PHB_RTT_BASE_ADDRESS_MASK;
958 addr += 2 * ((bus_num << 8) | ds->devfn);
959- if (dma_memory_read(&address_space_memory, addr, &rte, sizeof(rte))) {
960+ if (dma_memory_read(&address_space_memory, addr, &rte,
961+ sizeof(rte), MEMTXATTRS_UNSPECIFIED)) {
962 phb3_error(ds->phb, "Failed to read RTT entry at 0x%"PRIx64, addr);
963 /* Set error bits ? fence ? ... */
964 return false;
965@@ -794,7 +795,7 @@ static void pnv_phb3_translate_tve(PnvPhb3DMASpace *ds, hwaddr addr,
966 /* Grab the TCE address */
967 taddr = base | (((addr >> sh) & ((1ul << tbl_shift) - 1)) << 3);
968 if (dma_memory_read(&address_space_memory, taddr, &tce,
969- sizeof(tce))) {
970+ sizeof(tce), MEMTXATTRS_UNSPECIFIED)) {
971 phb3_error(phb, "Failed to read TCE at 0x%"PRIx64, taddr);
972 return;
973 }
974diff --git a/hw/pci-host/pnv_phb3_msi.c b/hw/pci-host/pnv_phb3_msi.c
975index 099d209..8bcbc2c 100644
976--- a/hw/pci-host/pnv_phb3_msi.c
977+++ b/hw/pci-host/pnv_phb3_msi.c
978@@ -53,7 +53,8 @@ static bool phb3_msi_read_ive(PnvPHB3 *phb, int srcno, uint64_t *out_ive)
979 return false;
980 }
981
982- if (dma_memory_read(&address_space_memory, ive_addr, &ive, sizeof(ive))) {
983+ if (dma_memory_read(&address_space_memory, ive_addr,
984+ &ive, sizeof(ive), MEMTXATTRS_UNSPECIFIED)) {
985 qemu_log_mask(LOG_GUEST_ERROR, "Failed to read IVE at 0x%" PRIx64,
986 ive_addr);
987 return false;
988@@ -73,7 +74,8 @@ static void phb3_msi_set_p(Phb3MsiState *msi, int srcno, uint8_t gen)
989 return;
990 }
991
992- if (dma_memory_write(&address_space_memory, ive_addr + 4, &p, 1)) {
993+ if (dma_memory_write(&address_space_memory, ive_addr + 4,
994+ &p, 1, MEMTXATTRS_UNSPECIFIED)) {
995 qemu_log_mask(LOG_GUEST_ERROR,
996 "Failed to write IVE (set P) at 0x%" PRIx64, ive_addr);
997 }
998@@ -89,7 +91,8 @@ static void phb3_msi_set_q(Phb3MsiState *msi, int srcno)
999 return;
1000 }
1001
1002- if (dma_memory_write(&address_space_memory, ive_addr + 5, &q, 1)) {
1003+ if (dma_memory_write(&address_space_memory, ive_addr + 5,
1004+ &q, 1, MEMTXATTRS_UNSPECIFIED)) {
1005 qemu_log_mask(LOG_GUEST_ERROR,
1006 "Failed to write IVE (set Q) at 0x%" PRIx64, ive_addr);
1007 }
1008diff --git a/hw/pci-host/pnv_phb4.c b/hw/pci-host/pnv_phb4.c
1009index 40b7932..1fbf732 100644
1010--- a/hw/pci-host/pnv_phb4.c
1011+++ b/hw/pci-host/pnv_phb4.c
1012@@ -891,7 +891,8 @@ static bool pnv_phb4_resolve_pe(PnvPhb4DMASpace *ds)
1013 bus_num = pci_bus_num(ds->bus);
1014 addr = rtt & PHB_RTT_BASE_ADDRESS_MASK;
1015 addr += 2 * PCI_BUILD_BDF(bus_num, ds->devfn);
1016- if (dma_memory_read(&address_space_memory, addr, &rte, sizeof(rte))) {
1017+ if (dma_memory_read(&address_space_memory, addr, &rte,
1018+ sizeof(rte), MEMTXATTRS_UNSPECIFIED)) {
1019 phb_error(ds->phb, "Failed to read RTT entry at 0x%"PRIx64, addr);
1020 /* Set error bits ? fence ? ... */
1021 return false;
1022@@ -961,7 +962,7 @@ static void pnv_phb4_translate_tve(PnvPhb4DMASpace *ds, hwaddr addr,
1023 /* Grab the TCE address */
1024 taddr = base | (((addr >> sh) & ((1ul << tbl_shift) - 1)) << 3);
1025 if (dma_memory_read(&address_space_memory, taddr, &tce,
1026- sizeof(tce))) {
1027+ sizeof(tce), MEMTXATTRS_UNSPECIFIED)) {
1028 phb_error(ds->phb, "Failed to read TCE at 0x%"PRIx64, taddr);
1029 return;
1030 }
1031diff --git a/hw/sd/allwinner-sdhost.c b/hw/sd/allwinner-sdhost.c
1032index 9166d66..de5bc49 100644
1033--- a/hw/sd/allwinner-sdhost.c
1034+++ b/hw/sd/allwinner-sdhost.c
1035@@ -311,7 +311,8 @@ static uint32_t allwinner_sdhost_process_desc(AwSdHostState *s,
1036 uint8_t buf[1024];
1037
1038 /* Read descriptor */
1039- dma_memory_read(&s->dma_as, desc_addr, desc, sizeof(*desc));
1040+ dma_memory_read(&s->dma_as, desc_addr, desc, sizeof(*desc),
1041+ MEMTXATTRS_UNSPECIFIED);
1042 if (desc->size == 0) {
1043 desc->size = klass->max_desc_size;
1044 } else if (desc->size > klass->max_desc_size) {
1045@@ -337,23 +338,24 @@ static uint32_t allwinner_sdhost_process_desc(AwSdHostState *s,
1046 /* Write to SD bus */
1047 if (is_write) {
1048 dma_memory_read(&s->dma_as,
1049- (desc->addr & DESC_SIZE_MASK) + num_done,
1050- buf, buf_bytes);
1051+ (desc->addr & DESC_SIZE_MASK) + num_done, buf,
1052+ buf_bytes, MEMTXATTRS_UNSPECIFIED);
1053 sdbus_write_data(&s->sdbus, buf, buf_bytes);
1054
1055 /* Read from SD bus */
1056 } else {
1057 sdbus_read_data(&s->sdbus, buf, buf_bytes);
1058 dma_memory_write(&s->dma_as,
1059- (desc->addr & DESC_SIZE_MASK) + num_done,
1060- buf, buf_bytes);
1061+ (desc->addr & DESC_SIZE_MASK) + num_done, buf,
1062+ buf_bytes, MEMTXATTRS_UNSPECIFIED);
1063 }
1064 num_done += buf_bytes;
1065 }
1066
1067 /* Clear hold flag and flush descriptor */
1068 desc->status &= ~DESC_STATUS_HOLD;
1069- dma_memory_write(&s->dma_as, desc_addr, desc, sizeof(*desc));
1070+ dma_memory_write(&s->dma_as, desc_addr, desc, sizeof(*desc),
1071+ MEMTXATTRS_UNSPECIFIED);
1072
1073 return num_done;
1074 }
1075diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
1076index c9dc065..e0bbc90 100644
1077--- a/hw/sd/sdhci.c
1078+++ b/hw/sd/sdhci.c
1079@@ -616,8 +616,8 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
1080 s->blkcnt--;
1081 }
1082 }
1083- dma_memory_write(s->dma_as, s->sdmasysad,
1084- &s->fifo_buffer[begin], s->data_count - begin);
1085+ dma_memory_write(s->dma_as, s->sdmasysad, &s->fifo_buffer[begin],
1086+ s->data_count - begin, MEMTXATTRS_UNSPECIFIED);
1087 s->sdmasysad += s->data_count - begin;
1088 if (s->data_count == block_size) {
1089 s->data_count = 0;
1090@@ -637,8 +637,8 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
1091 s->data_count = block_size;
1092 boundary_count -= block_size - begin;
1093 }
1094- dma_memory_read(s->dma_as, s->sdmasysad,
1095- &s->fifo_buffer[begin], s->data_count - begin);
1096+ dma_memory_read(s->dma_as, s->sdmasysad, &s->fifo_buffer[begin],
1097+ s->data_count - begin, MEMTXATTRS_UNSPECIFIED);
1098 s->sdmasysad += s->data_count - begin;
1099 if (s->data_count == block_size) {
1100 sdbus_write_data(&s->sdbus, s->fifo_buffer, block_size);
1101@@ -670,9 +670,11 @@ static void sdhci_sdma_transfer_single_block(SDHCIState *s)
1102
1103 if (s->trnmod & SDHC_TRNS_READ) {
1104 sdbus_read_data(&s->sdbus, s->fifo_buffer, datacnt);
1105- dma_memory_write(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt);
1106+ dma_memory_write(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt,
1107+ MEMTXATTRS_UNSPECIFIED);
1108 } else {
1109- dma_memory_read(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt);
1110+ dma_memory_read(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt,
1111+ MEMTXATTRS_UNSPECIFIED);
1112 sdbus_write_data(&s->sdbus, s->fifo_buffer, datacnt);
1113 }
1114 s->blkcnt--;
1115@@ -694,7 +696,8 @@ static void get_adma_description(SDHCIState *s, ADMADescr *dscr)
1116 hwaddr entry_addr = (hwaddr)s->admasysaddr;
1117 switch (SDHC_DMA_TYPE(s->hostctl1)) {
1118 case SDHC_CTRL_ADMA2_32:
1119- dma_memory_read(s->dma_as, entry_addr, &adma2, sizeof(adma2));
1120+ dma_memory_read(s->dma_as, entry_addr, &adma2, sizeof(adma2),
1121+ MEMTXATTRS_UNSPECIFIED);
1122 adma2 = le64_to_cpu(adma2);
1123 /* The spec does not specify endianness of descriptor table.
1124 * We currently assume that it is LE.
1125@@ -705,7 +708,8 @@ static void get_adma_description(SDHCIState *s, ADMADescr *dscr)
1126 dscr->incr = 8;
1127 break;
1128 case SDHC_CTRL_ADMA1_32:
1129- dma_memory_read(s->dma_as, entry_addr, &adma1, sizeof(adma1));
1130+ dma_memory_read(s->dma_as, entry_addr, &adma1, sizeof(adma1),
1131+ MEMTXATTRS_UNSPECIFIED);
1132 adma1 = le32_to_cpu(adma1);
1133 dscr->addr = (hwaddr)(adma1 & 0xFFFFF000);
1134 dscr->attr = (uint8_t)extract32(adma1, 0, 7);
1135@@ -717,10 +721,13 @@ static void get_adma_description(SDHCIState *s, ADMADescr *dscr)
1136 }
1137 break;
1138 case SDHC_CTRL_ADMA2_64:
1139- dma_memory_read(s->dma_as, entry_addr, &dscr->attr, 1);
1140- dma_memory_read(s->dma_as, entry_addr + 2, &dscr->length, 2);
1141+ dma_memory_read(s->dma_as, entry_addr, &dscr->attr, 1,
1142+ MEMTXATTRS_UNSPECIFIED);
1143+ dma_memory_read(s->dma_as, entry_addr + 2, &dscr->length, 2,
1144+ MEMTXATTRS_UNSPECIFIED);
1145 dscr->length = le16_to_cpu(dscr->length);
1146- dma_memory_read(s->dma_as, entry_addr + 4, &dscr->addr, 8);
1147+ dma_memory_read(s->dma_as, entry_addr + 4, &dscr->addr, 8,
1148+ MEMTXATTRS_UNSPECIFIED);
1149 dscr->addr = le64_to_cpu(dscr->addr);
1150 dscr->attr &= (uint8_t) ~0xC0;
1151 dscr->incr = 12;
1152@@ -785,7 +792,8 @@ static void sdhci_do_adma(SDHCIState *s)
1153 }
1154 dma_memory_write(s->dma_as, dscr.addr,
1155 &s->fifo_buffer[begin],
1156- s->data_count - begin);
1157+ s->data_count - begin,
1158+ MEMTXATTRS_UNSPECIFIED);
1159 dscr.addr += s->data_count - begin;
1160 if (s->data_count == block_size) {
1161 s->data_count = 0;
1162@@ -810,7 +818,8 @@ static void sdhci_do_adma(SDHCIState *s)
1163 }
1164 dma_memory_read(s->dma_as, dscr.addr,
1165 &s->fifo_buffer[begin],
1166- s->data_count - begin);
1167+ s->data_count - begin,
1168+ MEMTXATTRS_UNSPECIFIED);
1169 dscr.addr += s->data_count - begin;
1170 if (s->data_count == block_size) {
1171 sdbus_write_data(&s->sdbus, s->fifo_buffer, block_size);
1172diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c
1173index e1d96ac..8755e9c 100644
1174--- a/hw/usb/hcd-dwc2.c
1175+++ b/hw/usb/hcd-dwc2.c
1176@@ -272,8 +272,8 @@ static void dwc2_handle_packet(DWC2State *s, uint32_t devadr, USBDevice *dev,
1177
1178 if (pid != USB_TOKEN_IN) {
1179 trace_usb_dwc2_memory_read(hcdma, tlen);
1180- if (dma_memory_read(&s->dma_as, hcdma,
1181- s->usb_buf[chan], tlen) != MEMTX_OK) {
1182+ if (dma_memory_read(&s->dma_as, hcdma, s->usb_buf[chan], tlen,
1183+ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
1184 qemu_log_mask(LOG_GUEST_ERROR, "%s: dma_memory_read failed\n",
1185 __func__);
1186 }
1187@@ -328,8 +328,8 @@ babble:
1188
1189 if (pid == USB_TOKEN_IN) {
1190 trace_usb_dwc2_memory_write(hcdma, actual);
1191- if (dma_memory_write(&s->dma_as, hcdma, s->usb_buf[chan],
1192- actual) != MEMTX_OK) {
1193+ if (dma_memory_write(&s->dma_as, hcdma, s->usb_buf[chan], actual,
1194+ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
1195 qemu_log_mask(LOG_GUEST_ERROR, "%s: dma_memory_write failed\n",
1196 __func__);
1197 }
1198diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
1199index 6caa7ac..33a8a37 100644
1200--- a/hw/usb/hcd-ehci.c
1201+++ b/hw/usb/hcd-ehci.c
1202@@ -383,7 +383,8 @@ static inline int get_dwords(EHCIState *ehci, uint32_t addr,
1203 }
1204
1205 for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
1206- dma_memory_read(ehci->as, addr, buf, sizeof(*buf));
1207+ dma_memory_read(ehci->as, addr, buf, sizeof(*buf),
1208+ MEMTXATTRS_UNSPECIFIED);
1209 *buf = le32_to_cpu(*buf);
1210 }
1211
1212@@ -405,7 +406,8 @@ static inline int put_dwords(EHCIState *ehci, uint32_t addr,
1213
1214 for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
1215 uint32_t tmp = cpu_to_le32(*buf);
1216- dma_memory_write(ehci->as, addr, &tmp, sizeof(tmp));
1217+ dma_memory_write(ehci->as, addr, &tmp, sizeof(tmp),
1218+ MEMTXATTRS_UNSPECIFIED);
1219 }
1220
1221 return num;
1222diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
1223index 56e2315..a93d6b2 100644
1224--- a/hw/usb/hcd-ohci.c
1225+++ b/hw/usb/hcd-ohci.c
1226@@ -452,7 +452,8 @@ static inline int get_dwords(OHCIState *ohci,
1227 addr += ohci->localmem_base;
1228
1229 for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
1230- if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
1231+ if (dma_memory_read(ohci->as, addr,
1232+ buf, sizeof(*buf), MEMTXATTRS_UNSPECIFIED)) {
1233 return -1;
1234 }
1235 *buf = le32_to_cpu(*buf);
1236@@ -471,7 +472,8 @@ static inline int put_dwords(OHCIState *ohci,
1237
1238 for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
1239 uint32_t tmp = cpu_to_le32(*buf);
1240- if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
1241+ if (dma_memory_write(ohci->as, addr,
1242+ &tmp, sizeof(tmp), MEMTXATTRS_UNSPECIFIED)) {
1243 return -1;
1244 }
1245 }
1246@@ -488,7 +490,8 @@ static inline int get_words(OHCIState *ohci,
1247 addr += ohci->localmem_base;
1248
1249 for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
1250- if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) {
1251+ if (dma_memory_read(ohci->as, addr,
1252+ buf, sizeof(*buf), MEMTXATTRS_UNSPECIFIED)) {
1253 return -1;
1254 }
1255 *buf = le16_to_cpu(*buf);
1256@@ -507,7 +510,8 @@ static inline int put_words(OHCIState *ohci,
1257
1258 for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) {
1259 uint16_t tmp = cpu_to_le16(*buf);
1260- if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) {
1261+ if (dma_memory_write(ohci->as, addr,
1262+ &tmp, sizeof(tmp), MEMTXATTRS_UNSPECIFIED)) {
1263 return -1;
1264 }
1265 }
1266@@ -537,8 +541,8 @@ static inline int ohci_read_iso_td(OHCIState *ohci,
1267 static inline int ohci_read_hcca(OHCIState *ohci,
1268 dma_addr_t addr, struct ohci_hcca *hcca)
1269 {
1270- return dma_memory_read(ohci->as, addr + ohci->localmem_base,
1271- hcca, sizeof(*hcca));
1272+ return dma_memory_read(ohci->as, addr + ohci->localmem_base, hcca,
1273+ sizeof(*hcca), MEMTXATTRS_UNSPECIFIED);
1274 }
1275
1276 static inline int ohci_put_ed(OHCIState *ohci,
1277@@ -572,7 +576,7 @@ static inline int ohci_put_hcca(OHCIState *ohci,
1278 return dma_memory_write(ohci->as,
1279 addr + ohci->localmem_base + HCCA_WRITEBACK_OFFSET,
1280 (char *)hcca + HCCA_WRITEBACK_OFFSET,
1281- HCCA_WRITEBACK_SIZE);
1282+ HCCA_WRITEBACK_SIZE, MEMTXATTRS_UNSPECIFIED);
1283 }
1284
1285 /* Read/Write the contents of a TD from/to main memory. */
1286diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
1287index e017000..ed2b9ea 100644
1288--- a/hw/usb/hcd-xhci.c
1289+++ b/hw/usb/hcd-xhci.c
1290@@ -487,7 +487,7 @@ static inline void xhci_dma_read_u32s(XHCIState *xhci, dma_addr_t addr,
1291
1292 assert((len % sizeof(uint32_t)) == 0);
1293
1294- dma_memory_read(xhci->as, addr, buf, len);
1295+ dma_memory_read(xhci->as, addr, buf, len, MEMTXATTRS_UNSPECIFIED);
1296
1297 for (i = 0; i < (len / sizeof(uint32_t)); i++) {
1298 buf[i] = le32_to_cpu(buf[i]);
1299@@ -507,7 +507,7 @@ static inline void xhci_dma_write_u32s(XHCIState *xhci, dma_addr_t addr,
1300 for (i = 0; i < n; i++) {
1301 tmp[i] = cpu_to_le32(buf[i]);
1302 }
1303- dma_memory_write(xhci->as, addr, tmp, len);
1304+ dma_memory_write(xhci->as, addr, tmp, len, MEMTXATTRS_UNSPECIFIED);
1305 }
1306
1307 static XHCIPort *xhci_lookup_port(XHCIState *xhci, struct USBPort *uport)
1308@@ -618,7 +618,7 @@ static void xhci_write_event(XHCIState *xhci, XHCIEvent *event, int v)
1309 ev_trb.status, ev_trb.control);
1310
1311 addr = intr->er_start + TRB_SIZE*intr->er_ep_idx;
1312- dma_memory_write(xhci->as, addr, &ev_trb, TRB_SIZE);
1313+ dma_memory_write(xhci->as, addr, &ev_trb, TRB_SIZE, MEMTXATTRS_UNSPECIFIED);
1314
1315 intr->er_ep_idx++;
1316 if (intr->er_ep_idx >= intr->er_size) {
1317@@ -679,7 +679,8 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
1318
1319 while (1) {
1320 TRBType type;
1321- dma_memory_read(xhci->as, ring->dequeue, trb, TRB_SIZE);
1322+ dma_memory_read(xhci->as, ring->dequeue, trb, TRB_SIZE,
1323+ MEMTXATTRS_UNSPECIFIED);
1324 trb->addr = ring->dequeue;
1325 trb->ccs = ring->ccs;
1326 le64_to_cpus(&trb->parameter);
1327@@ -726,7 +727,8 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
1328
1329 while (1) {
1330 TRBType type;
1331- dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE);
1332+ dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE,
1333+ MEMTXATTRS_UNSPECIFIED);
1334 le64_to_cpus(&trb.parameter);
1335 le32_to_cpus(&trb.status);
1336 le32_to_cpus(&trb.control);
1337@@ -781,7 +783,8 @@ static void xhci_er_reset(XHCIState *xhci, int v)
1338 xhci_die(xhci);
1339 return;
1340 }
1341- dma_memory_read(xhci->as, erstba, &seg, sizeof(seg));
1342+ dma_memory_read(xhci->as, erstba, &seg, sizeof(seg),
1343+ MEMTXATTRS_UNSPECIFIED);
1344 le32_to_cpus(&seg.addr_low);
1345 le32_to_cpus(&seg.addr_high);
1346 le32_to_cpus(&seg.size);
1347@@ -2397,7 +2400,8 @@ static TRBCCode xhci_get_port_bandwidth(XHCIState *xhci, uint64_t pctx)
1348 /* TODO: actually implement real values here */
1349 bw_ctx[0] = 0;
1350 memset(&bw_ctx[1], 80, xhci->numports); /* 80% */
1351- dma_memory_write(xhci->as, ctx, bw_ctx, sizeof(bw_ctx));
1352+ dma_memory_write(xhci->as, ctx, bw_ctx, sizeof(bw_ctx),
1353+ MEMTXATTRS_UNSPECIFIED);
1354
1355 return CC_SUCCESS;
1356 }
1357diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h
1358index c90e74a..5d2ea8e 100644
1359--- a/include/hw/ppc/spapr_vio.h
1360+++ b/include/hw/ppc/spapr_vio.h
1361@@ -97,14 +97,16 @@ static inline bool spapr_vio_dma_valid(SpaprVioDevice *dev, uint64_t taddr,
1362 static inline int spapr_vio_dma_read(SpaprVioDevice *dev, uint64_t taddr,
1363 void *buf, uint32_t size)
1364 {
1365- return (dma_memory_read(&dev->as, taddr, buf, size) != 0) ?
1366+ return (dma_memory_read(&dev->as, taddr,
1367+ buf, size, MEMTXATTRS_UNSPECIFIED) != 0) ?
1368 H_DEST_PARM : H_SUCCESS;
1369 }
1370
1371 static inline int spapr_vio_dma_write(SpaprVioDevice *dev, uint64_t taddr,
1372 const void *buf, uint32_t size)
1373 {
1374- return (dma_memory_write(&dev->as, taddr, buf, size) != 0) ?
1375+ return (dma_memory_write(&dev->as, taddr,
1376+ buf, size, MEMTXATTRS_UNSPECIFIED) != 0) ?
1377 H_DEST_PARM : H_SUCCESS;
1378 }
1379
1380diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
1381index e8ad422..522682b 100644
1382--- a/include/sysemu/dma.h
1383+++ b/include/sysemu/dma.h
1384@@ -143,12 +143,14 @@ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr,
1385 * @addr: address within that address space
1386 * @buf: buffer with the data transferred
1387 * @len: length of the data transferred
1388+ * @attrs: memory transaction attributes
1389 */
1390 static inline MemTxResult dma_memory_read(AddressSpace *as, dma_addr_t addr,
1391- void *buf, dma_addr_t len)
1392+ void *buf, dma_addr_t len,
1393+ MemTxAttrs attrs)
1394 {
1395 return dma_memory_rw(as, addr, buf, len,
1396- DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED);
1397+ DMA_DIRECTION_TO_DEVICE, attrs);
1398 }
1399
1400 /**
1401@@ -162,12 +164,14 @@ static inline MemTxResult dma_memory_read(AddressSpace *as, dma_addr_t addr,
1402 * @addr: address within that address space
1403 * @buf: buffer with the data transferred
1404 * @len: the number of bytes to write
1405+ * @attrs: memory transaction attributes
1406 */
1407 static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr,
1408- const void *buf, dma_addr_t len)
1409+ const void *buf, dma_addr_t len,
1410+ MemTxAttrs attrs)
1411 {
1412 return dma_memory_rw(as, addr, (void *)buf, len,
1413- DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED);
1414+ DMA_DIRECTION_FROM_DEVICE, attrs);
1415 }
1416
1417 /**
1418@@ -239,7 +243,7 @@ static inline void dma_memory_unmap(AddressSpace *as,
1419 dma_addr_t addr) \
1420 { \
1421 uint##_bits##_t val; \
1422- dma_memory_read(as, addr, &val, (_bits) / 8); \
1423+ dma_memory_read(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \
1424 return _end##_bits##_to_cpu(val); \
1425 } \
1426 static inline void st##_sname##_##_end##_dma(AddressSpace *as, \
1427@@ -247,20 +251,20 @@ static inline void dma_memory_unmap(AddressSpace *as,
1428 uint##_bits##_t val) \
1429 { \
1430 val = cpu_to_##_end##_bits(val); \
1431- dma_memory_write(as, addr, &val, (_bits) / 8); \
1432+ dma_memory_write(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \
1433 }
1434
1435 static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr)
1436 {
1437 uint8_t val;
1438
1439- dma_memory_read(as, addr, &val, 1);
1440+ dma_memory_read(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED);
1441 return val;
1442 }
1443
1444 static inline void stb_dma(AddressSpace *as, dma_addr_t addr, uint8_t val)
1445 {
1446- dma_memory_write(as, addr, &val, 1);
1447+ dma_memory_write(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED);
1448 }
1449
1450 DEFINE_LDST_DMA(uw, w, 16, le);
1451--
14521.8.3.1
1453
diff --git a/meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..8dd0476953
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,227 @@
1From a1d4b0a3051b3079c8db607f519bc0fcb30e17ec Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Thu, 3 Sep 2020 11:00:47 +0200
4Subject: [PATCH] dma: Let dma_memory_map() take MemTxAttrs argument
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9Let devices specify transaction attributes when calling
10dma_memory_map().
11
12Patch created mechanically using spatch with this script:
13
14 @@
15 expression E1, E2, E3, E4;
16 @@
17 - dma_memory_map(E1, E2, E3, E4)
18 + dma_memory_map(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED)
19
20CVE: CVE-2021-3611
21Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=a1d4b0a3051b3079c8db607f519bc0fcb30e17ec]
22
23Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
24Reviewed-by: Li Qiang <liq3ea@gmail.com>
25Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
26Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
27Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
28Message-Id: <20211223115554.3155328-7-philmd@redhat.com>
29Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
30---
31 hw/display/virtio-gpu.c | 10 ++++++----
32 hw/hyperv/vmbus.c | 8 +++++---
33 hw/ide/ahci.c | 8 +++++---
34 hw/usb/libhw.c | 3 ++-
35 hw/virtio/virtio.c | 6 ++++--
36 include/hw/pci/pci.h | 3 ++-
37 include/sysemu/dma.h | 5 +++--
38 softmmu/dma-helpers.c | 3 ++-
39 8 files changed, 29 insertions(+), 17 deletions(-)
40
41diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
42index d78b970..c6dc818 100644
43--- a/hw/display/virtio-gpu.c
44+++ b/hw/display/virtio-gpu.c
45@@ -814,8 +814,9 @@ int virtio_gpu_create_mapping_iov(VirtIOGPU *g,
46
47 do {
48 len = l;
49- map = dma_memory_map(VIRTIO_DEVICE(g)->dma_as,
50- a, &len, DMA_DIRECTION_TO_DEVICE);
51+ map = dma_memory_map(VIRTIO_DEVICE(g)->dma_as, a, &len,
52+ DMA_DIRECTION_TO_DEVICE,
53+ MEMTXATTRS_UNSPECIFIED);
54 if (!map) {
55 qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to map MMIO memory for"
56 " element %d\n", __func__, e);
57@@ -1252,8 +1253,9 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size,
58 for (i = 0; i < res->iov_cnt; i++) {
59 hwaddr len = res->iov[i].iov_len;
60 res->iov[i].iov_base =
61- dma_memory_map(VIRTIO_DEVICE(g)->dma_as,
62- res->addrs[i], &len, DMA_DIRECTION_TO_DEVICE);
63+ dma_memory_map(VIRTIO_DEVICE(g)->dma_as, res->addrs[i], &len,
64+ DMA_DIRECTION_TO_DEVICE,
65+ MEMTXATTRS_UNSPECIFIED);
66
67 if (!res->iov[i].iov_base || len != res->iov[i].iov_len) {
68 /* Clean up the half-a-mapping we just created... */
69diff --git a/hw/hyperv/vmbus.c b/hw/hyperv/vmbus.c
70index dbce3b3..8aad29f 100644
71--- a/hw/hyperv/vmbus.c
72+++ b/hw/hyperv/vmbus.c
73@@ -373,7 +373,8 @@ static ssize_t gpadl_iter_io(GpadlIter *iter, void *buf, uint32_t len)
74
75 maddr = (iter->gpadl->gfns[idx] << TARGET_PAGE_BITS) | off_in_page;
76
77- iter->map = dma_memory_map(iter->as, maddr, &mlen, iter->dir);
78+ iter->map = dma_memory_map(iter->as, maddr, &mlen, iter->dir,
79+ MEMTXATTRS_UNSPECIFIED);
80 if (mlen != pgleft) {
81 dma_memory_unmap(iter->as, iter->map, mlen, iter->dir, 0);
82 iter->map = NULL;
83@@ -490,7 +491,8 @@ int vmbus_map_sgl(VMBusChanReq *req, DMADirection dir, struct iovec *iov,
84 goto err;
85 }
86
87- iov[ret_cnt].iov_base = dma_memory_map(sgl->as, a, &l, dir);
88+ iov[ret_cnt].iov_base = dma_memory_map(sgl->as, a, &l, dir,
89+ MEMTXATTRS_UNSPECIFIED);
90 if (!l) {
91 ret = -EFAULT;
92 goto err;
93@@ -566,7 +568,7 @@ static vmbus_ring_buffer *ringbuf_map_hdr(VMBusRingBufCommon *ringbuf)
94 dma_addr_t mlen = sizeof(*rb);
95
96 rb = dma_memory_map(ringbuf->as, ringbuf->rb_addr, &mlen,
97- DMA_DIRECTION_FROM_DEVICE);
98+ DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED);
99 if (mlen != sizeof(*rb)) {
100 dma_memory_unmap(ringbuf->as, rb, mlen,
101 DMA_DIRECTION_FROM_DEVICE, 0);
102diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
103index a94c6e2..8e77ddb 100644
104--- a/hw/ide/ahci.c
105+++ b/hw/ide/ahci.c
106@@ -249,7 +249,8 @@ static void map_page(AddressSpace *as, uint8_t **ptr, uint64_t addr,
107 dma_memory_unmap(as, *ptr, len, DMA_DIRECTION_FROM_DEVICE, len);
108 }
109
110- *ptr = dma_memory_map(as, addr, &len, DMA_DIRECTION_FROM_DEVICE);
111+ *ptr = dma_memory_map(as, addr, &len, DMA_DIRECTION_FROM_DEVICE,
112+ MEMTXATTRS_UNSPECIFIED);
113 if (len < wanted && *ptr) {
114 dma_memory_unmap(as, *ptr, len, DMA_DIRECTION_FROM_DEVICE, len);
115 *ptr = NULL;
116@@ -939,7 +940,8 @@ static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist,
117
118 /* map PRDT */
119 if (!(prdt = dma_memory_map(ad->hba->as, prdt_addr, &prdt_len,
120- DMA_DIRECTION_TO_DEVICE))){
121+ DMA_DIRECTION_TO_DEVICE,
122+ MEMTXATTRS_UNSPECIFIED))){
123 trace_ahci_populate_sglist_no_map(ad->hba, ad->port_no);
124 return -1;
125 }
126@@ -1301,7 +1303,7 @@ static int handle_cmd(AHCIState *s, int port, uint8_t slot)
127 tbl_addr = le64_to_cpu(cmd->tbl_addr);
128 cmd_len = 0x80;
129 cmd_fis = dma_memory_map(s->as, tbl_addr, &cmd_len,
130- DMA_DIRECTION_TO_DEVICE);
131+ DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED);
132 if (!cmd_fis) {
133 trace_handle_cmd_badfis(s, port);
134 return -1;
135diff --git a/hw/usb/libhw.c b/hw/usb/libhw.c
136index 9c33a16..f350eae 100644
137--- a/hw/usb/libhw.c
138+++ b/hw/usb/libhw.c
139@@ -36,7 +36,8 @@ int usb_packet_map(USBPacket *p, QEMUSGList *sgl)
140
141 while (len) {
142 dma_addr_t xlen = len;
143- mem = dma_memory_map(sgl->as, base, &xlen, dir);
144+ mem = dma_memory_map(sgl->as, base, &xlen, dir,
145+ MEMTXATTRS_UNSPECIFIED);
146 if (!mem) {
147 goto err;
148 }
149diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
150index ea7c079..e11a8a0d 100644
151--- a/hw/virtio/virtio.c
152+++ b/hw/virtio/virtio.c
153@@ -1306,7 +1306,8 @@ static bool virtqueue_map_desc(VirtIODevice *vdev, unsigned int *p_num_sg,
154 iov[num_sg].iov_base = dma_memory_map(vdev->dma_as, pa, &len,
155 is_write ?
156 DMA_DIRECTION_FROM_DEVICE :
157- DMA_DIRECTION_TO_DEVICE);
158+ DMA_DIRECTION_TO_DEVICE,
159+ MEMTXATTRS_UNSPECIFIED);
160 if (!iov[num_sg].iov_base) {
161 virtio_error(vdev, "virtio: bogus descriptor or out of resources");
162 goto out;
163@@ -1355,7 +1356,8 @@ static void virtqueue_map_iovec(VirtIODevice *vdev, struct iovec *sg,
164 sg[i].iov_base = dma_memory_map(vdev->dma_as,
165 addr[i], &len, is_write ?
166 DMA_DIRECTION_FROM_DEVICE :
167- DMA_DIRECTION_TO_DEVICE);
168+ DMA_DIRECTION_TO_DEVICE,
169+ MEMTXATTRS_UNSPECIFIED);
170 if (!sg[i].iov_base) {
171 error_report("virtio: error trying to map MMIO memory");
172 exit(1);
173diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
174index 4383f1c..1acefc2 100644
175--- a/include/hw/pci/pci.h
176+++ b/include/hw/pci/pci.h
177@@ -875,7 +875,8 @@ static inline void *pci_dma_map(PCIDevice *dev, dma_addr_t addr,
178 {
179 void *buf;
180
181- buf = dma_memory_map(pci_get_address_space(dev), addr, plen, dir);
182+ buf = dma_memory_map(pci_get_address_space(dev), addr, plen, dir,
183+ MEMTXATTRS_UNSPECIFIED);
184 return buf;
185 }
186
187diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
188index 522682b..97ff6f2 100644
189--- a/include/sysemu/dma.h
190+++ b/include/sysemu/dma.h
191@@ -202,16 +202,17 @@ MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr,
192 * @addr: address within that address space
193 * @len: pointer to length of buffer; updated on return
194 * @dir: indicates the transfer direction
195+ * @attrs: memory attributes
196 */
197 static inline void *dma_memory_map(AddressSpace *as,
198 dma_addr_t addr, dma_addr_t *len,
199- DMADirection dir)
200+ DMADirection dir, MemTxAttrs attrs)
201 {
202 hwaddr xlen = *len;
203 void *p;
204
205 p = address_space_map(as, addr, &xlen, dir == DMA_DIRECTION_FROM_DEVICE,
206- MEMTXATTRS_UNSPECIFIED);
207+ attrs);
208 *len = xlen;
209 return p;
210 }
211diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
212index 5bf76ff..3c06a2f 100644
213--- a/softmmu/dma-helpers.c
214+++ b/softmmu/dma-helpers.c
215@@ -143,7 +143,8 @@ static void dma_blk_cb(void *opaque, int ret)
216 while (dbs->sg_cur_index < dbs->sg->nsg) {
217 cur_addr = dbs->sg->sg[dbs->sg_cur_index].base + dbs->sg_cur_byte;
218 cur_len = dbs->sg->sg[dbs->sg_cur_index].len - dbs->sg_cur_byte;
219- mem = dma_memory_map(dbs->sg->as, cur_addr, &cur_len, dbs->dir);
220+ mem = dma_memory_map(dbs->sg->as, cur_addr, &cur_len, dbs->dir,
221+ MEMTXATTRS_UNSPECIFIED);
222 /*
223 * Make reads deterministic in icount mode. Windows sometimes issues
224 * disk read requests with overlapping SGs. It leads
225--
2261.8.3.1
227
diff --git a/meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch b/meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch
new file mode 100644
index 0000000000..0876ef184d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch
@@ -0,0 +1,41 @@
1From c0ee1527358474c75067993d1bb233ad3a4ee081 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Thu, 16 Dec 2021 11:24:56 +0100
4Subject: [PATCH] dma: Have dma_buf_rw() take a void pointer
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9DMA operations are run on any kind of buffer, not arrays of
10uint8_t. Convert dma_buf_rw() to take a void pointer argument
11to save us pointless casts to uint8_t *.
12
13CVE: CVE-2021-3611
14Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=c0ee1527358474c75067993d1bb233ad3a4ee081]
15
16Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
17Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
18Message-Id: <20211223115554.3155328-8-philmd@redhat.com>
19Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
20---
21 softmmu/dma-helpers.c | 3 ++-
22 1 file changed, 2 insertions(+), 1 deletion(-)
23
24diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
25index 3c06a2f..09e2999 100644
26--- a/softmmu/dma-helpers.c
27+++ b/softmmu/dma-helpers.c
28@@ -294,9 +294,10 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk,
29 }
30
31
32-static uint64_t dma_buf_rw(uint8_t *ptr, int32_t len, QEMUSGList *sg,
33+static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg,
34 DMADirection dir)
35 {
36+ uint8_t *ptr = buf;
37 uint64_t resid;
38 int sg_cur_index;
39
40--
411.8.3.1
diff --git a/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch b/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch
new file mode 100644
index 0000000000..d65e0b4305
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch
@@ -0,0 +1,167 @@
1From 5e468a36dcdd8fd5eb04282842b72967a29875e4 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Thu, 16 Dec 2021 11:27:23 +0100
4Subject: [PATCH] dma: Have dma_buf_read() / dma_buf_write() take a void
5 pointer
6MIME-Version: 1.0
7Content-Type: text/plain; charset=utf8
8Content-Transfer-Encoding: 8bit
9
10DMA operations are run on any kind of buffer, not arrays of
11uint8_t. Convert dma_buf_read/dma_buf_write functions to take
12a void pointer argument and save us pointless casts to uint8_t *.
13
14Remove this pointless casts in the megasas device model.
15
16CVE: CVE-2021-3611
17Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=5e468a36dcdd8fd5eb04282842b72967a29875e4]
18
19Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
20Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
21Message-Id: <20211223115554.3155328-9-philmd@redhat.com>
22Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
23---
24 hw/scsi/megasas.c | 22 +++++++++++-----------
25 include/sysemu/dma.h | 4 ++--
26 softmmu/dma-helpers.c | 4 ++--
27 3 files changed, 15 insertions(+), 15 deletions(-)
28
29diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
30index 14ec6d6..2dae33f 100644
31--- a/hw/scsi/megasas.c
32+++ b/hw/scsi/megasas.c
33@@ -848,7 +848,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
34 MFI_INFO_PDMIX_SATA |
35 MFI_INFO_PDMIX_LD);
36
37- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
38+ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
39 return MFI_STAT_OK;
40 }
41
42@@ -878,7 +878,7 @@ static int megasas_mfc_get_defaults(MegasasState *s, MegasasCmd *cmd)
43 info.disable_preboot_cli = 1;
44 info.cluster_disable = 1;
45
46- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
47+ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
48 return MFI_STAT_OK;
49 }
50
51@@ -899,7 +899,7 @@ static int megasas_dcmd_get_bios_info(MegasasState *s, MegasasCmd *cmd)
52 info.expose_all_drives = 1;
53 }
54
55- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
56+ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
57 return MFI_STAT_OK;
58 }
59
60@@ -910,7 +910,7 @@ static int megasas_dcmd_get_fw_time(MegasasState *s, MegasasCmd *cmd)
61
62 fw_time = cpu_to_le64(megasas_fw_time());
63
64- cmd->iov_size -= dma_buf_read((uint8_t *)&fw_time, dcmd_size, &cmd->qsg);
65+ cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg);
66 return MFI_STAT_OK;
67 }
68
69@@ -937,7 +937,7 @@ static int megasas_event_info(MegasasState *s, MegasasCmd *cmd)
70 info.shutdown_seq_num = cpu_to_le32(s->shutdown_event);
71 info.boot_seq_num = cpu_to_le32(s->boot_event);
72
73- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
74+ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
75 return MFI_STAT_OK;
76 }
77
78@@ -1006,7 +1006,7 @@ static int megasas_dcmd_pd_get_list(MegasasState *s, MegasasCmd *cmd)
79 info.size = cpu_to_le32(offset);
80 info.count = cpu_to_le32(num_pd_disks);
81
82- cmd->iov_size -= dma_buf_read((uint8_t *)&info, offset, &cmd->qsg);
83+ cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg);
84 return MFI_STAT_OK;
85 }
86
87@@ -1172,7 +1172,7 @@ static int megasas_dcmd_ld_get_list(MegasasState *s, MegasasCmd *cmd)
88 info.ld_count = cpu_to_le32(num_ld_disks);
89 trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks);
90
91- resid = dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
92+ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg);
93 cmd->iov_size = dcmd_size - resid;
94 return MFI_STAT_OK;
95 }
96@@ -1221,7 +1221,7 @@ static int megasas_dcmd_ld_list_query(MegasasState *s, MegasasCmd *cmd)
97 info.size = dcmd_size;
98 trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks);
99
100- resid = dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
101+ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg);
102 cmd->iov_size = dcmd_size - resid;
103 return MFI_STAT_OK;
104 }
105@@ -1390,7 +1390,7 @@ static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
106 ld_offset += sizeof(struct mfi_ld_config);
107 }
108
109- cmd->iov_size -= dma_buf_read((uint8_t *)data, info->size, &cmd->qsg);
110+ cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg);
111 return MFI_STAT_OK;
112 }
113
114@@ -1420,7 +1420,7 @@ static int megasas_dcmd_get_properties(MegasasState *s, MegasasCmd *cmd)
115 info.ecc_bucket_leak_rate = cpu_to_le16(1440);
116 info.expose_encl_devices = 1;
117
118- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg);
119+ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
120 return MFI_STAT_OK;
121 }
122
123@@ -1465,7 +1465,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
124 dcmd_size);
125 return MFI_STAT_INVALID_PARAMETER;
126 }
127- dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
128+ dma_buf_write(&info, dcmd_size, &cmd->qsg);
129 trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
130 return MFI_STAT_OK;
131 }
132diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
133index 97ff6f2..0d5b836 100644
134--- a/include/sysemu/dma.h
135+++ b/include/sysemu/dma.h
136@@ -302,8 +302,8 @@ BlockAIOCB *dma_blk_read(BlockBackend *blk,
137 BlockAIOCB *dma_blk_write(BlockBackend *blk,
138 QEMUSGList *sg, uint64_t offset, uint32_t align,
139 BlockCompletionFunc *cb, void *opaque);
140-uint64_t dma_buf_read(uint8_t *ptr, int32_t len, QEMUSGList *sg);
141-uint64_t dma_buf_write(uint8_t *ptr, int32_t len, QEMUSGList *sg);
142+uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg);
143+uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg);
144
145 void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie,
146 QEMUSGList *sg, enum BlockAcctType type);
147diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
148index 09e2999..7f37548 100644
149--- a/softmmu/dma-helpers.c
150+++ b/softmmu/dma-helpers.c
151@@ -317,12 +317,12 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg,
152 return resid;
153 }
154
155-uint64_t dma_buf_read(uint8_t *ptr, int32_t len, QEMUSGList *sg)
156+uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg)
157 {
158 return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE);
159 }
160
161-uint64_t dma_buf_write(uint8_t *ptr, int32_t len, QEMUSGList *sg)
162+uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg)
163 {
164 return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE);
165 }
166--
1671.8.3.1
diff --git a/meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..8207058aca
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,91 @@
1From e2d784b67dc724a9b0854b49255ba0ee8ca46543 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Wed, 15 Dec 2021 22:18:19 +0100
4Subject: [PATCH] pci: Let pci_dma_rw() take MemTxAttrs argument
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9Let devices specify transaction attributes when calling pci_dma_rw().
10
11Keep the default MEMTXATTRS_UNSPECIFIED in the few callers.
12
13CVE: CVE-2021-3611
14Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=e2d784b67dc724a9b0854b49255ba0ee8ca46543]
15
16Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
17Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
18Message-Id: <20211223115554.3155328-10-philmd@redhat.com>
19Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
20---
21 hw/audio/intel-hda.c | 3 ++-
22 hw/scsi/esp-pci.c | 2 +-
23 include/hw/pci/pci.h | 10 ++++++----
24 3 files changed, 9 insertions(+), 6 deletions(-)
25
26diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
27index 8ce9df6..fb3d34a 100644
28--- a/hw/audio/intel-hda.c
29+++ b/hw/audio/intel-hda.c
30@@ -427,7 +427,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
31 dprint(d, 3, "dma: entry %d, pos %d/%d, copy %d\n",
32 st->be, st->bp, st->bpl[st->be].len, copy);
33
34- pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output);
35+ pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output,
36+ MEMTXATTRS_UNSPECIFIED);
37 st->lpib += copy;
38 st->bp += copy;
39 buf += copy;
40diff --git a/hw/scsi/esp-pci.c b/hw/scsi/esp-pci.c
41index dac054a..1792f84 100644
42--- a/hw/scsi/esp-pci.c
43+++ b/hw/scsi/esp-pci.c
44@@ -280,7 +280,7 @@ static void esp_pci_dma_memory_rw(PCIESPState *pci, uint8_t *buf, int len,
45 len = pci->dma_regs[DMA_WBC];
46 }
47
48- pci_dma_rw(PCI_DEVICE(pci), addr, buf, len, dir);
49+ pci_dma_rw(PCI_DEVICE(pci), addr, buf, len, dir, MEMTXATTRS_UNSPECIFIED);
50
51 /* update status registers */
52 pci->dma_regs[DMA_WBC] -= len;
53diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
54index 1acefc2..a751ab5 100644
55--- a/include/hw/pci/pci.h
56+++ b/include/hw/pci/pci.h
57@@ -806,10 +806,10 @@ static inline AddressSpace *pci_get_address_space(PCIDevice *dev)
58 */
59 static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr,
60 void *buf, dma_addr_t len,
61- DMADirection dir)
62+ DMADirection dir, MemTxAttrs attrs)
63 {
64 return dma_memory_rw(pci_get_address_space(dev), addr, buf, len,
65- dir, MEMTXATTRS_UNSPECIFIED);
66+ dir, attrs);
67 }
68
69 /**
70@@ -827,7 +827,8 @@ static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr,
71 static inline MemTxResult pci_dma_read(PCIDevice *dev, dma_addr_t addr,
72 void *buf, dma_addr_t len)
73 {
74- return pci_dma_rw(dev, addr, buf, len, DMA_DIRECTION_TO_DEVICE);
75+ return pci_dma_rw(dev, addr, buf, len,
76+ DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED);
77 }
78
79 /**
80@@ -845,7 +846,8 @@ static inline MemTxResult pci_dma_read(PCIDevice *dev, dma_addr_t addr,
81 static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr,
82 const void *buf, dma_addr_t len)
83 {
84- return pci_dma_rw(dev, addr, (void *) buf, len, DMA_DIRECTION_FROM_DEVICE);
85+ return pci_dma_rw(dev, addr, (void *) buf, len,
86+ DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED);
87 }
88
89 #define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \
90--
911.8.3.1
diff --git a/meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..4f7276ef8b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,65 @@
1From 959384e74e1b508acc3af6e806b3d7b87335fc2a Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Wed, 15 Dec 2021 22:59:46 +0100
4Subject: [PATCH] dma: Let dma_buf_rw() take MemTxAttrs argument
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9Let devices specify transaction attributes when calling dma_buf_rw().
10
11Keep the default MEMTXATTRS_UNSPECIFIED in the 2 callers.
12
13CVE: CVE-2021-3611
14Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=959384e74e1b508acc3af6e806b3d7b87335fc2a]
15
16Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
17Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
18Message-Id: <20211223115554.3155328-11-philmd@redhat.com>
19Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
20---
21 softmmu/dma-helpers.c | 11 ++++++-----
22 1 file changed, 6 insertions(+), 5 deletions(-)
23
24diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
25index 7f37548..fa81d2b 100644
26--- a/softmmu/dma-helpers.c
27+++ b/softmmu/dma-helpers.c
28@@ -295,7 +295,7 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk,
29
30
31 static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg,
32- DMADirection dir)
33+ DMADirection dir, MemTxAttrs attrs)
34 {
35 uint8_t *ptr = buf;
36 uint64_t resid;
37@@ -307,8 +307,7 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg,
38 while (len > 0) {
39 ScatterGatherEntry entry = sg->sg[sg_cur_index++];
40 int32_t xfer = MIN(len, entry.len);
41- dma_memory_rw(sg->as, entry.base, ptr, xfer, dir,
42- MEMTXATTRS_UNSPECIFIED);
43+ dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs);
44 ptr += xfer;
45 len -= xfer;
46 resid -= xfer;
47@@ -319,12 +318,14 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg,
48
49 uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg)
50 {
51- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE);
52+ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE,
53+ MEMTXATTRS_UNSPECIFIED);
54 }
55
56 uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg)
57 {
58- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE);
59+ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE,
60+ MEMTXATTRS_UNSPECIFIED);
61 }
62
63 void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie,
64--
651.8.3.1
diff --git a/meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..9837516422
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,129 @@
1From 392e48af3468d7f8e49db33fdc9e28b5f99276ce Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Wed, 15 Dec 2021 23:02:21 +0100
4Subject: [PATCH] dma: Let dma_buf_write() take MemTxAttrs argument
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9Let devices specify transaction attributes when calling
10dma_buf_write().
11
12Keep the default MEMTXATTRS_UNSPECIFIED in the few callers.
13
14CVE: CVE-2021-3611
15Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=392e48af3468d7f8e49db33fdc9e28b5f99276ce]
16
17Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
18Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
19Message-Id: <20211223115554.3155328-12-philmd@redhat.com>
20Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
21---
22 hw/ide/ahci.c | 6 ++++--
23 hw/nvme/ctrl.c | 3 ++-
24 hw/scsi/megasas.c | 2 +-
25 hw/scsi/scsi-bus.c | 2 +-
26 include/sysemu/dma.h | 2 +-
27 softmmu/dma-helpers.c | 5 ++---
28 6 files changed, 11 insertions(+), 9 deletions(-)
29
30diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
31index 8e77ddb..079d297 100644
32--- a/hw/ide/ahci.c
33+++ b/hw/ide/ahci.c
34@@ -1381,8 +1381,10 @@ static void ahci_pio_transfer(const IDEDMA *dma)
35 has_sglist ? "" : "o");
36
37 if (has_sglist && size) {
38+ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
39+
40 if (is_write) {
41- dma_buf_write(s->data_ptr, size, &s->sg);
42+ dma_buf_write(s->data_ptr, size, &s->sg, attrs);
43 } else {
44 dma_buf_read(s->data_ptr, size, &s->sg);
45 }
46@@ -1479,7 +1481,7 @@ static int ahci_dma_rw_buf(const IDEDMA *dma, bool is_write)
47 if (is_write) {
48 dma_buf_read(p, l, &s->sg);
49 } else {
50- dma_buf_write(p, l, &s->sg);
51+ dma_buf_write(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED);
52 }
53
54 /* free sglist, update byte count */
55diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
56index 5f573c4..e1a531d 100644
57--- a/hw/nvme/ctrl.c
58+++ b/hw/nvme/ctrl.c
59@@ -1146,10 +1146,11 @@ static uint16_t nvme_tx(NvmeCtrl *n, NvmeSg *sg, uint8_t *ptr, uint32_t len,
60 assert(sg->flags & NVME_SG_ALLOC);
61
62 if (sg->flags & NVME_SG_DMA) {
63+ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
64 uint64_t residual;
65
66 if (dir == NVME_TX_DIRECTION_TO_DEVICE) {
67- residual = dma_buf_write(ptr, len, &sg->qsg);
68+ residual = dma_buf_write(ptr, len, &sg->qsg, attrs);
69 } else {
70 residual = dma_buf_read(ptr, len, &sg->qsg);
71 }
72diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
73index 2dae33f..79fd14c 100644
74--- a/hw/scsi/megasas.c
75+++ b/hw/scsi/megasas.c
76@@ -1465,7 +1465,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
77 dcmd_size);
78 return MFI_STAT_INVALID_PARAMETER;
79 }
80- dma_buf_write(&info, dcmd_size, &cmd->qsg);
81+ dma_buf_write(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
82 trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
83 return MFI_STAT_OK;
84 }
85diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
86index 77325d8..64a506a 100644
87--- a/hw/scsi/scsi-bus.c
88+++ b/hw/scsi/scsi-bus.c
89@@ -1423,7 +1423,7 @@ void scsi_req_data(SCSIRequest *req, int len)
90 if (req->cmd.mode == SCSI_XFER_FROM_DEV) {
91 req->resid = dma_buf_read(buf, len, req->sg);
92 } else {
93- req->resid = dma_buf_write(buf, len, req->sg);
94+ req->resid = dma_buf_write(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED);
95 }
96 scsi_req_continue(req);
97 }
98diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
99index 0d5b836..e3dd74a 100644
100--- a/include/sysemu/dma.h
101+++ b/include/sysemu/dma.h
102@@ -303,7 +303,7 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk,
103 QEMUSGList *sg, uint64_t offset, uint32_t align,
104 BlockCompletionFunc *cb, void *opaque);
105 uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg);
106-uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg);
107+uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs);
108
109 void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie,
110 QEMUSGList *sg, enum BlockAcctType type);
111diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
112index fa81d2b..2f1a241 100644
113--- a/softmmu/dma-helpers.c
114+++ b/softmmu/dma-helpers.c
115@@ -322,10 +322,9 @@ uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg)
116 MEMTXATTRS_UNSPECIFIED);
117 }
118
119-uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg)
120+uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs)
121 {
122- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE,
123- MEMTXATTRS_UNSPECIFIED);
124+ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, attrs);
125 }
126
127 void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie,
128--
1291.8.3.1
diff --git a/meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..4057caa8b0
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,222 @@
1From 1e5a3f8b2a976054da96cbbb9de6cbac7c2efb79 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Wed, 15 Dec 2021 23:29:52 +0100
4Subject: [PATCH] dma: Let dma_buf_read() take MemTxAttrs argument
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9Let devices specify transaction attributes when calling
10dma_buf_read().
11
12Keep the default MEMTXATTRS_UNSPECIFIED in the few callers.
13
14CVE: CVE-2021-3611
15Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=1e5a3f8b2a976054da96cbbb9de6cbac7c2efb79]
16
17Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
18Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
19Message-Id: <20211223115554.3155328-13-philmd@redhat.com>
20Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
21---
22 hw/ide/ahci.c | 4 ++--
23 hw/nvme/ctrl.c | 2 +-
24 hw/scsi/megasas.c | 24 ++++++++++++------------
25 hw/scsi/scsi-bus.c | 2 +-
26 include/sysemu/dma.h | 2 +-
27 softmmu/dma-helpers.c | 5 ++---
28 6 files changed, 19 insertions(+), 20 deletions(-)
29
30diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
31index 079d297..205dfdc 100644
32--- a/hw/ide/ahci.c
33+++ b/hw/ide/ahci.c
34@@ -1386,7 +1386,7 @@ static void ahci_pio_transfer(const IDEDMA *dma)
35 if (is_write) {
36 dma_buf_write(s->data_ptr, size, &s->sg, attrs);
37 } else {
38- dma_buf_read(s->data_ptr, size, &s->sg);
39+ dma_buf_read(s->data_ptr, size, &s->sg, attrs);
40 }
41 }
42
43@@ -1479,7 +1479,7 @@ static int ahci_dma_rw_buf(const IDEDMA *dma, bool is_write)
44 }
45
46 if (is_write) {
47- dma_buf_read(p, l, &s->sg);
48+ dma_buf_read(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED);
49 } else {
50 dma_buf_write(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED);
51 }
52diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
53index e1a531d..462f79a 100644
54--- a/hw/nvme/ctrl.c
55+++ b/hw/nvme/ctrl.c
56@@ -1152,7 +1152,7 @@ static uint16_t nvme_tx(NvmeCtrl *n, NvmeSg *sg, uint8_t *ptr, uint32_t len,
57 if (dir == NVME_TX_DIRECTION_TO_DEVICE) {
58 residual = dma_buf_write(ptr, len, &sg->qsg, attrs);
59 } else {
60- residual = dma_buf_read(ptr, len, &sg->qsg);
61+ residual = dma_buf_read(ptr, len, &sg->qsg, attrs);
62 }
63
64 if (unlikely(residual)) {
65diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
66index 79fd14c..091a350 100644
67--- a/hw/scsi/megasas.c
68+++ b/hw/scsi/megasas.c
69@@ -848,7 +848,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
70 MFI_INFO_PDMIX_SATA |
71 MFI_INFO_PDMIX_LD);
72
73- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
74+ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
75 return MFI_STAT_OK;
76 }
77
78@@ -878,7 +878,7 @@ static int megasas_mfc_get_defaults(MegasasState *s, MegasasCmd *cmd)
79 info.disable_preboot_cli = 1;
80 info.cluster_disable = 1;
81
82- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
83+ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
84 return MFI_STAT_OK;
85 }
86
87@@ -899,7 +899,7 @@ static int megasas_dcmd_get_bios_info(MegasasState *s, MegasasCmd *cmd)
88 info.expose_all_drives = 1;
89 }
90
91- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
92+ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
93 return MFI_STAT_OK;
94 }
95
96@@ -910,7 +910,7 @@ static int megasas_dcmd_get_fw_time(MegasasState *s, MegasasCmd *cmd)
97
98 fw_time = cpu_to_le64(megasas_fw_time());
99
100- cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg);
101+ cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
102 return MFI_STAT_OK;
103 }
104
105@@ -937,7 +937,7 @@ static int megasas_event_info(MegasasState *s, MegasasCmd *cmd)
106 info.shutdown_seq_num = cpu_to_le32(s->shutdown_event);
107 info.boot_seq_num = cpu_to_le32(s->boot_event);
108
109- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
110+ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
111 return MFI_STAT_OK;
112 }
113
114@@ -1006,7 +1006,7 @@ static int megasas_dcmd_pd_get_list(MegasasState *s, MegasasCmd *cmd)
115 info.size = cpu_to_le32(offset);
116 info.count = cpu_to_le32(num_pd_disks);
117
118- cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg);
119+ cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
120 return MFI_STAT_OK;
121 }
122
123@@ -1100,7 +1100,7 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun,
124 info->connected_port_bitmap = 0x1;
125 info->device_speed = 1;
126 info->link_speed = 1;
127- resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg);
128+ resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
129 g_free(cmd->iov_buf);
130 cmd->iov_size = dcmd_size - resid;
131 cmd->iov_buf = NULL;
132@@ -1172,7 +1172,7 @@ static int megasas_dcmd_ld_get_list(MegasasState *s, MegasasCmd *cmd)
133 info.ld_count = cpu_to_le32(num_ld_disks);
134 trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks);
135
136- resid = dma_buf_read(&info, dcmd_size, &cmd->qsg);
137+ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
138 cmd->iov_size = dcmd_size - resid;
139 return MFI_STAT_OK;
140 }
141@@ -1221,7 +1221,7 @@ static int megasas_dcmd_ld_list_query(MegasasState *s, MegasasCmd *cmd)
142 info.size = dcmd_size;
143 trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks);
144
145- resid = dma_buf_read(&info, dcmd_size, &cmd->qsg);
146+ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
147 cmd->iov_size = dcmd_size - resid;
148 return MFI_STAT_OK;
149 }
150@@ -1271,7 +1271,7 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
151 info->ld_config.span[0].num_blocks = info->size;
152 info->ld_config.span[0].array_ref = cpu_to_le16(sdev_id);
153
154- resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg);
155+ resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
156 g_free(cmd->iov_buf);
157 cmd->iov_size = dcmd_size - resid;
158 cmd->iov_buf = NULL;
159@@ -1390,7 +1390,7 @@ static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
160 ld_offset += sizeof(struct mfi_ld_config);
161 }
162
163- cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg);
164+ cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
165 return MFI_STAT_OK;
166 }
167
168@@ -1420,7 +1420,7 @@ static int megasas_dcmd_get_properties(MegasasState *s, MegasasCmd *cmd)
169 info.ecc_bucket_leak_rate = cpu_to_le16(1440);
170 info.expose_encl_devices = 1;
171
172- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg);
173+ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED);
174 return MFI_STAT_OK;
175 }
176
177diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
178index 64a506a..2b5e9dc 100644
179--- a/hw/scsi/scsi-bus.c
180+++ b/hw/scsi/scsi-bus.c
181@@ -1421,7 +1421,7 @@ void scsi_req_data(SCSIRequest *req, int len)
182
183 buf = scsi_req_get_buf(req);
184 if (req->cmd.mode == SCSI_XFER_FROM_DEV) {
185- req->resid = dma_buf_read(buf, len, req->sg);
186+ req->resid = dma_buf_read(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED);
187 } else {
188 req->resid = dma_buf_write(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED);
189 }
190diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
191index e3dd74a..fd8f160 100644
192--- a/include/sysemu/dma.h
193+++ b/include/sysemu/dma.h
194@@ -302,7 +302,7 @@ BlockAIOCB *dma_blk_read(BlockBackend *blk,
195 BlockAIOCB *dma_blk_write(BlockBackend *blk,
196 QEMUSGList *sg, uint64_t offset, uint32_t align,
197 BlockCompletionFunc *cb, void *opaque);
198-uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg);
199+uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs);
200 uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs);
201
202 void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie,
203diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
204index 2f1a241..a391773 100644
205--- a/softmmu/dma-helpers.c
206+++ b/softmmu/dma-helpers.c
207@@ -316,10 +316,9 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg,
208 return resid;
209 }
210
211-uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg)
212+uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs)
213 {
214- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE,
215- MEMTXATTRS_UNSPECIFIED);
216+ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, attrs);
217 }
218
219 uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs)
220--
2211.8.3.1
222
diff --git a/meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch
new file mode 100644
index 0000000000..571ce9cc9b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch
@@ -0,0 +1,91 @@
1From 292e13142d277c15bdd68331abc607e46628b7e1 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Wed, 15 Dec 2021 23:38:52 +0100
4Subject: [PATCH] dma: Let dma_buf_rw() propagate MemTxResult
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9dma_memory_rw() returns a MemTxResult type. Do not discard
10it, return it to the caller.
11
12Since dma_buf_rw() was previously returning the QEMUSGList
13size not consumed, add an extra argument where this size
14can be stored.
15
16Update the 2 callers.
17
18CVE: CVE-2021-3611
19Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=292e13142d277c15bdd68331abc607e46628b7e1]
20
21Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
22Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
23Message-Id: <20211223115554.3155328-14-philmd@redhat.com>
24Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
25---
26 softmmu/dma-helpers.c | 25 +++++++++++++++++++------
27 1 file changed, 19 insertions(+), 6 deletions(-)
28
29diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c
30index a391773..b0be156 100644
31--- a/softmmu/dma-helpers.c
32+++ b/softmmu/dma-helpers.c
33@@ -294,12 +294,14 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk,
34 }
35
36
37-static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg,
38- DMADirection dir, MemTxAttrs attrs)
39+static MemTxResult dma_buf_rw(void *buf, int32_t len, uint64_t *residp,
40+ QEMUSGList *sg, DMADirection dir,
41+ MemTxAttrs attrs)
42 {
43 uint8_t *ptr = buf;
44 uint64_t resid;
45 int sg_cur_index;
46+ MemTxResult res = MEMTX_OK;
47
48 resid = sg->size;
49 sg_cur_index = 0;
50@@ -307,23 +309,34 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg,
51 while (len > 0) {
52 ScatterGatherEntry entry = sg->sg[sg_cur_index++];
53 int32_t xfer = MIN(len, entry.len);
54- dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs);
55+ res |= dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs);
56 ptr += xfer;
57 len -= xfer;
58 resid -= xfer;
59 }
60
61- return resid;
62+ if (residp) {
63+ *residp = resid;
64+ }
65+ return res;
66 }
67
68 uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs)
69 {
70- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, attrs);
71+ uint64_t resid;
72+
73+ dma_buf_rw(ptr, len, &resid, sg, DMA_DIRECTION_FROM_DEVICE, attrs);
74+
75+ return resid;
76 }
77
78 uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs)
79 {
80- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, attrs);
81+ uint64_t resid;
82+
83+ dma_buf_rw(ptr, len, &resid, sg, DMA_DIRECTION_TO_DEVICE, attrs);
84+
85+ return resid;
86 }
87
88 void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie,
89--
901.8.3.1
91
diff --git a/meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..7f56dcb6eb
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,120 @@
1From 2280c27afc65bb2af95dd44a88e3b7117bfe240a Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Fri, 17 Dec 2021 23:53:34 +0100
4Subject: [PATCH] dma: Let st*_dma() take MemTxAttrs argument
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9Let devices specify transaction attributes when calling st*_dma().
10
11Keep the default MEMTXATTRS_UNSPECIFIED in the few callers.
12
13CVE: CVE-2021-3611
14Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2280c27afc65bb2af95dd44a88e3b7117bfe240a]
15
16Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
17Reviewed-by: Cédric Le Goater <clg@kaod.org>
18Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
19Message-Id: <20211223115554.3155328-16-philmd@redhat.com>
20Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
21---
22 hw/nvram/fw_cfg.c | 4 ++--
23 include/hw/pci/pci.h | 3 ++-
24 include/hw/ppc/spapr_vio.h | 12 ++++++++----
25 include/sysemu/dma.h | 10 ++++++----
26 4 files changed, 18 insertions(+), 11 deletions(-)
27
28diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
29index 9b91b15..e5f3c981 100644
30--- a/hw/nvram/fw_cfg.c
31+++ b/hw/nvram/fw_cfg.c
32@@ -360,7 +360,7 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
33 if (dma_memory_read(s->dma_as, dma_addr,
34 &dma, sizeof(dma), MEMTXATTRS_UNSPECIFIED)) {
35 stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control),
36- FW_CFG_DMA_CTL_ERROR);
37+ FW_CFG_DMA_CTL_ERROR, MEMTXATTRS_UNSPECIFIED);
38 return;
39 }
40
41@@ -446,7 +446,7 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
42 }
43
44 stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control),
45- dma.control);
46+ dma.control, MEMTXATTRS_UNSPECIFIED);
47
48 trace_fw_cfg_read(s, 0);
49 }
50diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
51index a751ab5..d07e970 100644
52--- a/include/hw/pci/pci.h
53+++ b/include/hw/pci/pci.h
54@@ -859,7 +859,8 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr,
55 static inline void st##_s##_pci_dma(PCIDevice *dev, \
56 dma_addr_t addr, uint##_bits##_t val) \
57 { \
58- st##_s##_dma(pci_get_address_space(dev), addr, val); \
59+ st##_s##_dma(pci_get_address_space(dev), addr, val, \
60+ MEMTXATTRS_UNSPECIFIED); \
61 }
62
63 PCI_DMA_DEFINE_LDST(ub, b, 8);
64diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h
65index 5d2ea8e..e87f8e6 100644
66--- a/include/hw/ppc/spapr_vio.h
67+++ b/include/hw/ppc/spapr_vio.h
68@@ -118,10 +118,14 @@ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr,
69 H_DEST_PARM : H_SUCCESS;
70 }
71
72-#define vio_stb(_dev, _addr, _val) (stb_dma(&(_dev)->as, (_addr), (_val)))
73-#define vio_sth(_dev, _addr, _val) (stw_be_dma(&(_dev)->as, (_addr), (_val)))
74-#define vio_stl(_dev, _addr, _val) (stl_be_dma(&(_dev)->as, (_addr), (_val)))
75-#define vio_stq(_dev, _addr, _val) (stq_be_dma(&(_dev)->as, (_addr), (_val)))
76+#define vio_stb(_dev, _addr, _val) \
77+ (stb_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED))
78+#define vio_sth(_dev, _addr, _val) \
79+ (stw_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED))
80+#define vio_stl(_dev, _addr, _val) \
81+ (stl_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED))
82+#define vio_stq(_dev, _addr, _val) \
83+ (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED))
84 #define vio_ldq(_dev, _addr) (ldq_be_dma(&(_dev)->as, (_addr)))
85
86 int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq);
87diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
88index fd8f160..009dd3c 100644
89--- a/include/sysemu/dma.h
90+++ b/include/sysemu/dma.h
91@@ -249,10 +249,11 @@ static inline void dma_memory_unmap(AddressSpace *as,
92 } \
93 static inline void st##_sname##_##_end##_dma(AddressSpace *as, \
94 dma_addr_t addr, \
95- uint##_bits##_t val) \
96+ uint##_bits##_t val, \
97+ MemTxAttrs attrs) \
98 { \
99 val = cpu_to_##_end##_bits(val); \
100- dma_memory_write(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \
101+ dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \
102 }
103
104 static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr)
105@@ -263,9 +264,10 @@ static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr)
106 return val;
107 }
108
109-static inline void stb_dma(AddressSpace *as, dma_addr_t addr, uint8_t val)
110+static inline void stb_dma(AddressSpace *as, dma_addr_t addr,
111+ uint8_t val, MemTxAttrs attrs)
112 {
113- dma_memory_write(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED);
114+ dma_memory_write(as, addr, &val, 1, attrs);
115 }
116
117 DEFINE_LDST_DMA(uw, w, 16, le);
118--
1191.8.3.1
120
diff --git a/meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..a51451d343
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,151 @@
1From 34cdea1db600540a5261dc474e986f28b637c8e6 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Fri, 17 Dec 2021 22:18:07 +0100
4Subject: [PATCH] dma: Let ld*_dma() take MemTxAttrs argument
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9Let devices specify transaction attributes when calling ld*_dma().
10
11Keep the default MEMTXATTRS_UNSPECIFIED in the few callers.
12
13CVE: CVE-2021-3611
14Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=34cdea1db600540a5261dc474e986f28b637c8e6]
15
16Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
17Reviewed-by: Cédric Le Goater <clg@kaod.org>
18Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
19Message-Id: <20211223115554.3155328-17-philmd@redhat.com>
20Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
21---
22 hw/intc/pnv_xive.c | 7 ++++---
23 hw/usb/hcd-xhci.c | 6 +++---
24 include/hw/pci/pci.h | 3 ++-
25 include/hw/ppc/spapr_vio.h | 3 ++-
26 include/sysemu/dma.h | 11 ++++++-----
27 5 files changed, 17 insertions(+), 13 deletions(-)
28
29diff --git a/hw/intc/pnv_xive.c b/hw/intc/pnv_xive.c
30index ad43483..d9249bb 100644
31--- a/hw/intc/pnv_xive.c
32+++ b/hw/intc/pnv_xive.c
33@@ -172,7 +172,7 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type,
34
35 /* Get the page size of the indirect table. */
36 vsd_addr = vsd & VSD_ADDRESS_MASK;
37- vsd = ldq_be_dma(&address_space_memory, vsd_addr);
38+ vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED);
39
40 if (!(vsd & VSD_ADDRESS_MASK)) {
41 #ifdef XIVE_DEBUG
42@@ -195,7 +195,8 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type,
43 /* Load the VSD we are looking for, if not already done */
44 if (vsd_idx) {
45 vsd_addr = vsd_addr + vsd_idx * XIVE_VSD_SIZE;
46- vsd = ldq_be_dma(&address_space_memory, vsd_addr);
47+ vsd = ldq_be_dma(&address_space_memory, vsd_addr,
48+ MEMTXATTRS_UNSPECIFIED);
49
50 if (!(vsd & VSD_ADDRESS_MASK)) {
51 #ifdef XIVE_DEBUG
52@@ -542,7 +543,7 @@ static uint64_t pnv_xive_vst_per_subpage(PnvXive *xive, uint32_t type)
53
54 /* Get the page size of the indirect table. */
55 vsd_addr = vsd & VSD_ADDRESS_MASK;
56- vsd = ldq_be_dma(&address_space_memory, vsd_addr);
57+ vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED);
58
59 if (!(vsd & VSD_ADDRESS_MASK)) {
60 #ifdef XIVE_DEBUG
61diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
62index ed2b9ea..d960b81 100644
63--- a/hw/usb/hcd-xhci.c
64+++ b/hw/usb/hcd-xhci.c
65@@ -2062,7 +2062,7 @@ static TRBCCode xhci_address_slot(XHCIState *xhci, unsigned int slotid,
66 assert(slotid >= 1 && slotid <= xhci->numslots);
67
68 dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high);
69- poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid);
70+ poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid, MEMTXATTRS_UNSPECIFIED);
71 ictx = xhci_mask64(pictx);
72 octx = xhci_mask64(poctx);
73
74@@ -3437,8 +3437,8 @@ static int usb_xhci_post_load(void *opaque, int version_id)
75 if (!slot->addressed) {
76 continue;
77 }
78- slot->ctx =
79- xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid));
80+ slot->ctx = xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid,
81+ MEMTXATTRS_UNSPECIFIED));
82 xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx));
83 slot->uport = xhci_lookup_uport(xhci, slot_ctx);
84 if (!slot->uport) {
85diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
86index d07e970..0613308 100644
87--- a/include/hw/pci/pci.h
88+++ b/include/hw/pci/pci.h
89@@ -854,7 +854,8 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr,
90 static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \
91 dma_addr_t addr) \
92 { \
93- return ld##_l##_dma(pci_get_address_space(dev), addr); \
94+ return ld##_l##_dma(pci_get_address_space(dev), addr, \
95+ MEMTXATTRS_UNSPECIFIED); \
96 } \
97 static inline void st##_s##_pci_dma(PCIDevice *dev, \
98 dma_addr_t addr, uint##_bits##_t val) \
99diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h
100index e87f8e6..d2ec9b0 100644
101--- a/include/hw/ppc/spapr_vio.h
102+++ b/include/hw/ppc/spapr_vio.h
103@@ -126,7 +126,8 @@ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr,
104 (stl_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED))
105 #define vio_stq(_dev, _addr, _val) \
106 (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED))
107-#define vio_ldq(_dev, _addr) (ldq_be_dma(&(_dev)->as, (_addr)))
108+#define vio_ldq(_dev, _addr) \
109+ (ldq_be_dma(&(_dev)->as, (_addr), MEMTXATTRS_UNSPECIFIED))
110
111 int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq);
112
113diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
114index 009dd3c..d1635f5 100644
115--- a/include/sysemu/dma.h
116+++ b/include/sysemu/dma.h
117@@ -241,10 +241,11 @@ static inline void dma_memory_unmap(AddressSpace *as,
118
119 #define DEFINE_LDST_DMA(_lname, _sname, _bits, _end) \
120 static inline uint##_bits##_t ld##_lname##_##_end##_dma(AddressSpace *as, \
121- dma_addr_t addr) \
122+ dma_addr_t addr, \
123+ MemTxAttrs attrs) \
124 { \
125 uint##_bits##_t val; \
126- dma_memory_read(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \
127+ dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \
128 return _end##_bits##_to_cpu(val); \
129 } \
130 static inline void st##_sname##_##_end##_dma(AddressSpace *as, \
131@@ -253,14 +254,14 @@ static inline void dma_memory_unmap(AddressSpace *as,
132 MemTxAttrs attrs) \
133 { \
134 val = cpu_to_##_end##_bits(val); \
135- dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \
136+ dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \
137 }
138
139-static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr)
140+static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs)
141 {
142 uint8_t val;
143
144- dma_memory_read(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED);
145+ dma_memory_read(as, addr, &val, 1, attrs);
146 return val;
147 }
148
149--
1501.8.3.1
151
diff --git a/meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch
new file mode 100644
index 0000000000..3fc7b631a4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch
@@ -0,0 +1,65 @@
1From 24aed6bcb6b6d266149591f955c2460c28759eb4 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Fri, 17 Dec 2021 23:56:14 +0100
4Subject: [PATCH] dma: Let st*_dma() propagate MemTxResult
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9dma_memory_write() returns a MemTxResult type. Do not discard
10it, return it to the caller.
11
12CVE: CVE-2021-3611
13Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=24aed6bcb6b6d266149591f955c2460c28759eb4]
14
15Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
16Reviewed-by: Cédric Le Goater <clg@kaod.org>
17Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
18Message-Id: <20211223115554.3155328-18-philmd@redhat.com>
19Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
20---
21 include/sysemu/dma.h | 20 ++++++++++----------
22 1 file changed, 10 insertions(+), 10 deletions(-)
23
24diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
25index d1635f5..895044d 100644
26--- a/include/sysemu/dma.h
27+++ b/include/sysemu/dma.h
28@@ -248,13 +248,13 @@ static inline void dma_memory_unmap(AddressSpace *as,
29 dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \
30 return _end##_bits##_to_cpu(val); \
31 } \
32- static inline void st##_sname##_##_end##_dma(AddressSpace *as, \
33- dma_addr_t addr, \
34- uint##_bits##_t val, \
35- MemTxAttrs attrs) \
36- { \
37- val = cpu_to_##_end##_bits(val); \
38- dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \
39+ static inline MemTxResult st##_sname##_##_end##_dma(AddressSpace *as, \
40+ dma_addr_t addr, \
41+ uint##_bits##_t val, \
42+ MemTxAttrs attrs) \
43+ { \
44+ val = cpu_to_##_end##_bits(val); \
45+ return dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \
46 }
47
48 static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs)
49@@ -265,10 +265,10 @@ static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs att
50 return val;
51 }
52
53-static inline void stb_dma(AddressSpace *as, dma_addr_t addr,
54- uint8_t val, MemTxAttrs attrs)
55+static inline MemTxResult stb_dma(AddressSpace *as, dma_addr_t addr,
56+ uint8_t val, MemTxAttrs attrs)
57 {
58- dma_memory_write(as, addr, &val, 1, attrs);
59+ return dma_memory_write(as, addr, &val, 1, attrs);
60 }
61
62 DEFINE_LDST_DMA(uw, w, 16, le);
63--
641.8.3.1
65
diff --git a/meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch
new file mode 100644
index 0000000000..d8a136c47f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch
@@ -0,0 +1,175 @@
1From cd1db8df7431edd2210ed0123e2e09b9b6d1e621 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Fri, 17 Dec 2021 22:31:11 +0100
4Subject: [PATCH] dma: Let ld*_dma() propagate MemTxResult
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9dma_memory_read() returns a MemTxResult type. Do not discard
10it, return it to the caller.
11
12Update the few callers.
13
14CVE: CVE-2021-3611
15Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=cd1db8df7431edd2210ed0123e2e09b9b6d1e621]
16
17Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
18Reviewed-by: Cédric Le Goater <clg@kaod.org>
19Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
20Message-Id: <20211223115554.3155328-19-philmd@redhat.com>
21Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
22---
23 hw/intc/pnv_xive.c | 8 ++++----
24 hw/usb/hcd-xhci.c | 7 ++++---
25 include/hw/pci/pci.h | 6 ++++--
26 include/hw/ppc/spapr_vio.h | 6 +++++-
27 include/sysemu/dma.h | 25 ++++++++++++-------------
28 5 files changed, 29 insertions(+), 23 deletions(-)
29
30diff --git a/hw/intc/pnv_xive.c b/hw/intc/pnv_xive.c
31index d9249bb..bb20751 100644
32--- a/hw/intc/pnv_xive.c
33+++ b/hw/intc/pnv_xive.c
34@@ -172,7 +172,7 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type,
35
36 /* Get the page size of the indirect table. */
37 vsd_addr = vsd & VSD_ADDRESS_MASK;
38- vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED);
39+ ldq_be_dma(&address_space_memory, vsd_addr, &vsd, MEMTXATTRS_UNSPECIFIED);
40
41 if (!(vsd & VSD_ADDRESS_MASK)) {
42 #ifdef XIVE_DEBUG
43@@ -195,8 +195,8 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type,
44 /* Load the VSD we are looking for, if not already done */
45 if (vsd_idx) {
46 vsd_addr = vsd_addr + vsd_idx * XIVE_VSD_SIZE;
47- vsd = ldq_be_dma(&address_space_memory, vsd_addr,
48- MEMTXATTRS_UNSPECIFIED);
49+ ldq_be_dma(&address_space_memory, vsd_addr, &vsd,
50+ MEMTXATTRS_UNSPECIFIED);
51
52 if (!(vsd & VSD_ADDRESS_MASK)) {
53 #ifdef XIVE_DEBUG
54@@ -543,7 +543,7 @@ static uint64_t pnv_xive_vst_per_subpage(PnvXive *xive, uint32_t type)
55
56 /* Get the page size of the indirect table. */
57 vsd_addr = vsd & VSD_ADDRESS_MASK;
58- vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED);
59+ ldq_be_dma(&address_space_memory, vsd_addr, &vsd, MEMTXATTRS_UNSPECIFIED);
60
61 if (!(vsd & VSD_ADDRESS_MASK)) {
62 #ifdef XIVE_DEBUG
63diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
64index d960b81..da5a407 100644
65--- a/hw/usb/hcd-xhci.c
66+++ b/hw/usb/hcd-xhci.c
67@@ -2062,7 +2062,7 @@ static TRBCCode xhci_address_slot(XHCIState *xhci, unsigned int slotid,
68 assert(slotid >= 1 && slotid <= xhci->numslots);
69
70 dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high);
71- poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid, MEMTXATTRS_UNSPECIFIED);
72+ ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &poctx, MEMTXATTRS_UNSPECIFIED);
73 ictx = xhci_mask64(pictx);
74 octx = xhci_mask64(poctx);
75
76@@ -3429,6 +3429,7 @@ static int usb_xhci_post_load(void *opaque, int version_id)
77 uint32_t slot_ctx[4];
78 uint32_t ep_ctx[5];
79 int slotid, epid, state;
80+ uint64_t addr;
81
82 dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high);
83
84@@ -3437,8 +3438,8 @@ static int usb_xhci_post_load(void *opaque, int version_id)
85 if (!slot->addressed) {
86 continue;
87 }
88- slot->ctx = xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid,
89- MEMTXATTRS_UNSPECIFIED));
90+ ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &addr, MEMTXATTRS_UNSPECIFIED);
91+ slot->ctx = xhci_mask64(addr);
92 xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx));
93 slot->uport = xhci_lookup_uport(xhci, slot_ctx);
94 if (!slot->uport) {
95diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
96index 0613308..8c5f2ed 100644
97--- a/include/hw/pci/pci.h
98+++ b/include/hw/pci/pci.h
99@@ -854,8 +854,10 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr,
100 static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \
101 dma_addr_t addr) \
102 { \
103- return ld##_l##_dma(pci_get_address_space(dev), addr, \
104- MEMTXATTRS_UNSPECIFIED); \
105+ uint##_bits##_t val; \
106+ ld##_l##_dma(pci_get_address_space(dev), addr, &val, \
107+ MEMTXATTRS_UNSPECIFIED); \
108+ return val; \
109 } \
110 static inline void st##_s##_pci_dma(PCIDevice *dev, \
111 dma_addr_t addr, uint##_bits##_t val) \
112diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h
113index d2ec9b0..7eae1a4 100644
114--- a/include/hw/ppc/spapr_vio.h
115+++ b/include/hw/ppc/spapr_vio.h
116@@ -127,7 +127,11 @@ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr,
117 #define vio_stq(_dev, _addr, _val) \
118 (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED))
119 #define vio_ldq(_dev, _addr) \
120- (ldq_be_dma(&(_dev)->as, (_addr), MEMTXATTRS_UNSPECIFIED))
121+ ({ \
122+ uint64_t _val; \
123+ ldq_be_dma(&(_dev)->as, (_addr), &_val, MEMTXATTRS_UNSPECIFIED); \
124+ _val; \
125+ })
126
127 int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq);
128
129diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
130index 895044d..b3faef4 100644
131--- a/include/sysemu/dma.h
132+++ b/include/sysemu/dma.h
133@@ -240,14 +240,15 @@ static inline void dma_memory_unmap(AddressSpace *as,
134 }
135
136 #define DEFINE_LDST_DMA(_lname, _sname, _bits, _end) \
137- static inline uint##_bits##_t ld##_lname##_##_end##_dma(AddressSpace *as, \
138- dma_addr_t addr, \
139- MemTxAttrs attrs) \
140- { \
141- uint##_bits##_t val; \
142- dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \
143- return _end##_bits##_to_cpu(val); \
144- } \
145+ static inline MemTxResult ld##_lname##_##_end##_dma(AddressSpace *as, \
146+ dma_addr_t addr, \
147+ uint##_bits##_t *pval, \
148+ MemTxAttrs attrs) \
149+ { \
150+ MemTxResult res = dma_memory_read(as, addr, pval, (_bits) / 8, attrs); \
151+ _end##_bits##_to_cpus(pval); \
152+ return res; \
153+ } \
154 static inline MemTxResult st##_sname##_##_end##_dma(AddressSpace *as, \
155 dma_addr_t addr, \
156 uint##_bits##_t val, \
157@@ -257,12 +258,10 @@ static inline void dma_memory_unmap(AddressSpace *as,
158 return dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \
159 }
160
161-static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs)
162+static inline MemTxResult ldub_dma(AddressSpace *as, dma_addr_t addr,
163+ uint8_t *val, MemTxAttrs attrs)
164 {
165- uint8_t val;
166-
167- dma_memory_read(as, addr, &val, 1, attrs);
168- return val;
169+ return dma_memory_read(as, addr, val, 1, attrs);
170 }
171
172 static inline MemTxResult stb_dma(AddressSpace *as, dma_addr_t addr,
173--
1741.8.3.1
175
diff --git a/meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..69101f308d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,303 @@
1From a423a1b523296f8798a5851aaaba64dd166c0a74 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Fri, 17 Dec 2021 22:39:42 +0100
4Subject: [PATCH] pci: Let st*_pci_dma() take MemTxAttrs argument
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9Let devices specify transaction attributes when calling st*_pci_dma().
10
11Keep the default MEMTXATTRS_UNSPECIFIED in the few callers.
12
13CVE: CVE-2021-3611
14Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=a423a1b523296f8798a5851aaaba64dd166c0a74]
15
16Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
17Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
18Message-Id: <20211223115554.3155328-21-philmd@redhat.com>
19Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
20---
21 hw/audio/intel-hda.c | 10 ++++++----
22 hw/net/eepro100.c | 29 ++++++++++++++++++-----------
23 hw/net/tulip.c | 18 ++++++++++--------
24 hw/scsi/megasas.c | 15 ++++++++++-----
25 hw/scsi/vmw_pvscsi.c | 3 ++-
26 include/hw/pci/pci.h | 11 ++++++-----
27 6 files changed, 52 insertions(+), 34 deletions(-)
28
29diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
30index fb3d34a..3309ae0 100644
31--- a/hw/audio/intel-hda.c
32+++ b/hw/audio/intel-hda.c
33@@ -345,6 +345,7 @@ static void intel_hda_corb_run(IntelHDAState *d)
34
35 static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t response)
36 {
37+ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
38 HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus);
39 IntelHDAState *d = container_of(bus, IntelHDAState, codecs);
40 hwaddr addr;
41@@ -367,8 +368,8 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res
42 ex = (solicited ? 0 : (1 << 4)) | dev->cad;
43 wp = (d->rirb_wp + 1) & 0xff;
44 addr = intel_hda_addr(d->rirb_lbase, d->rirb_ubase);
45- stl_le_pci_dma(&d->pci, addr + 8*wp, response);
46- stl_le_pci_dma(&d->pci, addr + 8*wp + 4, ex);
47+ stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs);
48+ stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs);
49 d->rirb_wp = wp;
50
51 dprint(d, 2, "%s: [wp 0x%x] response 0x%x, extra 0x%x\n",
52@@ -394,6 +395,7 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res
53 static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
54 uint8_t *buf, uint32_t len)
55 {
56+ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
57 HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus);
58 IntelHDAState *d = container_of(bus, IntelHDAState, codecs);
59 hwaddr addr;
60@@ -428,7 +430,7 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
61 st->be, st->bp, st->bpl[st->be].len, copy);
62
63 pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output,
64- MEMTXATTRS_UNSPECIFIED);
65+ attrs);
66 st->lpib += copy;
67 st->bp += copy;
68 buf += copy;
69@@ -451,7 +453,7 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
70 if (d->dp_lbase & 0x01) {
71 s = st - d->st;
72 addr = intel_hda_addr(d->dp_lbase & ~0x01, d->dp_ubase);
73- stl_le_pci_dma(&d->pci, addr + 8*s, st->lpib);
74+ stl_le_pci_dma(&d->pci, addr + 8 * s, st->lpib, attrs);
75 }
76 dprint(d, 3, "dma: --\n");
77
78diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
79index 16e95ef..83c4431 100644
80--- a/hw/net/eepro100.c
81+++ b/hw/net/eepro100.c
82@@ -700,6 +700,8 @@ static void set_ru_state(EEPRO100State * s, ru_state_t state)
83
84 static void dump_statistics(EEPRO100State * s)
85 {
86+ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
87+
88 /* Dump statistical data. Most data is never changed by the emulation
89 * and always 0, so we first just copy the whole block and then those
90 * values which really matter.
91@@ -707,16 +709,18 @@ static void dump_statistics(EEPRO100State * s)
92 */
93 pci_dma_write(&s->dev, s->statsaddr, &s->statistics, s->stats_size);
94 stl_le_pci_dma(&s->dev, s->statsaddr + 0,
95- s->statistics.tx_good_frames);
96+ s->statistics.tx_good_frames, attrs);
97 stl_le_pci_dma(&s->dev, s->statsaddr + 36,
98- s->statistics.rx_good_frames);
99+ s->statistics.rx_good_frames, attrs);
100 stl_le_pci_dma(&s->dev, s->statsaddr + 48,
101- s->statistics.rx_resource_errors);
102+ s->statistics.rx_resource_errors, attrs);
103 stl_le_pci_dma(&s->dev, s->statsaddr + 60,
104- s->statistics.rx_short_frame_errors);
105+ s->statistics.rx_short_frame_errors, attrs);
106 #if 0
107- stw_le_pci_dma(&s->dev, s->statsaddr + 76, s->statistics.xmt_tco_frames);
108- stw_le_pci_dma(&s->dev, s->statsaddr + 78, s->statistics.rcv_tco_frames);
109+ stw_le_pci_dma(&s->dev, s->statsaddr + 76,
110+ s->statistics.xmt_tco_frames, attrs);
111+ stw_le_pci_dma(&s->dev, s->statsaddr + 78,
112+ s->statistics.rcv_tco_frames, attrs);
113 missing("CU dump statistical counters");
114 #endif
115 }
116@@ -833,6 +837,7 @@ static void set_multicast_list(EEPRO100State *s)
117
118 static void action_command(EEPRO100State *s)
119 {
120+ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
121 /* The loop below won't stop if it gets special handcrafted data.
122 Therefore we limit the number of iterations. */
123 unsigned max_loop_count = 16;
124@@ -911,7 +916,7 @@ static void action_command(EEPRO100State *s)
125 }
126 /* Write new status. */
127 stw_le_pci_dma(&s->dev, s->cb_address,
128- s->tx.status | ok_status | STATUS_C);
129+ s->tx.status | ok_status | STATUS_C, attrs);
130 if (bit_i) {
131 /* CU completed action. */
132 eepro100_cx_interrupt(s);
133@@ -937,6 +942,7 @@ static void action_command(EEPRO100State *s)
134
135 static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
136 {
137+ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
138 cu_state_t cu_state;
139 switch (val) {
140 case CU_NOP:
141@@ -986,7 +992,7 @@ static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
142 /* Dump statistical counters. */
143 TRACE(OTHER, logout("val=0x%02x (dump stats)\n", val));
144 dump_statistics(s);
145- stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005);
146+ stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005, attrs);
147 break;
148 case CU_CMD_BASE:
149 /* Load CU base. */
150@@ -997,7 +1003,7 @@ static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
151 /* Dump and reset statistical counters. */
152 TRACE(OTHER, logout("val=0x%02x (dump stats and reset)\n", val));
153 dump_statistics(s);
154- stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007);
155+ stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007, attrs);
156 memset(&s->statistics, 0, sizeof(s->statistics));
157 break;
158 case CU_SRESUME:
159@@ -1612,6 +1618,7 @@ static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size)
160 * - Magic packets should set bit 30 in power management driver register.
161 * - Interesting packets should set bit 29 in power management driver register.
162 */
163+ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
164 EEPRO100State *s = qemu_get_nic_opaque(nc);
165 uint16_t rfd_status = 0xa000;
166 #if defined(CONFIG_PAD_RECEIVED_FRAMES)
167@@ -1726,9 +1733,9 @@ static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size)
168 TRACE(OTHER, logout("command 0x%04x, link 0x%08x, addr 0x%08x, size %u\n",
169 rfd_command, rx.link, rx.rx_buf_addr, rfd_size));
170 stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
171- offsetof(eepro100_rx_t, status), rfd_status);
172+ offsetof(eepro100_rx_t, status), rfd_status, attrs);
173 stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset +
174- offsetof(eepro100_rx_t, count), size);
175+ offsetof(eepro100_rx_t, count), size, attrs);
176 /* Early receive interrupt not supported. */
177 #if 0
178 eepro100_er_interrupt(s);
179diff --git a/hw/net/tulip.c b/hw/net/tulip.c
180index ca69f7e..1f2c79d 100644
181--- a/hw/net/tulip.c
182+++ b/hw/net/tulip.c
183@@ -86,16 +86,18 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,
184 static void tulip_desc_write(TULIPState *s, hwaddr p,
185 struct tulip_descriptor *desc)
186 {
187+ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
188+
189 if (s->csr[0] & CSR0_DBO) {
190- stl_be_pci_dma(&s->dev, p, desc->status);
191- stl_be_pci_dma(&s->dev, p + 4, desc->control);
192- stl_be_pci_dma(&s->dev, p + 8, desc->buf_addr1);
193- stl_be_pci_dma(&s->dev, p + 12, desc->buf_addr2);
194+ stl_be_pci_dma(&s->dev, p, desc->status, attrs);
195+ stl_be_pci_dma(&s->dev, p + 4, desc->control, attrs);
196+ stl_be_pci_dma(&s->dev, p + 8, desc->buf_addr1, attrs);
197+ stl_be_pci_dma(&s->dev, p + 12, desc->buf_addr2, attrs);
198 } else {
199- stl_le_pci_dma(&s->dev, p, desc->status);
200- stl_le_pci_dma(&s->dev, p + 4, desc->control);
201- stl_le_pci_dma(&s->dev, p + 8, desc->buf_addr1);
202- stl_le_pci_dma(&s->dev, p + 12, desc->buf_addr2);
203+ stl_le_pci_dma(&s->dev, p, desc->status, attrs);
204+ stl_le_pci_dma(&s->dev, p + 4, desc->control, attrs);
205+ stl_le_pci_dma(&s->dev, p + 8, desc->buf_addr1, attrs);
206+ stl_le_pci_dma(&s->dev, p + 12, desc->buf_addr2, attrs);
207 }
208 }
209
210diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
211index 091a350..b5e8b14 100644
212--- a/hw/scsi/megasas.c
213+++ b/hw/scsi/megasas.c
214@@ -168,14 +168,16 @@ static void megasas_frame_set_cmd_status(MegasasState *s,
215 unsigned long frame, uint8_t v)
216 {
217 PCIDevice *pci = &s->parent_obj;
218- stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, cmd_status), v);
219+ stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, cmd_status),
220+ v, MEMTXATTRS_UNSPECIFIED);
221 }
222
223 static void megasas_frame_set_scsi_status(MegasasState *s,
224 unsigned long frame, uint8_t v)
225 {
226 PCIDevice *pci = &s->parent_obj;
227- stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, scsi_status), v);
228+ stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, scsi_status),
229+ v, MEMTXATTRS_UNSPECIFIED);
230 }
231
232 static inline const char *mfi_frame_desc(unsigned int cmd)
233@@ -542,6 +544,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s,
234
235 static void megasas_complete_frame(MegasasState *s, uint64_t context)
236 {
237+ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
238 PCIDevice *pci_dev = PCI_DEVICE(s);
239 int tail, queue_offset;
240
241@@ -555,10 +558,12 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context)
242 */
243 if (megasas_use_queue64(s)) {
244 queue_offset = s->reply_queue_head * sizeof(uint64_t);
245- stq_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, context);
246+ stq_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset,
247+ context, attrs);
248 } else {
249 queue_offset = s->reply_queue_head * sizeof(uint32_t);
250- stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, context);
251+ stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset,
252+ context, attrs);
253 }
254 s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa);
255 trace_megasas_qf_complete(context, s->reply_queue_head,
256@@ -572,7 +577,7 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context)
257 s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds);
258 trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail,
259 s->busy);
260- stl_le_pci_dma(pci_dev, s->producer_pa, s->reply_queue_head);
261+ stl_le_pci_dma(pci_dev, s->producer_pa, s->reply_queue_head, attrs);
262 /* Notify HBA */
263 if (msix_enabled(pci_dev)) {
264 trace_megasas_msix_raise(0);
265diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
266index cd76bd6..59c3e8b 100644
267--- a/hw/scsi/vmw_pvscsi.c
268+++ b/hw/scsi/vmw_pvscsi.c
269@@ -55,7 +55,8 @@
270 (m)->rs_pa + offsetof(struct PVSCSIRingsState, field)))
271 #define RS_SET_FIELD(m, field, val) \
272 (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \
273- (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val))
274+ (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \
275+ MEMTXATTRS_UNSPECIFIED))
276
277 struct PVSCSIClass {
278 PCIDeviceClass parent_class;
279diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
280index 8c5f2ed..9f51ef2 100644
281--- a/include/hw/pci/pci.h
282+++ b/include/hw/pci/pci.h
283@@ -859,11 +859,12 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr,
284 MEMTXATTRS_UNSPECIFIED); \
285 return val; \
286 } \
287- static inline void st##_s##_pci_dma(PCIDevice *dev, \
288- dma_addr_t addr, uint##_bits##_t val) \
289- { \
290- st##_s##_dma(pci_get_address_space(dev), addr, val, \
291- MEMTXATTRS_UNSPECIFIED); \
292+ static inline void st##_s##_pci_dma(PCIDevice *dev, \
293+ dma_addr_t addr, \
294+ uint##_bits##_t val, \
295+ MemTxAttrs attrs) \
296+ { \
297+ st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \
298 }
299
300 PCI_DMA_DEFINE_LDST(ub, b, 8);
301--
3021.8.3.1
303
diff --git a/meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch
new file mode 100644
index 0000000000..7f9de244be
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch
@@ -0,0 +1,271 @@
1From 398f9a84ac7132e38caf7b066273734b3bf619ff Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Fri, 17 Dec 2021 23:45:06 +0100
4Subject: [PATCH] pci: Let ld*_pci_dma() take MemTxAttrs argument
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9Let devices specify transaction attributes when calling ld*_pci_dma().
10
11Keep the default MEMTXATTRS_UNSPECIFIED in the few callers.
12
13CVE: CVE-2021-3611
14Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=398f9a84ac7132e38caf7b066273734b3bf619ff]
15
16Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
17Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
18Message-Id: <20211223115554.3155328-22-philmd@redhat.com>
19Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
20---
21 hw/audio/intel-hda.c | 2 +-
22 hw/net/eepro100.c | 19 +++++++++++++------
23 hw/net/tulip.c | 18 ++++++++++--------
24 hw/scsi/megasas.c | 16 ++++++++++------
25 hw/scsi/mptsas.c | 10 ++++++----
26 hw/scsi/vmw_pvscsi.c | 3 ++-
27 hw/usb/hcd-xhci.c | 1 +
28 include/hw/pci/pci.h | 6 +++---
29 8 files changed, 46 insertions(+), 29 deletions(-)
30
31diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
32index 3309ae0..e34b7ab 100644
33--- a/hw/audio/intel-hda.c
34+++ b/hw/audio/intel-hda.c
35@@ -335,7 +335,7 @@ static void intel_hda_corb_run(IntelHDAState *d)
36
37 rp = (d->corb_rp + 1) & 0xff;
38 addr = intel_hda_addr(d->corb_lbase, d->corb_ubase);
39- verb = ldl_le_pci_dma(&d->pci, addr + 4*rp);
40+ verb = ldl_le_pci_dma(&d->pci, addr + 4 * rp, MEMTXATTRS_UNSPECIFIED);
41 d->corb_rp = rp;
42
43 dprint(d, 2, "%s: [rp 0x%x] verb 0x%08x\n", __func__, rp, verb);
44diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
45index 83c4431..eb82e9c 100644
46--- a/hw/net/eepro100.c
47+++ b/hw/net/eepro100.c
48@@ -737,6 +737,7 @@ static void read_cb(EEPRO100State *s)
49
50 static void tx_command(EEPRO100State *s)
51 {
52+ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
53 uint32_t tbd_array = s->tx.tbd_array_addr;
54 uint16_t tcb_bytes = s->tx.tcb_bytes & 0x3fff;
55 /* Sends larger than MAX_ETH_FRAME_SIZE are allowed, up to 2600 bytes. */
56@@ -772,11 +773,14 @@ static void tx_command(EEPRO100State *s)
57 /* Extended Flexible TCB. */
58 for (; tbd_count < 2; tbd_count++) {
59 uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev,
60- tbd_address);
61+ tbd_address,
62+ attrs);
63 uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev,
64- tbd_address + 4);
65+ tbd_address + 4,
66+ attrs);
67 uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev,
68- tbd_address + 6);
69+ tbd_address + 6,
70+ attrs);
71 tbd_address += 8;
72 TRACE(RXTX, logout
73 ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n",
74@@ -792,9 +796,12 @@ static void tx_command(EEPRO100State *s)
75 }
76 tbd_address = tbd_array;
77 for (; tbd_count < s->tx.tbd_count; tbd_count++) {
78- uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address);
79- uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4);
80- uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
81+ uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address,
82+ attrs);
83+ uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4,
84+ attrs);
85+ uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6,
86+ attrs);
87 tbd_address += 8;
88 TRACE(RXTX, logout
89 ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n",
90diff --git a/hw/net/tulip.c b/hw/net/tulip.c
91index 1f2c79d..c76e486 100644
92--- a/hw/net/tulip.c
93+++ b/hw/net/tulip.c
94@@ -70,16 +70,18 @@ static const VMStateDescription vmstate_pci_tulip = {
95 static void tulip_desc_read(TULIPState *s, hwaddr p,
96 struct tulip_descriptor *desc)
97 {
98+ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
99+
100 if (s->csr[0] & CSR0_DBO) {
101- desc->status = ldl_be_pci_dma(&s->dev, p);
102- desc->control = ldl_be_pci_dma(&s->dev, p + 4);
103- desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8);
104- desc->buf_addr2 = ldl_be_pci_dma(&s->dev, p + 12);
105+ desc->status = ldl_be_pci_dma(&s->dev, p, attrs);
106+ desc->control = ldl_be_pci_dma(&s->dev, p + 4, attrs);
107+ desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8, attrs);
108+ desc->buf_addr2 = ldl_be_pci_dma(&s->dev, p + 12, attrs);
109 } else {
110- desc->status = ldl_le_pci_dma(&s->dev, p);
111- desc->control = ldl_le_pci_dma(&s->dev, p + 4);
112- desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8);
113- desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12);
114+ desc->status = ldl_le_pci_dma(&s->dev, p, attrs);
115+ desc->control = ldl_le_pci_dma(&s->dev, p + 4, attrs);
116+ desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8, attrs);
117+ desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12, attrs);
118 }
119 }
120
121diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
122index b5e8b14..98b1370 100644
123--- a/hw/scsi/megasas.c
124+++ b/hw/scsi/megasas.c
125@@ -202,7 +202,9 @@ static uint64_t megasas_frame_get_context(MegasasState *s,
126 unsigned long frame)
127 {
128 PCIDevice *pci = &s->parent_obj;
129- return ldq_le_pci_dma(pci, frame + offsetof(struct mfi_frame_header, context));
130+ return ldq_le_pci_dma(pci,
131+ frame + offsetof(struct mfi_frame_header, context),
132+ MEMTXATTRS_UNSPECIFIED);
133 }
134
135 static bool megasas_frame_is_ieee_sgl(MegasasCmd *cmd)
136@@ -534,7 +536,8 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s,
137 s->busy++;
138
139 if (s->consumer_pa) {
140- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
141+ s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa,
142+ MEMTXATTRS_UNSPECIFIED);
143 }
144 trace_megasas_qf_enqueue(cmd->index, cmd->count, cmd->context,
145 s->reply_queue_head, s->reply_queue_tail, s->busy);
146@@ -565,14 +568,14 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context)
147 stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset,
148 context, attrs);
149 }
150- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa);
151+ s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs);
152 trace_megasas_qf_complete(context, s->reply_queue_head,
153 s->reply_queue_tail, s->busy);
154 }
155
156 if (megasas_intr_enabled(s)) {
157 /* Update reply queue pointer */
158- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa);
159+ s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs);
160 tail = s->reply_queue_head;
161 s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds);
162 trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail,
163@@ -637,6 +640,7 @@ static void megasas_abort_command(MegasasCmd *cmd)
164
165 static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
166 {
167+ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
168 PCIDevice *pcid = PCI_DEVICE(s);
169 uint32_t pa_hi, pa_lo;
170 hwaddr iq_pa, initq_size = sizeof(struct mfi_init_qinfo);
171@@ -675,9 +679,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
172 pa_lo = le32_to_cpu(initq->pi_addr_lo);
173 pa_hi = le32_to_cpu(initq->pi_addr_hi);
174 s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
175- s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
176+ s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa, attrs);
177 s->reply_queue_head %= MEGASAS_MAX_FRAMES;
178- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
179+ s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, attrs);
180 s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
181 flags = le32_to_cpu(initq->flags);
182 if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
183diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
184index f6c7765..ac9f4df 100644
185--- a/hw/scsi/mptsas.c
186+++ b/hw/scsi/mptsas.c
187@@ -172,14 +172,15 @@ static const int mpi_request_sizes[] = {
188 static dma_addr_t mptsas_ld_sg_base(MPTSASState *s, uint32_t flags_and_length,
189 dma_addr_t *sgaddr)
190 {
191+ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
192 PCIDevice *pci = (PCIDevice *) s;
193 dma_addr_t addr;
194
195 if (flags_and_length & MPI_SGE_FLAGS_64_BIT_ADDRESSING) {
196- addr = ldq_le_pci_dma(pci, *sgaddr + 4);
197+ addr = ldq_le_pci_dma(pci, *sgaddr + 4, attrs);
198 *sgaddr += 12;
199 } else {
200- addr = ldl_le_pci_dma(pci, *sgaddr + 4);
201+ addr = ldl_le_pci_dma(pci, *sgaddr + 4, attrs);
202 *sgaddr += 8;
203 }
204 return addr;
205@@ -203,7 +204,7 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
206 dma_addr_t addr, len;
207 uint32_t flags_and_length;
208
209- flags_and_length = ldl_le_pci_dma(pci, sgaddr);
210+ flags_and_length = ldl_le_pci_dma(pci, sgaddr, MEMTXATTRS_UNSPECIFIED);
211 len = flags_and_length & MPI_SGE_LENGTH_MASK;
212 if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK)
213 != MPI_SGE_FLAGS_SIMPLE_ELEMENT ||
214@@ -234,7 +235,8 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
215 break;
216 }
217
218- flags_and_length = ldl_le_pci_dma(pci, next_chain_addr);
219+ flags_and_length = ldl_le_pci_dma(pci, next_chain_addr,
220+ MEMTXATTRS_UNSPECIFIED);
221 if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK)
222 != MPI_SGE_FLAGS_CHAIN_ELEMENT) {
223 return MPI_IOCSTATUS_INVALID_SGL;
224diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
225index 59c3e8b..33e16f9 100644
226--- a/hw/scsi/vmw_pvscsi.c
227+++ b/hw/scsi/vmw_pvscsi.c
228@@ -52,7 +52,8 @@
229
230 #define RS_GET_FIELD(m, field) \
231 (ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \
232- (m)->rs_pa + offsetof(struct PVSCSIRingsState, field)))
233+ (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), \
234+ MEMTXATTRS_UNSPECIFIED))
235 #define RS_SET_FIELD(m, field, val) \
236 (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \
237 (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \
238diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
239index da5a407..14bdb89 100644
240--- a/hw/usb/hcd-xhci.c
241+++ b/hw/usb/hcd-xhci.c
242@@ -3440,6 +3440,7 @@ static int usb_xhci_post_load(void *opaque, int version_id)
243 }
244 ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &addr, MEMTXATTRS_UNSPECIFIED);
245 slot->ctx = xhci_mask64(addr);
246+
247 xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx));
248 slot->uport = xhci_lookup_uport(xhci, slot_ctx);
249 if (!slot->uport) {
250diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
251index 9f51ef2..7a46c1f 100644
252--- a/include/hw/pci/pci.h
253+++ b/include/hw/pci/pci.h
254@@ -852,11 +852,11 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr,
255
256 #define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \
257 static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \
258- dma_addr_t addr) \
259+ dma_addr_t addr, \
260+ MemTxAttrs attrs) \
261 { \
262 uint##_bits##_t val; \
263- ld##_l##_dma(pci_get_address_space(dev), addr, &val, \
264- MEMTXATTRS_UNSPECIFIED); \
265+ ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \
266 return val; \
267 } \
268 static inline void st##_s##_pci_dma(PCIDevice *dev, \
269--
2701.8.3.1
271
diff --git a/meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch
new file mode 100644
index 0000000000..e52a45b90f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch
@@ -0,0 +1,47 @@
1From 6bebb270731758fae3114b7d24c2b12b7c325cc5 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Fri, 17 Dec 2021 23:47:30 +0100
4Subject: [PATCH] pci: Let st*_pci_dma() propagate MemTxResult
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9st*_dma() returns a MemTxResult type. Do not discard
10it, return it to the caller.
11
12CVE: CVE-2021-3611
13Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=6bebb270731758fae3114b7d24c2b12b7c325cc5]
14
15Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
16Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
17Message-Id: <20211223115554.3155328-23-philmd@redhat.com>
18Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
19---
20 include/hw/pci/pci.h | 10 +++++-----
21 1 file changed, 5 insertions(+), 5 deletions(-)
22
23diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
24index 7a46c1f..c90cecc 100644
25--- a/include/hw/pci/pci.h
26+++ b/include/hw/pci/pci.h
27@@ -859,12 +859,12 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr,
28 ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \
29 return val; \
30 } \
31- static inline void st##_s##_pci_dma(PCIDevice *dev, \
32- dma_addr_t addr, \
33- uint##_bits##_t val, \
34- MemTxAttrs attrs) \
35+ static inline MemTxResult st##_s##_pci_dma(PCIDevice *dev, \
36+ dma_addr_t addr, \
37+ uint##_bits##_t val, \
38+ MemTxAttrs attrs) \
39 { \
40- st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \
41+ return st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \
42 }
43
44 PCI_DMA_DEFINE_LDST(ub, b, 8);
45--
461.8.3.1
47
diff --git a/meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch
new file mode 100644
index 0000000000..6bd6350f44
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch
@@ -0,0 +1,296 @@
1From 4a63054bce23982b99f4d3c65528e47e614086b2 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Fri, 17 Dec 2021 23:49:30 +0100
4Subject: [PATCH] pci: Let ld*_pci_dma() propagate MemTxResult
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9ld*_dma() returns a MemTxResult type. Do not discard
10it, return it to the caller.
11
12Update the few callers.
13
14CVE: CVE-2021-3611
15Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=4a63054bce23982b99f4d3c65528e47e614086b2]
16
17Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
18Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
19Message-Id: <20211223115554.3155328-24-philmd@redhat.com>
20Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
21---
22 hw/audio/intel-hda.c | 2 +-
23 hw/net/eepro100.c | 25 ++++++++++---------------
24 hw/net/tulip.c | 16 ++++++++--------
25 hw/scsi/megasas.c | 21 ++++++++++++---------
26 hw/scsi/mptsas.c | 16 +++++++++++-----
27 hw/scsi/vmw_pvscsi.c | 16 ++++++++++------
28 include/hw/pci/pci.h | 17 ++++++++---------
29 7 files changed, 60 insertions(+), 53 deletions(-)
30
31diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
32index e34b7ab..2b55d52 100644
33--- a/hw/audio/intel-hda.c
34+++ b/hw/audio/intel-hda.c
35@@ -335,7 +335,7 @@ static void intel_hda_corb_run(IntelHDAState *d)
36
37 rp = (d->corb_rp + 1) & 0xff;
38 addr = intel_hda_addr(d->corb_lbase, d->corb_ubase);
39- verb = ldl_le_pci_dma(&d->pci, addr + 4 * rp, MEMTXATTRS_UNSPECIFIED);
40+ ldl_le_pci_dma(&d->pci, addr + 4 * rp, &verb, MEMTXATTRS_UNSPECIFIED);
41 d->corb_rp = rp;
42
43 dprint(d, 2, "%s: [rp 0x%x] verb 0x%08x\n", __func__, rp, verb);
44diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
45index eb82e9c..679f52f 100644
46--- a/hw/net/eepro100.c
47+++ b/hw/net/eepro100.c
48@@ -769,18 +769,16 @@ static void tx_command(EEPRO100State *s)
49 } else {
50 /* Flexible mode. */
51 uint8_t tbd_count = 0;
52+ uint32_t tx_buffer_address;
53+ uint16_t tx_buffer_size;
54+ uint16_t tx_buffer_el;
55+
56 if (s->has_extended_tcb_support && !(s->configuration[6] & BIT(4))) {
57 /* Extended Flexible TCB. */
58 for (; tbd_count < 2; tbd_count++) {
59- uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev,
60- tbd_address,
61- attrs);
62- uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev,
63- tbd_address + 4,
64- attrs);
65- uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev,
66- tbd_address + 6,
67- attrs);
68+ ldl_le_pci_dma(&s->dev, tbd_address, &tx_buffer_address, attrs);
69+ lduw_le_pci_dma(&s->dev, tbd_address + 4, &tx_buffer_size, attrs);
70+ lduw_le_pci_dma(&s->dev, tbd_address + 6, &tx_buffer_el, attrs);
71 tbd_address += 8;
72 TRACE(RXTX, logout
73 ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n",
74@@ -796,12 +794,9 @@ static void tx_command(EEPRO100State *s)
75 }
76 tbd_address = tbd_array;
77 for (; tbd_count < s->tx.tbd_count; tbd_count++) {
78- uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address,
79- attrs);
80- uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4,
81- attrs);
82- uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6,
83- attrs);
84+ ldl_le_pci_dma(&s->dev, tbd_address, &tx_buffer_address, attrs);
85+ lduw_le_pci_dma(&s->dev, tbd_address + 4, &tx_buffer_size, attrs);
86+ lduw_le_pci_dma(&s->dev, tbd_address + 6, &tx_buffer_el, attrs);
87 tbd_address += 8;
88 TRACE(RXTX, logout
89 ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n",
90diff --git a/hw/net/tulip.c b/hw/net/tulip.c
91index c76e486..d5b6cc5 100644
92--- a/hw/net/tulip.c
93+++ b/hw/net/tulip.c
94@@ -73,15 +73,15 @@ static void tulip_desc_read(TULIPState *s, hwaddr p,
95 const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
96
97 if (s->csr[0] & CSR0_DBO) {
98- desc->status = ldl_be_pci_dma(&s->dev, p, attrs);
99- desc->control = ldl_be_pci_dma(&s->dev, p + 4, attrs);
100- desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8, attrs);
101- desc->buf_addr2 = ldl_be_pci_dma(&s->dev, p + 12, attrs);
102+ ldl_be_pci_dma(&s->dev, p, &desc->status, attrs);
103+ ldl_be_pci_dma(&s->dev, p + 4, &desc->control, attrs);
104+ ldl_be_pci_dma(&s->dev, p + 8, &desc->buf_addr1, attrs);
105+ ldl_be_pci_dma(&s->dev, p + 12, &desc->buf_addr2, attrs);
106 } else {
107- desc->status = ldl_le_pci_dma(&s->dev, p, attrs);
108- desc->control = ldl_le_pci_dma(&s->dev, p + 4, attrs);
109- desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8, attrs);
110- desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12, attrs);
111+ ldl_le_pci_dma(&s->dev, p, &desc->status, attrs);
112+ ldl_le_pci_dma(&s->dev, p + 4, &desc->control, attrs);
113+ ldl_le_pci_dma(&s->dev, p + 8, &desc->buf_addr1, attrs);
114+ ldl_le_pci_dma(&s->dev, p + 12, &desc->buf_addr2, attrs);
115 }
116 }
117
118diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
119index 98b1370..dc9bbdb 100644
120--- a/hw/scsi/megasas.c
121+++ b/hw/scsi/megasas.c
122@@ -202,9 +202,12 @@ static uint64_t megasas_frame_get_context(MegasasState *s,
123 unsigned long frame)
124 {
125 PCIDevice *pci = &s->parent_obj;
126- return ldq_le_pci_dma(pci,
127- frame + offsetof(struct mfi_frame_header, context),
128- MEMTXATTRS_UNSPECIFIED);
129+ uint64_t val;
130+
131+ ldq_le_pci_dma(pci, frame + offsetof(struct mfi_frame_header, context),
132+ &val, MEMTXATTRS_UNSPECIFIED);
133+
134+ return val;
135 }
136
137 static bool megasas_frame_is_ieee_sgl(MegasasCmd *cmd)
138@@ -536,8 +539,8 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s,
139 s->busy++;
140
141 if (s->consumer_pa) {
142- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa,
143- MEMTXATTRS_UNSPECIFIED);
144+ ldl_le_pci_dma(pcid, s->consumer_pa, &s->reply_queue_tail,
145+ MEMTXATTRS_UNSPECIFIED);
146 }
147 trace_megasas_qf_enqueue(cmd->index, cmd->count, cmd->context,
148 s->reply_queue_head, s->reply_queue_tail, s->busy);
149@@ -568,14 +571,14 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context)
150 stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset,
151 context, attrs);
152 }
153- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs);
154+ ldl_le_pci_dma(pci_dev, s->consumer_pa, &s->reply_queue_tail, attrs);
155 trace_megasas_qf_complete(context, s->reply_queue_head,
156 s->reply_queue_tail, s->busy);
157 }
158
159 if (megasas_intr_enabled(s)) {
160 /* Update reply queue pointer */
161- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs);
162+ ldl_le_pci_dma(pci_dev, s->consumer_pa, &s->reply_queue_tail, attrs);
163 tail = s->reply_queue_head;
164 s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds);
165 trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail,
166@@ -679,9 +682,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
167 pa_lo = le32_to_cpu(initq->pi_addr_lo);
168 pa_hi = le32_to_cpu(initq->pi_addr_hi);
169 s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
170- s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa, attrs);
171+ ldl_le_pci_dma(pcid, s->producer_pa, &s->reply_queue_head, attrs);
172 s->reply_queue_head %= MEGASAS_MAX_FRAMES;
173- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, attrs);
174+ ldl_le_pci_dma(pcid, s->consumer_pa, &s->reply_queue_tail, attrs);
175 s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
176 flags = le32_to_cpu(initq->flags);
177 if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
178diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
179index ac9f4df..5181b0c 100644
180--- a/hw/scsi/mptsas.c
181+++ b/hw/scsi/mptsas.c
182@@ -177,10 +177,16 @@ static dma_addr_t mptsas_ld_sg_base(MPTSASState *s, uint32_t flags_and_length,
183 dma_addr_t addr;
184
185 if (flags_and_length & MPI_SGE_FLAGS_64_BIT_ADDRESSING) {
186- addr = ldq_le_pci_dma(pci, *sgaddr + 4, attrs);
187+ uint64_t addr64;
188+
189+ ldq_le_pci_dma(pci, *sgaddr + 4, &addr64, attrs);
190+ addr = addr64;
191 *sgaddr += 12;
192 } else {
193- addr = ldl_le_pci_dma(pci, *sgaddr + 4, attrs);
194+ uint32_t addr32;
195+
196+ ldl_le_pci_dma(pci, *sgaddr + 4, &addr32, attrs);
197+ addr = addr32;
198 *sgaddr += 8;
199 }
200 return addr;
201@@ -204,7 +210,7 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
202 dma_addr_t addr, len;
203 uint32_t flags_and_length;
204
205- flags_and_length = ldl_le_pci_dma(pci, sgaddr, MEMTXATTRS_UNSPECIFIED);
206+ ldl_le_pci_dma(pci, sgaddr, &flags_and_length, MEMTXATTRS_UNSPECIFIED);
207 len = flags_and_length & MPI_SGE_LENGTH_MASK;
208 if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK)
209 != MPI_SGE_FLAGS_SIMPLE_ELEMENT ||
210@@ -235,8 +241,8 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
211 break;
212 }
213
214- flags_and_length = ldl_le_pci_dma(pci, next_chain_addr,
215- MEMTXATTRS_UNSPECIFIED);
216+ ldl_le_pci_dma(pci, next_chain_addr, &flags_and_length,
217+ MEMTXATTRS_UNSPECIFIED);
218 if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK)
219 != MPI_SGE_FLAGS_CHAIN_ELEMENT) {
220 return MPI_IOCSTATUS_INVALID_SGL;
221diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
222index 33e16f9..4d9969f 100644
223--- a/hw/scsi/vmw_pvscsi.c
224+++ b/hw/scsi/vmw_pvscsi.c
225@@ -50,10 +50,10 @@
226 #define PVSCSI_MAX_CMD_DATA_WORDS \
227 (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
228
229-#define RS_GET_FIELD(m, field) \
230- (ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \
231+#define RS_GET_FIELD(pval, m, field) \
232+ ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \
233 (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), \
234- MEMTXATTRS_UNSPECIFIED))
235+ pval, MEMTXATTRS_UNSPECIFIED)
236 #define RS_SET_FIELD(m, field, val) \
237 (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \
238 (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \
239@@ -249,10 +249,11 @@ pvscsi_ring_cleanup(PVSCSIRingInfo *mgr)
240 static hwaddr
241 pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
242 {
243- uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
244+ uint32_t ready_ptr;
245 uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
246 * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
247
248+ RS_GET_FIELD(&ready_ptr, mgr, reqProdIdx);
249 if (ready_ptr != mgr->consumed_ptr
250 && ready_ptr - mgr->consumed_ptr < ring_size) {
251 uint32_t next_ready_ptr =
252@@ -323,8 +324,11 @@ pvscsi_ring_flush_cmp(PVSCSIRingInfo *mgr)
253 static bool
254 pvscsi_ring_msg_has_room(PVSCSIRingInfo *mgr)
255 {
256- uint32_t prodIdx = RS_GET_FIELD(mgr, msgProdIdx);
257- uint32_t consIdx = RS_GET_FIELD(mgr, msgConsIdx);
258+ uint32_t prodIdx;
259+ uint32_t consIdx;
260+
261+ RS_GET_FIELD(&prodIdx, mgr, msgProdIdx);
262+ RS_GET_FIELD(&consIdx, mgr, msgConsIdx);
263
264 return (prodIdx - consIdx) < (mgr->msg_len_mask + 1);
265 }
266diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
267index c90cecc..5b36334 100644
268--- a/include/hw/pci/pci.h
269+++ b/include/hw/pci/pci.h
270@@ -850,15 +850,14 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr,
271 DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED);
272 }
273
274-#define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \
275- static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \
276- dma_addr_t addr, \
277- MemTxAttrs attrs) \
278- { \
279- uint##_bits##_t val; \
280- ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \
281- return val; \
282- } \
283+#define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \
284+ static inline MemTxResult ld##_l##_pci_dma(PCIDevice *dev, \
285+ dma_addr_t addr, \
286+ uint##_bits##_t *val, \
287+ MemTxAttrs attrs) \
288+ { \
289+ return ld##_l##_dma(pci_get_address_space(dev), addr, val, attrs); \
290+ } \
291 static inline MemTxResult st##_s##_pci_dma(PCIDevice *dev, \
292 dma_addr_t addr, \
293 uint##_bits##_t val, \
294--
2951.8.3.1
296
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch
new file mode 100644
index 0000000000..dc7990d1b7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch
@@ -0,0 +1,74 @@
1From be5a8cf347d0c47ee3e933dde075526fd8bd5c40 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Sat, 18 Dec 2021 17:09:10 +0100
4Subject: [PATCH] hw/audio/intel-hda: Do not ignore DMA overrun errors
5MIME-Version: 1.0
6Content-Type: text/plain; charset=utf8
7Content-Transfer-Encoding: 8bit
8
9Per the "High Definition Audio Specification" manual (rev. 1.0a),
10section "3.3.30 Offset 5Dh: RIRBSTS - RIRB Status":
11
12 Response Overrun Interrupt Status (RIRBOIS):
13
14 Hardware sets this bit to a 1 when an overrun occurs in the RIRB.
15 An interrupt may be generated if the Response Overrun Interrupt
16 Control bit is set.
17
18 This bit will be set if the RIRB DMA engine is not able to write
19 the incoming responses to memory before additional incoming
20 responses overrun the internal FIFO.
21
22 When hardware detects an overrun, it will drop the responses which
23 overrun the buffer and set the RIRBOIS status bit to indicate the
24 error condition. Optionally, if the RIRBOIC is set, the hardware
25 will also generate an error to alert software to the problem.
26
27QEMU emulates the DMA engine with the stl_le_pci_dma() calls. This
28function returns a MemTxResult indicating whether the DMA access
29was successful.
30Handle any MemTxResult error as "DMA engine is not able to write the
31incoming responses to memory" and raise the Overrun Interrupt flag
32when this case occurs.
33
34CVE: CVE-2021-3611
35Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=be5a8cf347d0c47ee3e933dde075526fd8bd5c40]
36
37Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
38Message-Id: <20211218160912.1591633-2-philmd@redhat.com>
39Signed-off-by: Thomas Huth <thuth@redhat.com>
40Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
41---
42 hw/audio/intel-hda.c | 9 +++++++--
43 1 file changed, 7 insertions(+), 2 deletions(-)
44
45diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
46index 5f8a878..47a36ac 100644
47--- a/hw/audio/intel-hda.c
48+++ b/hw/audio/intel-hda.c
49@@ -350,6 +350,7 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res
50 IntelHDAState *d = container_of(bus, IntelHDAState, codecs);
51 hwaddr addr;
52 uint32_t wp, ex;
53+ MemTxResult res = MEMTX_OK;
54
55 if (d->ics & ICH6_IRS_BUSY) {
56 dprint(d, 2, "%s: [irr] response 0x%x, cad 0x%x\n",
57@@ -368,8 +369,12 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res
58 ex = (solicited ? 0 : (1 << 4)) | dev->cad;
59 wp = (d->rirb_wp + 1) & 0xff;
60 addr = intel_hda_addr(d->rirb_lbase, d->rirb_ubase);
61- stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs);
62- stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs);
63+ res |= stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs);
64+ res |= stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs);
65+ if (res != MEMTX_OK && (d->rirb_ctl & ICH6_RBCTL_OVERRUN_EN)) {
66+ d->rirb_sts |= ICH6_RBSTS_OVERRUN;
67+ intel_hda_update_irq(d);
68+ }
69 d->rirb_wp = wp;
70
71 dprint(d, 2, "%s: [wp 0x%x] response 0x%x, extra 0x%x\n",
72--
731.8.3.1
74
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch
new file mode 100644
index 0000000000..b79fadf3f6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch
@@ -0,0 +1,43 @@
1From 79fa99831debc9782087e834382c577215f2f511 Mon Sep 17 00:00:00 2001
2From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
3Date: Sat, 18 Dec 2021 17:09:11 +0100
4Subject: [PATCH] hw/audio/intel-hda: Restrict DMA engine to memories (not MMIO
5 devices)
6MIME-Version: 1.0
7Content-Type: text/plain; charset=utf8
8Content-Transfer-Encoding: 8bit
9
10Issue #542 reports a reentrancy problem when the DMA engine accesses
11the HDA controller I/O registers. Fix by restricting the DMA engine
12to memories regions (forbidding MMIO devices such the HDA controller).
13
14Reported-by: OSS-Fuzz (Issue 28435)
15Reported-by: Alexander Bulekov <alxndr@bu.edu>
16Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
17Reviewed-by: Thomas Huth <thuth@redhat.com>
18Resolves: https://gitlab.com/qemu-project/qemu/-/issues/542
19CVE: CVE-2021-3611
20Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=79fa99831debc9782087e834382c577215f2f511]
21
22Message-Id: <20211218160912.1591633-3-philmd@redhat.com>
23Signed-off-by: Thomas Huth <thuth@redhat.com>
24Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
25---
26 hw/audio/intel-hda.c | 2 +-
27 1 file changed, 1 insertion(+), 1 deletion(-)
28
29diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
30index 47a36ac..78a47bc 100644
31--- a/hw/audio/intel-hda.c
32+++ b/hw/audio/intel-hda.c
33@@ -345,7 +345,7 @@ static void intel_hda_corb_run(IntelHDAState *d)
34
35 static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t response)
36 {
37- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;
38+ const MemTxAttrs attrs = { .memory = true };
39 HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus);
40 IntelHDAState *d = container_of(bus, IntelHDAState, codecs);
41 hwaddr addr;
42--
431.8.3.1
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-04-21 15:59:45 +0000