qemu: enrich commit info for some patchs

Signed-off-by: AlexChen <alex.chen@huawei.com>
2020-09-24 10:47:29 +08:00 · 2020-09-24 10:47:29 +08:00 · a7b090aaca
commit a7b090aaca
parent 74e366ee0f
3 changed files with 69 additions and 10 deletions
--- a/hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
+++ b/hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
@ -1,14 +1,27 @@
-From 8b8d3992db22a583b69b6e2ae1d9cd87e2179e21 Mon Sep 17 00:00:00 2001
+From d99d965c232c649686b4d8bc42dc11dcaf90dc0b Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit <pjp@fedoraproject.org>
 Date: Fri, 18 Sep 2020 10:55:22 +0800
-Subject: [PATCH] hw/sd/sdhci: Fix DMA Transfer Block Size field The 'Transfer
- Block Size' field is 12-bit wide. See section '2.2.2 Block Size Register
- (Offset 004h)' in datasheet.
+Subject: [PATCH] hw/sd/sdhci: Fix DMA Transfer Block Size field
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit

+The 'Transfer Block Size' field is 12-bit wide.
+
+See section '2.2.2. Block Size Register (Offset 004h)' in datasheet.
+
+Cc: qemu-stable@nongnu.org
+Cc: Igor Mitsyanko <i.mitsyanko@gmail.com>
 Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+---
+ hw/sd/sdhci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 7b80b1d9..acf482b8 100644
+index 7b80b1d93f..65a530aee4 100644
 --- a/hw/sd/sdhci.c
 +++ b/hw/sd/sdhci.c
@@ -1127,7 +1127,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
--- a/hw-xhci-check-return-value-of-usb_packet_map.patch
+++ b/hw-xhci-check-return-value-of-usb_packet_map.patch
@ -1,17 +1,60 @@
-From e43f0019b0aff881c562c8d2428bce6b3d55845c Mon Sep 17 00:00:00 2001
+From ff7545a6911bc7b9d818a541130f666a81077b44 Mon Sep 17 00:00:00 2001
 From: Li Qiang <liq3ea@163.com>
 Date: Fri, 18 Sep 2020 11:08:28 +0800
 Subject: [PATCH] hw: xhci: check return value of 'usb_packet_map'

 Currently we don't check the return value of 'usb_packet_map',
-this will cause an NAF issue. This is LP#1891341.
+this will cause an UAF issue. This is LP#1891341.
 Following is the reproducer provided in:
 -->https://bugs.launchpad.net/qemu/+bug/1891341

+cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
+-trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
+-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
+-nodefaults -nographic -qtest stdio
+outl 0xcf8 0x80001016
+outl 0xcfc 0x3c009f0d
+outl 0xcf8 0x80001004
+outl 0xcfc 0xc77695e
+writel 0x9f0d000000000040 0xffff3655
+writeq 0x9f0d000000002000 0xff2f9e0000000000
+write 0x1d 0x1 0x27
+write 0x2d 0x1 0x2e
+write 0x17232 0x1 0x03
+write 0x17254 0x1 0x06
+write 0x17278 0x1 0x34
+write 0x3d 0x1 0x27
+write 0x40 0x1 0x2e
+write 0x41 0x1 0x72
+write 0x42 0x1 0x01
+write 0x4d 0x1 0x2e
+write 0x4f 0x1 0x01
+writeq 0x9f0d000000002000 0x5c051a0100000000
+write 0x34001d 0x1 0x13
+write 0x340026 0x1 0x30
+write 0x340028 0x1 0x08
+write 0x34002c 0x1 0xfe
+write 0x34002d 0x1 0x08
+write 0x340037 0x1 0x5e
+write 0x34003a 0x1 0x05
+write 0x34003d 0x1 0x05
+write 0x34004d 0x1 0x13
+writeq 0x9f0d000000002000 0xff00010100400009
+EOF
+
 This patch fixes this.

+Buglink: https://bugs.launchpad.net/qemu/+bug/1891341
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Message-id: 20200812153139.15146-1-liq3ea@163.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/hcd-xhci.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
 diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
-index a21485fe..3b25abca 100644
+index a21485fe8a..3b25abcacd 100644
 --- a/hw/usb/hcd-xhci.c
 +++ b/hw/usb/hcd-xhci.c
@@ -1614,7 +1614,10 @@ static int xhci_setup_packet(XHCITransfer *xfer)
--- a/qemu.spec
+++ b/qemu.spec
@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 20
+Release: 21
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY
@ -183,7 +183,7 @@ Patch0170: megasas-avoid-NULL-pointer-dereference.patch
 Patch0171: megasas-use-unsigned-type-for-positive-numeric-field.patch
 Patch0172: hw-scsi-megasas-Fix-possible-out-of-bounds-array-acc.patch
 Patch0173: hw-arm-acpi-enable-SHPC-native-hot-plug.patch
-PATCH0174: hw-usb-core-fix-buffer-overflow.patch
+Patch0174: hw-usb-core-fix-buffer-overflow.patch
 Patch0175: Drop-bogus-IPv6-messages.patch 
 Patch0176: hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
 Patch0177: hw-xhci-check-return-value-of-usb_packet_map.patch
@ -532,6 +532,9 @@ getent passwd qemu >/dev/null || \
 %endif

 %changelog
+* Thu Sep 24 2020 Huawei Technologies Co., Ltd <alex.chen@huawei.com>
+- enrich commit info for some patchs
+
 * Fri Sep 18 2020 Huawei Technologies Co., Ltd <lijiajie11@huawei.com>
 - hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-field.patch
 - hw-xhci-check-return-value-of-usb_packet_map.patch