From 85fc35afa93c7320d1641d344d0c5dfbe341d087 Mon Sep 17 00:00:00 2001
From: Yuval Shaia
Date: Wed, 1 Mar 2023 16:29:26 +0200
Subject: [PATCH 1/7] hw/pvrdma: Protect against buggy or malicious guest driver Guest driver allocates and initialize page tables to be used as a ring of descriptors for CQ and async events. The page table that represents the ring, along with the number of pages in the page table is passed to the device. Currently our device supports only one page table for a ring. Let's make sure that the number of page table entries the driver reports, do not exceeds the one page table size.
Reported-by: Soul Chen
Signed-off-by: Yuval Shaia
Fixes: CVE-2023-1544
Message-ID: <20230301142926.18686-1-yuval.shaia.ml@gmail.com>
Signed-off-by: Thomas Huth
---
 hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 4fc6712025..55b338046e 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
 dma_addr_t dir_addr, uint32_t num_pages)
 {
 uint64_t *dir, *tbl;
- int rc = 0;
+ int max_pages, rc = 0;
 if (!num_pages) {
 rdma_error_report("Ring pages count must be strictly positive");
 return -EINVAL;
 }
+ /*
+ * Make sure we can satisfy the requested number of pages in a single
+ * TARGET_PAGE_SIZE sized page table (taking into account that first entry
+ * is reserved for ring-state)
+ */
+ max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1;
+ if (num_pages > max_pages) {
+ rdma_error_report("Maximum pages on a single directory must not exceed %d\n",
+ max_pages);
+ return -EINVAL;
+ }
+
 dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
 if (!dir) {
 rdma_error_report("Failed to map to page directory (ring %s)", name);
 rc = -ENOMEM;
 goto out;
 }
+
+ /* We support only one page table for a ring */
 tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE);
 if (!tbl) {
 rdma_error_report("Failed to map to page table (ring %s)", name);
From e9a54265f533f4df957ee9ced3304df8c3ef2bea Mon Sep 17 00:00:00 2001
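Review bot: In init_dev_ring the new limit is declared as `int max_pages` but is compared against the guest-supplied `uint32_t num_pages`, so `num_pages > max_pages` is only correct through an implicit signed-to-unsigned conversion of a value computed from `sizeof`. Declaring it on its own line as `uint32_t max_pages;` and printing it with `%u` keeps the bound on guest input unsigned from end to end. The added `rdma_error_report()` format also ends in `\n`, which the other calls in this hunk do not, and it names neither the ring nor the rejected count; `rdma_error_report("Ring %s: %u pages exceed the single page table limit of %u", name, num_pages, max_pages);` would make a misbehaving guest easier to identify in the logs. The body of init_dev_ring continues past the end of the hunk, so how `tbl` is indexed afterwards cannot be checked from here.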
From: Thomas Huth
Date: Wed, 27 Sep 2023 15:30:19 +0200
Subject: [PATCH 2/7] hw/rdma: Deprecate the pvrdma device and the rdma subsystem
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This subsystem is said to be in a bad shape (see e.g. [1], [2] and [3]), and nobody seems to feel responsible to pick up patches for this and send them via a pull request. For example there is a patch for a CVE-worthy bug posted more than half a year ago [4] which has never been merged. Thus let's mark it as deprecated and finally remove it unless somebody steps up and improves the code quality and adds proper regression tests. [1] https://lore.kernel.org/qemu-devel/20230918144206.560120-1-armbru@redhat.com/ [2] https://lore.kernel.org/qemu-devel/ZQnojJOqoFu73995@redhat.com/ [3] https://lore.kernel.org/qemu-devel/1054981c-e8ae-c676-3b04-eeb030e11f65@tls.msk.ru/ [4] https://lore.kernel.org/qemu-devel/20230301142926.18686-1-yuval.shaia.ml@gmail.com/
Message-ID: <20230927133019.228495-1-thuth@redhat.com>
Acked-by: Juan Quintela
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Thomas Huth
---
 MAINTAINERS | 2 +-
 docs/about/deprecated.rst | 8 ++++++++
 hw/rdma/vmw/pvrdma_main.c | 2 ++
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/MAINTAINERS b/MAINTAINERS
index c3cc12dc29..1c9b49c00f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -3843,7 +3843,7 @@ F: docs/block-replication.txt
 PVRDMA
 M: Yuval Shaia
 M: Marcel Apfelbaum
-S: Maintained
+S: Odd Fixes
 F: hw/rdma/*
 F: hw/rdma/vmw/*
 F: docs/pvrdma.txt
diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
index 8b136320e2..ffd0a8c896 100644
--- a/docs/about/deprecated.rst
+++ b/docs/about/deprecated.rst
@@ -327,6 +327,14 @@ QEMU's ``vhost`` feature, which would eliminate the high latency costs under which the 9p ``proxy`` backend currently suffers. However as of to date nobody has indicated plans for such kind of reimplementation unfortunately.
+``-device pvrdma`` and the rdma subsystem (since 8.2)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The pvrdma device and the whole rdma subsystem are in a bad shape and
+without active maintenance. The QEMU project intends to remove this
+device and subsystem from the code base in a future release without
+replacement unless somebody steps up and improves the situation.
+
 Block device options
 ''''''''''''''''''''
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 55b338046e..e735ff97eb 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -615,6 +615,8 @@ static void pvrdma_realize(PCIDevice *pdev, Error **errp)
 bool ram_shared = false;
 PCIDevice *func0;
+ warn_report_once("pvrdma is deprecated and will be removed in a future release");
+
 rdma_info_report("Initializing device %s %x.%x", pdev->name, PCI_SLOT(pdev->devfn), PCI_FUNC(pdev->devfn));
From d0353b6e7b3f9ba6132f0fa9b3605e4d4275af0c Mon Sep 17 00:00:00 2001
From: Chris Rauer
Date: Fri, 29 Sep 2023 00:08:31 +0000
Subject: [PATCH 3/7] tests/qtest: Fix npcm7xx_timer-test.c flaky test npcm7xx_timer-test occasionally fails due to the state of the timers from the previous test iteration. Advancing the clock step after the reset resolves this issue.
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1897
Signed-off-by: Chris Rauer
Message-ID: <20230929000831.691559-1-crauer@google.com>
Signed-off-by: Thomas Huth
---
 tests/qtest/npcm7xx_timer-test.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/qtest/npcm7xx_timer-test.c b/tests/qtest/npcm7xx_timer-test.c
index 43711049ca..58f58c2f71 100644
--- a/tests/qtest/npcm7xx_timer-test.c
+++ b/tests/qtest/npcm7xx_timer-test.c
@@ -465,6 +465,7 @@ static void test_periodic_interrupt(gconstpointer test_data)
 int i;
 tim_reset(td);
+ clock_step_next();
 tim_write_ticr(td, count);
 tim_write_tcsr(td, CEN | IE | MODE_PERIODIC | PRESCALE(ps));
From f912f1bdb6b4237515e01a4ba646b2a7daefebed Mon Sep 17 00:00:00 2001
From: Klaus Jensen
Date: Wed, 23 Aug 2023 10:14:41 +0200
Subject: [PATCH 4/7] hw/misc/i2c-echo: add copyright/license note Add missing copyright and license notice. Also add a short description of the device.
Signed-off-by: Klaus Jensen
Message-ID: <20230823-i2c-echo-fixes-v1-1-ccc05a6028f0@samsung.com>
Signed-off-by: Thomas Huth
---
 hw/misc/i2c-echo.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/hw/misc/i2c-echo.c b/hw/misc/i2c-echo.c
index 5705ab5d73..5ae3d0817e 100644
--- a/hw/misc/i2c-echo.c
+++ b/hw/misc/i2c-echo.c
@@ -1,3 +1,13 @@
+/*
+ * Example I2C device using asynchronous I2C send.
+ *
+ * Copyright (C) 2023 Samsung Electronics Co., Ltd. All Rights Reserved.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2. See
+ * the COPYING file in the top-level directory.
+ *
+ */
+
 #include "qemu/osdep.h"
 #include "qemu/timer.h"
 #include "qemu/main-loop.h"
From a8500f804313ec7be233b329195cc8476e4190eb Mon Sep 17 00:00:00 2001
From: Klaus Jensen
Date: Wed, 23 Aug 2023 10:14:42 +0200
Subject: [PATCH 5/7] hw/misc/Kconfig: add switch for i2c-echo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Associate i2c-echo with TEST_DEVICES and add a dependency on I2C.
Signed-off-by: Klaus Jensen
Reviewed-by: Philippe Mathieu-Daudé
Reviewed-by: Thomas Huth
Message-ID: <20230823-i2c-echo-fixes-v1-2-ccc05a6028f0@samsung.com>
Signed-off-by: Thomas Huth
---
 hw/misc/Kconfig | 5 +++++
 hw/misc/meson.build | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/hw/misc/Kconfig b/hw/misc/Kconfig
index 858277bb60..dba41afe67 100644
--- a/hw/misc/Kconfig
+++ b/hw/misc/Kconfig
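Review bot: The added `clock_step_next();` after `tim_reset(td);` in test_periodic_interrupt (tests/qtest/npcm7xx_timer-test.c) carries no comment, so the reason for the extra step lives only in the commit message. A line such as `/* Advance the clock after reset so timer state left from the previous test iteration does not leak into this one. */` above the call would keep it from being dropped as redundant later. Other tests in the file that call `tim_reset()` are not visible in this hunk, so it may be worth checking whether they need the same step. The function body continues outside the hunk.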
@@ -34,6 +34,11 @@ config PCA9552
 bool
 depends on I2C
+config I2C_ECHO
+ bool
+ default y if TEST_DEVICES
+ depends on I2C
+
 config PL310
 bool
diff --git a/hw/misc/meson.build b/hw/misc/meson.build
index 33659313b4..f60de33f9a 100644
--- a/hw/misc/meson.build
+++ b/hw/misc/meson.build
@@ -138,7 +138,7 @@ system_ss.add(when: 'CONFIG_NRF51_SOC', if_true: files('nrf51_rng.c'))
 system_ss.add(when: 'CONFIG_GRLIB', if_true: files('grlib_ahb_apb_pnp.c'))
-system_ss.add(when: 'CONFIG_I2C', if_true: files('i2c-echo.c'))
+system_ss.add(when: 'CONFIG_I2C_ECHO', if_true: files('i2c-echo.c'))
 specific_ss.add(when: 'CONFIG_AVR_POWER', if_true: files('avr_power.c'))
From abf8c47f44f7a9b6c66214e9a0c59336e8728074 Mon Sep 17 00:00:00 2001
From: Thomas Huth
Date: Thu, 12 Oct 2023 13:14:01 +0200
Subject: [PATCH 6/7] MAINTAINERS: Add include/sysemu/qtest.h to the qtest section
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We already list system/qtest.c in the qtest section, so the corresponding header file should be listed here, too.
Message-ID: <20231012111401.871711-1-thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Thomas Huth
---
 MAINTAINERS | 1 +
 1 file changed, 1 insertion(+)
diff --git a/MAINTAINERS b/MAINTAINERS
index 1c9b49c00f..3f449bfe58 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -3128,6 +3128,7 @@ M: Laurent Vivier
 R: Paolo Bonzini
 S: Maintained
 F: system/qtest.c
+F: include/sysemu/qtest.h
 F: accel/qtest/
 F: tests/qtest/
 F: docs/devel/qgraph.rst
From f51f90c65ed7706c3c4f7a889ce3d6b7ab75ef6a Mon Sep 17 00:00:00 2001
From: Thomas Huth
Date: Wed, 11 Oct 2023 08:20:31 +0200
Subject: [PATCH 7/7] gitlab-ci: Disable the riscv64-debian-cross-container by default This job is failing since weeks. Let's mark it as manual until it gets fixed.
Message-Id: <82aa015a-ca94-49ce-beec-679cc175b726@redhat.com>
Acked-by: Michael Tokarev
Signed-off-by: Thomas Huth
---
 .gitlab-ci.d/container-cross.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitlab-ci.d/container-cross.yml b/.gitlab-ci.d/container-cross.yml
index e0d75d5824..2848166ba3 100644
--- a/.gitlab-ci.d/container-cross.yml
+++ b/.gitlab-ci.d/container-cross.yml
@@ -95,6 +95,7 @@ riscv64-debian-cross-container:
 allow_failure: true
 variables:
 NAME: debian-riscv64-cross
+ QEMU_JOB_OPTIONAL: 1
 # we can however build TCG tests using a non-sid base
 riscv64-debian-test-cross-container: