diff -Nru qemu-6.2+dfsg/debian/changelog qemu-6.2+dfsg/debian/changelog --- qemu-6.2+dfsg/debian/changelog 2023-09-15 18:39:05.000000000 +0000 +++ qemu-6.2+dfsg/debian/changelog 2023-11-30 14:53:27.000000000 +0000 @@ -1,3 +1,45 @@ +qemu (1:6.2+dfsg-2ubuntu6.16) jammy-security; urgency=medium + + * SECURITY UPDATE: infinite loop in USB xHCI controller + - debian/patches/CVE-2020-14394.patch: fix unbounded loop in + hw/usb/hcd-xhci.c. + - CVE-2020-14394 + * SECURITY UPDATE: OOB read in RDMA device + - debian/patches/CVE-2023-1544.patch: protect against buggy or + malicious guest driver in hw/rdma/vmw/pvrdma_main.c. + - CVE-2023-1544 + * SECURITY UPDATE: 9pfs special file access + - debian/patches/CVE-2023-2861.patch: prevent opening special files in + fsdev/virtfs-proxy-helper.c, hw/9pfs/9p-util.h. + - CVE-2023-2861 + * SECURITY UPDATE: heap overflow in crypto device + - debian/patches/CVE-2023-3180.patch: verify src&dst buffer length for + sym request in hw/virtio/virtio-crypto.c. + - CVE-2023-3180 + * SECURITY UPDATE: infinite loop in VNC server + - debian/patches/CVE-2023-3255.patch: fix infinite loop in + inflate_buffer in ui/vnc-clipboard.c. + - CVE-2023-3255 + * SECURITY UPDATE: race in virtio-net hot-unplug + - debian/patches/CVE-2023-3301.patch: do not cleanup the vdpa/vhost-net + structures if peer nic is present in net/vhost-vdpa.c. + - CVE-2023-3301 + * SECURITY UPDATE: DoS in VNC server + - debian/patches/CVE-2023-3354.patch: remove io watch if TLS channel is + closed during handshake in include/io/channel-tls.h, + io/channel-tls.c. + - CVE-2023-3354 + * SECURITY UPDATE: disk offset 0 access + - debian/patches/CVE-2023-5088.patch: cancel async DMA operation before + resetting state in hw/ide/core.c. + - CVE-2023-5088 + * SECURITY UPDATE: DoS in Intel HD Audio device + - debian/patches/CVE-2021-3611-*.patch: add MemTxAttrs argument to + DMA functions and use it in hw/audio/intel-hda.c. + - CVE-2021-3611 + + -- Marc Deslauriers Thu, 30 Nov 2023 09:53:27 -0500 + qemu (1:6.2+dfsg-2ubuntu6.15) jammy; urgency=medium * d/rules: remove --no-start for qemu-guest-agent (LP: #2028124) diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2020-14394.patch qemu-6.2+dfsg/debian/patches/CVE-2020-14394.patch --- qemu-6.2+dfsg/debian/patches/CVE-2020-14394.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2020-14394.patch 2023-11-30 14:48:46.000000000 +0000 @@ -0,0 +1,69 @@ +Backport of: + +From effaf5a240e03020f4ae953e10b764622c3e87cc Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Thu, 4 Aug 2022 15:13:00 +0200 +Subject: [PATCH] hw/usb/hcd-xhci: Fix unbounded loop in + xhci_ring_chain_length() (CVE-2020-14394) + +The loop condition in xhci_ring_chain_length() is under control of +the guest, and additionally the code does not check for failed DMA +transfers (e.g. if reaching the end of the RAM), so the loop there +could run for a very long time or even forever. Fix it by checking +the return value of dma_memory_read() and by introducing a maximum +loop length. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/646 +Message-Id: <20220804131300.96368-1-thuth@redhat.com> +Reviewed-by: Mauro Matteo Cascella +Acked-by: Gerd Hoffmann +Signed-off-by: Thomas Huth +--- + hw/usb/hcd-xhci.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -21,6 +21,7 @@ + + #include "qemu/osdep.h" + #include "qemu/timer.h" ++#include "qemu/log.h" + #include "qemu/module.h" + #include "qemu/queue.h" + #include "migration/vmstate.h" +@@ -724,9 +725,13 @@ static int xhci_ring_chain_length(XHCISt + bool control_td_set = 0; + uint32_t link_cnt = 0; + +- while (1) { ++ do { + TRBType type; +- dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE); ++ if (dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE) != MEMTX_OK) { ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n", ++ __func__); ++ return -1; ++ } + le64_to_cpus(&trb.parameter); + le32_to_cpus(&trb.status); + le32_to_cpus(&trb.control); +@@ -760,7 +765,17 @@ static int xhci_ring_chain_length(XHCISt + if (!control_td_set && !(trb.control & TRB_TR_CH)) { + return length; + } +- } ++ ++ /* ++ * According to the xHCI spec, Transfer Ring segments should have ++ * a maximum size of 64 kB (see chapter "6 Data Structures") ++ */ ++ } while (length < TRB_LINK_LIMIT * 65536 / TRB_SIZE); ++ ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: exceeded maximum tranfer ring size!\n", ++ __func__); ++ ++ return -1; + } + + static void xhci_er_reset(XHCIState *xhci, int v) diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-01.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-01.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-01.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-01.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,79 @@ +From 41d5e8da3d5e0a143a9fb397c9f34707ec544997 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 22:43:05 +0100 +Subject: [PATCH] hw/scsi/megasas: Use uint32_t for reply queue head/tail + values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +While the reply queue values fit in 16-bit, they are accessed +as 32-bit: + + 661: s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa); + 662: s->reply_queue_head %= MEGASAS_MAX_FRAMES; + 663: s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa); + 664: s->reply_queue_tail %= MEGASAS_MAX_FRAMES; + +Having: + + 41:#define MEGASAS_MAX_FRAMES 2048 /* Firmware limit at 65535 */ + +In order to update the ld/st*_pci_dma() API to pass the address +of the value to access, it is simpler to have the head/tail declared +as 32-bit values. Replace the uint16_t by uint32_t, wasting 4 bytes in +the MegasasState structure. + +Acked-by: Richard Henderson +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-20-philmd@redhat.com> +--- + hw/scsi/megasas.c | 4 ++-- + hw/scsi/trace-events | 8 ++++---- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 8f357841004..14ec6d68bbf 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -109,8 +109,8 @@ struct MegasasState { + uint64_t reply_queue_pa; + void *reply_queue; + uint16_t reply_queue_len; +- uint16_t reply_queue_head; +- uint16_t reply_queue_tail; ++ uint32_t reply_queue_head; ++ uint32_t reply_queue_tail; + uint64_t consumer_pa; + uint64_t producer_pa; + +diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events +index 92d5b40f892..ae8551f2797 100644 +--- a/hw/scsi/trace-events ++++ b/hw/scsi/trace-events +@@ -42,18 +42,18 @@ mptsas_config_sas_phy(void *dev, int address, int port, int phy_handle, int dev_ + + # megasas.c + megasas_init_firmware(uint64_t pa) "pa 0x%" PRIx64 " " +-megasas_init_queue(uint64_t queue_pa, int queue_len, uint64_t head, uint64_t tail, uint32_t flags) "queue at 0x%" PRIx64 " len %d head 0x%" PRIx64 " tail 0x%" PRIx64 " flags 0x%x" ++megasas_init_queue(uint64_t queue_pa, int queue_len, uint32_t head, uint32_t tail, uint32_t flags) "queue at 0x%" PRIx64 " len %d head 0x%" PRIx32 " tail 0x%" PRIx32 " flags 0x%x" + megasas_initq_map_failed(int frame) "scmd %d: failed to map queue" + megasas_initq_mapped(uint64_t pa) "queue already mapped at 0x%" PRIx64 + megasas_initq_mismatch(int queue_len, int fw_cmds) "queue size %d max fw cmds %d" + megasas_qf_mapped(unsigned int index) "skip mapped frame 0x%x" + megasas_qf_new(unsigned int index, uint64_t frame) "frame 0x%x addr 0x%" PRIx64 + megasas_qf_busy(unsigned long pa) "all frames busy for frame 0x%lx" +-megasas_qf_enqueue(unsigned int index, unsigned int count, uint64_t context, unsigned int head, unsigned int tail, int busy) "frame 0x%x count %d context 0x%" PRIx64 " head 0x%x tail 0x%x busy %d" +-megasas_qf_update(unsigned int head, unsigned int tail, unsigned int busy) "head 0x%x tail 0x%x busy %d" ++megasas_qf_enqueue(unsigned int index, unsigned int count, uint64_t context, uint32_t head, uint32_t tail, unsigned int busy) "frame 0x%x count %d context 0x%" PRIx64 " head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u" ++megasas_qf_update(uint32_t head, uint32_t tail, unsigned int busy) "head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u" + megasas_qf_map_failed(int cmd, unsigned long frame) "scmd %d: frame %lu" + megasas_qf_complete_noirq(uint64_t context) "context 0x%" PRIx64 " " +-megasas_qf_complete(uint64_t context, unsigned int head, unsigned int tail, int busy) "context 0x%" PRIx64 " head 0x%x tail 0x%x busy %d" ++megasas_qf_complete(uint64_t context, uint32_t head, uint32_t tail, int busy) "context 0x%" PRIx64 " head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u" + megasas_frame_busy(uint64_t addr) "frame 0x%" PRIx64 " busy" + megasas_unhandled_frame_cmd(int cmd, uint8_t frame_cmd) "scmd %d: MFI cmd 0x%x" + megasas_handle_scsi(const char *frame, int bus, int dev, int lun, void *sdev, unsigned long size) "%s dev %x/%x/%x sdev %p xfer %lu" +-- +GitLab + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-02.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-02.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-02.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-02.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,56 @@ +From 7ccb391ccd594b3f33de8deb293ff8d47bb4e219 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 3 Sep 2020 09:28:49 +0200 +Subject: [PATCH] dma: Let dma_memory_valid() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_valid(). + +Reviewed-by: Richard Henderson +Reviewed-by: Li Qiang +Reviewed-by: Edgar E. Iglesias +Signed-off-by: Philippe Mathieu-Daudé +Acked-by: Stefan Hajnoczi +Message-Id: <20211223115554.3155328-2-philmd@redhat.com> +--- + include/hw/ppc/spapr_vio.h | 2 +- + include/sysemu/dma.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index 4bea87f39cc..4c45f1579fa 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -91,7 +91,7 @@ static inline void spapr_vio_irq_pulse(SpaprVioDevice *dev) + static inline bool spapr_vio_dma_valid(SpaprVioDevice *dev, uint64_t taddr, + uint32_t size, DMADirection dir) + { +- return dma_memory_valid(&dev->as, taddr, size, dir); ++ return dma_memory_valid(&dev->as, taddr, size, dir, MEMTXATTRS_UNSPECIFIED); + } + + static inline int spapr_vio_dma_read(SpaprVioDevice *dev, uint64_t taddr, +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 3201e7901db..296f3b57c9c 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -73,11 +73,11 @@ static inline void dma_barrier(AddressSpace *as, DMADirection dir) + * dma_memory_{read,write}() and check for errors */ + static inline bool dma_memory_valid(AddressSpace *as, + dma_addr_t addr, dma_addr_t len, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + return address_space_access_valid(as, addr, len, + dir == DMA_DIRECTION_FROM_DEVICE, +- MEMTXATTRS_UNSPECIFIED); ++ attrs); + } + + static inline MemTxResult dma_memory_rw_relaxed(AddressSpace *as, +-- +GitLab + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-03.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-03.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-03.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-03.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,94 @@ +From 7a36e42d9114474278ce30ba36945cc62292eb60 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 3 Sep 2020 10:28:32 +0200 +Subject: [PATCH] dma: Let dma_memory_set() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_set(). + +Reviewed-by: Richard Henderson +Reviewed-by: Li Qiang +Reviewed-by: Edgar E. Iglesias +Signed-off-by: Philippe Mathieu-Daudé +Acked-by: Stefan Hajnoczi +Message-Id: <20211223115554.3155328-3-philmd@redhat.com> +--- + hw/nvram/fw_cfg.c | 3 ++- + include/hw/ppc/spapr_vio.h | 3 ++- + include/sysemu/dma.h | 3 ++- + softmmu/dma-helpers.c | 5 ++--- + 4 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c +index c06b30de112..f7803fe3c30 100644 +--- a/hw/nvram/fw_cfg.c ++++ b/hw/nvram/fw_cfg.c +@@ -399,7 +399,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + * tested before. + */ + if (read) { +- if (dma_memory_set(s->dma_as, dma.address, 0, len)) { ++ if (dma_memory_set(s->dma_as, dma.address, 0, len, ++ MEMTXATTRS_UNSPECIFIED)) { + dma.control |= FW_CFG_DMA_CTL_ERROR; + } + } +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index 4c45f1579fa..c90e74a67dd 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -111,7 +111,8 @@ static inline int spapr_vio_dma_write(SpaprVioDevice *dev, uint64_t taddr, + static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr, + uint8_t c, uint32_t size) + { +- return (dma_memory_set(&dev->as, taddr, c, size) != 0) ? ++ return (dma_memory_set(&dev->as, taddr, ++ c, size, MEMTXATTRS_UNSPECIFIED) != 0) ? + H_DEST_PARM : H_SUCCESS; + } + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 296f3b57c9c..d23516f020a 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -175,9 +175,10 @@ static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr, + * @addr: address within that address space + * @c: constant byte to fill the memory + * @len: the number of bytes to fill with the constant byte ++ * @attrs: memory transaction attributes + */ + MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr, +- uint8_t c, dma_addr_t len); ++ uint8_t c, dma_addr_t len, MemTxAttrs attrs); + + /** + * address_space_map: Map a physical memory region into a host virtual address. +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 7d766a5e89a..1f07217ad4a 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -19,7 +19,7 @@ + /* #define DEBUG_IOMMU */ + + MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr, +- uint8_t c, dma_addr_t len) ++ uint8_t c, dma_addr_t len, MemTxAttrs attrs) + { + dma_barrier(as, DMA_DIRECTION_FROM_DEVICE); + +@@ -31,8 +31,7 @@ MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr, + memset(fillbuf, c, FILLBUF_SIZE); + while (len > 0) { + l = len < FILLBUF_SIZE ? len : FILLBUF_SIZE; +- error |= address_space_write(as, addr, MEMTXATTRS_UNSPECIFIED, +- fillbuf, l); ++ error |= address_space_write(as, addr, attrs, fillbuf, l); + len -= l; + addr += l; + } +-- +GitLab + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-04.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-04.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-04.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-04.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,74 @@ +From 4afd0f2f220ec3dc8518b8de0d66cbf8d2fd1be7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 3 Sep 2020 09:30:10 +0200 +Subject: [PATCH] dma: Let dma_memory_rw_relaxed() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We will add the MemTxAttrs argument to dma_memory_rw() in +the next commit. Since dma_memory_rw_relaxed() is only used +by dma_memory_rw(), modify it first in a separate commit to +keep the next commit easier to review. + +Reviewed-by: Richard Henderson +Reviewed-by: Li Qiang +Reviewed-by: Edgar E. Iglesias +Signed-off-by: Philippe Mathieu-Daudé +Acked-by: Stefan Hajnoczi +Message-Id: <20211223115554.3155328-4-philmd@redhat.com> +--- + include/sysemu/dma.h | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index d23516f020a..3be803cf3ff 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -83,9 +83,10 @@ static inline bool dma_memory_valid(AddressSpace *as, + static inline MemTxResult dma_memory_rw_relaxed(AddressSpace *as, + dma_addr_t addr, + void *buf, dma_addr_t len, +- DMADirection dir) ++ DMADirection dir, ++ MemTxAttrs attrs) + { +- return address_space_rw(as, addr, MEMTXATTRS_UNSPECIFIED, ++ return address_space_rw(as, addr, attrs, + buf, len, dir == DMA_DIRECTION_FROM_DEVICE); + } + +@@ -93,7 +94,9 @@ static inline MemTxResult dma_memory_read_relaxed(AddressSpace *as, + dma_addr_t addr, + void *buf, dma_addr_t len) + { +- return dma_memory_rw_relaxed(as, addr, buf, len, DMA_DIRECTION_TO_DEVICE); ++ return dma_memory_rw_relaxed(as, addr, buf, len, ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + } + + static inline MemTxResult dma_memory_write_relaxed(AddressSpace *as, +@@ -102,7 +105,8 @@ static inline MemTxResult dma_memory_write_relaxed(AddressSpace *as, + dma_addr_t len) + { + return dma_memory_rw_relaxed(as, addr, (void *)buf, len, +- DMA_DIRECTION_FROM_DEVICE); ++ DMA_DIRECTION_FROM_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + } + + /** +@@ -124,7 +128,8 @@ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr, + { + dma_barrier(as, dir); + +- return dma_memory_rw_relaxed(as, addr, buf, len, dir); ++ return dma_memory_rw_relaxed(as, addr, buf, len, dir, ++ MEMTXATTRS_UNSPECIFIED); + } + + /** +-- +GitLab + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-05.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-05.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-05.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-05.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,154 @@ +From 23faf5694ff8054b847e9733297727be4a641132 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 3 Sep 2020 09:37:43 +0200 +Subject: [PATCH] dma: Let dma_memory_rw() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_rw(). + +Reviewed-by: Richard Henderson +Reviewed-by: Li Qiang +Reviewed-by: Edgar E. Iglesias +Signed-off-by: Philippe Mathieu-Daudé +Acked-by: Stefan Hajnoczi +Message-Id: <20211223115554.3155328-5-philmd@redhat.com> +--- + hw/intc/spapr_xive.c | 3 ++- + hw/usb/hcd-ohci.c | 10 ++++++---- + include/hw/pci/pci.h | 3 ++- + include/sysemu/dma.h | 11 ++++++----- + softmmu/dma-helpers.c | 3 ++- + 5 files changed, 18 insertions(+), 12 deletions(-) + +diff --git a/hw/intc/spapr_xive.c b/hw/intc/spapr_xive.c +index 4ec659b93e1..eae95c716f1 100644 +--- a/hw/intc/spapr_xive.c ++++ b/hw/intc/spapr_xive.c +@@ -1684,7 +1684,8 @@ static target_ulong h_int_esb(PowerPCCPU *cpu, + mmio_addr = xive->vc_base + xive_source_esb_mgmt(xsrc, lisn) + offset; + + if (dma_memory_rw(&address_space_memory, mmio_addr, &data, 8, +- (flags & SPAPR_XIVE_ESB_STORE))) { ++ (flags & SPAPR_XIVE_ESB_STORE), ++ MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to access ESB @0x%" + HWADDR_PRIx "\n", mmio_addr); + return H_HARDWARE; +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c +index 1cf2816772c..56e2315c734 100644 +--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -586,7 +586,8 @@ static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td, + if (n > len) + n = len; + +- if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) { ++ if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, ++ n, dir, MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + if (n == len) { +@@ -595,7 +596,7 @@ static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td, + ptr = td->be & ~0xfffu; + buf += n; + if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, +- len - n, dir)) { ++ len - n, dir, MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + return 0; +@@ -613,7 +614,8 @@ static int ohci_copy_iso_td(OHCIState *ohci, + if (n > len) + n = len; + +- if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) { ++ if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, ++ n, dir, MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + if (n == len) { +@@ -622,7 +624,7 @@ static int ohci_copy_iso_td(OHCIState *ohci, + ptr = end_addr & ~0xfffu; + buf += n; + if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, +- len - n, dir)) { ++ len - n, dir, MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + return 0; +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index e7cdf2d5ec5..4383f1c95e0 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -808,7 +808,8 @@ static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr, + void *buf, dma_addr_t len, + DMADirection dir) + { +- return dma_memory_rw(pci_get_address_space(dev), addr, buf, len, dir); ++ return dma_memory_rw(pci_get_address_space(dev), addr, buf, len, ++ dir, MEMTXATTRS_UNSPECIFIED); + } + + /** +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 3be803cf3ff..e8ad42226f6 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -121,15 +121,15 @@ static inline MemTxResult dma_memory_write_relaxed(AddressSpace *as, + * @buf: buffer with the data transferred + * @len: the number of bytes to read or write + * @dir: indicates the transfer direction ++ * @attrs: memory transaction attributes + */ + static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr, + void *buf, dma_addr_t len, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + dma_barrier(as, dir); + +- return dma_memory_rw_relaxed(as, addr, buf, len, dir, +- MEMTXATTRS_UNSPECIFIED); ++ return dma_memory_rw_relaxed(as, addr, buf, len, dir, attrs); + } + + /** +@@ -147,7 +147,8 @@ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr, + static inline MemTxResult dma_memory_read(AddressSpace *as, dma_addr_t addr, + void *buf, dma_addr_t len) + { +- return dma_memory_rw(as, addr, buf, len, DMA_DIRECTION_TO_DEVICE); ++ return dma_memory_rw(as, addr, buf, len, ++ DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + + /** +@@ -166,7 +167,7 @@ static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr, + const void *buf, dma_addr_t len) + { + return dma_memory_rw(as, addr, (void *)buf, len, +- DMA_DIRECTION_FROM_DEVICE); ++ DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + + /** +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 1f07217ad4a..5bf76fff6bd 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -305,7 +305,8 @@ static uint64_t dma_buf_rw(uint8_t *ptr, int32_t len, QEMUSGList *sg, + while (len > 0) { + ScatterGatherEntry entry = sg->sg[sg_cur_index++]; + int32_t xfer = MIN(len, entry.len); +- dma_memory_rw(sg->as, entry.base, ptr, xfer, dir); ++ dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, ++ MEMTXATTRS_UNSPECIFIED); + ptr += xfer; + len -= xfer; + resid -= xfer; +-- +GitLab + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-06.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-06.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-06.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-06.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,1387 @@ +Backport of: + +From ba06fe8add5b788956a7317246c6280dfc157040 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 3 Sep 2020 10:08:29 +0200 +Subject: [PATCH] dma: Let dma_memory_read/write() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_read() or dma_memory_write(). + +Patch created mechanically using spatch with this script: + + @@ + expression E1, E2, E3, E4; + @@ + ( + - dma_memory_read(E1, E2, E3, E4) + + dma_memory_read(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED) + | + - dma_memory_write(E1, E2, E3, E4) + + dma_memory_write(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED) + ) + +Reviewed-by: Richard Henderson +Reviewed-by: Li Qiang +Reviewed-by: Edgar E. Iglesias +Signed-off-by: Philippe Mathieu-Daudé +Acked-by: Stefan Hajnoczi +Message-Id: <20211223115554.3155328-6-philmd@redhat.com> +--- + hw/arm/musicpal.c | 13 +++++++------ + hw/arm/smmu-common.c | 3 ++- + hw/arm/smmuv3.c | 14 +++++++++----- + hw/core/generic-loader.c | 3 ++- + hw/dma/pl330.c | 12 ++++++++---- + hw/dma/sparc32_dma.c | 16 ++++++++++------ + hw/dma/xlnx-zynq-devcfg.c | 6 ++++-- + hw/dma/xlnx_dpdma.c | 10 ++++++---- + hw/i386/amd_iommu.c | 16 +++++++++------- + hw/i386/intel_iommu.c | 28 +++++++++++++++++----------- + hw/ide/macio.c | 2 +- + hw/intc/xive.c | 7 ++++--- + hw/misc/bcm2835_property.c | 3 ++- + hw/misc/macio/mac_dbdma.c | 10 ++++++---- + hw/net/allwinner-sun8i-emac.c | 18 ++++++++++++------ + hw/net/ftgmac100.c | 25 ++++++++++++++++--------- + hw/net/imx_fec.c | 32 ++++++++++++++++++++------------ + hw/net/npcm7xx_emc.c | 20 ++++++++++++-------- + hw/nvram/fw_cfg.c | 9 ++++++--- + hw/pci-host/pnv_phb3.c | 5 +++-- + hw/pci-host/pnv_phb3_msi.c | 9 ++++++--- + hw/pci-host/pnv_phb4.c | 5 +++-- + hw/sd/allwinner-sdhost.c | 14 ++++++++------ + hw/sd/sdhci.c | 35 ++++++++++++++++++++++------------- + hw/usb/hcd-dwc2.c | 8 ++++---- + hw/usb/hcd-ehci.c | 6 ++++-- + hw/usb/hcd-ohci.c | 18 +++++++++++------- + hw/usb/hcd-xhci.c | 18 +++++++++++------- + include/hw/ppc/spapr_vio.h | 6 ++++-- + include/sysemu/dma.h | 20 ++++++++++++-------- + 30 files changed, 241 insertions(+), 150 deletions(-) + +--- a/hw/arm/musicpal.c ++++ b/hw/arm/musicpal.c +@@ -185,13 +185,13 @@ static void eth_rx_desc_put(AddressSpace + cpu_to_le16s(&desc->buffer_size); + cpu_to_le32s(&desc->buffer); + cpu_to_le32s(&desc->next); +- dma_memory_write(dma_as, addr, desc, sizeof(*desc)); ++ dma_memory_write(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED); + } + + static void eth_rx_desc_get(AddressSpace *dma_as, uint32_t addr, + mv88w8618_rx_desc *desc) + { +- dma_memory_read(dma_as, addr, desc, sizeof(*desc)); ++ dma_memory_read(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED); + le32_to_cpus(&desc->cmdstat); + le16_to_cpus(&desc->bytes); + le16_to_cpus(&desc->buffer_size); +@@ -215,7 +215,7 @@ static ssize_t eth_receive(NetClientStat + eth_rx_desc_get(&s->dma_as, desc_addr, &desc); + if ((desc.cmdstat & MP_ETH_RX_OWN) && desc.buffer_size >= size) { + dma_memory_write(&s->dma_as, desc.buffer + s->vlan_header, +- buf, size); ++ buf, size, MEMTXATTRS_UNSPECIFIED); + desc.bytes = size + s->vlan_header; + desc.cmdstat &= ~MP_ETH_RX_OWN; + s->cur_rx[i] = desc.next; +@@ -241,13 +241,13 @@ static void eth_tx_desc_put(AddressSpace + cpu_to_le16s(&desc->bytes); + cpu_to_le32s(&desc->buffer); + cpu_to_le32s(&desc->next); +- dma_memory_write(dma_as, addr, desc, sizeof(*desc)); ++ dma_memory_write(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED); + } + + static void eth_tx_desc_get(AddressSpace *dma_as, uint32_t addr, + mv88w8618_tx_desc *desc) + { +- dma_memory_read(dma_as, addr, desc, sizeof(*desc)); ++ dma_memory_read(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED); + le32_to_cpus(&desc->cmdstat); + le16_to_cpus(&desc->res); + le16_to_cpus(&desc->bytes); +@@ -269,7 +269,8 @@ static void eth_send(mv88w8618_eth_state + if (desc.cmdstat & MP_ETH_TX_OWN) { + len = desc.bytes; + if (len < 2048) { +- dma_memory_read(&s->dma_as, desc.buffer, buf, len); ++ dma_memory_read(&s->dma_as, desc.buffer, buf, len, ++ MEMTXATTRS_UNSPECIFIED); + qemu_send_packet(qemu_get_queue(s->nic), buf, len); + } + desc.cmdstat &= ~MP_ETH_TX_OWN; +--- a/hw/arm/smmu-common.c ++++ b/hw/arm/smmu-common.c +@@ -193,7 +193,8 @@ static int get_pte(dma_addr_t baseaddr, + dma_addr_t addr = baseaddr + index * sizeof(*pte); + + /* TODO: guarantee 64-bit single-copy atomicity */ +- ret = dma_memory_read(&address_space_memory, addr, pte, sizeof(*pte)); ++ ret = dma_memory_read(&address_space_memory, addr, pte, sizeof(*pte), ++ MEMTXATTRS_UNSPECIFIED); + + if (ret != MEMTX_OK) { + info->type = SMMU_PTW_ERR_WALK_EABT; +--- a/hw/arm/smmuv3.c ++++ b/hw/arm/smmuv3.c +@@ -102,7 +102,8 @@ static inline MemTxResult queue_read(SMM + { + dma_addr_t addr = Q_CONS_ENTRY(q); + +- return dma_memory_read(&address_space_memory, addr, data, q->entry_size); ++ return dma_memory_read(&address_space_memory, addr, data, q->entry_size, ++ MEMTXATTRS_UNSPECIFIED); + } + + static MemTxResult queue_write(SMMUQueue *q, void *data) +@@ -110,7 +111,8 @@ static MemTxResult queue_write(SMMUQueue + dma_addr_t addr = Q_PROD_ENTRY(q); + MemTxResult ret; + +- ret = dma_memory_write(&address_space_memory, addr, data, q->entry_size); ++ ret = dma_memory_write(&address_space_memory, addr, data, q->entry_size, ++ MEMTXATTRS_UNSPECIFIED); + if (ret != MEMTX_OK) { + return ret; + } +@@ -285,7 +287,8 @@ static int smmu_get_ste(SMMUv3State *s, + + trace_smmuv3_get_ste(addr); + /* TODO: guarantee 64-bit single-copy atomicity */ +- ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf)); ++ ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf), ++ MEMTXATTRS_UNSPECIFIED); + if (ret != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "Cannot fetch pte at address=0x%"PRIx64"\n", addr); +@@ -306,7 +309,8 @@ static int smmu_get_cd(SMMUv3State *s, S + + trace_smmuv3_get_cd(addr); + /* TODO: guarantee 64-bit single-copy atomicity */ +- ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf)); ++ ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf), ++ MEMTXATTRS_UNSPECIFIED); + if (ret != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "Cannot fetch pte at address=0x%"PRIx64"\n", addr); +@@ -411,7 +415,7 @@ static int smmu_find_ste(SMMUv3State *s, + l1ptr = (dma_addr_t)(strtab_base + l1_ste_offset * sizeof(l1std)); + /* TODO: guarantee 64-bit single-copy atomicity */ + ret = dma_memory_read(&address_space_memory, l1ptr, &l1std, +- sizeof(l1std)); ++ sizeof(l1std), MEMTXATTRS_UNSPECIFIED); + if (ret != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "Could not read L1PTR at 0X%"PRIx64"\n", l1ptr); +--- a/hw/core/generic-loader.c ++++ b/hw/core/generic-loader.c +@@ -57,7 +57,8 @@ static void generic_loader_reset(void *o + + if (s->data_len) { + assert(s->data_len < sizeof(s->data)); +- dma_memory_write(s->cpu->as, s->addr, &s->data, s->data_len); ++ dma_memory_write(s->cpu->as, s->addr, &s->data, s->data_len, ++ MEMTXATTRS_UNSPECIFIED); + } + } + +--- a/hw/dma/pl330.c ++++ b/hw/dma/pl330.c +@@ -1111,7 +1111,8 @@ static inline const PL330InsnDesc *pl330 + uint8_t opcode; + int i; + +- dma_memory_read(ch->parent->mem_as, ch->pc, &opcode, 1); ++ dma_memory_read(ch->parent->mem_as, ch->pc, &opcode, 1, ++ MEMTXATTRS_UNSPECIFIED); + for (i = 0; insn_desc[i].size; i++) { + if ((opcode & insn_desc[i].opmask) == insn_desc[i].opcode) { + return &insn_desc[i]; +@@ -1125,7 +1126,8 @@ static inline void pl330_exec_insn(PL330 + uint8_t buf[PL330_INSN_MAXSIZE]; + + assert(insn->size <= PL330_INSN_MAXSIZE); +- dma_memory_read(ch->parent->mem_as, ch->pc, buf, insn->size); ++ dma_memory_read(ch->parent->mem_as, ch->pc, buf, insn->size, ++ MEMTXATTRS_UNSPECIFIED); + insn->exec(ch, buf[0], &buf[1], insn->size - 1); + } + +@@ -1189,7 +1191,8 @@ static int pl330_exec_cycle(PL330Chan *c + if (q != NULL && q->len <= pl330_fifo_num_free(&s->fifo)) { + int len = q->len - (q->addr & (q->len - 1)); + +- dma_memory_read(s->mem_as, q->addr, buf, len); ++ dma_memory_read(s->mem_as, q->addr, buf, len, ++ MEMTXATTRS_UNSPECIFIED); + trace_pl330_exec_cycle(q->addr, len); + if (trace_event_get_state_backends(TRACE_PL330_HEXDUMP)) { + pl330_hexdump(buf, len); +@@ -1220,7 +1223,8 @@ static int pl330_exec_cycle(PL330Chan *c + fifo_res = pl330_fifo_get(&s->fifo, buf, len, q->tag); + } + if (fifo_res == PL330_FIFO_OK || q->z) { +- dma_memory_write(s->mem_as, q->addr, buf, len); ++ dma_memory_write(s->mem_as, q->addr, buf, len, ++ MEMTXATTRS_UNSPECIFIED); + trace_pl330_exec_cycle(q->addr, len); + if (trace_event_get_state_backends(TRACE_PL330_HEXDUMP)) { + pl330_hexdump(buf, len); +--- a/hw/dma/sparc32_dma.c ++++ b/hw/dma/sparc32_dma.c +@@ -81,11 +81,11 @@ void ledma_memory_read(void *opaque, hwa + addr |= s->dmaregs[3]; + trace_ledma_memory_read(addr, len); + if (do_bswap) { +- dma_memory_read(&is->iommu_as, addr, buf, len); ++ dma_memory_read(&is->iommu_as, addr, buf, len, MEMTXATTRS_UNSPECIFIED); + } else { + addr &= ~1; + len &= ~1; +- dma_memory_read(&is->iommu_as, addr, buf, len); ++ dma_memory_read(&is->iommu_as, addr, buf, len, MEMTXATTRS_UNSPECIFIED); + for(i = 0; i < len; i += 2) { + bswap16s((uint16_t *)(buf + i)); + } +@@ -103,7 +103,8 @@ void ledma_memory_write(void *opaque, hw + addr |= s->dmaregs[3]; + trace_ledma_memory_write(addr, len); + if (do_bswap) { +- dma_memory_write(&is->iommu_as, addr, buf, len); ++ dma_memory_write(&is->iommu_as, addr, buf, len, ++ MEMTXATTRS_UNSPECIFIED); + } else { + addr &= ~1; + len &= ~1; +@@ -114,7 +115,8 @@ void ledma_memory_write(void *opaque, hw + for(i = 0; i < l; i += 2) { + tmp_buf[i >> 1] = bswap16(*(uint16_t *)(buf + i)); + } +- dma_memory_write(&is->iommu_as, addr, tmp_buf, l); ++ dma_memory_write(&is->iommu_as, addr, tmp_buf, l, ++ MEMTXATTRS_UNSPECIFIED); + len -= l; + buf += l; + addr += l; +@@ -148,7 +150,8 @@ void espdma_memory_read(void *opaque, ui + IOMMUState *is = (IOMMUState *)s->iommu; + + trace_espdma_memory_read(s->dmaregs[1], len); +- dma_memory_read(&is->iommu_as, s->dmaregs[1], buf, len); ++ dma_memory_read(&is->iommu_as, s->dmaregs[1], buf, len, ++ MEMTXATTRS_UNSPECIFIED); + s->dmaregs[1] += len; + } + +@@ -158,7 +161,8 @@ void espdma_memory_write(void *opaque, u + IOMMUState *is = (IOMMUState *)s->iommu; + + trace_espdma_memory_write(s->dmaregs[1], len); +- dma_memory_write(&is->iommu_as, s->dmaregs[1], buf, len); ++ dma_memory_write(&is->iommu_as, s->dmaregs[1], buf, len, ++ MEMTXATTRS_UNSPECIFIED); + s->dmaregs[1] += len; + } + +--- a/hw/dma/xlnx-zynq-devcfg.c ++++ b/hw/dma/xlnx-zynq-devcfg.c +@@ -161,12 +161,14 @@ static void xlnx_zynq_devcfg_dma_go(Xlnx + btt = MIN(btt, dmah->dest_len); + } + DB_PRINT("reading %x bytes from %x\n", btt, dmah->src_addr); +- dma_memory_read(&address_space_memory, dmah->src_addr, buf, btt); ++ dma_memory_read(&address_space_memory, dmah->src_addr, buf, btt, ++ MEMTXATTRS_UNSPECIFIED); + dmah->src_len -= btt; + dmah->src_addr += btt; + if (loopback && (dmah->src_len || dmah->dest_len)) { + DB_PRINT("writing %x bytes from %x\n", btt, dmah->dest_addr); +- dma_memory_write(&address_space_memory, dmah->dest_addr, buf, btt); ++ dma_memory_write(&address_space_memory, dmah->dest_addr, buf, btt, ++ MEMTXATTRS_UNSPECIFIED); + dmah->dest_len -= btt; + dmah->dest_addr += btt; + } +--- a/hw/dma/xlnx_dpdma.c ++++ b/hw/dma/xlnx_dpdma.c +@@ -652,7 +652,7 @@ size_t xlnx_dpdma_start_operation(XlnxDP + } + + if (dma_memory_read(&address_space_memory, desc_addr, &desc, +- sizeof(DPDMADescriptor))) { ++ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) { + s->registers[DPDMA_EISR] |= ((1 << 1) << channel); + xlnx_dpdma_update_irq(s); + s->operation_finished[channel] = true; +@@ -708,7 +708,8 @@ size_t xlnx_dpdma_start_operation(XlnxDP + if (dma_memory_read(&address_space_memory, + source_addr[0], + &s->data[channel][ptr], +- line_size)) { ++ line_size, ++ MEMTXATTRS_UNSPECIFIED)) { + s->registers[DPDMA_ISR] |= ((1 << 12) << channel); + xlnx_dpdma_update_irq(s); + DPRINTF("Can't get data.\n"); +@@ -736,7 +737,8 @@ size_t xlnx_dpdma_start_operation(XlnxDP + if (dma_memory_read(&address_space_memory, + source_addr[frag], + &(s->data[channel][ptr]), +- fragment_len)) { ++ fragment_len, ++ MEMTXATTRS_UNSPECIFIED)) { + s->registers[DPDMA_ISR] |= ((1 << 12) << channel); + xlnx_dpdma_update_irq(s); + DPRINTF("Can't get data.\n"); +@@ -754,7 +756,7 @@ size_t xlnx_dpdma_start_operation(XlnxDP + DPRINTF("update the descriptor with the done flag set.\n"); + xlnx_dpdma_desc_set_done(&desc); + dma_memory_write(&address_space_memory, desc_addr, &desc, +- sizeof(DPDMADescriptor)); ++ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED); + } + + if (xlnx_dpdma_desc_completion_interrupt(&desc)) { +--- a/hw/i386/amd_iommu.c ++++ b/hw/i386/amd_iommu.c +@@ -181,7 +181,7 @@ static void amdvi_log_event(AMDVIState * + } + + if (dma_memory_write(&address_space_memory, s->evtlog + s->evtlog_tail, +- evt, AMDVI_EVENT_LEN)) { ++ evt, AMDVI_EVENT_LEN, MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_evntlog_fail(s->evtlog, s->evtlog_tail); + } + +@@ -376,7 +376,8 @@ static void amdvi_completion_wait(AMDVIS + } + if (extract64(cmd[0], 0, 1)) { + if (dma_memory_write(&address_space_memory, addr, &data, +- AMDVI_COMPLETION_DATA_SIZE)) { ++ AMDVI_COMPLETION_DATA_SIZE, ++ MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_completion_wait_fail(addr); + } + } +@@ -502,7 +503,7 @@ static void amdvi_cmdbuf_exec(AMDVIState + uint64_t cmd[2]; + + if (dma_memory_read(&address_space_memory, s->cmdbuf + s->cmdbuf_head, +- cmd, AMDVI_COMMAND_SIZE)) { ++ cmd, AMDVI_COMMAND_SIZE, MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_command_read_fail(s->cmdbuf, s->cmdbuf_head); + amdvi_log_command_error(s, s->cmdbuf + s->cmdbuf_head); + return; +@@ -836,7 +837,7 @@ static bool amdvi_get_dte(AMDVIState *s, + uint32_t offset = devid * AMDVI_DEVTAB_ENTRY_SIZE; + + if (dma_memory_read(&address_space_memory, s->devtab + offset, entry, +- AMDVI_DEVTAB_ENTRY_SIZE)) { ++ AMDVI_DEVTAB_ENTRY_SIZE, MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_dte_get_fail(s->devtab, offset); + /* log error accessing dte */ + amdvi_log_devtab_error(s, devid, s->devtab + offset, 0); +@@ -881,7 +882,8 @@ static inline uint64_t amdvi_get_pte_ent + { + uint64_t pte; + +- if (dma_memory_read(&address_space_memory, pte_addr, &pte, sizeof(pte))) { ++ if (dma_memory_read(&address_space_memory, pte_addr, ++ &pte, sizeof(pte), MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_get_pte_hwerror(pte_addr); + amdvi_log_pagetab_error(s, devid, pte_addr, 0); + pte = 0; +@@ -1048,7 +1050,7 @@ static int amdvi_get_irte(AMDVIState *s, + trace_amdvi_ir_irte(irte_root, offset); + + if (dma_memory_read(&address_space_memory, irte_root + offset, +- irte, sizeof(*irte))) { ++ irte, sizeof(*irte), MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_ir_err("failed to get irte"); + return -AMDVI_IR_GET_IRTE; + } +@@ -1108,7 +1110,7 @@ static int amdvi_get_irte_ga(AMDVIState + trace_amdvi_ir_irte(irte_root, offset); + + if (dma_memory_read(&address_space_memory, irte_root + offset, +- irte, sizeof(*irte))) { ++ irte, sizeof(*irte), MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_ir_err("failed to get irte_ga"); + return -AMDVI_IR_GET_IRTE; + } +--- a/hw/i386/intel_iommu.c ++++ b/hw/i386/intel_iommu.c +@@ -569,7 +569,8 @@ static int vtd_get_root_entry(IntelIOMMU + dma_addr_t addr; + + addr = s->root + index * sizeof(*re); +- if (dma_memory_read(&address_space_memory, addr, re, sizeof(*re))) { ++ if (dma_memory_read(&address_space_memory, addr, ++ re, sizeof(*re), MEMTXATTRS_UNSPECIFIED)) { + re->lo = 0; + return -VTD_FR_ROOT_TABLE_INV; + } +@@ -602,7 +603,8 @@ static int vtd_get_context_entry_from_ro + } + + addr = addr + index * ce_size; +- if (dma_memory_read(&address_space_memory, addr, ce, ce_size)) { ++ if (dma_memory_read(&address_space_memory, addr, ++ ce, ce_size, MEMTXATTRS_UNSPECIFIED)) { + return -VTD_FR_CONTEXT_TABLE_INV; + } + +@@ -639,8 +641,8 @@ static uint64_t vtd_get_slpte(dma_addr_t + assert(index < VTD_SL_PT_ENTRY_NR); + + if (dma_memory_read(&address_space_memory, +- base_addr + index * sizeof(slpte), &slpte, +- sizeof(slpte))) { ++ base_addr + index * sizeof(slpte), ++ &slpte, sizeof(slpte), MEMTXATTRS_UNSPECIFIED)) { + slpte = (uint64_t)-1; + return slpte; + } +@@ -704,7 +706,8 @@ static int vtd_get_pdire_from_pdir_table + index = VTD_PASID_DIR_INDEX(pasid); + entry_size = VTD_PASID_DIR_ENTRY_SIZE; + addr = pasid_dir_base + index * entry_size; +- if (dma_memory_read(&address_space_memory, addr, pdire, entry_size)) { ++ if (dma_memory_read(&address_space_memory, addr, ++ pdire, entry_size, MEMTXATTRS_UNSPECIFIED)) { + return -VTD_FR_PASID_TABLE_INV; + } + +@@ -728,7 +731,8 @@ static int vtd_get_pe_in_pasid_leaf_tabl + index = VTD_PASID_TABLE_INDEX(pasid); + entry_size = VTD_PASID_ENTRY_SIZE; + addr = addr + index * entry_size; +- if (dma_memory_read(&address_space_memory, addr, pe, entry_size)) { ++ if (dma_memory_read(&address_space_memory, addr, ++ pe, entry_size, MEMTXATTRS_UNSPECIFIED)) { + return -VTD_FR_PASID_TABLE_INV; + } + +@@ -2275,7 +2279,8 @@ static bool vtd_get_inv_desc(IntelIOMMUS + uint32_t dw = s->iq_dw ? 32 : 16; + dma_addr_t addr = base_addr + offset * dw; + +- if (dma_memory_read(&address_space_memory, addr, inv_desc, dw)) { ++ if (dma_memory_read(&address_space_memory, addr, ++ inv_desc, dw, MEMTXATTRS_UNSPECIFIED)) { + error_report_once("Read INV DESC failed."); + return false; + } +@@ -2308,8 +2313,9 @@ static bool vtd_process_wait_desc(IntelI + dma_addr_t status_addr = inv_desc->hi; + trace_vtd_inv_desc_wait_sw(status_addr, status_data); + status_data = cpu_to_le32(status_data); +- if (dma_memory_write(&address_space_memory, status_addr, &status_data, +- sizeof(status_data))) { ++ if (dma_memory_write(&address_space_memory, status_addr, ++ &status_data, sizeof(status_data), ++ MEMTXATTRS_UNSPECIFIED)) { + trace_vtd_inv_desc_wait_write_fail(inv_desc->hi, inv_desc->lo); + return false; + } +@@ -3120,8 +3126,8 @@ static int vtd_irte_get(IntelIOMMUState + } + + addr = iommu->intr_root + index * sizeof(*entry); +- if (dma_memory_read(&address_space_memory, addr, entry, +- sizeof(*entry))) { ++ if (dma_memory_read(&address_space_memory, addr, ++ entry, sizeof(*entry), MEMTXATTRS_UNSPECIFIED)) { + error_report_once("%s: read failed: ind=0x%x addr=0x%" PRIx64, + __func__, index, addr); + return -VTD_FR_IR_ROOT_INVAL; +--- a/hw/ide/macio.c ++++ b/hw/ide/macio.c +@@ -97,7 +97,7 @@ static void pmac_ide_atapi_transfer_cb(v + /* Non-block ATAPI transfer - just copy to RAM */ + s->io_buffer_size = MIN(s->io_buffer_size, io->len); + dma_memory_write(&address_space_memory, io->addr, s->io_buffer, +- s->io_buffer_size); ++ s->io_buffer_size, MEMTXATTRS_UNSPECIFIED); + io->len = 0; + ide_atapi_cmd_ok(s); + m->dma_active = false; +--- a/hw/intc/xive.c ++++ b/hw/intc/xive.c +@@ -1246,8 +1246,8 @@ void xive_end_queue_pic_print_info(XiveE + uint64_t qaddr = qaddr_base + (qindex << 2); + uint32_t qdata = -1; + +- if (dma_memory_read(&address_space_memory, qaddr, &qdata, +- sizeof(qdata))) { ++ if (dma_memory_read(&address_space_memory, qaddr, ++ &qdata, sizeof(qdata), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to read EQ @0x%" + HWADDR_PRIx "\n", qaddr); + return; +@@ -1311,7 +1311,8 @@ static void xive_end_enqueue(XiveEND *en + uint32_t qdata = cpu_to_be32((qgen << 31) | (data & 0x7fffffff)); + uint32_t qentries = 1 << (qsize + 10); + +- if (dma_memory_write(&address_space_memory, qaddr, &qdata, sizeof(qdata))) { ++ if (dma_memory_write(&address_space_memory, qaddr, ++ &qdata, sizeof(qdata), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to write END data @0x%" + HWADDR_PRIx "\n", qaddr); + return; +--- a/hw/misc/bcm2835_property.c ++++ b/hw/misc/bcm2835_property.c +@@ -69,7 +69,8 @@ static void bcm2835_property_mbox_push(B + break; + case 0x00010003: /* Get board MAC address */ + resplen = sizeof(s->macaddr.a); +- dma_memory_write(&s->dma_as, value + 12, s->macaddr.a, resplen); ++ dma_memory_write(&s->dma_as, value + 12, s->macaddr.a, resplen, ++ MEMTXATTRS_UNSPECIFIED); + break; + case 0x00010004: /* Get board serial */ + qemu_log_mask(LOG_UNIMP, +--- a/hw/misc/macio/mac_dbdma.c ++++ b/hw/misc/macio/mac_dbdma.c +@@ -94,7 +94,7 @@ static void dbdma_cmdptr_load(DBDMA_chan + DBDMA_DPRINTFCH(ch, "dbdma_cmdptr_load 0x%08x\n", + ch->regs[DBDMA_CMDPTR_LO]); + dma_memory_read(&address_space_memory, ch->regs[DBDMA_CMDPTR_LO], +- &ch->current, sizeof(dbdma_cmd)); ++ &ch->current, sizeof(dbdma_cmd), MEMTXATTRS_UNSPECIFIED); + } + + static void dbdma_cmdptr_save(DBDMA_channel *ch) +@@ -104,7 +104,7 @@ static void dbdma_cmdptr_save(DBDMA_chan + le16_to_cpu(ch->current.xfer_status), + le16_to_cpu(ch->current.res_count)); + dma_memory_write(&address_space_memory, ch->regs[DBDMA_CMDPTR_LO], +- &ch->current, sizeof(dbdma_cmd)); ++ &ch->current, sizeof(dbdma_cmd), MEMTXATTRS_UNSPECIFIED); + } + + static void kill_channel(DBDMA_channel *ch) +@@ -371,7 +371,8 @@ static void load_word(DBDMA_channel *ch, + return; + } + +- dma_memory_read(&address_space_memory, addr, ¤t->cmd_dep, len); ++ dma_memory_read(&address_space_memory, addr, ¤t->cmd_dep, len, ++ MEMTXATTRS_UNSPECIFIED); + + if (conditional_wait(ch)) + goto wait; +@@ -403,7 +404,8 @@ static void store_word(DBDMA_channel *ch + return; + } + +- dma_memory_write(&address_space_memory, addr, ¤t->cmd_dep, len); ++ dma_memory_write(&address_space_memory, addr, ¤t->cmd_dep, len, ++ MEMTXATTRS_UNSPECIFIED); + + if (conditional_wait(ch)) + goto wait; +--- a/hw/net/allwinner-sun8i-emac.c ++++ b/hw/net/allwinner-sun8i-emac.c +@@ -350,7 +350,8 @@ static void allwinner_sun8i_emac_get_des + FrameDescriptor *desc, + uint32_t phys_addr) + { +- dma_memory_read(&s->dma_as, phys_addr, desc, sizeof(*desc)); ++ dma_memory_read(&s->dma_as, phys_addr, desc, sizeof(*desc), ++ MEMTXATTRS_UNSPECIFIED); + } + + static uint32_t allwinner_sun8i_emac_next_desc(AwSun8iEmacState *s, +@@ -402,7 +403,8 @@ static void allwinner_sun8i_emac_flush_d + FrameDescriptor *desc, + uint32_t phys_addr) + { +- dma_memory_write(&s->dma_as, phys_addr, desc, sizeof(*desc)); ++ dma_memory_write(&s->dma_as, phys_addr, desc, sizeof(*desc), ++ MEMTXATTRS_UNSPECIFIED); + } + + static bool allwinner_sun8i_emac_can_receive(NetClientState *nc) +@@ -460,7 +462,8 @@ static ssize_t allwinner_sun8i_emac_rece + << RX_DESC_STATUS_FRM_LEN_SHIFT; + } + +- dma_memory_write(&s->dma_as, desc.addr, buf, desc_bytes); ++ dma_memory_write(&s->dma_as, desc.addr, buf, desc_bytes, ++ MEMTXATTRS_UNSPECIFIED); + allwinner_sun8i_emac_flush_desc(s, &desc, s->rx_desc_curr); + trace_allwinner_sun8i_emac_receive(s->rx_desc_curr, desc.addr, + desc_bytes); +@@ -512,7 +515,8 @@ static void allwinner_sun8i_emac_transmi + desc.status |= TX_DESC_STATUS_LENGTH_ERR; + break; + } +- dma_memory_read(&s->dma_as, desc.addr, packet_buf + packet_bytes, bytes); ++ dma_memory_read(&s->dma_as, desc.addr, packet_buf + packet_bytes, ++ bytes, MEMTXATTRS_UNSPECIFIED); + packet_bytes += bytes; + desc.status &= ~DESC_STATUS_CTL; + allwinner_sun8i_emac_flush_desc(s, &desc, s->tx_desc_curr); +@@ -634,7 +638,8 @@ static uint64_t allwinner_sun8i_emac_rea + break; + case REG_TX_CUR_BUF: /* Transmit Current Buffer */ + if (s->tx_desc_curr != 0) { +- dma_memory_read(&s->dma_as, s->tx_desc_curr, &desc, sizeof(desc)); ++ dma_memory_read(&s->dma_as, s->tx_desc_curr, &desc, sizeof(desc), ++ MEMTXATTRS_UNSPECIFIED); + value = desc.addr; + } else { + value = 0; +@@ -647,7 +652,8 @@ static uint64_t allwinner_sun8i_emac_rea + break; + case REG_RX_CUR_BUF: /* Receive Current Buffer */ + if (s->rx_desc_curr != 0) { +- dma_memory_read(&s->dma_as, s->rx_desc_curr, &desc, sizeof(desc)); ++ dma_memory_read(&s->dma_as, s->rx_desc_curr, &desc, sizeof(desc), ++ MEMTXATTRS_UNSPECIFIED); + value = desc.addr; + } else { + value = 0; +--- a/hw/net/ftgmac100.c ++++ b/hw/net/ftgmac100.c +@@ -453,7 +453,8 @@ static void do_phy_ctl(FTGMAC100State *s + + static int ftgmac100_read_bd(FTGMAC100Desc *bd, dma_addr_t addr) + { +- if (dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd))) { ++ if (dma_memory_read(&address_space_memory, addr, ++ bd, sizeof(*bd), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to read descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -473,7 +474,8 @@ static int ftgmac100_write_bd(FTGMAC100D + lebd.des1 = cpu_to_le32(bd->des1); + lebd.des2 = cpu_to_le32(bd->des2); + lebd.des3 = cpu_to_le32(bd->des3); +- if (dma_memory_write(&address_space_memory, addr, &lebd, sizeof(lebd))) { ++ if (dma_memory_write(&address_space_memory, addr, ++ &lebd, sizeof(lebd), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to write descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -554,7 +556,8 @@ static void ftgmac100_do_tx(FTGMAC100Sta + len = sizeof(s->frame) - frame_size; + } + +- if (dma_memory_read(&address_space_memory, bd.des3, ptr, len)) { ++ if (dma_memory_read(&address_space_memory, bd.des3, ++ ptr, len, MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to read packet @ 0x%x\n", + __func__, bd.des3); + s->isr |= FTGMAC100_INT_AHB_ERR; +@@ -1030,20 +1033,24 @@ static ssize_t ftgmac100_receive(NetClie + bd.des1 = lduw_be_p(buf + 14) | FTGMAC100_RXDES1_VLANTAG_AVAIL; + + if (s->maccr & FTGMAC100_MACCR_RM_VLAN) { +- dma_memory_write(&address_space_memory, buf_addr, buf, 12); +- dma_memory_write(&address_space_memory, buf_addr + 12, buf + 16, +- buf_len - 16); ++ dma_memory_write(&address_space_memory, buf_addr, buf, 12, ++ MEMTXATTRS_UNSPECIFIED); ++ dma_memory_write(&address_space_memory, buf_addr + 12, ++ buf + 16, buf_len - 16, ++ MEMTXATTRS_UNSPECIFIED); + } else { +- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len); ++ dma_memory_write(&address_space_memory, buf_addr, buf, ++ buf_len, MEMTXATTRS_UNSPECIFIED); + } + } else { + bd.des1 = 0; +- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len); ++ dma_memory_write(&address_space_memory, buf_addr, buf, buf_len, ++ MEMTXATTRS_UNSPECIFIED); + } + buf += buf_len; + if (size < 4) { + dma_memory_write(&address_space_memory, buf_addr + buf_len, +- crc_ptr, 4 - size); ++ crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED); + crc_ptr += 4 - size; + } + +--- a/hw/net/imx_fec.c ++++ b/hw/net/imx_fec.c +@@ -387,19 +387,22 @@ static void imx_phy_write(IMXFECState *s + + static void imx_fec_read_bd(IMXFECBufDesc *bd, dma_addr_t addr) + { +- dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd)); ++ dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd), ++ MEMTXATTRS_UNSPECIFIED); + + trace_imx_fec_read_bd(addr, bd->flags, bd->length, bd->data); + } + + static void imx_fec_write_bd(IMXFECBufDesc *bd, dma_addr_t addr) + { +- dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd)); ++ dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd), ++ MEMTXATTRS_UNSPECIFIED); + } + + static void imx_enet_read_bd(IMXENETBufDesc *bd, dma_addr_t addr) + { +- dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd)); ++ dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd), ++ MEMTXATTRS_UNSPECIFIED); + + trace_imx_enet_read_bd(addr, bd->flags, bd->length, bd->data, + bd->option, bd->status); +@@ -407,7 +410,8 @@ static void imx_enet_read_bd(IMXENETBufD + + static void imx_enet_write_bd(IMXENETBufDesc *bd, dma_addr_t addr) + { +- dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd)); ++ dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd), ++ MEMTXATTRS_UNSPECIFIED); + } + + static void imx_eth_update(IMXFECState *s) +@@ -474,7 +478,8 @@ static void imx_fec_do_tx(IMXFECState *s + len = ENET_MAX_FRAME_SIZE - frame_size; + s->regs[ENET_EIR] |= ENET_INT_BABT; + } +- dma_memory_read(&address_space_memory, bd.data, ptr, len); ++ dma_memory_read(&address_space_memory, bd.data, ptr, len, ++ MEMTXATTRS_UNSPECIFIED); + ptr += len; + frame_size += len; + if (bd.flags & ENET_BD_L) { +@@ -555,7 +560,8 @@ static void imx_enet_do_tx(IMXFECState * + len = ENET_MAX_FRAME_SIZE - frame_size; + s->regs[ENET_EIR] |= ENET_INT_BABT; + } +- dma_memory_read(&address_space_memory, bd.data, ptr, len); ++ dma_memory_read(&address_space_memory, bd.data, ptr, len, ++ MEMTXATTRS_UNSPECIFIED); + ptr += len; + frame_size += len; + if (bd.flags & ENET_BD_L) { +@@ -1103,11 +1109,12 @@ static ssize_t imx_fec_receive(NetClient + buf_len += size - 4; + } + buf_addr = bd.data; +- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len); ++ dma_memory_write(&address_space_memory, buf_addr, buf, buf_len, ++ MEMTXATTRS_UNSPECIFIED); + buf += buf_len; + if (size < 4) { + dma_memory_write(&address_space_memory, buf_addr + buf_len, +- crc_ptr, 4 - size); ++ crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED); + crc_ptr += 4 - size; + } + bd.flags &= ~ENET_BD_E; +@@ -1210,8 +1217,8 @@ static ssize_t imx_enet_receive(NetClien + */ + const uint8_t zeros[2] = { 0 }; + +- dma_memory_write(&address_space_memory, buf_addr, +- zeros, sizeof(zeros)); ++ dma_memory_write(&address_space_memory, buf_addr, zeros, ++ sizeof(zeros), MEMTXATTRS_UNSPECIFIED); + + buf_addr += sizeof(zeros); + buf_len -= sizeof(zeros); +@@ -1220,11 +1227,12 @@ static ssize_t imx_enet_receive(NetClien + shift16 = false; + } + +- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len); ++ dma_memory_write(&address_space_memory, buf_addr, buf, buf_len, ++ MEMTXATTRS_UNSPECIFIED); + buf += buf_len; + if (size < 4) { + dma_memory_write(&address_space_memory, buf_addr + buf_len, +- crc_ptr, 4 - size); ++ crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED); + crc_ptr += 4 - size; + } + bd.flags &= ~ENET_BD_E; +--- a/hw/net/npcm7xx_emc.c ++++ b/hw/net/npcm7xx_emc.c +@@ -200,7 +200,8 @@ static void emc_update_irq_from_reg_chan + + static int emc_read_tx_desc(dma_addr_t addr, NPCM7xxEMCTxDesc *desc) + { +- if (dma_memory_read(&address_space_memory, addr, desc, sizeof(*desc))) { ++ if (dma_memory_read(&address_space_memory, addr, desc, ++ sizeof(*desc), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -221,7 +222,7 @@ static int emc_write_tx_desc(const NPCM7 + le_desc.status_and_length = cpu_to_le32(desc->status_and_length); + le_desc.ntxdsa = cpu_to_le32(desc->ntxdsa); + if (dma_memory_write(&address_space_memory, addr, &le_desc, +- sizeof(le_desc))) { ++ sizeof(le_desc), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to write descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -231,7 +232,8 @@ static int emc_write_tx_desc(const NPCM7 + + static int emc_read_rx_desc(dma_addr_t addr, NPCM7xxEMCRxDesc *desc) + { +- if (dma_memory_read(&address_space_memory, addr, desc, sizeof(*desc))) { ++ if (dma_memory_read(&address_space_memory, addr, desc, ++ sizeof(*desc), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -252,7 +254,7 @@ static int emc_write_rx_desc(const NPCM7 + le_desc.reserved = cpu_to_le32(desc->reserved); + le_desc.nrxdsa = cpu_to_le32(desc->nrxdsa); + if (dma_memory_write(&address_space_memory, addr, &le_desc, +- sizeof(le_desc))) { ++ sizeof(le_desc), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to write descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -360,7 +362,8 @@ static void emc_try_send_next_packet(NPC + buf = malloced_buf; + } + +- if (dma_memory_read(&address_space_memory, next_buf_addr, buf, length)) { ++ if (dma_memory_read(&address_space_memory, next_buf_addr, buf, ++ length, MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read packet @ 0x%x\n", + __func__, next_buf_addr); + emc_set_mista(emc, REG_MISTA_TXBERR); +@@ -545,10 +548,11 @@ static ssize_t emc_receive(NetClientStat + + buf_addr = rx_desc.rxbsa; + emc->regs[REG_CRXBSA] = buf_addr; +- if (dma_memory_write(&address_space_memory, buf_addr, buf, len) || ++ if (dma_memory_write(&address_space_memory, buf_addr, buf, ++ len, MEMTXATTRS_UNSPECIFIED) || + (!(emc->regs[REG_MCMDR] & REG_MCMDR_SPCRC) && +- dma_memory_write(&address_space_memory, buf_addr + len, crc_ptr, +- 4))) { ++ dma_memory_write(&address_space_memory, buf_addr + len, ++ crc_ptr, 4, MEMTXATTRS_UNSPECIFIED))) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Bus error writing packet\n", + __func__); + emc_set_mista(emc, REG_MISTA_RXBERR); +--- a/hw/nvram/fw_cfg.c ++++ b/hw/nvram/fw_cfg.c +@@ -357,7 +357,8 @@ static void fw_cfg_dma_transfer(FWCfgSta + dma_addr = s->dma_addr; + s->dma_addr = 0; + +- if (dma_memory_read(s->dma_as, dma_addr, &dma, sizeof(dma))) { ++ if (dma_memory_read(s->dma_as, dma_addr, ++ &dma, sizeof(dma), MEMTXATTRS_UNSPECIFIED)) { + stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control), + FW_CFG_DMA_CTL_ERROR); + return; +@@ -419,7 +420,8 @@ static void fw_cfg_dma_transfer(FWCfgSta + */ + if (read) { + if (dma_memory_write(s->dma_as, dma.address, +- &e->data[s->cur_offset], len)) { ++ &e->data[s->cur_offset], len, ++ MEMTXATTRS_UNSPECIFIED)) { + dma.control |= FW_CFG_DMA_CTL_ERROR; + } + } +@@ -427,7 +429,8 @@ static void fw_cfg_dma_transfer(FWCfgSta + if (!e->allow_write || + len != dma.length || + dma_memory_read(s->dma_as, dma.address, +- &e->data[s->cur_offset], len)) { ++ &e->data[s->cur_offset], len, ++ MEMTXATTRS_UNSPECIFIED)) { + dma.control |= FW_CFG_DMA_CTL_ERROR; + } else if (e->write_cb) { + e->write_cb(e->callback_opaque, s->cur_offset, len); +--- a/hw/pci-host/pnv_phb3.c ++++ b/hw/pci-host/pnv_phb3.c +@@ -715,7 +715,8 @@ static bool pnv_phb3_resolve_pe(PnvPhb3D + bus_num = pci_bus_num(ds->bus); + addr = rtt & PHB_RTT_BASE_ADDRESS_MASK; + addr += 2 * ((bus_num << 8) | ds->devfn); +- if (dma_memory_read(&address_space_memory, addr, &rte, sizeof(rte))) { ++ if (dma_memory_read(&address_space_memory, addr, &rte, ++ sizeof(rte), MEMTXATTRS_UNSPECIFIED)) { + phb3_error(ds->phb, "Failed to read RTT entry at 0x%"PRIx64, addr); + /* Set error bits ? fence ? ... */ + return false; +@@ -794,7 +795,7 @@ static void pnv_phb3_translate_tve(PnvPh + /* Grab the TCE address */ + taddr = base | (((addr >> sh) & ((1ul << tbl_shift) - 1)) << 3); + if (dma_memory_read(&address_space_memory, taddr, &tce, +- sizeof(tce))) { ++ sizeof(tce), MEMTXATTRS_UNSPECIFIED)) { + phb3_error(phb, "Failed to read TCE at 0x%"PRIx64, taddr); + return; + } +--- a/hw/pci-host/pnv_phb3_msi.c ++++ b/hw/pci-host/pnv_phb3_msi.c +@@ -53,7 +53,8 @@ static bool phb3_msi_read_ive(PnvPHB3 *p + return false; + } + +- if (dma_memory_read(&address_space_memory, ive_addr, &ive, sizeof(ive))) { ++ if (dma_memory_read(&address_space_memory, ive_addr, ++ &ive, sizeof(ive), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "Failed to read IVE at 0x%" PRIx64, + ive_addr); + return false; +@@ -73,7 +74,8 @@ static void phb3_msi_set_p(Phb3MsiState + return; + } + +- if (dma_memory_write(&address_space_memory, ive_addr + 4, &p, 1)) { ++ if (dma_memory_write(&address_space_memory, ive_addr + 4, ++ &p, 1, MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, + "Failed to write IVE (set P) at 0x%" PRIx64, ive_addr); + } +@@ -89,7 +91,8 @@ static void phb3_msi_set_q(Phb3MsiState + return; + } + +- if (dma_memory_write(&address_space_memory, ive_addr + 5, &q, 1)) { ++ if (dma_memory_write(&address_space_memory, ive_addr + 5, ++ &q, 1, MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, + "Failed to write IVE (set Q) at 0x%" PRIx64, ive_addr); + } +--- a/hw/pci-host/pnv_phb4.c ++++ b/hw/pci-host/pnv_phb4.c +@@ -891,7 +891,8 @@ static bool pnv_phb4_resolve_pe(PnvPhb4D + bus_num = pci_bus_num(ds->bus); + addr = rtt & PHB_RTT_BASE_ADDRESS_MASK; + addr += 2 * PCI_BUILD_BDF(bus_num, ds->devfn); +- if (dma_memory_read(&address_space_memory, addr, &rte, sizeof(rte))) { ++ if (dma_memory_read(&address_space_memory, addr, &rte, ++ sizeof(rte), MEMTXATTRS_UNSPECIFIED)) { + phb_error(ds->phb, "Failed to read RTT entry at 0x%"PRIx64, addr); + /* Set error bits ? fence ? ... */ + return false; +@@ -961,7 +962,7 @@ static void pnv_phb4_translate_tve(PnvPh + /* Grab the TCE address */ + taddr = base | (((addr >> sh) & ((1ul << tbl_shift) - 1)) << 3); + if (dma_memory_read(&address_space_memory, taddr, &tce, +- sizeof(tce))) { ++ sizeof(tce), MEMTXATTRS_UNSPECIFIED)) { + phb_error(ds->phb, "Failed to read TCE at 0x%"PRIx64, taddr); + return; + } +--- a/hw/sd/allwinner-sdhost.c ++++ b/hw/sd/allwinner-sdhost.c +@@ -311,7 +311,8 @@ static uint32_t allwinner_sdhost_process + uint8_t buf[1024]; + + /* Read descriptor */ +- dma_memory_read(&s->dma_as, desc_addr, desc, sizeof(*desc)); ++ dma_memory_read(&s->dma_as, desc_addr, desc, sizeof(*desc), ++ MEMTXATTRS_UNSPECIFIED); + if (desc->size == 0) { + desc->size = klass->max_desc_size; + } else if (desc->size > klass->max_desc_size) { +@@ -337,23 +338,24 @@ static uint32_t allwinner_sdhost_process + /* Write to SD bus */ + if (is_write) { + dma_memory_read(&s->dma_as, +- (desc->addr & DESC_SIZE_MASK) + num_done, +- buf, buf_bytes); ++ (desc->addr & DESC_SIZE_MASK) + num_done, buf, ++ buf_bytes, MEMTXATTRS_UNSPECIFIED); + sdbus_write_data(&s->sdbus, buf, buf_bytes); + + /* Read from SD bus */ + } else { + sdbus_read_data(&s->sdbus, buf, buf_bytes); + dma_memory_write(&s->dma_as, +- (desc->addr & DESC_SIZE_MASK) + num_done, +- buf, buf_bytes); ++ (desc->addr & DESC_SIZE_MASK) + num_done, buf, ++ buf_bytes, MEMTXATTRS_UNSPECIFIED); + } + num_done += buf_bytes; + } + + /* Clear hold flag and flush descriptor */ + desc->status &= ~DESC_STATUS_HOLD; +- dma_memory_write(&s->dma_as, desc_addr, desc, sizeof(*desc)); ++ dma_memory_write(&s->dma_as, desc_addr, desc, sizeof(*desc), ++ MEMTXATTRS_UNSPECIFIED); + + return num_done; + } +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -616,8 +616,8 @@ static void sdhci_sdma_transfer_multi_bl + s->blkcnt--; + } + } +- dma_memory_write(s->dma_as, s->sdmasysad, +- &s->fifo_buffer[begin], s->data_count - begin); ++ dma_memory_write(s->dma_as, s->sdmasysad, &s->fifo_buffer[begin], ++ s->data_count - begin, MEMTXATTRS_UNSPECIFIED); + s->sdmasysad += s->data_count - begin; + if (s->data_count == block_size) { + s->data_count = 0; +@@ -637,8 +637,8 @@ static void sdhci_sdma_transfer_multi_bl + s->data_count = block_size; + boundary_count -= block_size - begin; + } +- dma_memory_read(s->dma_as, s->sdmasysad, +- &s->fifo_buffer[begin], s->data_count - begin); ++ dma_memory_read(s->dma_as, s->sdmasysad, &s->fifo_buffer[begin], ++ s->data_count - begin, MEMTXATTRS_UNSPECIFIED); + s->sdmasysad += s->data_count - begin; + if (s->data_count == block_size) { + sdbus_write_data(&s->sdbus, s->fifo_buffer, block_size); +@@ -670,9 +670,11 @@ static void sdhci_sdma_transfer_single_b + + if (s->trnmod & SDHC_TRNS_READ) { + sdbus_read_data(&s->sdbus, s->fifo_buffer, datacnt); +- dma_memory_write(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt); ++ dma_memory_write(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt, ++ MEMTXATTRS_UNSPECIFIED); + } else { +- dma_memory_read(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt); ++ dma_memory_read(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt, ++ MEMTXATTRS_UNSPECIFIED); + sdbus_write_data(&s->sdbus, s->fifo_buffer, datacnt); + } + s->blkcnt--; +@@ -694,7 +696,8 @@ static void get_adma_description(SDHCISt + hwaddr entry_addr = (hwaddr)s->admasysaddr; + switch (SDHC_DMA_TYPE(s->hostctl1)) { + case SDHC_CTRL_ADMA2_32: +- dma_memory_read(s->dma_as, entry_addr, &adma2, sizeof(adma2)); ++ dma_memory_read(s->dma_as, entry_addr, &adma2, sizeof(adma2), ++ MEMTXATTRS_UNSPECIFIED); + adma2 = le64_to_cpu(adma2); + /* The spec does not specify endianness of descriptor table. + * We currently assume that it is LE. +@@ -705,7 +708,8 @@ static void get_adma_description(SDHCISt + dscr->incr = 8; + break; + case SDHC_CTRL_ADMA1_32: +- dma_memory_read(s->dma_as, entry_addr, &adma1, sizeof(adma1)); ++ dma_memory_read(s->dma_as, entry_addr, &adma1, sizeof(adma1), ++ MEMTXATTRS_UNSPECIFIED); + adma1 = le32_to_cpu(adma1); + dscr->addr = (hwaddr)(adma1 & 0xFFFFF000); + dscr->attr = (uint8_t)extract32(adma1, 0, 7); +@@ -717,10 +721,13 @@ static void get_adma_description(SDHCISt + } + break; + case SDHC_CTRL_ADMA2_64: +- dma_memory_read(s->dma_as, entry_addr, &dscr->attr, 1); +- dma_memory_read(s->dma_as, entry_addr + 2, &dscr->length, 2); ++ dma_memory_read(s->dma_as, entry_addr, &dscr->attr, 1, ++ MEMTXATTRS_UNSPECIFIED); ++ dma_memory_read(s->dma_as, entry_addr + 2, &dscr->length, 2, ++ MEMTXATTRS_UNSPECIFIED); + dscr->length = le16_to_cpu(dscr->length); +- dma_memory_read(s->dma_as, entry_addr + 4, &dscr->addr, 8); ++ dma_memory_read(s->dma_as, entry_addr + 4, &dscr->addr, 8, ++ MEMTXATTRS_UNSPECIFIED); + dscr->addr = le64_to_cpu(dscr->addr); + dscr->attr &= (uint8_t) ~0xC0; + dscr->incr = 12; +@@ -785,7 +792,8 @@ static void sdhci_do_adma(SDHCIState *s) + } + dma_memory_write(s->dma_as, dscr.addr, + &s->fifo_buffer[begin], +- s->data_count - begin); ++ s->data_count - begin, ++ MEMTXATTRS_UNSPECIFIED); + dscr.addr += s->data_count - begin; + if (s->data_count == block_size) { + s->data_count = 0; +@@ -810,7 +818,8 @@ static void sdhci_do_adma(SDHCIState *s) + } + dma_memory_read(s->dma_as, dscr.addr, + &s->fifo_buffer[begin], +- s->data_count - begin); ++ s->data_count - begin, ++ MEMTXATTRS_UNSPECIFIED); + dscr.addr += s->data_count - begin; + if (s->data_count == block_size) { + sdbus_write_data(&s->sdbus, s->fifo_buffer, block_size); +--- a/hw/usb/hcd-dwc2.c ++++ b/hw/usb/hcd-dwc2.c +@@ -272,8 +272,8 @@ static void dwc2_handle_packet(DWC2State + + if (pid != USB_TOKEN_IN) { + trace_usb_dwc2_memory_read(hcdma, tlen); +- if (dma_memory_read(&s->dma_as, hcdma, +- s->usb_buf[chan], tlen) != MEMTX_OK) { ++ if (dma_memory_read(&s->dma_as, hcdma, s->usb_buf[chan], tlen, ++ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: dma_memory_read failed\n", + __func__); + } +@@ -328,8 +328,8 @@ babble: + + if (pid == USB_TOKEN_IN) { + trace_usb_dwc2_memory_write(hcdma, actual); +- if (dma_memory_write(&s->dma_as, hcdma, s->usb_buf[chan], +- actual) != MEMTX_OK) { ++ if (dma_memory_write(&s->dma_as, hcdma, s->usb_buf[chan], actual, ++ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: dma_memory_write failed\n", + __func__); + } +--- a/hw/usb/hcd-ehci.c ++++ b/hw/usb/hcd-ehci.c +@@ -383,7 +383,8 @@ static inline int get_dwords(EHCIState * + } + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { +- dma_memory_read(ehci->as, addr, buf, sizeof(*buf)); ++ dma_memory_read(ehci->as, addr, buf, sizeof(*buf), ++ MEMTXATTRS_UNSPECIFIED); + *buf = le32_to_cpu(*buf); + } + +@@ -405,7 +406,8 @@ static inline int put_dwords(EHCIState * + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { + uint32_t tmp = cpu_to_le32(*buf); +- dma_memory_write(ehci->as, addr, &tmp, sizeof(tmp)); ++ dma_memory_write(ehci->as, addr, &tmp, sizeof(tmp), ++ MEMTXATTRS_UNSPECIFIED); + } + + return num; +--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -452,7 +452,8 @@ static inline int get_dwords(OHCIState * + addr += ohci->localmem_base; + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { +- if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) { ++ if (dma_memory_read(ohci->as, addr, ++ buf, sizeof(*buf), MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + *buf = le32_to_cpu(*buf); +@@ -471,7 +472,8 @@ static inline int put_dwords(OHCIState * + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { + uint32_t tmp = cpu_to_le32(*buf); +- if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) { ++ if (dma_memory_write(ohci->as, addr, ++ &tmp, sizeof(tmp), MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + } +@@ -488,7 +490,8 @@ static inline int get_words(OHCIState *o + addr += ohci->localmem_base; + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { +- if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) { ++ if (dma_memory_read(ohci->as, addr, ++ buf, sizeof(*buf), MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + *buf = le16_to_cpu(*buf); +@@ -507,7 +510,8 @@ static inline int put_words(OHCIState *o + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { + uint16_t tmp = cpu_to_le16(*buf); +- if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) { ++ if (dma_memory_write(ohci->as, addr, ++ &tmp, sizeof(tmp), MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + } +@@ -537,8 +541,8 @@ static inline int ohci_read_iso_td(OHCIS + static inline int ohci_read_hcca(OHCIState *ohci, + dma_addr_t addr, struct ohci_hcca *hcca) + { +- return dma_memory_read(ohci->as, addr + ohci->localmem_base, +- hcca, sizeof(*hcca)); ++ return dma_memory_read(ohci->as, addr + ohci->localmem_base, hcca, ++ sizeof(*hcca), MEMTXATTRS_UNSPECIFIED); + } + + static inline int ohci_put_ed(OHCIState *ohci, +@@ -572,7 +576,7 @@ static inline int ohci_put_hcca(OHCIStat + return dma_memory_write(ohci->as, + addr + ohci->localmem_base + HCCA_WRITEBACK_OFFSET, + (char *)hcca + HCCA_WRITEBACK_OFFSET, +- HCCA_WRITEBACK_SIZE); ++ HCCA_WRITEBACK_SIZE, MEMTXATTRS_UNSPECIFIED); + } + + /* Read/Write the contents of a TD from/to main memory. */ +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -488,7 +488,7 @@ static inline void xhci_dma_read_u32s(XH + + assert((len % sizeof(uint32_t)) == 0); + +- dma_memory_read(xhci->as, addr, buf, len); ++ dma_memory_read(xhci->as, addr, buf, len, MEMTXATTRS_UNSPECIFIED); + + for (i = 0; i < (len / sizeof(uint32_t)); i++) { + buf[i] = le32_to_cpu(buf[i]); +@@ -508,7 +508,7 @@ static inline void xhci_dma_write_u32s(X + for (i = 0; i < n; i++) { + tmp[i] = cpu_to_le32(buf[i]); + } +- dma_memory_write(xhci->as, addr, tmp, len); ++ dma_memory_write(xhci->as, addr, tmp, len, MEMTXATTRS_UNSPECIFIED); + } + + static XHCIPort *xhci_lookup_port(XHCIState *xhci, struct USBPort *uport) +@@ -619,7 +619,7 @@ static void xhci_write_event(XHCIState * + ev_trb.status, ev_trb.control); + + addr = intr->er_start + TRB_SIZE*intr->er_ep_idx; +- dma_memory_write(xhci->as, addr, &ev_trb, TRB_SIZE); ++ dma_memory_write(xhci->as, addr, &ev_trb, TRB_SIZE, MEMTXATTRS_UNSPECIFIED); + + intr->er_ep_idx++; + if (intr->er_ep_idx >= intr->er_size) { +@@ -680,7 +680,8 @@ static TRBType xhci_ring_fetch(XHCIState + + while (1) { + TRBType type; +- dma_memory_read(xhci->as, ring->dequeue, trb, TRB_SIZE); ++ dma_memory_read(xhci->as, ring->dequeue, trb, TRB_SIZE, ++ MEMTXATTRS_UNSPECIFIED); + trb->addr = ring->dequeue; + trb->ccs = ring->ccs; + le64_to_cpus(&trb->parameter); +@@ -727,7 +728,7 @@ static int xhci_ring_chain_length(XHCISt + + do { + TRBType type; +- if (dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE) != MEMTX_OK) { ++ if (dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE, MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n", + __func__); + return -1; +@@ -796,7 +797,8 @@ static void xhci_er_reset(XHCIState *xhc + xhci_die(xhci); + return; + } +- dma_memory_read(xhci->as, erstba, &seg, sizeof(seg)); ++ dma_memory_read(xhci->as, erstba, &seg, sizeof(seg), ++ MEMTXATTRS_UNSPECIFIED); + le32_to_cpus(&seg.addr_low); + le32_to_cpus(&seg.addr_high); + le32_to_cpus(&seg.size); +@@ -2412,7 +2414,8 @@ static TRBCCode xhci_get_port_bandwidth( + /* TODO: actually implement real values here */ + bw_ctx[0] = 0; + memset(&bw_ctx[1], 80, xhci->numports); /* 80% */ +- dma_memory_write(xhci->as, ctx, bw_ctx, sizeof(bw_ctx)); ++ dma_memory_write(xhci->as, ctx, bw_ctx, sizeof(bw_ctx), ++ MEMTXATTRS_UNSPECIFIED); + + return CC_SUCCESS; + } +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -97,14 +97,16 @@ static inline bool spapr_vio_dma_valid(S + static inline int spapr_vio_dma_read(SpaprVioDevice *dev, uint64_t taddr, + void *buf, uint32_t size) + { +- return (dma_memory_read(&dev->as, taddr, buf, size) != 0) ? ++ return (dma_memory_read(&dev->as, taddr, ++ buf, size, MEMTXATTRS_UNSPECIFIED) != 0) ? + H_DEST_PARM : H_SUCCESS; + } + + static inline int spapr_vio_dma_write(SpaprVioDevice *dev, uint64_t taddr, + const void *buf, uint32_t size) + { +- return (dma_memory_write(&dev->as, taddr, buf, size) != 0) ? ++ return (dma_memory_write(&dev->as, taddr, ++ buf, size, MEMTXATTRS_UNSPECIFIED) != 0) ? + H_DEST_PARM : H_SUCCESS; + } + +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -143,12 +143,14 @@ static inline MemTxResult dma_memory_rw( + * @addr: address within that address space + * @buf: buffer with the data transferred + * @len: length of the data transferred ++ * @attrs: memory transaction attributes + */ + static inline MemTxResult dma_memory_read(AddressSpace *as, dma_addr_t addr, +- void *buf, dma_addr_t len) ++ void *buf, dma_addr_t len, ++ MemTxAttrs attrs) + { + return dma_memory_rw(as, addr, buf, len, +- DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED); ++ DMA_DIRECTION_TO_DEVICE, attrs); + } + + /** +@@ -162,12 +164,14 @@ static inline MemTxResult dma_memory_rea + * @addr: address within that address space + * @buf: buffer with the data transferred + * @len: the number of bytes to write ++ * @attrs: memory transaction attributes + */ + static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr, +- const void *buf, dma_addr_t len) ++ const void *buf, dma_addr_t len, ++ MemTxAttrs attrs) + { + return dma_memory_rw(as, addr, (void *)buf, len, +- DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); ++ DMA_DIRECTION_FROM_DEVICE, attrs); + } + + /** +@@ -239,7 +243,7 @@ static inline void dma_memory_unmap(Addr + dma_addr_t addr) \ + { \ + uint##_bits##_t val; \ +- dma_memory_read(as, addr, &val, (_bits) / 8); \ ++ dma_memory_read(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \ + return _end##_bits##_to_cpu(val); \ + } \ + static inline void st##_sname##_##_end##_dma(AddressSpace *as, \ +@@ -247,20 +251,20 @@ static inline void dma_memory_unmap(Addr + uint##_bits##_t val) \ + { \ + val = cpu_to_##_end##_bits(val); \ +- dma_memory_write(as, addr, &val, (_bits) / 8); \ ++ dma_memory_write(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \ + } + + static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr) + { + uint8_t val; + +- dma_memory_read(as, addr, &val, 1); ++ dma_memory_read(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED); + return val; + } + + static inline void stb_dma(AddressSpace *as, dma_addr_t addr, uint8_t val) + { +- dma_memory_write(as, addr, &val, 1); ++ dma_memory_write(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED); + } + + DEFINE_LDST_DMA(uw, w, 16, le); diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-07.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-07.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-07.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-07.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,223 @@ +From a1d4b0a3051b3079c8db607f519bc0fcb30e17ec Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 3 Sep 2020 11:00:47 +0200 +Subject: [PATCH] dma: Let dma_memory_map() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_map(). + +Patch created mechanically using spatch with this script: + + @@ + expression E1, E2, E3, E4; + @@ + - dma_memory_map(E1, E2, E3, E4) + + dma_memory_map(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED) + +Reviewed-by: Richard Henderson +Reviewed-by: Li Qiang +Reviewed-by: Edgar E. Iglesias +Signed-off-by: Philippe Mathieu-Daudé +Acked-by: Stefan Hajnoczi +Message-Id: <20211223115554.3155328-7-philmd@redhat.com> +--- + hw/display/virtio-gpu.c | 10 ++++++---- + hw/hyperv/vmbus.c | 8 +++++--- + hw/ide/ahci.c | 8 +++++--- + hw/usb/libhw.c | 3 ++- + hw/virtio/virtio.c | 6 ++++-- + include/hw/pci/pci.h | 3 ++- + include/sysemu/dma.h | 5 +++-- + softmmu/dma-helpers.c | 3 ++- + 8 files changed, 29 insertions(+), 17 deletions(-) + +diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c +index d78b9700c7d..c6dc818988c 100644 +--- a/hw/display/virtio-gpu.c ++++ b/hw/display/virtio-gpu.c +@@ -814,8 +814,9 @@ int virtio_gpu_create_mapping_iov(VirtIOGPU *g, + + do { + len = l; +- map = dma_memory_map(VIRTIO_DEVICE(g)->dma_as, +- a, &len, DMA_DIRECTION_TO_DEVICE); ++ map = dma_memory_map(VIRTIO_DEVICE(g)->dma_as, a, &len, ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + if (!map) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to map MMIO memory for" + " element %d\n", __func__, e); +@@ -1252,8 +1253,9 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size, + for (i = 0; i < res->iov_cnt; i++) { + hwaddr len = res->iov[i].iov_len; + res->iov[i].iov_base = +- dma_memory_map(VIRTIO_DEVICE(g)->dma_as, +- res->addrs[i], &len, DMA_DIRECTION_TO_DEVICE); ++ dma_memory_map(VIRTIO_DEVICE(g)->dma_as, res->addrs[i], &len, ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + + if (!res->iov[i].iov_base || len != res->iov[i].iov_len) { + /* Clean up the half-a-mapping we just created... */ +diff --git a/hw/hyperv/vmbus.c b/hw/hyperv/vmbus.c +index dbce3b35fba..8aad29f1bb2 100644 +--- a/hw/hyperv/vmbus.c ++++ b/hw/hyperv/vmbus.c +@@ -373,7 +373,8 @@ static ssize_t gpadl_iter_io(GpadlIter *iter, void *buf, uint32_t len) + + maddr = (iter->gpadl->gfns[idx] << TARGET_PAGE_BITS) | off_in_page; + +- iter->map = dma_memory_map(iter->as, maddr, &mlen, iter->dir); ++ iter->map = dma_memory_map(iter->as, maddr, &mlen, iter->dir, ++ MEMTXATTRS_UNSPECIFIED); + if (mlen != pgleft) { + dma_memory_unmap(iter->as, iter->map, mlen, iter->dir, 0); + iter->map = NULL; +@@ -490,7 +491,8 @@ int vmbus_map_sgl(VMBusChanReq *req, DMADirection dir, struct iovec *iov, + goto err; + } + +- iov[ret_cnt].iov_base = dma_memory_map(sgl->as, a, &l, dir); ++ iov[ret_cnt].iov_base = dma_memory_map(sgl->as, a, &l, dir, ++ MEMTXATTRS_UNSPECIFIED); + if (!l) { + ret = -EFAULT; + goto err; +@@ -566,7 +568,7 @@ static vmbus_ring_buffer *ringbuf_map_hdr(VMBusRingBufCommon *ringbuf) + dma_addr_t mlen = sizeof(*rb); + + rb = dma_memory_map(ringbuf->as, ringbuf->rb_addr, &mlen, +- DMA_DIRECTION_FROM_DEVICE); ++ DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); + if (mlen != sizeof(*rb)) { + dma_memory_unmap(ringbuf->as, rb, mlen, + DMA_DIRECTION_FROM_DEVICE, 0); +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c +index a94c6e26fb0..8e77ddb660f 100644 +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -249,7 +249,8 @@ static void map_page(AddressSpace *as, uint8_t **ptr, uint64_t addr, + dma_memory_unmap(as, *ptr, len, DMA_DIRECTION_FROM_DEVICE, len); + } + +- *ptr = dma_memory_map(as, addr, &len, DMA_DIRECTION_FROM_DEVICE); ++ *ptr = dma_memory_map(as, addr, &len, DMA_DIRECTION_FROM_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + if (len < wanted && *ptr) { + dma_memory_unmap(as, *ptr, len, DMA_DIRECTION_FROM_DEVICE, len); + *ptr = NULL; +@@ -939,7 +940,8 @@ static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist, + + /* map PRDT */ + if (!(prdt = dma_memory_map(ad->hba->as, prdt_addr, &prdt_len, +- DMA_DIRECTION_TO_DEVICE))){ ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED))){ + trace_ahci_populate_sglist_no_map(ad->hba, ad->port_no); + return -1; + } +@@ -1301,7 +1303,7 @@ static int handle_cmd(AHCIState *s, int port, uint8_t slot) + tbl_addr = le64_to_cpu(cmd->tbl_addr); + cmd_len = 0x80; + cmd_fis = dma_memory_map(s->as, tbl_addr, &cmd_len, +- DMA_DIRECTION_TO_DEVICE); ++ DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED); + if (!cmd_fis) { + trace_handle_cmd_badfis(s, port); + return -1; +diff --git a/hw/usb/libhw.c b/hw/usb/libhw.c +index 9c33a1640f7..f350eae443d 100644 +--- a/hw/usb/libhw.c ++++ b/hw/usb/libhw.c +@@ -36,7 +36,8 @@ int usb_packet_map(USBPacket *p, QEMUSGList *sgl) + + while (len) { + dma_addr_t xlen = len; +- mem = dma_memory_map(sgl->as, base, &xlen, dir); ++ mem = dma_memory_map(sgl->as, base, &xlen, dir, ++ MEMTXATTRS_UNSPECIFIED); + if (!mem) { + goto err; + } +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index ea7c079fb04..e11a8a0dbab 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -1306,7 +1306,8 @@ static bool virtqueue_map_desc(VirtIODevice *vdev, unsigned int *p_num_sg, + iov[num_sg].iov_base = dma_memory_map(vdev->dma_as, pa, &len, + is_write ? + DMA_DIRECTION_FROM_DEVICE : +- DMA_DIRECTION_TO_DEVICE); ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + if (!iov[num_sg].iov_base) { + virtio_error(vdev, "virtio: bogus descriptor or out of resources"); + goto out; +@@ -1355,7 +1356,8 @@ static void virtqueue_map_iovec(VirtIODevice *vdev, struct iovec *sg, + sg[i].iov_base = dma_memory_map(vdev->dma_as, + addr[i], &len, is_write ? + DMA_DIRECTION_FROM_DEVICE : +- DMA_DIRECTION_TO_DEVICE); ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + if (!sg[i].iov_base) { + error_report("virtio: error trying to map MMIO memory"); + exit(1); +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 4383f1c95e0..1acefc2a4c3 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -875,7 +875,8 @@ static inline void *pci_dma_map(PCIDevice *dev, dma_addr_t addr, + { + void *buf; + +- buf = dma_memory_map(pci_get_address_space(dev), addr, plen, dir); ++ buf = dma_memory_map(pci_get_address_space(dev), addr, plen, dir, ++ MEMTXATTRS_UNSPECIFIED); + return buf; + } + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 522682bf386..97ff6f29f8c 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -202,16 +202,17 @@ MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr, + * @addr: address within that address space + * @len: pointer to length of buffer; updated on return + * @dir: indicates the transfer direction ++ * @attrs: memory attributes + */ + static inline void *dma_memory_map(AddressSpace *as, + dma_addr_t addr, dma_addr_t *len, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + hwaddr xlen = *len; + void *p; + + p = address_space_map(as, addr, &xlen, dir == DMA_DIRECTION_FROM_DEVICE, +- MEMTXATTRS_UNSPECIFIED); ++ attrs); + *len = xlen; + return p; + } +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 5bf76fff6bd..3c06a2feddd 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -143,7 +143,8 @@ static void dma_blk_cb(void *opaque, int ret) + while (dbs->sg_cur_index < dbs->sg->nsg) { + cur_addr = dbs->sg->sg[dbs->sg_cur_index].base + dbs->sg_cur_byte; + cur_len = dbs->sg->sg[dbs->sg_cur_index].len - dbs->sg_cur_byte; +- mem = dma_memory_map(dbs->sg->as, cur_addr, &cur_len, dbs->dir); ++ mem = dma_memory_map(dbs->sg->as, cur_addr, &cur_len, dbs->dir, ++ MEMTXATTRS_UNSPECIFIED); + /* + * Make reads deterministic in icount mode. Windows sometimes issues + * disk read requests with overlapping SGs. It leads +-- +GitLab + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-08.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-08.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-08.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-08.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,38 @@ +From c0ee1527358474c75067993d1bb233ad3a4ee081 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 16 Dec 2021 11:24:56 +0100 +Subject: [PATCH] dma: Have dma_buf_rw() take a void pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +DMA operations are run on any kind of buffer, not arrays of +uint8_t. Convert dma_buf_rw() to take a void pointer argument +to save us pointless casts to uint8_t *. + +Reviewed-by: Klaus Jensen +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-8-philmd@redhat.com> +--- + softmmu/dma-helpers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 3c06a2feddd..09e29997ee5 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -294,9 +294,10 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk, + } + + +-static uint64_t dma_buf_rw(uint8_t *ptr, int32_t len, QEMUSGList *sg, ++static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + DMADirection dir) + { ++ uint8_t *ptr = buf; + uint64_t resid; + int sg_cur_index; + +-- +GitLab + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-09.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-09.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-09.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-09.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,155 @@ +From 5e468a36dcdd8fd5eb04282842b72967a29875e4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 16 Dec 2021 11:27:23 +0100 +Subject: [PATCH] dma: Have dma_buf_read() / dma_buf_write() take a void + pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +DMA operations are run on any kind of buffer, not arrays of +uint8_t. Convert dma_buf_read/dma_buf_write functions to take +a void pointer argument and save us pointless casts to uint8_t *. + +Remove this pointless casts in the megasas device model. + +Reviewed-by: Klaus Jensen +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-9-philmd@redhat.com> +--- + hw/scsi/megasas.c | 22 +++++++++++----------- + include/sysemu/dma.h | 4 ++-- + softmmu/dma-helpers.c | 4 ++-- + 3 files changed, 15 insertions(+), 15 deletions(-) + +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -847,7 +847,7 @@ static int megasas_ctrl_get_info(Megasas + MFI_INFO_PDMIX_SATA | + MFI_INFO_PDMIX_LD); + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -877,7 +877,7 @@ static int megasas_mfc_get_defaults(Mega + info.disable_preboot_cli = 1; + info.cluster_disable = 1; + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -898,7 +898,7 @@ static int megasas_dcmd_get_bios_info(Me + info.expose_all_drives = 1; + } + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -909,7 +909,7 @@ static int megasas_dcmd_get_fw_time(Mega + + fw_time = cpu_to_le64(megasas_fw_time()); + +- cmd->iov_size -= dma_buf_read((uint8_t *)&fw_time, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -936,7 +936,7 @@ static int megasas_event_info(MegasasSta + info.shutdown_seq_num = cpu_to_le32(s->shutdown_event); + info.boot_seq_num = cpu_to_le32(s->boot_event); + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -1005,7 +1005,7 @@ static int megasas_dcmd_pd_get_list(Mega + info.size = cpu_to_le32(offset); + info.count = cpu_to_le32(num_pd_disks); + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, offset, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -1171,7 +1171,7 @@ static int megasas_dcmd_ld_get_list(Mega + info.ld_count = cpu_to_le32(num_ld_disks); + trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks); + +- resid = dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg); + cmd->iov_size = dcmd_size - resid; + return MFI_STAT_OK; + } +@@ -1220,7 +1220,7 @@ static int megasas_dcmd_ld_list_query(Me + info.size = dcmd_size; + trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks); + +- resid = dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg); + cmd->iov_size = dcmd_size - resid; + return MFI_STAT_OK; + } +@@ -1389,7 +1389,7 @@ static int megasas_dcmd_cfg_read(Megasas + ld_offset += sizeof(struct mfi_ld_config); + } + +- cmd->iov_size -= dma_buf_read((uint8_t *)data, info->size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -1419,7 +1419,7 @@ static int megasas_dcmd_get_properties(M + info.ecc_bucket_leak_rate = cpu_to_le16(1440); + info.expose_encl_devices = 1; + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -1464,7 +1464,7 @@ static int megasas_dcmd_set_properties(M + dcmd_size); + return MFI_STAT_INVALID_PARAMETER; + } +- dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ dma_buf_write(&info, dcmd_size, &cmd->qsg); + trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size); + return MFI_STAT_OK; + } +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -302,8 +302,8 @@ BlockAIOCB *dma_blk_read(BlockBackend *b + BlockAIOCB *dma_blk_write(BlockBackend *blk, + QEMUSGList *sg, uint64_t offset, uint32_t align, + BlockCompletionFunc *cb, void *opaque); +-uint64_t dma_buf_read(uint8_t *ptr, int32_t len, QEMUSGList *sg); +-uint64_t dma_buf_write(uint8_t *ptr, int32_t len, QEMUSGList *sg); ++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg); ++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg); + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, + QEMUSGList *sg, enum BlockAcctType type); +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -317,12 +317,12 @@ static uint64_t dma_buf_rw(void *buf, in + return resid; + } + +-uint64_t dma_buf_read(uint8_t *ptr, int32_t len, QEMUSGList *sg) ++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg) + { + return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE); + } + +-uint64_t dma_buf_write(uint8_t *ptr, int32_t len, QEMUSGList *sg) ++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg) + { + return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE); + } diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-10.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-10.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-10.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-10.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,88 @@ +From e2d784b67dc724a9b0854b49255ba0ee8ca46543 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 22:18:19 +0100 +Subject: [PATCH] pci: Let pci_dma_rw() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling pci_dma_rw(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +Reviewed-by: Klaus Jensen +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-10-philmd@redhat.com> +--- + hw/audio/intel-hda.c | 3 ++- + hw/scsi/esp-pci.c | 2 +- + include/hw/pci/pci.h | 10 ++++++---- + 3 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index 8ce9df64e3e..fb3d34a4a0c 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -427,7 +427,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, + dprint(d, 3, "dma: entry %d, pos %d/%d, copy %d\n", + st->be, st->bp, st->bpl[st->be].len, copy); + +- pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output); ++ pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output, ++ MEMTXATTRS_UNSPECIFIED); + st->lpib += copy; + st->bp += copy; + buf += copy; +diff --git a/hw/scsi/esp-pci.c b/hw/scsi/esp-pci.c +index dac054aeed4..1792f84cea6 100644 +--- a/hw/scsi/esp-pci.c ++++ b/hw/scsi/esp-pci.c +@@ -280,7 +280,7 @@ static void esp_pci_dma_memory_rw(PCIESPState *pci, uint8_t *buf, int len, + len = pci->dma_regs[DMA_WBC]; + } + +- pci_dma_rw(PCI_DEVICE(pci), addr, buf, len, dir); ++ pci_dma_rw(PCI_DEVICE(pci), addr, buf, len, dir, MEMTXATTRS_UNSPECIFIED); + + /* update status registers */ + pci->dma_regs[DMA_WBC] -= len; +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 1acefc2a4c3..a751ab5a75d 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -806,10 +806,10 @@ static inline AddressSpace *pci_get_address_space(PCIDevice *dev) + */ + static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr, + void *buf, dma_addr_t len, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + return dma_memory_rw(pci_get_address_space(dev), addr, buf, len, +- dir, MEMTXATTRS_UNSPECIFIED); ++ dir, attrs); + } + + /** +@@ -827,7 +827,8 @@ static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr, + static inline MemTxResult pci_dma_read(PCIDevice *dev, dma_addr_t addr, + void *buf, dma_addr_t len) + { +- return pci_dma_rw(dev, addr, buf, len, DMA_DIRECTION_TO_DEVICE); ++ return pci_dma_rw(dev, addr, buf, len, ++ DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + + /** +@@ -845,7 +846,8 @@ static inline MemTxResult pci_dma_read(PCIDevice *dev, dma_addr_t addr, + static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + const void *buf, dma_addr_t len) + { +- return pci_dma_rw(dev, addr, (void *) buf, len, DMA_DIRECTION_FROM_DEVICE); ++ return pci_dma_rw(dev, addr, (void *) buf, len, ++ DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + + #define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \ +-- +GitLab + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-11.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-11.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-11.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-11.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,62 @@ +From 959384e74e1b508acc3af6e806b3d7b87335fc2a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 22:59:46 +0100 +Subject: [PATCH] dma: Let dma_buf_rw() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling dma_buf_rw(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the 2 callers. + +Reviewed-by: Klaus Jensen +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-11-philmd@redhat.com> +--- + softmmu/dma-helpers.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 7f37548394e..fa81d2b386c 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -295,7 +295,7 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk, + + + static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + uint8_t *ptr = buf; + uint64_t resid; +@@ -307,8 +307,7 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + while (len > 0) { + ScatterGatherEntry entry = sg->sg[sg_cur_index++]; + int32_t xfer = MIN(len, entry.len); +- dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, +- MEMTXATTRS_UNSPECIFIED); ++ dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs); + ptr += xfer; + len -= xfer; + resid -= xfer; +@@ -319,12 +318,14 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + + uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE); ++ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + } + + uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE); ++ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + } + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, +-- +GitLab + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-12.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-12.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-12.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-12.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,111 @@ +From 392e48af3468d7f8e49db33fdc9e28b5f99276ce Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 23:02:21 +0100 +Subject: [PATCH] dma: Let dma_buf_write() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_buf_write(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +Reviewed-by: Klaus Jensen +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-12-philmd@redhat.com> +--- + hw/ide/ahci.c | 6 ++++-- + hw/nvme/ctrl.c | 3 ++- + hw/scsi/megasas.c | 2 +- + hw/scsi/scsi-bus.c | 2 +- + include/sysemu/dma.h | 2 +- + softmmu/dma-helpers.c | 5 ++--- + 6 files changed, 11 insertions(+), 9 deletions(-) + +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -1381,8 +1381,10 @@ static void ahci_pio_transfer(const IDED + has_sglist ? "" : "o"); + + if (has_sglist && size) { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ + if (is_write) { +- dma_buf_write(s->data_ptr, size, &s->sg); ++ dma_buf_write(s->data_ptr, size, &s->sg, attrs); + } else { + dma_buf_read(s->data_ptr, size, &s->sg); + } +@@ -1479,7 +1481,7 @@ static int ahci_dma_rw_buf(const IDEDMA + if (is_write) { + dma_buf_read(p, l, &s->sg); + } else { +- dma_buf_write(p, l, &s->sg); ++ dma_buf_write(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED); + } + + /* free sglist, update byte count */ +--- a/hw/nvme/ctrl.c ++++ b/hw/nvme/ctrl.c +@@ -1168,10 +1168,11 @@ static uint16_t nvme_tx(NvmeCtrl *n, Nvm + assert(sg->flags & NVME_SG_ALLOC); + + if (sg->flags & NVME_SG_DMA) { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + uint64_t residual; + + if (dir == NVME_TX_DIRECTION_TO_DEVICE) { +- residual = dma_buf_write(ptr, len, &sg->qsg); ++ residual = dma_buf_write(ptr, len, &sg->qsg, attrs); + } else { + residual = dma_buf_read(ptr, len, &sg->qsg); + } +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -1464,7 +1464,7 @@ static int megasas_dcmd_set_properties(M + dcmd_size); + return MFI_STAT_INVALID_PARAMETER; + } +- dma_buf_write(&info, dcmd_size, &cmd->qsg); ++ dma_buf_write(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size); + return MFI_STAT_OK; + } +--- a/hw/scsi/scsi-bus.c ++++ b/hw/scsi/scsi-bus.c +@@ -1423,7 +1423,7 @@ void scsi_req_data(SCSIRequest *req, int + if (req->cmd.mode == SCSI_XFER_FROM_DEV) { + req->resid = dma_buf_read(buf, len, req->sg); + } else { +- req->resid = dma_buf_write(buf, len, req->sg); ++ req->resid = dma_buf_write(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED); + } + scsi_req_continue(req); + } +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -303,7 +303,7 @@ BlockAIOCB *dma_blk_write(BlockBackend * + QEMUSGList *sg, uint64_t offset, uint32_t align, + BlockCompletionFunc *cb, void *opaque); + uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg); +-uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg); ++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs); + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, + QEMUSGList *sg, enum BlockAcctType type); +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -322,10 +322,9 @@ uint64_t dma_buf_read(void *ptr, int32_t + MEMTXATTRS_UNSPECIFIED); + } + +-uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg) ++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, +- MEMTXATTRS_UNSPECIFIED); ++ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, attrs); + } + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-13.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-13.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-13.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-13.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,203 @@ +From 1e5a3f8b2a976054da96cbbb9de6cbac7c2efb79 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 23:29:52 +0100 +Subject: [PATCH] dma: Let dma_buf_read() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_buf_read(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +Reviewed-by: Klaus Jensen +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-13-philmd@redhat.com> +--- + hw/ide/ahci.c | 4 ++-- + hw/nvme/ctrl.c | 2 +- + hw/scsi/megasas.c | 24 ++++++++++++------------ + hw/scsi/scsi-bus.c | 2 +- + include/sysemu/dma.h | 2 +- + softmmu/dma-helpers.c | 5 ++--- + 6 files changed, 19 insertions(+), 20 deletions(-) + +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -1386,7 +1386,7 @@ static void ahci_pio_transfer(const IDED + if (is_write) { + dma_buf_write(s->data_ptr, size, &s->sg, attrs); + } else { +- dma_buf_read(s->data_ptr, size, &s->sg); ++ dma_buf_read(s->data_ptr, size, &s->sg, attrs); + } + } + +@@ -1479,7 +1479,7 @@ static int ahci_dma_rw_buf(const IDEDMA + } + + if (is_write) { +- dma_buf_read(p, l, &s->sg); ++ dma_buf_read(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED); + } else { + dma_buf_write(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED); + } +--- a/hw/nvme/ctrl.c ++++ b/hw/nvme/ctrl.c +@@ -1174,7 +1174,7 @@ static uint16_t nvme_tx(NvmeCtrl *n, Nvm + if (dir == NVME_TX_DIRECTION_TO_DEVICE) { + residual = dma_buf_write(ptr, len, &sg->qsg, attrs); + } else { +- residual = dma_buf_read(ptr, len, &sg->qsg); ++ residual = dma_buf_read(ptr, len, &sg->qsg, attrs); + } + + if (unlikely(residual)) { +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -847,7 +847,7 @@ static int megasas_ctrl_get_info(Megasas + MFI_INFO_PDMIX_SATA | + MFI_INFO_PDMIX_LD); + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -877,7 +877,7 @@ static int megasas_mfc_get_defaults(Mega + info.disable_preboot_cli = 1; + info.cluster_disable = 1; + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -898,7 +898,7 @@ static int megasas_dcmd_get_bios_info(Me + info.expose_all_drives = 1; + } + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -909,7 +909,7 @@ static int megasas_dcmd_get_fw_time(Mega + + fw_time = cpu_to_le64(megasas_fw_time()); + +- cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -936,7 +936,7 @@ static int megasas_event_info(MegasasSta + info.shutdown_seq_num = cpu_to_le32(s->shutdown_event); + info.boot_seq_num = cpu_to_le32(s->boot_event); + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -1005,7 +1005,7 @@ static int megasas_dcmd_pd_get_list(Mega + info.size = cpu_to_le32(offset); + info.count = cpu_to_le32(num_pd_disks); + +- cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -1099,7 +1099,7 @@ static int megasas_pd_get_info_submit(SC + info->connected_port_bitmap = 0x1; + info->device_speed = 1; + info->link_speed = 1; +- resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + g_free(cmd->iov_buf); + cmd->iov_size = dcmd_size - resid; + cmd->iov_buf = NULL; +@@ -1171,7 +1171,7 @@ static int megasas_dcmd_ld_get_list(Mega + info.ld_count = cpu_to_le32(num_ld_disks); + trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks); + +- resid = dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + cmd->iov_size = dcmd_size - resid; + return MFI_STAT_OK; + } +@@ -1220,7 +1220,7 @@ static int megasas_dcmd_ld_list_query(Me + info.size = dcmd_size; + trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks); + +- resid = dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + cmd->iov_size = dcmd_size - resid; + return MFI_STAT_OK; + } +@@ -1270,7 +1270,7 @@ static int megasas_ld_get_info_submit(SC + info->ld_config.span[0].num_blocks = info->size; + info->ld_config.span[0].array_ref = cpu_to_le16(sdev_id); + +- resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + g_free(cmd->iov_buf); + cmd->iov_size = dcmd_size - resid; + cmd->iov_buf = NULL; +@@ -1389,7 +1389,7 @@ static int megasas_dcmd_cfg_read(Megasas + ld_offset += sizeof(struct mfi_ld_config); + } + +- cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -1419,7 +1419,7 @@ static int megasas_dcmd_get_properties(M + info.ecc_bucket_leak_rate = cpu_to_le16(1440); + info.expose_encl_devices = 1; + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +--- a/hw/scsi/scsi-bus.c ++++ b/hw/scsi/scsi-bus.c +@@ -1421,7 +1421,7 @@ void scsi_req_data(SCSIRequest *req, int + + buf = scsi_req_get_buf(req); + if (req->cmd.mode == SCSI_XFER_FROM_DEV) { +- req->resid = dma_buf_read(buf, len, req->sg); ++ req->resid = dma_buf_read(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED); + } else { + req->resid = dma_buf_write(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED); + } +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -302,7 +302,7 @@ BlockAIOCB *dma_blk_read(BlockBackend *b + BlockAIOCB *dma_blk_write(BlockBackend *blk, + QEMUSGList *sg, uint64_t offset, uint32_t align, + BlockCompletionFunc *cb, void *opaque); +-uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg); ++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs); + uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs); + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -316,10 +316,9 @@ static uint64_t dma_buf_rw(void *buf, in + return resid; + } + +-uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg) ++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, +- MEMTXATTRS_UNSPECIFIED); ++ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, attrs); + } + + uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-14.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-14.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-14.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-14.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,87 @@ +From 292e13142d277c15bdd68331abc607e46628b7e1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 15 Dec 2021 23:38:52 +0100 +Subject: [PATCH] dma: Let dma_buf_rw() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +dma_memory_rw() returns a MemTxResult type. Do not discard +it, return it to the caller. + +Since dma_buf_rw() was previously returning the QEMUSGList +size not consumed, add an extra argument where this size +can be stored. + +Update the 2 callers. + +Reviewed-by: Klaus Jensen +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-14-philmd@redhat.com> +--- + softmmu/dma-helpers.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index a391773c296..b0be1564797 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -294,12 +294,14 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk, + } + + +-static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, +- DMADirection dir, MemTxAttrs attrs) ++static MemTxResult dma_buf_rw(void *buf, int32_t len, uint64_t *residp, ++ QEMUSGList *sg, DMADirection dir, ++ MemTxAttrs attrs) + { + uint8_t *ptr = buf; + uint64_t resid; + int sg_cur_index; ++ MemTxResult res = MEMTX_OK; + + resid = sg->size; + sg_cur_index = 0; +@@ -307,23 +309,34 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + while (len > 0) { + ScatterGatherEntry entry = sg->sg[sg_cur_index++]; + int32_t xfer = MIN(len, entry.len); +- dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs); ++ res |= dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs); + ptr += xfer; + len -= xfer; + resid -= xfer; + } + +- return resid; ++ if (residp) { ++ *residp = resid; ++ } ++ return res; + } + + uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, attrs); ++ uint64_t resid; ++ ++ dma_buf_rw(ptr, len, &resid, sg, DMA_DIRECTION_FROM_DEVICE, attrs); ++ ++ return resid; + } + + uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, attrs); ++ uint64_t resid; ++ ++ dma_buf_rw(ptr, len, &resid, sg, DMA_DIRECTION_TO_DEVICE, attrs); ++ ++ return resid; + } + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, +-- +GitLab + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-15.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-15.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-15.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-15.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,116 @@ +From 2280c27afc65bb2af95dd44a88e3b7117bfe240a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 23:53:34 +0100 +Subject: [PATCH] dma: Let st*_dma() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling st*_dma(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +Reviewed-by: Richard Henderson +Reviewed-by: Cédric Le Goater +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-16-philmd@redhat.com> +--- + hw/nvram/fw_cfg.c | 4 ++-- + include/hw/pci/pci.h | 3 ++- + include/hw/ppc/spapr_vio.h | 12 ++++++++---- + include/sysemu/dma.h | 10 ++++++---- + 4 files changed, 18 insertions(+), 11 deletions(-) + +diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c +index 9b91b15cb08..e5f3c981841 100644 +--- a/hw/nvram/fw_cfg.c ++++ b/hw/nvram/fw_cfg.c +@@ -360,7 +360,7 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + if (dma_memory_read(s->dma_as, dma_addr, + &dma, sizeof(dma), MEMTXATTRS_UNSPECIFIED)) { + stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control), +- FW_CFG_DMA_CTL_ERROR); ++ FW_CFG_DMA_CTL_ERROR, MEMTXATTRS_UNSPECIFIED); + return; + } + +@@ -446,7 +446,7 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + } + + stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control), +- dma.control); ++ dma.control, MEMTXATTRS_UNSPECIFIED); + + trace_fw_cfg_read(s, 0); + } +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index a751ab5a75d..d07e9707b48 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -859,7 +859,8 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + static inline void st##_s##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr, uint##_bits##_t val) \ + { \ +- st##_s##_dma(pci_get_address_space(dev), addr, val); \ ++ st##_s##_dma(pci_get_address_space(dev), addr, val, \ ++ MEMTXATTRS_UNSPECIFIED); \ + } + + PCI_DMA_DEFINE_LDST(ub, b, 8); +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index 5d2ea8e6656..e87f8e6f596 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -118,10 +118,14 @@ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr, + H_DEST_PARM : H_SUCCESS; + } + +-#define vio_stb(_dev, _addr, _val) (stb_dma(&(_dev)->as, (_addr), (_val))) +-#define vio_sth(_dev, _addr, _val) (stw_be_dma(&(_dev)->as, (_addr), (_val))) +-#define vio_stl(_dev, _addr, _val) (stl_be_dma(&(_dev)->as, (_addr), (_val))) +-#define vio_stq(_dev, _addr, _val) (stq_be_dma(&(_dev)->as, (_addr), (_val))) ++#define vio_stb(_dev, _addr, _val) \ ++ (stb_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) ++#define vio_sth(_dev, _addr, _val) \ ++ (stw_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) ++#define vio_stl(_dev, _addr, _val) \ ++ (stl_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) ++#define vio_stq(_dev, _addr, _val) \ ++ (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) + #define vio_ldq(_dev, _addr) (ldq_be_dma(&(_dev)->as, (_addr))) + + int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq); +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index fd8f16003dd..009dd3ca960 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -249,10 +249,11 @@ static inline void dma_memory_unmap(AddressSpace *as, + } \ + static inline void st##_sname##_##_end##_dma(AddressSpace *as, \ + dma_addr_t addr, \ +- uint##_bits##_t val) \ ++ uint##_bits##_t val, \ ++ MemTxAttrs attrs) \ + { \ + val = cpu_to_##_end##_bits(val); \ +- dma_memory_write(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \ ++ dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ + } + + static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr) +@@ -263,9 +264,10 @@ static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr) + return val; + } + +-static inline void stb_dma(AddressSpace *as, dma_addr_t addr, uint8_t val) ++static inline void stb_dma(AddressSpace *as, dma_addr_t addr, ++ uint8_t val, MemTxAttrs attrs) + { +- dma_memory_write(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED); ++ dma_memory_write(as, addr, &val, 1, attrs); + } + + DEFINE_LDST_DMA(uw, w, 16, le); +-- +GitLab + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-16.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-16.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-16.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-16.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,134 @@ +From 34cdea1db600540a5261dc474e986f28b637c8e6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 22:18:07 +0100 +Subject: [PATCH] dma: Let ld*_dma() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling ld*_dma(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +Reviewed-by: Richard Henderson +Reviewed-by: Cédric Le Goater +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-17-philmd@redhat.com> +--- + hw/intc/pnv_xive.c | 7 ++++--- + hw/usb/hcd-xhci.c | 6 +++--- + include/hw/pci/pci.h | 3 ++- + include/hw/ppc/spapr_vio.h | 3 ++- + include/sysemu/dma.h | 11 ++++++----- + 5 files changed, 17 insertions(+), 13 deletions(-) + +--- a/hw/intc/pnv_xive.c ++++ b/hw/intc/pnv_xive.c +@@ -172,7 +172,7 @@ static uint64_t pnv_xive_vst_addr_indire + + /* Get the page size of the indirect table. */ + vsd_addr = vsd & VSD_ADDRESS_MASK; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr); ++ vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +@@ -195,7 +195,8 @@ static uint64_t pnv_xive_vst_addr_indire + /* Load the VSD we are looking for, if not already done */ + if (vsd_idx) { + vsd_addr = vsd_addr + vsd_idx * XIVE_VSD_SIZE; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr); ++ vsd = ldq_be_dma(&address_space_memory, vsd_addr, ++ MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +@@ -542,7 +543,7 @@ static uint64_t pnv_xive_vst_per_subpage + + /* Get the page size of the indirect table. */ + vsd_addr = vsd & VSD_ADDRESS_MASK; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr); ++ vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -2076,7 +2076,7 @@ static TRBCCode xhci_address_slot(XHCISt + assert(slotid >= 1 && slotid <= xhci->numslots); + + dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high); +- poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid); ++ poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid, MEMTXATTRS_UNSPECIFIED); + ictx = xhci_mask64(pictx); + octx = xhci_mask64(poctx); + +@@ -3451,8 +3451,8 @@ static int usb_xhci_post_load(void *opaq + if (!slot->addressed) { + continue; + } +- slot->ctx = +- xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid)); ++ slot->ctx = xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid, ++ MEMTXATTRS_UNSPECIFIED)); + xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx)); + slot->uport = xhci_lookup_uport(xhci, slot_ctx); + if (!slot->uport) { +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -854,7 +854,8 @@ static inline MemTxResult pci_dma_write( + static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr) \ + { \ +- return ld##_l##_dma(pci_get_address_space(dev), addr); \ ++ return ld##_l##_dma(pci_get_address_space(dev), addr, \ ++ MEMTXATTRS_UNSPECIFIED); \ + } \ + static inline void st##_s##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr, uint##_bits##_t val) \ +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -126,7 +126,8 @@ static inline int spapr_vio_dma_set(Spap + (stl_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) + #define vio_stq(_dev, _addr, _val) \ + (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) +-#define vio_ldq(_dev, _addr) (ldq_be_dma(&(_dev)->as, (_addr))) ++#define vio_ldq(_dev, _addr) \ ++ (ldq_be_dma(&(_dev)->as, (_addr), MEMTXATTRS_UNSPECIFIED)) + + int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq); + +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -241,10 +241,11 @@ static inline void dma_memory_unmap(Addr + + #define DEFINE_LDST_DMA(_lname, _sname, _bits, _end) \ + static inline uint##_bits##_t ld##_lname##_##_end##_dma(AddressSpace *as, \ +- dma_addr_t addr) \ ++ dma_addr_t addr, \ ++ MemTxAttrs attrs) \ + { \ + uint##_bits##_t val; \ +- dma_memory_read(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \ ++ dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \ + return _end##_bits##_to_cpu(val); \ + } \ + static inline void st##_sname##_##_end##_dma(AddressSpace *as, \ +@@ -253,14 +254,14 @@ static inline void dma_memory_unmap(Addr + MemTxAttrs attrs) \ + { \ + val = cpu_to_##_end##_bits(val); \ +- dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ ++ dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ + } + +-static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr) ++static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs) + { + uint8_t val; + +- dma_memory_read(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED); ++ dma_memory_read(as, addr, &val, 1, attrs); + return val; + } + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-17.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-17.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-17.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-17.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,61 @@ +From 24aed6bcb6b6d266149591f955c2460c28759eb4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 23:56:14 +0100 +Subject: [PATCH] dma: Let st*_dma() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +dma_memory_write() returns a MemTxResult type. Do not discard +it, return it to the caller. + +Reviewed-by: Richard Henderson +Reviewed-by: Cédric Le Goater +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-18-philmd@redhat.com> +--- + include/sysemu/dma.h | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index d1635f55870..895044d747f 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -248,13 +248,13 @@ static inline void dma_memory_unmap(AddressSpace *as, + dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \ + return _end##_bits##_to_cpu(val); \ + } \ +- static inline void st##_sname##_##_end##_dma(AddressSpace *as, \ +- dma_addr_t addr, \ +- uint##_bits##_t val, \ +- MemTxAttrs attrs) \ +- { \ +- val = cpu_to_##_end##_bits(val); \ +- dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ ++ static inline MemTxResult st##_sname##_##_end##_dma(AddressSpace *as, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t val, \ ++ MemTxAttrs attrs) \ ++ { \ ++ val = cpu_to_##_end##_bits(val); \ ++ return dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ + } + + static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs) +@@ -265,10 +265,10 @@ static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs att + return val; + } + +-static inline void stb_dma(AddressSpace *as, dma_addr_t addr, +- uint8_t val, MemTxAttrs attrs) ++static inline MemTxResult stb_dma(AddressSpace *as, dma_addr_t addr, ++ uint8_t val, MemTxAttrs attrs) + { +- dma_memory_write(as, addr, &val, 1, attrs); ++ return dma_memory_write(as, addr, &val, 1, attrs); + } + + DEFINE_LDST_DMA(uw, w, 16, le); +-- +GitLab + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-18.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-18.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-18.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-18.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,158 @@ +From cd1db8df7431edd2210ed0123e2e09b9b6d1e621 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 22:31:11 +0100 +Subject: [PATCH] dma: Let ld*_dma() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +dma_memory_read() returns a MemTxResult type. Do not discard +it, return it to the caller. + +Update the few callers. + +Reviewed-by: Richard Henderson +Reviewed-by: Cédric Le Goater +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-19-philmd@redhat.com> +--- + hw/intc/pnv_xive.c | 8 ++++---- + hw/usb/hcd-xhci.c | 7 ++++--- + include/hw/pci/pci.h | 6 ++++-- + include/hw/ppc/spapr_vio.h | 6 +++++- + include/sysemu/dma.h | 25 ++++++++++++------------- + 5 files changed, 29 insertions(+), 23 deletions(-) + +--- a/hw/intc/pnv_xive.c ++++ b/hw/intc/pnv_xive.c +@@ -172,7 +172,7 @@ static uint64_t pnv_xive_vst_addr_indire + + /* Get the page size of the indirect table. */ + vsd_addr = vsd & VSD_ADDRESS_MASK; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); ++ ldq_be_dma(&address_space_memory, vsd_addr, &vsd, MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +@@ -195,8 +195,8 @@ static uint64_t pnv_xive_vst_addr_indire + /* Load the VSD we are looking for, if not already done */ + if (vsd_idx) { + vsd_addr = vsd_addr + vsd_idx * XIVE_VSD_SIZE; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr, +- MEMTXATTRS_UNSPECIFIED); ++ ldq_be_dma(&address_space_memory, vsd_addr, &vsd, ++ MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +@@ -543,7 +543,7 @@ static uint64_t pnv_xive_vst_per_subpage + + /* Get the page size of the indirect table. */ + vsd_addr = vsd & VSD_ADDRESS_MASK; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); ++ ldq_be_dma(&address_space_memory, vsd_addr, &vsd, MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -2076,7 +2076,7 @@ static TRBCCode xhci_address_slot(XHCISt + assert(slotid >= 1 && slotid <= xhci->numslots); + + dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high); +- poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid, MEMTXATTRS_UNSPECIFIED); ++ ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &poctx, MEMTXATTRS_UNSPECIFIED); + ictx = xhci_mask64(pictx); + octx = xhci_mask64(poctx); + +@@ -3443,6 +3443,7 @@ static int usb_xhci_post_load(void *opaq + uint32_t slot_ctx[4]; + uint32_t ep_ctx[5]; + int slotid, epid, state; ++ uint64_t addr; + + dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high); + +@@ -3451,8 +3452,8 @@ static int usb_xhci_post_load(void *opaq + if (!slot->addressed) { + continue; + } +- slot->ctx = xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid, +- MEMTXATTRS_UNSPECIFIED)); ++ ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &addr, MEMTXATTRS_UNSPECIFIED); ++ slot->ctx = xhci_mask64(addr); + xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx)); + slot->uport = xhci_lookup_uport(xhci, slot_ctx); + if (!slot->uport) { +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -854,8 +854,10 @@ static inline MemTxResult pci_dma_write( + static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr) \ + { \ +- return ld##_l##_dma(pci_get_address_space(dev), addr, \ +- MEMTXATTRS_UNSPECIFIED); \ ++ uint##_bits##_t val; \ ++ ld##_l##_dma(pci_get_address_space(dev), addr, &val, \ ++ MEMTXATTRS_UNSPECIFIED); \ ++ return val; \ + } \ + static inline void st##_s##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr, uint##_bits##_t val) \ +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -127,7 +127,11 @@ static inline int spapr_vio_dma_set(Spap + #define vio_stq(_dev, _addr, _val) \ + (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) + #define vio_ldq(_dev, _addr) \ +- (ldq_be_dma(&(_dev)->as, (_addr), MEMTXATTRS_UNSPECIFIED)) ++ ({ \ ++ uint64_t _val; \ ++ ldq_be_dma(&(_dev)->as, (_addr), &_val, MEMTXATTRS_UNSPECIFIED); \ ++ _val; \ ++ }) + + int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq); + +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -240,14 +240,15 @@ static inline void dma_memory_unmap(Addr + } + + #define DEFINE_LDST_DMA(_lname, _sname, _bits, _end) \ +- static inline uint##_bits##_t ld##_lname##_##_end##_dma(AddressSpace *as, \ +- dma_addr_t addr, \ +- MemTxAttrs attrs) \ +- { \ +- uint##_bits##_t val; \ +- dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \ +- return _end##_bits##_to_cpu(val); \ +- } \ ++ static inline MemTxResult ld##_lname##_##_end##_dma(AddressSpace *as, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t *pval, \ ++ MemTxAttrs attrs) \ ++ { \ ++ MemTxResult res = dma_memory_read(as, addr, pval, (_bits) / 8, attrs); \ ++ _end##_bits##_to_cpus(pval); \ ++ return res; \ ++ } \ + static inline MemTxResult st##_sname##_##_end##_dma(AddressSpace *as, \ + dma_addr_t addr, \ + uint##_bits##_t val, \ +@@ -257,12 +258,10 @@ static inline void dma_memory_unmap(Addr + return dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ + } + +-static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs) ++static inline MemTxResult ldub_dma(AddressSpace *as, dma_addr_t addr, ++ uint8_t *val, MemTxAttrs attrs) + { +- uint8_t val; +- +- dma_memory_read(as, addr, &val, 1, attrs); +- return val; ++ return dma_memory_read(as, addr, val, 1, attrs); + } + + static inline MemTxResult stb_dma(AddressSpace *as, dma_addr_t addr, diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-19.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-19.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-19.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-19.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,284 @@ +From a423a1b523296f8798a5851aaaba64dd166c0a74 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 22:39:42 +0100 +Subject: [PATCH] pci: Let st*_pci_dma() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling st*_pci_dma(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +Reviewed-by: Richard Henderson +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-21-philmd@redhat.com> +--- + hw/audio/intel-hda.c | 10 ++++++---- + hw/net/eepro100.c | 29 ++++++++++++++++++----------- + hw/net/tulip.c | 18 ++++++++++-------- + hw/scsi/megasas.c | 15 ++++++++++----- + hw/scsi/vmw_pvscsi.c | 3 ++- + include/hw/pci/pci.h | 11 ++++++----- + 6 files changed, 52 insertions(+), 34 deletions(-) + +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -345,6 +345,7 @@ static void intel_hda_corb_run(IntelHDAS + + static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t response) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus); + IntelHDAState *d = container_of(bus, IntelHDAState, codecs); + hwaddr addr; +@@ -367,8 +368,8 @@ static void intel_hda_response(HDACodecD + ex = (solicited ? 0 : (1 << 4)) | dev->cad; + wp = (d->rirb_wp + 1) & 0xff; + addr = intel_hda_addr(d->rirb_lbase, d->rirb_ubase); +- stl_le_pci_dma(&d->pci, addr + 8*wp, response); +- stl_le_pci_dma(&d->pci, addr + 8*wp + 4, ex); ++ stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); ++ stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); + d->rirb_wp = wp; + + dprint(d, 2, "%s: [wp 0x%x] response 0x%x, extra 0x%x\n", +@@ -394,6 +395,7 @@ static void intel_hda_response(HDACodecD + static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, + uint8_t *buf, uint32_t len) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus); + IntelHDAState *d = container_of(bus, IntelHDAState, codecs); + hwaddr addr; +@@ -428,7 +430,7 @@ static bool intel_hda_xfer(HDACodecDevic + st->be, st->bp, st->bpl[st->be].len, copy); + + pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output, +- MEMTXATTRS_UNSPECIFIED); ++ attrs); + st->lpib += copy; + st->bp += copy; + buf += copy; +@@ -451,7 +453,7 @@ static bool intel_hda_xfer(HDACodecDevic + if (d->dp_lbase & 0x01) { + s = st - d->st; + addr = intel_hda_addr(d->dp_lbase & ~0x01, d->dp_ubase); +- stl_le_pci_dma(&d->pci, addr + 8*s, st->lpib); ++ stl_le_pci_dma(&d->pci, addr + 8 * s, st->lpib, attrs); + } + dprint(d, 3, "dma: --\n"); + +--- a/hw/net/eepro100.c ++++ b/hw/net/eepro100.c +@@ -700,6 +700,8 @@ static void set_ru_state(EEPRO100State * + + static void dump_statistics(EEPRO100State * s) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ + /* Dump statistical data. Most data is never changed by the emulation + * and always 0, so we first just copy the whole block and then those + * values which really matter. +@@ -707,16 +709,18 @@ static void dump_statistics(EEPRO100Stat + */ + pci_dma_write(&s->dev, s->statsaddr, &s->statistics, s->stats_size); + stl_le_pci_dma(&s->dev, s->statsaddr + 0, +- s->statistics.tx_good_frames); ++ s->statistics.tx_good_frames, attrs); + stl_le_pci_dma(&s->dev, s->statsaddr + 36, +- s->statistics.rx_good_frames); ++ s->statistics.rx_good_frames, attrs); + stl_le_pci_dma(&s->dev, s->statsaddr + 48, +- s->statistics.rx_resource_errors); ++ s->statistics.rx_resource_errors, attrs); + stl_le_pci_dma(&s->dev, s->statsaddr + 60, +- s->statistics.rx_short_frame_errors); ++ s->statistics.rx_short_frame_errors, attrs); + #if 0 +- stw_le_pci_dma(&s->dev, s->statsaddr + 76, s->statistics.xmt_tco_frames); +- stw_le_pci_dma(&s->dev, s->statsaddr + 78, s->statistics.rcv_tco_frames); ++ stw_le_pci_dma(&s->dev, s->statsaddr + 76, ++ s->statistics.xmt_tco_frames, attrs); ++ stw_le_pci_dma(&s->dev, s->statsaddr + 78, ++ s->statistics.rcv_tco_frames, attrs); + missing("CU dump statistical counters"); + #endif + } +@@ -833,6 +837,7 @@ static void set_multicast_list(EEPRO100S + + static void action_command(EEPRO100State *s) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + /* The loop below won't stop if it gets special handcrafted data. + Therefore we limit the number of iterations. */ + unsigned max_loop_count = 16; +@@ -911,7 +916,7 @@ static void action_command(EEPRO100State + } + /* Write new status. */ + stw_le_pci_dma(&s->dev, s->cb_address, +- s->tx.status | ok_status | STATUS_C); ++ s->tx.status | ok_status | STATUS_C, attrs); + if (bit_i) { + /* CU completed action. */ + eepro100_cx_interrupt(s); +@@ -937,6 +942,7 @@ static void action_command(EEPRO100State + + static void eepro100_cu_command(EEPRO100State * s, uint8_t val) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + cu_state_t cu_state; + switch (val) { + case CU_NOP: +@@ -986,7 +992,7 @@ static void eepro100_cu_command(EEPRO100 + /* Dump statistical counters. */ + TRACE(OTHER, logout("val=0x%02x (dump stats)\n", val)); + dump_statistics(s); +- stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005); ++ stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005, attrs); + break; + case CU_CMD_BASE: + /* Load CU base. */ +@@ -997,7 +1003,7 @@ static void eepro100_cu_command(EEPRO100 + /* Dump and reset statistical counters. */ + TRACE(OTHER, logout("val=0x%02x (dump stats and reset)\n", val)); + dump_statistics(s); +- stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007); ++ stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007, attrs); + memset(&s->statistics, 0, sizeof(s->statistics)); + break; + case CU_SRESUME: +@@ -1612,6 +1618,7 @@ static ssize_t nic_receive(NetClientStat + * - Magic packets should set bit 30 in power management driver register. + * - Interesting packets should set bit 29 in power management driver register. + */ ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + EEPRO100State *s = qemu_get_nic_opaque(nc); + uint16_t rfd_status = 0xa000; + #if defined(CONFIG_PAD_RECEIVED_FRAMES) +@@ -1726,9 +1733,9 @@ static ssize_t nic_receive(NetClientStat + TRACE(OTHER, logout("command 0x%04x, link 0x%08x, addr 0x%08x, size %u\n", + rfd_command, rx.link, rx.rx_buf_addr, rfd_size)); + stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset + +- offsetof(eepro100_rx_t, status), rfd_status); ++ offsetof(eepro100_rx_t, status), rfd_status, attrs); + stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset + +- offsetof(eepro100_rx_t, count), size); ++ offsetof(eepro100_rx_t, count), size, attrs); + /* Early receive interrupt not supported. */ + #if 0 + eepro100_er_interrupt(s); +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -86,16 +86,18 @@ static void tulip_desc_read(TULIPState * + static void tulip_desc_write(TULIPState *s, hwaddr p, + struct tulip_descriptor *desc) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ + if (s->csr[0] & CSR0_DBO) { +- stl_be_pci_dma(&s->dev, p, desc->status); +- stl_be_pci_dma(&s->dev, p + 4, desc->control); +- stl_be_pci_dma(&s->dev, p + 8, desc->buf_addr1); +- stl_be_pci_dma(&s->dev, p + 12, desc->buf_addr2); ++ stl_be_pci_dma(&s->dev, p, desc->status, attrs); ++ stl_be_pci_dma(&s->dev, p + 4, desc->control, attrs); ++ stl_be_pci_dma(&s->dev, p + 8, desc->buf_addr1, attrs); ++ stl_be_pci_dma(&s->dev, p + 12, desc->buf_addr2, attrs); + } else { +- stl_le_pci_dma(&s->dev, p, desc->status); +- stl_le_pci_dma(&s->dev, p + 4, desc->control); +- stl_le_pci_dma(&s->dev, p + 8, desc->buf_addr1); +- stl_le_pci_dma(&s->dev, p + 12, desc->buf_addr2); ++ stl_le_pci_dma(&s->dev, p, desc->status, attrs); ++ stl_le_pci_dma(&s->dev, p + 4, desc->control, attrs); ++ stl_le_pci_dma(&s->dev, p + 8, desc->buf_addr1, attrs); ++ stl_le_pci_dma(&s->dev, p + 12, desc->buf_addr2, attrs); + } + } + +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -168,14 +168,16 @@ static void megasas_frame_set_cmd_status + unsigned long frame, uint8_t v) + { + PCIDevice *pci = &s->parent_obj; +- stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, cmd_status), v); ++ stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, cmd_status), ++ v, MEMTXATTRS_UNSPECIFIED); + } + + static void megasas_frame_set_scsi_status(MegasasState *s, + unsigned long frame, uint8_t v) + { + PCIDevice *pci = &s->parent_obj; +- stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, scsi_status), v); ++ stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, scsi_status), ++ v, MEMTXATTRS_UNSPECIFIED); + } + + static inline const char *mfi_frame_desc(unsigned int cmd) +@@ -541,6 +543,7 @@ static MegasasCmd *megasas_enqueue_frame + + static void megasas_complete_frame(MegasasState *s, uint64_t context) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + PCIDevice *pci_dev = PCI_DEVICE(s); + int tail, queue_offset; + +@@ -554,10 +557,12 @@ static void megasas_complete_frame(Megas + */ + if (megasas_use_queue64(s)) { + queue_offset = s->reply_queue_head * sizeof(uint64_t); +- stq_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, context); ++ stq_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, ++ context, attrs); + } else { + queue_offset = s->reply_queue_head * sizeof(uint32_t); +- stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, context); ++ stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, ++ context, attrs); + } + s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa); + trace_megasas_qf_complete(context, s->reply_queue_head, +@@ -571,7 +576,7 @@ static void megasas_complete_frame(Megas + s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds); + trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail, + s->busy); +- stl_le_pci_dma(pci_dev, s->producer_pa, s->reply_queue_head); ++ stl_le_pci_dma(pci_dev, s->producer_pa, s->reply_queue_head, attrs); + /* Notify HBA */ + if (msix_enabled(pci_dev)) { + trace_megasas_msix_raise(0); +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -55,7 +55,8 @@ + (m)->rs_pa + offsetof(struct PVSCSIRingsState, field))) + #define RS_SET_FIELD(m, field, val) \ + (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ +- (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val)) ++ (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \ ++ MEMTXATTRS_UNSPECIFIED)) + + struct PVSCSIClass { + PCIDeviceClass parent_class; +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -859,11 +859,12 @@ static inline MemTxResult pci_dma_write( + MEMTXATTRS_UNSPECIFIED); \ + return val; \ + } \ +- static inline void st##_s##_pci_dma(PCIDevice *dev, \ +- dma_addr_t addr, uint##_bits##_t val) \ +- { \ +- st##_s##_dma(pci_get_address_space(dev), addr, val, \ +- MEMTXATTRS_UNSPECIFIED); \ ++ static inline void st##_s##_pci_dma(PCIDevice *dev, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t val, \ ++ MemTxAttrs attrs) \ ++ { \ ++ st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \ + } + + PCI_DMA_DEFINE_LDST(ub, b, 8); diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-20.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-20.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-20.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-20.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,248 @@ +From 398f9a84ac7132e38caf7b066273734b3bf619ff Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 23:45:06 +0100 +Subject: [PATCH] pci: Let ld*_pci_dma() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling ld*_pci_dma(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +Reviewed-by: Richard Henderson +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-22-philmd@redhat.com> +--- + hw/audio/intel-hda.c | 2 +- + hw/net/eepro100.c | 19 +++++++++++++------ + hw/net/tulip.c | 18 ++++++++++-------- + hw/scsi/megasas.c | 16 ++++++++++------ + hw/scsi/mptsas.c | 10 ++++++---- + hw/scsi/vmw_pvscsi.c | 3 ++- + hw/usb/hcd-xhci.c | 1 + + include/hw/pci/pci.h | 6 +++--- + 8 files changed, 46 insertions(+), 29 deletions(-) + +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -335,7 +335,7 @@ static void intel_hda_corb_run(IntelHDAS + + rp = (d->corb_rp + 1) & 0xff; + addr = intel_hda_addr(d->corb_lbase, d->corb_ubase); +- verb = ldl_le_pci_dma(&d->pci, addr + 4*rp); ++ verb = ldl_le_pci_dma(&d->pci, addr + 4 * rp, MEMTXATTRS_UNSPECIFIED); + d->corb_rp = rp; + + dprint(d, 2, "%s: [rp 0x%x] verb 0x%08x\n", __func__, rp, verb); +--- a/hw/net/eepro100.c ++++ b/hw/net/eepro100.c +@@ -737,6 +737,7 @@ static void read_cb(EEPRO100State *s) + + static void tx_command(EEPRO100State *s) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + uint32_t tbd_array = s->tx.tbd_array_addr; + uint16_t tcb_bytes = s->tx.tcb_bytes & 0x3fff; + /* Sends larger than MAX_ETH_FRAME_SIZE are allowed, up to 2600 bytes. */ +@@ -772,11 +773,14 @@ static void tx_command(EEPRO100State *s) + /* Extended Flexible TCB. */ + for (; tbd_count < 2; tbd_count++) { + uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, +- tbd_address); ++ tbd_address, ++ attrs); + uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, +- tbd_address + 4); ++ tbd_address + 4, ++ attrs); + uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, +- tbd_address + 6); ++ tbd_address + 6, ++ attrs); + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n", +@@ -792,9 +796,12 @@ static void tx_command(EEPRO100State *s) + } + tbd_address = tbd_array; + for (; tbd_count < s->tx.tbd_count; tbd_count++) { +- uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address); +- uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4); +- uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6); ++ uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address, ++ attrs); ++ uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4, ++ attrs); ++ uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6, ++ attrs); + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n", +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -70,16 +70,18 @@ static const VMStateDescription vmstate_ + static void tulip_desc_read(TULIPState *s, hwaddr p, + struct tulip_descriptor *desc) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ + if (s->csr[0] & CSR0_DBO) { +- desc->status = ldl_be_pci_dma(&s->dev, p); +- desc->control = ldl_be_pci_dma(&s->dev, p + 4); +- desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8); +- desc->buf_addr2 = ldl_be_pci_dma(&s->dev, p + 12); ++ desc->status = ldl_be_pci_dma(&s->dev, p, attrs); ++ desc->control = ldl_be_pci_dma(&s->dev, p + 4, attrs); ++ desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8, attrs); ++ desc->buf_addr2 = ldl_be_pci_dma(&s->dev, p + 12, attrs); + } else { +- desc->status = ldl_le_pci_dma(&s->dev, p); +- desc->control = ldl_le_pci_dma(&s->dev, p + 4); +- desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8); +- desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12); ++ desc->status = ldl_le_pci_dma(&s->dev, p, attrs); ++ desc->control = ldl_le_pci_dma(&s->dev, p + 4, attrs); ++ desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8, attrs); ++ desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12, attrs); + } + } + +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -202,7 +202,9 @@ static uint64_t megasas_frame_get_contex + unsigned long frame) + { + PCIDevice *pci = &s->parent_obj; +- return ldq_le_pci_dma(pci, frame + offsetof(struct mfi_frame_header, context)); ++ return ldq_le_pci_dma(pci, ++ frame + offsetof(struct mfi_frame_header, context), ++ MEMTXATTRS_UNSPECIFIED); + } + + static bool megasas_frame_is_ieee_sgl(MegasasCmd *cmd) +@@ -533,7 +535,8 @@ static MegasasCmd *megasas_enqueue_frame + s->busy++; + + if (s->consumer_pa) { +- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa); ++ s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, ++ MEMTXATTRS_UNSPECIFIED); + } + trace_megasas_qf_enqueue(cmd->index, cmd->count, cmd->context, + s->reply_queue_head, s->reply_queue_tail, s->busy); +@@ -564,14 +567,14 @@ static void megasas_complete_frame(Megas + stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, + context, attrs); + } +- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa); ++ s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs); + trace_megasas_qf_complete(context, s->reply_queue_head, + s->reply_queue_tail, s->busy); + } + + if (megasas_intr_enabled(s)) { + /* Update reply queue pointer */ +- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa); ++ s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs); + tail = s->reply_queue_head; + s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds); + trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail, +@@ -636,6 +639,7 @@ static void megasas_abort_command(Megasa + + static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + PCIDevice *pcid = PCI_DEVICE(s); + uint32_t pa_hi, pa_lo; + hwaddr iq_pa, initq_size = sizeof(struct mfi_init_qinfo); +@@ -674,9 +678,9 @@ static int megasas_init_firmware(Megasas + pa_lo = le32_to_cpu(initq->pi_addr_lo); + pa_hi = le32_to_cpu(initq->pi_addr_hi); + s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo; +- s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa); ++ s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa, attrs); + s->reply_queue_head %= MEGASAS_MAX_FRAMES; +- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa); ++ s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, attrs); + s->reply_queue_tail %= MEGASAS_MAX_FRAMES; + flags = le32_to_cpu(initq->flags); + if (flags & MFI_QUEUE_FLAG_CONTEXT64) { +--- a/hw/scsi/mptsas.c ++++ b/hw/scsi/mptsas.c +@@ -172,14 +172,15 @@ static const int mpi_request_sizes[] = { + static dma_addr_t mptsas_ld_sg_base(MPTSASState *s, uint32_t flags_and_length, + dma_addr_t *sgaddr) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + PCIDevice *pci = (PCIDevice *) s; + dma_addr_t addr; + + if (flags_and_length & MPI_SGE_FLAGS_64_BIT_ADDRESSING) { +- addr = ldq_le_pci_dma(pci, *sgaddr + 4); ++ addr = ldq_le_pci_dma(pci, *sgaddr + 4, attrs); + *sgaddr += 12; + } else { +- addr = ldl_le_pci_dma(pci, *sgaddr + 4); ++ addr = ldl_le_pci_dma(pci, *sgaddr + 4, attrs); + *sgaddr += 8; + } + return addr; +@@ -203,7 +204,7 @@ static int mptsas_build_sgl(MPTSASState + dma_addr_t addr, len; + uint32_t flags_and_length; + +- flags_and_length = ldl_le_pci_dma(pci, sgaddr); ++ flags_and_length = ldl_le_pci_dma(pci, sgaddr, MEMTXATTRS_UNSPECIFIED); + len = flags_and_length & MPI_SGE_LENGTH_MASK; + if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK) + != MPI_SGE_FLAGS_SIMPLE_ELEMENT || +@@ -234,7 +235,8 @@ static int mptsas_build_sgl(MPTSASState + break; + } + +- flags_and_length = ldl_le_pci_dma(pci, next_chain_addr); ++ flags_and_length = ldl_le_pci_dma(pci, next_chain_addr, ++ MEMTXATTRS_UNSPECIFIED); + if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK) + != MPI_SGE_FLAGS_CHAIN_ELEMENT) { + return MPI_IOCSTATUS_INVALID_SGL; +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -52,7 +52,8 @@ + + #define RS_GET_FIELD(m, field) \ + (ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ +- (m)->rs_pa + offsetof(struct PVSCSIRingsState, field))) ++ (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), \ ++ MEMTXATTRS_UNSPECIFIED)) + #define RS_SET_FIELD(m, field, val) \ + (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ + (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \ +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -3454,6 +3454,7 @@ static int usb_xhci_post_load(void *opaq + } + ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &addr, MEMTXATTRS_UNSPECIFIED); + slot->ctx = xhci_mask64(addr); ++ + xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx)); + slot->uport = xhci_lookup_uport(xhci, slot_ctx); + if (!slot->uport) { +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -852,11 +852,11 @@ static inline MemTxResult pci_dma_write( + + #define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \ + static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \ +- dma_addr_t addr) \ ++ dma_addr_t addr, \ ++ MemTxAttrs attrs) \ + { \ + uint##_bits##_t val; \ +- ld##_l##_dma(pci_get_address_space(dev), addr, &val, \ +- MEMTXATTRS_UNSPECIFIED); \ ++ ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \ + return val; \ + } \ + static inline void st##_s##_pci_dma(PCIDevice *dev, \ diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-21.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-21.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-21.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-21.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,43 @@ +From 6bebb270731758fae3114b7d24c2b12b7c325cc5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 23:47:30 +0100 +Subject: [PATCH] pci: Let st*_pci_dma() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +st*_dma() returns a MemTxResult type. Do not discard +it, return it to the caller. + +Reviewed-by: Richard Henderson +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-23-philmd@redhat.com> +--- + include/hw/pci/pci.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 7a46c1fa226..c90cecc85c0 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -859,12 +859,12 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \ + return val; \ + } \ +- static inline void st##_s##_pci_dma(PCIDevice *dev, \ +- dma_addr_t addr, \ +- uint##_bits##_t val, \ +- MemTxAttrs attrs) \ ++ static inline MemTxResult st##_s##_pci_dma(PCIDevice *dev, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t val, \ ++ MemTxAttrs attrs) \ + { \ +- st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \ ++ return st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \ + } + + PCI_DMA_DEFINE_LDST(ub, b, 8); +-- +GitLab + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-22.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-22.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-22.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-22.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,275 @@ +From 4a63054bce23982b99f4d3c65528e47e614086b2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Dec 2021 23:49:30 +0100 +Subject: [PATCH] pci: Let ld*_pci_dma() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +ld*_dma() returns a MemTxResult type. Do not discard +it, return it to the caller. + +Update the few callers. + +Reviewed-by: Richard Henderson +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211223115554.3155328-24-philmd@redhat.com> +--- + hw/audio/intel-hda.c | 2 +- + hw/net/eepro100.c | 25 ++++++++++--------------- + hw/net/tulip.c | 16 ++++++++-------- + hw/scsi/megasas.c | 21 ++++++++++++--------- + hw/scsi/mptsas.c | 16 +++++++++++----- + hw/scsi/vmw_pvscsi.c | 16 ++++++++++------ + include/hw/pci/pci.h | 17 ++++++++--------- + 7 files changed, 60 insertions(+), 53 deletions(-) + +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -335,7 +335,7 @@ static void intel_hda_corb_run(IntelHDAS + + rp = (d->corb_rp + 1) & 0xff; + addr = intel_hda_addr(d->corb_lbase, d->corb_ubase); +- verb = ldl_le_pci_dma(&d->pci, addr + 4 * rp, MEMTXATTRS_UNSPECIFIED); ++ ldl_le_pci_dma(&d->pci, addr + 4 * rp, &verb, MEMTXATTRS_UNSPECIFIED); + d->corb_rp = rp; + + dprint(d, 2, "%s: [rp 0x%x] verb 0x%08x\n", __func__, rp, verb); +--- a/hw/net/eepro100.c ++++ b/hw/net/eepro100.c +@@ -769,18 +769,16 @@ static void tx_command(EEPRO100State *s) + } else { + /* Flexible mode. */ + uint8_t tbd_count = 0; ++ uint32_t tx_buffer_address; ++ uint16_t tx_buffer_size; ++ uint16_t tx_buffer_el; ++ + if (s->has_extended_tcb_support && !(s->configuration[6] & BIT(4))) { + /* Extended Flexible TCB. */ + for (; tbd_count < 2; tbd_count++) { +- uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, +- tbd_address, +- attrs); +- uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, +- tbd_address + 4, +- attrs); +- uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, +- tbd_address + 6, +- attrs); ++ ldl_le_pci_dma(&s->dev, tbd_address, &tx_buffer_address, attrs); ++ lduw_le_pci_dma(&s->dev, tbd_address + 4, &tx_buffer_size, attrs); ++ lduw_le_pci_dma(&s->dev, tbd_address + 6, &tx_buffer_el, attrs); + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n", +@@ -796,12 +794,9 @@ static void tx_command(EEPRO100State *s) + } + tbd_address = tbd_array; + for (; tbd_count < s->tx.tbd_count; tbd_count++) { +- uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address, +- attrs); +- uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4, +- attrs); +- uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6, +- attrs); ++ ldl_le_pci_dma(&s->dev, tbd_address, &tx_buffer_address, attrs); ++ lduw_le_pci_dma(&s->dev, tbd_address + 4, &tx_buffer_size, attrs); ++ lduw_le_pci_dma(&s->dev, tbd_address + 6, &tx_buffer_el, attrs); + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n", +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -73,15 +73,15 @@ static void tulip_desc_read(TULIPState * + const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + + if (s->csr[0] & CSR0_DBO) { +- desc->status = ldl_be_pci_dma(&s->dev, p, attrs); +- desc->control = ldl_be_pci_dma(&s->dev, p + 4, attrs); +- desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8, attrs); +- desc->buf_addr2 = ldl_be_pci_dma(&s->dev, p + 12, attrs); ++ ldl_be_pci_dma(&s->dev, p, &desc->status, attrs); ++ ldl_be_pci_dma(&s->dev, p + 4, &desc->control, attrs); ++ ldl_be_pci_dma(&s->dev, p + 8, &desc->buf_addr1, attrs); ++ ldl_be_pci_dma(&s->dev, p + 12, &desc->buf_addr2, attrs); + } else { +- desc->status = ldl_le_pci_dma(&s->dev, p, attrs); +- desc->control = ldl_le_pci_dma(&s->dev, p + 4, attrs); +- desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8, attrs); +- desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12, attrs); ++ ldl_le_pci_dma(&s->dev, p, &desc->status, attrs); ++ ldl_le_pci_dma(&s->dev, p + 4, &desc->control, attrs); ++ ldl_le_pci_dma(&s->dev, p + 8, &desc->buf_addr1, attrs); ++ ldl_le_pci_dma(&s->dev, p + 12, &desc->buf_addr2, attrs); + } + } + +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -202,9 +202,12 @@ static uint64_t megasas_frame_get_contex + unsigned long frame) + { + PCIDevice *pci = &s->parent_obj; +- return ldq_le_pci_dma(pci, +- frame + offsetof(struct mfi_frame_header, context), +- MEMTXATTRS_UNSPECIFIED); ++ uint64_t val; ++ ++ ldq_le_pci_dma(pci, frame + offsetof(struct mfi_frame_header, context), ++ &val, MEMTXATTRS_UNSPECIFIED); ++ ++ return val; + } + + static bool megasas_frame_is_ieee_sgl(MegasasCmd *cmd) +@@ -535,8 +538,8 @@ static MegasasCmd *megasas_enqueue_frame + s->busy++; + + if (s->consumer_pa) { +- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, +- MEMTXATTRS_UNSPECIFIED); ++ ldl_le_pci_dma(pcid, s->consumer_pa, &s->reply_queue_tail, ++ MEMTXATTRS_UNSPECIFIED); + } + trace_megasas_qf_enqueue(cmd->index, cmd->count, cmd->context, + s->reply_queue_head, s->reply_queue_tail, s->busy); +@@ -567,14 +570,14 @@ static void megasas_complete_frame(Megas + stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, + context, attrs); + } +- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs); ++ ldl_le_pci_dma(pci_dev, s->consumer_pa, &s->reply_queue_tail, attrs); + trace_megasas_qf_complete(context, s->reply_queue_head, + s->reply_queue_tail, s->busy); + } + + if (megasas_intr_enabled(s)) { + /* Update reply queue pointer */ +- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs); ++ ldl_le_pci_dma(pci_dev, s->consumer_pa, &s->reply_queue_tail, attrs); + tail = s->reply_queue_head; + s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds); + trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail, +@@ -678,9 +681,9 @@ static int megasas_init_firmware(Megasas + pa_lo = le32_to_cpu(initq->pi_addr_lo); + pa_hi = le32_to_cpu(initq->pi_addr_hi); + s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo; +- s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa, attrs); ++ ldl_le_pci_dma(pcid, s->producer_pa, &s->reply_queue_head, attrs); + s->reply_queue_head %= MEGASAS_MAX_FRAMES; +- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, attrs); ++ ldl_le_pci_dma(pcid, s->consumer_pa, &s->reply_queue_tail, attrs); + s->reply_queue_tail %= MEGASAS_MAX_FRAMES; + flags = le32_to_cpu(initq->flags); + if (flags & MFI_QUEUE_FLAG_CONTEXT64) { +--- a/hw/scsi/mptsas.c ++++ b/hw/scsi/mptsas.c +@@ -177,10 +177,16 @@ static dma_addr_t mptsas_ld_sg_base(MPTS + dma_addr_t addr; + + if (flags_and_length & MPI_SGE_FLAGS_64_BIT_ADDRESSING) { +- addr = ldq_le_pci_dma(pci, *sgaddr + 4, attrs); ++ uint64_t addr64; ++ ++ ldq_le_pci_dma(pci, *sgaddr + 4, &addr64, attrs); ++ addr = addr64; + *sgaddr += 12; + } else { +- addr = ldl_le_pci_dma(pci, *sgaddr + 4, attrs); ++ uint32_t addr32; ++ ++ ldl_le_pci_dma(pci, *sgaddr + 4, &addr32, attrs); ++ addr = addr32; + *sgaddr += 8; + } + return addr; +@@ -204,7 +210,7 @@ static int mptsas_build_sgl(MPTSASState + dma_addr_t addr, len; + uint32_t flags_and_length; + +- flags_and_length = ldl_le_pci_dma(pci, sgaddr, MEMTXATTRS_UNSPECIFIED); ++ ldl_le_pci_dma(pci, sgaddr, &flags_and_length, MEMTXATTRS_UNSPECIFIED); + len = flags_and_length & MPI_SGE_LENGTH_MASK; + if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK) + != MPI_SGE_FLAGS_SIMPLE_ELEMENT || +@@ -235,8 +241,8 @@ static int mptsas_build_sgl(MPTSASState + break; + } + +- flags_and_length = ldl_le_pci_dma(pci, next_chain_addr, +- MEMTXATTRS_UNSPECIFIED); ++ ldl_le_pci_dma(pci, next_chain_addr, &flags_and_length, ++ MEMTXATTRS_UNSPECIFIED); + if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK) + != MPI_SGE_FLAGS_CHAIN_ELEMENT) { + return MPI_IOCSTATUS_INVALID_SGL; +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -50,10 +50,10 @@ + #define PVSCSI_MAX_CMD_DATA_WORDS \ + (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t)) + +-#define RS_GET_FIELD(m, field) \ +- (ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ ++#define RS_GET_FIELD(pval, m, field) \ ++ ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ + (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), \ +- MEMTXATTRS_UNSPECIFIED)) ++ pval, MEMTXATTRS_UNSPECIFIED) + #define RS_SET_FIELD(m, field, val) \ + (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ + (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \ +@@ -249,10 +249,11 @@ pvscsi_ring_cleanup(PVSCSIRingInfo *mgr) + static hwaddr + pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr) + { +- uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx); ++ uint32_t ready_ptr; + uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING + * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; + ++ RS_GET_FIELD(&ready_ptr, mgr, reqProdIdx); + if (ready_ptr != mgr->consumed_ptr + && ready_ptr - mgr->consumed_ptr < ring_size) { + uint32_t next_ready_ptr = +@@ -323,8 +324,11 @@ pvscsi_ring_flush_cmp(PVSCSIRingInfo *mg + static bool + pvscsi_ring_msg_has_room(PVSCSIRingInfo *mgr) + { +- uint32_t prodIdx = RS_GET_FIELD(mgr, msgProdIdx); +- uint32_t consIdx = RS_GET_FIELD(mgr, msgConsIdx); ++ uint32_t prodIdx; ++ uint32_t consIdx; ++ ++ RS_GET_FIELD(&prodIdx, mgr, msgProdIdx); ++ RS_GET_FIELD(&consIdx, mgr, msgConsIdx); + + return (prodIdx - consIdx) < (mgr->msg_len_mask + 1); + } +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -850,15 +850,14 @@ static inline MemTxResult pci_dma_write( + DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + +-#define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \ +- static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \ +- dma_addr_t addr, \ +- MemTxAttrs attrs) \ +- { \ +- uint##_bits##_t val; \ +- ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \ +- return val; \ +- } \ ++#define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \ ++ static inline MemTxResult ld##_l##_pci_dma(PCIDevice *dev, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t *val, \ ++ MemTxAttrs attrs) \ ++ { \ ++ return ld##_l##_dma(pci_get_address_space(dev), addr, val, attrs); \ ++ } \ + static inline MemTxResult st##_s##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr, \ + uint##_bits##_t val, \ diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-23.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-23.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-23.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-23.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,70 @@ +From be5a8cf347d0c47ee3e933dde075526fd8bd5c40 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Sat, 18 Dec 2021 17:09:10 +0100 +Subject: [PATCH] hw/audio/intel-hda: Do not ignore DMA overrun errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Per the "High Definition Audio Specification" manual (rev. 1.0a), +section "3.3.30 Offset 5Dh: RIRBSTS - RIRB Status": + + Response Overrun Interrupt Status (RIRBOIS): + + Hardware sets this bit to a 1 when an overrun occurs in the RIRB. + An interrupt may be generated if the Response Overrun Interrupt + Control bit is set. + + This bit will be set if the RIRB DMA engine is not able to write + the incoming responses to memory before additional incoming + responses overrun the internal FIFO. + + When hardware detects an overrun, it will drop the responses which + overrun the buffer and set the RIRBOIS status bit to indicate the + error condition. Optionally, if the RIRBOIC is set, the hardware + will also generate an error to alert software to the problem. + +QEMU emulates the DMA engine with the stl_le_pci_dma() calls. This +function returns a MemTxResult indicating whether the DMA access +was successful. +Handle any MemTxResult error as "DMA engine is not able to write the +incoming responses to memory" and raise the Overrun Interrupt flag +when this case occurs. + +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20211218160912.1591633-2-philmd@redhat.com> +Signed-off-by: Thomas Huth +--- + hw/audio/intel-hda.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index 5f8a878f20c..47a36acc71c 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -350,6 +350,7 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res + IntelHDAState *d = container_of(bus, IntelHDAState, codecs); + hwaddr addr; + uint32_t wp, ex; ++ MemTxResult res = MEMTX_OK; + + if (d->ics & ICH6_IRS_BUSY) { + dprint(d, 2, "%s: [irr] response 0x%x, cad 0x%x\n", +@@ -368,8 +369,12 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res + ex = (solicited ? 0 : (1 << 4)) | dev->cad; + wp = (d->rirb_wp + 1) & 0xff; + addr = intel_hda_addr(d->rirb_lbase, d->rirb_ubase); +- stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); +- stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); ++ res |= stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); ++ res |= stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); ++ if (res != MEMTX_OK && (d->rirb_ctl & ICH6_RBCTL_OVERRUN_EN)) { ++ d->rirb_sts |= ICH6_RBSTS_OVERRUN; ++ intel_hda_update_irq(d); ++ } + d->rirb_wp = wp; + + dprint(d, 2, "%s: [wp 0x%x] response 0x%x, extra 0x%x\n", +-- +GitLab + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2021-3611-24.patch qemu-6.2+dfsg/debian/patches/CVE-2021-3611-24.patch --- qemu-6.2+dfsg/debian/patches/CVE-2021-3611-24.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2021-3611-24.patch 2023-11-30 14:53:27.000000000 +0000 @@ -0,0 +1,41 @@ +From 79fa99831debc9782087e834382c577215f2f511 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Sat, 18 Dec 2021 17:09:11 +0100 +Subject: [PATCH] hw/audio/intel-hda: Restrict DMA engine to memories (not MMIO + devices) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Issue #542 reports a reentrancy problem when the DMA engine accesses +the HDA controller I/O registers. Fix by restricting the DMA engine +to memories regions (forbidding MMIO devices such the HDA controller). + +Reported-by: OSS-Fuzz (Issue 28435) +Reported-by: Alexander Bulekov +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Thomas Huth +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/542 +CVE: CVE-2021-3611 +Message-Id: <20211218160912.1591633-3-philmd@redhat.com> +Signed-off-by: Thomas Huth +--- + hw/audio/intel-hda.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index 47a36acc71c..78a47bc08c1 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -345,7 +345,7 @@ static void intel_hda_corb_run(IntelHDAState *d) + + static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t response) + { +- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ const MemTxAttrs attrs = { .memory = true }; + HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus); + IntelHDAState *d = container_of(bus, IntelHDAState, codecs); + hwaddr addr; +-- +GitLab + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2023-1544.patch qemu-6.2+dfsg/debian/patches/CVE-2023-1544.patch --- qemu-6.2+dfsg/debian/patches/CVE-2023-1544.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2023-1544.patch 2023-11-30 14:49:08.000000000 +0000 @@ -0,0 +1,65 @@ +From 85fc35afa93c7320d1641d344d0c5dfbe341d087 Mon Sep 17 00:00:00 2001 +From: Yuval Shaia +Date: Wed, 1 Mar 2023 16:29:26 +0200 +Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver + +Guest driver allocates and initialize page tables to be used as a ring +of descriptors for CQ and async events. +The page table that represents the ring, along with the number of pages +in the page table is passed to the device. +Currently our device supports only one page table for a ring. + +Let's make sure that the number of page table entries the driver +reports, do not exceeds the one page table size. + +Reported-by: Soul Chen +Signed-off-by: Yuval Shaia +Fixes: CVE-2023-1544 +Message-ID: <20230301142926.18686-1-yuval.shaia.ml@gmail.com> +Signed-off-by: Thomas Huth +--- + hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c +index 4fc67120256..55b338046e6 100644 +--- a/hw/rdma/vmw/pvrdma_main.c ++++ b/hw/rdma/vmw/pvrdma_main.c +@@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state, + dma_addr_t dir_addr, uint32_t num_pages) + { + uint64_t *dir, *tbl; +- int rc = 0; ++ int max_pages, rc = 0; + + if (!num_pages) { + rdma_error_report("Ring pages count must be strictly positive"); + return -EINVAL; + } + ++ /* ++ * Make sure we can satisfy the requested number of pages in a single ++ * TARGET_PAGE_SIZE sized page table (taking into account that first entry ++ * is reserved for ring-state) ++ */ ++ max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1; ++ if (num_pages > max_pages) { ++ rdma_error_report("Maximum pages on a single directory must not exceed %d\n", ++ max_pages); ++ return -EINVAL; ++ } ++ + dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); + if (!dir) { + rdma_error_report("Failed to map to page directory (ring %s)", name); + rc = -ENOMEM; + goto out; + } ++ ++ /* We support only one page table for a ring */ + tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE); + if (!tbl) { + rdma_error_report("Failed to map to page table (ring %s)", name); +-- +GitLab + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2023-2861.patch qemu-6.2+dfsg/debian/patches/CVE-2023-2861.patch --- qemu-6.2+dfsg/debian/patches/CVE-2023-2861.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2023-2861.patch 2023-11-30 14:49:24.000000000 +0000 @@ -0,0 +1,161 @@ +Backport of: + +From f6b0de53fb87ddefed348a39284c8e2f28dc4eda Mon Sep 17 00:00:00 2001 +From: Christian Schoenebeck +Date: Wed, 7 Jun 2023 18:29:33 +0200 +Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) + +The 9p protocol does not specifically define how server shall behave when +client tries to open a special file, however from security POV it does +make sense for 9p server to prohibit opening any special file on host side +in general. A sane Linux 9p client for instance would never attempt to +open a special file on host side, it would always handle those exclusively +on its guest side. A malicious client however could potentially escape +from the exported 9p tree by creating and opening a device file on host +side. + +With QEMU this could only be exploited in the following unsafe setups: + + - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough' + security model. + +or + + - Using 9p 'proxy' fs driver (which is running its helper daemon as + root). + +These setups were already discouraged for safety reasons before, +however for obvious reasons we are now tightening behaviour on this. + +Fixes: CVE-2023-2861 +Reported-by: Yanwu Shen +Reported-by: Jietao Xiao +Reported-by: Jinku Li +Reported-by: Wenbo Shen +Signed-off-by: Christian Schoenebeck +Reviewed-by: Greg Kurz +Reviewed-by: Michael Tokarev +Message-Id: +--- + fsdev/virtfs-proxy-helper.c | 27 +++++++++++++++++++++++-- + hw/9pfs/9p-util.h | 39 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 64 insertions(+), 2 deletions(-) + +--- a/fsdev/virtfs-proxy-helper.c ++++ b/fsdev/virtfs-proxy-helper.c +@@ -26,6 +26,7 @@ + #include "qemu/xattr.h" + #include "9p-iov-marshal.h" + #include "hw/9pfs/9p-proxy.h" ++#include "hw/9pfs/9p-util.h" + #include "fsdev/9p-iov-marshal.h" + + #define PROGNAME "virtfs-proxy-helper" +@@ -339,6 +340,28 @@ static void resetugid(int suid, int sgid + } + + /* ++ * Open regular file or directory. Attempts to open any special file are ++ * rejected. ++ * ++ * returns file descriptor or -1 on error ++ */ ++static int open_regular(const char *pathname, int flags, mode_t mode) ++{ ++ int fd; ++ ++ fd = open(pathname, flags, mode); ++ if (fd < 0) { ++ return fd; ++ } ++ ++ if (close_if_special_file(fd) < 0) { ++ return -1; ++ } ++ ++ return fd; ++} ++ ++/* + * send response in two parts + * 1) ProxyHeader + * 2) Response or error status +@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec + if (ret < 0) { + goto unmarshal_err_out; + } +- ret = open(path.data, flags, mode); ++ ret = open_regular(path.data, flags, mode); + if (ret < 0) { + ret = -errno; + } +@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec) + if (ret < 0) { + goto err_out; + } +- ret = open(path.data, flags); ++ ret = open_regular(path.data, flags, 0); + if (ret < 0) { + ret = -errno; + } +--- a/hw/9pfs/9p-util.h ++++ b/hw/9pfs/9p-util.h +@@ -13,6 +13,8 @@ + #ifndef QEMU_9P_UTIL_H + #define QEMU_9P_UTIL_H + ++#include "qemu/error-report.h" ++ + #ifdef O_PATH + #define O_PATH_9P_UTIL O_PATH + #else +@@ -26,6 +28,38 @@ static inline void close_preserve_errno( + errno = serrno; + } + ++/** ++ * close_if_special_file() - Close @fd if neither regular file nor directory. ++ * ++ * @fd: file descriptor of open file ++ * Return: 0 on regular file or directory, -1 otherwise ++ * ++ * CVE-2023-2861: Prohibit opening any special file directly on host ++ * (especially device files), as a compromised client could potentially gain ++ * access outside exported tree under certain, unsafe setups. We expect ++ * client to handle I/O on special files exclusively on guest side. ++ */ ++static inline int close_if_special_file(int fd) ++{ ++ struct stat stbuf; ++ ++ if (fstat(fd, &stbuf) < 0) { ++ close_preserve_errno(fd); ++ return -1; ++ } ++ if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) { ++ error_report_once( ++ "9p: broken or compromised client detected; attempt to open " ++ "special file (i.e. neither regular file, nor directory)" ++ ); ++ close(fd); ++ errno = ENXIO; ++ return -1; ++ } ++ ++ return 0; ++} ++ + static inline int openat_dir(int dirfd, const char *name) + { + return openat(dirfd, name, +@@ -56,6 +90,10 @@ again: + return -1; + } + ++ if (close_if_special_file(fd) < 0) { ++ return -1; ++ } ++ + serrno = errno; + /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't + * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat() diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2023-3180.patch qemu-6.2+dfsg/debian/patches/CVE-2023-3180.patch --- qemu-6.2+dfsg/debian/patches/CVE-2023-3180.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2023-3180.patch 2023-11-30 14:49:39.000000000 +0000 @@ -0,0 +1,42 @@ +From 49f1e02bac166821c712534aaa775f50e1afe17f Mon Sep 17 00:00:00 2001 +From: zhenwei pi +Date: Thu, 3 Aug 2023 10:43:13 +0800 +Subject: [PATCH] virtio-crypto: verify src&dst buffer length for sym request + +For symmetric algorithms, the length of ciphertext must be as same +as the plaintext. +The missing verification of the src_len and the dst_len in +virtio_crypto_sym_op_helper() may lead buffer overflow/divulged. + +This patch is originally written by Yiming Tao for QEMU-SECURITY, +resend it(a few changes of error message) in qemu-devel. + +Fixes: CVE-2023-3180 +Fixes: 04b9b37edda("virtio-crypto: add data queue processing handler") +Cc: Gonglei +Cc: Mauro Matteo Cascella +Cc: Yiming Tao +Signed-off-by: zhenwei pi +Message-Id: <20230803024314.29962-2-pizhenwei@bytedance.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 9d38a8434721a6479fe03fb5afb150ca793d3980) +Signed-off-by: Michael Tokarev +--- + hw/virtio/virtio-crypto.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/hw/virtio/virtio-crypto.c ++++ b/hw/virtio/virtio-crypto.c +@@ -461,6 +461,11 @@ virtio_crypto_sym_op_helper(VirtIODevice + return NULL; + } + ++ if (unlikely(src_len != dst_len)) { ++ virtio_error(vdev, "sym request src len is different from dst len"); ++ return NULL; ++ } ++ + max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len; + if (unlikely(max_len > vcrypto->conf.max_size)) { + virtio_error(vdev, "virtio-crypto too big length"); diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2023-3255.patch qemu-6.2+dfsg/debian/patches/CVE-2023-3255.patch --- qemu-6.2+dfsg/debian/patches/CVE-2023-3255.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2023-3255.patch 2023-11-30 14:49:51.000000000 +0000 @@ -0,0 +1,53 @@ +From d921fea338c1059a27ce7b75309d7a2e485f710b Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Tue, 4 Jul 2023 10:41:22 +0200 +Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer + (CVE-2023-3255) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +A wrong exit condition may lead to an infinite loop when inflating a +valid zlib buffer containing some extra bytes in the `inflate_buffer` +function. The bug only occurs post-authentication. Return the buffer +immediately if the end of the compressed data has been reached +(Z_STREAM_END). + +Fixes: CVE-2023-3255 +Fixes: 0bf41cab ("ui/vnc: clipboard support") +Reported-by: Kevin Denis +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Marc-André Lureau +Tested-by: Marc-André Lureau +Message-ID: <20230704084210.101822-1-mcascell@redhat.com> +--- + ui/vnc-clipboard.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/ui/vnc-clipboard.c ++++ b/ui/vnc-clipboard.c +@@ -51,8 +51,11 @@ static uint8_t *inflate_buffer(uint8_t * + ret = inflate(&stream, Z_FINISH); + switch (ret) { + case Z_OK: +- case Z_STREAM_END: + break; ++ case Z_STREAM_END: ++ *size = stream.total_out; ++ inflateEnd(&stream); ++ return out; + case Z_BUF_ERROR: + out_len <<= 1; + if (out_len > (1 << 20)) { +@@ -67,11 +70,6 @@ static uint8_t *inflate_buffer(uint8_t * + } + } + +- *size = stream.total_out; +- inflateEnd(&stream); +- +- return out; +- + err_end: + inflateEnd(&stream); + err: diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2023-3301.patch qemu-6.2+dfsg/debian/patches/CVE-2023-3301.patch --- qemu-6.2+dfsg/debian/patches/CVE-2023-3301.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2023-3301.patch 2023-11-30 14:52:24.000000000 +0000 @@ -0,0 +1,59 @@ +Backport of: + +From aab37b2002811f112d5c26337473486d7d585881 Mon Sep 17 00:00:00 2001 +From: Ani Sinha +Date: Mon, 19 Jun 2023 12:22:09 +0530 +Subject: [PATCH] vhost-vdpa: do not cleanup the vdpa/vhost-net structures if + peer nic is present + +When a peer nic is still attached to the vdpa backend, it is too early to free +up the vhost-net and vdpa structures. If these structures are freed here, then +QEMU crashes when the guest is being shut down. The following call chain +would result in an assertion failure since the pointer returned from +vhost_vdpa_get_vhost_net() would be NULL: + +do_vm_stop() -> vm_state_notify() -> virtio_set_status() -> +virtio_net_vhost_status() -> get_vhost_net(). + +Therefore, we defer freeing up the structures until at guest shutdown +time when qemu_cleanup() calls net_cleanup() which then calls +qemu_del_net_client() which would eventually call vhost_vdpa_cleanup() +again to free up the structures. This time, the loop in net_cleanup() +ensures that vhost_vdpa_cleanup() will be called one last time when +all the peer nics are detached and freed. + +All unit tests pass with this change. + +CC: imammedo@redhat.com +CC: jusual@redhat.com +CC: mst@redhat.com +Fixes: CVE-2023-3301 +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2128929 +Signed-off-by: Ani Sinha +Message-Id: <20230619065209.442185-1-anisinha@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit a0d7215e339b61c7d7a7b3fcf754954d80d93eb8) +Signed-off-by: Michael Tokarev +(Mjt: context change for stable-8.0) +--- + net/vhost-vdpa.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/vhost-vdpa.c ++++ b/net/vhost-vdpa.c +@@ -128,6 +128,14 @@ static void vhost_vdpa_cleanup(NetClient + { + VhostVDPAState *s = DO_UPCAST(VhostVDPAState, nc, nc); + ++ /* ++ * If a peer NIC is attached, do not cleanup anything. ++ * Cleanup will happen as a part of qemu_cleanup() -> net_cleanup() ++ * when the guest is shutting down. ++ */ ++ if (nc->peer && nc->peer->info->type == NET_CLIENT_DRIVER_NIC) { ++ return; ++ } + if (s->vhost_net) { + vhost_net_cleanup(s->vhost_net); + g_free(s->vhost_net); diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2023-3354.patch qemu-6.2+dfsg/debian/patches/CVE-2023-3354.patch --- qemu-6.2+dfsg/debian/patches/CVE-2023-3354.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2023-3354.patch 2023-11-30 14:52:44.000000000 +0000 @@ -0,0 +1,76 @@ +From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Tue, 20 Jun 2023 09:45:34 +0100 +Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The TLS handshake make take some time to complete, during which time an +I/O watch might be registered with the main loop. If the owner of the +I/O channel invokes qio_channel_close() while the handshake is waiting +to continue the I/O watch must be removed. Failing to remove it will +later trigger the completion callback which the owner is not expecting +to receive. In the case of the VNC server, this results in a SEGV as +vnc_disconnect_start() tries to shutdown a client connection that is +already gone / NULL. + +CVE-2023-3354 +Reported-by: jiangyegen +Signed-off-by: Daniel P. Berrangé +--- + include/io/channel-tls.h | 1 + + io/channel-tls.c | 18 ++++++++++++------ + 2 files changed, 13 insertions(+), 6 deletions(-) + +--- a/include/io/channel-tls.h ++++ b/include/io/channel-tls.h +@@ -48,6 +48,7 @@ struct QIOChannelTLS { + QIOChannel *master; + QCryptoTLSSession *session; + QIOChannelShutdown shutdown; ++ guint hs_ioc_tag; + }; + + /** +--- a/io/channel-tls.c ++++ b/io/channel-tls.c +@@ -195,12 +195,13 @@ static void qio_channel_tls_handshake_ta + } + + trace_qio_channel_tls_handshake_pending(ioc, status); +- qio_channel_add_watch_full(ioc->master, +- condition, +- qio_channel_tls_handshake_io, +- data, +- NULL, +- context); ++ ioc->hs_ioc_tag = ++ qio_channel_add_watch_full(ioc->master, ++ condition, ++ qio_channel_tls_handshake_io, ++ data, ++ NULL, ++ context); + } + } + +@@ -215,6 +216,7 @@ static gboolean qio_channel_tls_handshak + QIOChannelTLS *tioc = QIO_CHANNEL_TLS( + qio_task_get_source(task)); + ++ tioc->hs_ioc_tag = 0; + g_free(data); + qio_channel_tls_handshake_task(tioc, task, context); + +@@ -373,6 +375,10 @@ static int qio_channel_tls_close(QIOChan + { + QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc); + ++ if (tioc->hs_ioc_tag) { ++ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove); ++ } ++ + return qio_channel_close(tioc->master, errp); + } + diff -Nru qemu-6.2+dfsg/debian/patches/CVE-2023-5088.patch qemu-6.2+dfsg/debian/patches/CVE-2023-5088.patch --- qemu-6.2+dfsg/debian/patches/CVE-2023-5088.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/CVE-2023-5088.patch 2023-11-30 14:53:02.000000000 +0000 @@ -0,0 +1,105 @@ +From 7d7512019fc40c577e2bdd61f114f31a9eb84a8e Mon Sep 17 00:00:00 2001 +From: Fiona Ebner +Date: Wed, 6 Sep 2023 15:09:21 +0200 +Subject: [PATCH] hw/ide: reset: cancel async DMA operation before resetting + state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If there is a pending DMA operation during ide_bus_reset(), the fact +that the IDEState is already reset before the operation is canceled +can be problematic. In particular, ide_dma_cb() might be called and +then use the reset IDEState which contains the signature after the +reset. When used to construct the IO operation this leads to +ide_get_sector() returning 0 and nsector being 1. This is particularly +bad, because a write command will thus destroy the first sector which +often contains a partition table or similar. + +Traces showing the unsolicited write happening with IDEState +0x5595af6949d0 being used after reset: + +> ahci_port_write ahci(0x5595af6923f0)[0]: port write [reg:PxSCTL] @ 0x2c: 0x00000300 +> ahci_reset_port ahci(0x5595af6923f0)[0]: reset port +> ide_reset IDEstate 0x5595af6949d0 +> ide_reset IDEstate 0x5595af694da8 +> ide_bus_reset_aio aio_cancel +> dma_aio_cancel dbs=0x7f64600089a0 +> dma_blk_cb dbs=0x7f64600089a0 ret=0 +> dma_complete dbs=0x7f64600089a0 ret=0 cb=0x5595acd40b30 +> ahci_populate_sglist ahci(0x5595af6923f0)[0] +> ahci_dma_prepare_buf ahci(0x5595af6923f0)[0]: prepare buf limit=512 prepared=512 +> ide_dma_cb IDEState 0x5595af6949d0; sector_num=0 n=1 cmd=DMA WRITE +> dma_blk_io dbs=0x7f6420802010 bs=0x5595ae2c6c30 offset=0 to_dev=1 +> dma_blk_cb dbs=0x7f6420802010 ret=0 + +> (gdb) p *qiov +> $11 = {iov = 0x7f647c76d840, niov = 1, {{nalloc = 1, local_iov = {iov_base = 0x0, +> iov_len = 512}}, {__pad = "\001\000\000\000\000\000\000\000\000\000\000", +> size = 512}}} +> (gdb) bt +> #0 blk_aio_pwritev (blk=0x5595ae2c6c30, offset=0, qiov=0x7f6420802070, flags=0, +> cb=0x5595ace6f0b0 , opaque=0x7f6420802010) +> at ../block/block-backend.c:1682 +> #1 0x00005595ace6f185 in dma_blk_cb (opaque=0x7f6420802010, ret=) +> at ../softmmu/dma-helpers.c:179 +> #2 0x00005595ace6f778 in dma_blk_io (ctx=0x5595ae0609f0, +> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512, +> io_func=io_func@entry=0x5595ace6ee30 , +> io_func_opaque=io_func_opaque@entry=0x5595ae2c6c30, +> cb=0x5595acd40b30 , opaque=0x5595af6949d0, +> dir=DMA_DIRECTION_TO_DEVICE) at ../softmmu/dma-helpers.c:244 +> #3 0x00005595ace6f90a in dma_blk_write (blk=0x5595ae2c6c30, +> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512, +> cb=cb@entry=0x5595acd40b30 , opaque=opaque@entry=0x5595af6949d0) +> at ../softmmu/dma-helpers.c:280 +> #4 0x00005595acd40e18 in ide_dma_cb (opaque=0x5595af6949d0, ret=) +> at ../hw/ide/core.c:953 +> #5 0x00005595ace6f319 in dma_complete (ret=0, dbs=0x7f64600089a0) +> at ../softmmu/dma-helpers.c:107 +> #6 dma_blk_cb (opaque=0x7f64600089a0, ret=0) at ../softmmu/dma-helpers.c:127 +> #7 0x00005595ad12227d in blk_aio_complete (acb=0x7f6460005b10) +> at ../block/block-backend.c:1527 +> #8 blk_aio_complete (acb=0x7f6460005b10) at ../block/block-backend.c:1524 +> #9 blk_aio_write_entry (opaque=0x7f6460005b10) at ../block/block-backend.c:1594 +> #10 0x00005595ad258cfb in coroutine_trampoline (i0=, +> i1=) at ../util/coroutine-ucontext.c:177 + +Signed-off-by: Fiona Ebner +Reviewed-by: Philippe Mathieu-Daudé +Tested-by: simon.rowe@nutanix.com +Message-ID: <20230906130922.142845-1-f.ebner@proxmox.com> +Signed-off-by: Philippe Mathieu-Daudé +--- + hw/ide/core.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/hw/ide/core.c ++++ b/hw/ide/core.c +@@ -2447,19 +2447,19 @@ static void ide_dummy_transfer_stop(IDES + + void ide_bus_reset(IDEBus *bus) + { +- bus->unit = 0; +- bus->cmd = 0; +- ide_reset(&bus->ifs[0]); +- ide_reset(&bus->ifs[1]); +- ide_clear_hob(bus); +- +- /* pending async DMA */ ++ /* pending async DMA - needs the IDEState before it is reset */ + if (bus->dma->aiocb) { + trace_ide_bus_reset_aio(); + blk_aio_cancel(bus->dma->aiocb); + bus->dma->aiocb = NULL; + } + ++ bus->unit = 0; ++ bus->cmd = 0; ++ ide_reset(&bus->ifs[0]); ++ ide_reset(&bus->ifs[1]); ++ ide_clear_hob(bus); ++ + /* reset dma provider too */ + if (bus->dma->ops->reset) { + bus->dma->ops->reset(bus->dma); diff -Nru qemu-6.2+dfsg/debian/patches/series qemu-6.2+dfsg/debian/patches/series --- qemu-6.2+dfsg/debian/patches/series 2023-09-15 18:39:05.000000000 +0000 +++ qemu-6.2+dfsg/debian/patches/series 2023-11-30 14:53:27.000000000 +0000 @@ -89,3 +89,35 @@ ubuntu/lp-1853307-s390x-pci-shrink-DMA-aperture-to-be-bound-by-vfio-DM.patch ubuntu/lp-1853307-s390x-pci-reset-ISM-passthrough-devices-on-shutdown-.patch ubuntu/lp-2033957-virtiofsd-Fix-breakage-due-to-fuse_init_in.patch +CVE-2020-14394.patch +CVE-2023-1544.patch +CVE-2023-2861.patch +CVE-2023-3180.patch +CVE-2023-3255.patch +CVE-2023-3301.patch +CVE-2023-3354.patch +CVE-2023-5088.patch +CVE-2021-3611-01.patch +CVE-2021-3611-02.patch +CVE-2021-3611-03.patch +CVE-2021-3611-04.patch +CVE-2021-3611-05.patch +CVE-2021-3611-06.patch +CVE-2021-3611-07.patch +CVE-2021-3611-08.patch +CVE-2021-3611-09.patch +CVE-2021-3611-10.patch +CVE-2021-3611-11.patch +CVE-2021-3611-12.patch +CVE-2021-3611-13.patch +CVE-2021-3611-14.patch +CVE-2021-3611-15.patch +CVE-2021-3611-16.patch +CVE-2021-3611-17.patch +CVE-2021-3611-18.patch +CVE-2021-3611-19.patch +CVE-2021-3611-20.patch +CVE-2021-3611-21.patch +CVE-2021-3611-22.patch +CVE-2021-3611-23.patch +CVE-2021-3611-24.patch