From d4dfb4ffd4008d0d7d3bc9b1dca3e5c5afcc4336 Mon Sep 17 00:00:00 2001
From: Troy Lee
Date: Mon, 17 Mar 2025 14:59:37 +0800
Subject: [PATCH 1/3] aspeed: Fix maximum number of spi controller
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Commit 6de4aa8dc544 ("hw/arm/aspeed_ast27x0: Add SoC Support for AST2700 A1") extends ast2700a1 spis_num to 3, but ASPEED_SPIS_NUM defines the maximum number of spi controller to 2, result in ehci[0] is being overwritten in runtime.

Signed-off-by: Troy Lee
Fixes: 6de4aa8dc544 ("hw/arm/aspeed_ast27x0: Add SoC Support for AST2700 A1")
Reviewed-by: Cédric Le Goater
Link: https://lore.kernel.org/qemu-devel/20250317065938.1902272-1-troy_lee@aspeedtech.com
Signed-off-by: Cédric Le Goater
---
 include/hw/arm/aspeed_soc.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
index f899356ed9..f069d17d16 100644
--- a/include/hw/arm/aspeed_soc.h
+++ b/include/hw/arm/aspeed_soc.h
@@ -42,7 +42,7 @@
 #include "hw/char/serial-mm.h"
 #include "hw/intc/arm_gicv3.h"
-#define ASPEED_SPIS_NUM 2
+#define ASPEED_SPIS_NUM 3
 #define ASPEED_EHCIS_NUM 2
 #define ASPEED_WDTS_NUM 8
 #define ASPEED_CPUS_NUM 4

From 7b8cbe5162e69ad629c5326bf3c158b81857955d Mon Sep 17 00:00:00 2001
From: Steven Lee
Date: Thu, 20 Mar 2025 17:25:43 +0800
Subject: [PATCH 2/3] hw/intc/aspeed: Fix IRQ handler mask check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updated the IRQ handler mask check to AND with select variable. This ensures that the interrupt service routine is correctly triggered for the interrupts within the same irq group. For example, both `eth0` and the debug UART are handled in `GICINT132`. Without this fix, the debug console may hang if the `eth0` ISR is not handled.
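Review bot: Raising `ASPEED_SPIS_NUM` to 3 fixes the AST2700 A1 overrun the commit message describes, but nothing ties the per-SoC `spis_num` to this array bound, so the next SoC that grows it will silently clobber whatever follows `spi[]` again (the message says `ehci[0]` was overwritten, which suggests the arrays are laid out back to back). Wherever the SoC code iterates `sc->spis_num` — outside this hunk, presumably in the ast27x0 init — I would add `g_assert(sc->spis_num <= ASPEED_SPIS_NUM);` (and the same for `ehcis_num` against `ASPEED_EHCIS_NUM`) so a mismatch fails at startup rather than as memory corruption. A comment on the define, `/* Upper bound for AspeedSoCClass::spis_num; bump together with the largest SoC. */`, would make the coupling visible to the next person who adds a controller.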
Signed-off-by: Steven Lee
Change-Id: Ic3609eb72218dfd68be6057d78b8953b18828709
Reviewed-by: Cédric Le Goater
Fixes: d831c5fd8682 ("aspeed/intc: Add AST2700 support")
Link: https://lore.kernel.org/qemu-devel/20250320092543.4040672-2-steven_lee@aspeedtech.com
Signed-off-by: Cédric Le Goater
---
 hw/intc/aspeed_intc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/intc/aspeed_intc.c b/hw/intc/aspeed_intc.c
index 3fd417084f..f17bf43925 100644
--- a/hw/intc/aspeed_intc.c
+++ b/hw/intc/aspeed_intc.c
@@ -111,7 +111,7 @@ static void aspeed_intc_set_irq_handler(AspeedINTCState *s,
     outpin_idx = intc_irq->outpin_idx;
     inpin_idx = intc_irq->inpin_idx;
-    if (s->mask[inpin_idx] || s->regs[status_reg]) {
+    if ((s->mask[inpin_idx] & select) || (s->regs[status_reg] & select)) {
         /*
          * a. mask is not 0 means in ISR mode
          * sources interrupt routine are executing.

From 78877b2e06464f49f777e086845e094ea7bc82ef Mon Sep 17 00:00:00 2001
From: Jamin Lin
Date: Fri, 21 Mar 2025 17:25:58 +0800
Subject: [PATCH 3/3] hw/misc/aspeed_hace: Fix buffer overflow in has_padding function
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The maximum padding size is either 64 or 128 bytes and should always be smaller than "req_len". If "padding_size" exceeds "req_len", then "req_len - padding_size" underflows due to "uint32_t" data type, leading to a large incorrect value (e.g., `0xFFXXXXXX`). This causes an out-of-bounds memory access, potentially leading to a buffer overflow.

Added a check to ensure "padding_size" does not exceed "req_len" before computing "pad_offset". This prevents "req_len - padding_size" from underflowing and avoids accessing invalid memory.

Signed-off-by: Jamin Lin
Reviewed-by: Cédric Le Goater
Fixes: 5cd7d8564a8b563da724b9e6264c967f0a091afa ("aspeed/hace: Support AST2600 HACE ")
Link: https://lore.kernel.org/qemu-devel/20250321092623.2097234-3-jamin_lin@aspeedtech.com
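Review bot: The comment directly under the new condition still reads `a. mask is not 0 means in ISR mode`, which described the old whole-register test; now that only the bits in `select` are examined it should say so, e.g. `a. a mask bit of this source is set: its ISR is still running` (the wording for the status-register half likely needs the same update, but it sits outside the hunk). It is also not visible here what `select` is — if it is a bitmask of the sources that share this `inpin_idx`, a one-line note saying so at its definition would spare the next reader the trip through the caller. `aspeed_intc_set_irq_handler` continues past the end of the hunk.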
Signed-off-by: Cédric Le Goater
---
 hw/misc/aspeed_hace.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/misc/aspeed_hace.c b/hw/misc/aspeed_hace.c
index 32a5dbded3..d75da33353 100644
--- a/hw/misc/aspeed_hace.c
+++ b/hw/misc/aspeed_hace.c
@@ -128,6 +128,11 @@ static bool has_padding(AspeedHACEState *s, struct iovec *iov,
     if (*total_msg_len <= s->total_req_len) {
         uint32_t padding_size = s->total_req_len - *total_msg_len;
         uint8_t *padding = iov->iov_base;
+
+        if (padding_size > req_len) {
+            return false;
+        }
+
         *pad_offset = req_len - padding_size;
         if (padding[*pad_offset] == 0x80) {
             return true;
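Review bot: The new guard only rejects `padding_size > req_len`; `padding_size == 0` (the `*total_msg_len == s->total_req_len` case, which the enclosing `<=` test admits) still passes, sets `*pad_offset = req_len`, and then `padding[*pad_offset]` reads one byte past the `req_len` bytes of `iov->iov_base` — assuming `req_len` is the length of that buffer, which the hunk does not show. Zero padding bytes cannot hold the 0x80 marker anyway, so the boundary can be folded into the same check: `if (padding_size == 0 || padding_size > req_len) { return false; }`. A short comment on the guard, `/* padding never spans more than this request; without this, req_len - padding_size wraps and indexes far out of bounds */`, would record why it exists. `has_padding` begins before and continues after the hunk.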