- mac_dbdma: Remove leftover `dma_memory_unmap` calls(CVE-2024-8612) - softmmu: Support concurrent bounce buffers(CVE-2024-8612) - system/physmem: Per-AddressSpace bounce buffering - system/physmem: Propagate AddressSpace to MapClient helpers Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
From 234034ba7e8ab516f12cb199fc45cfe7229eb281 Mon Sep 17 00:00:00 2001
From: Mattias Nissler <mnissler@rivosinc.com>
Date: Mon, 16 Sep 2024 10:57:08 -0700
Subject: [PATCH 4/4] mac_dbdma: Remove leftover `dma_memory_unmap`
calls(CVE-2024-8612)
cherry-pick from 2d0a071e625d7234e8c5623b7e7bf445e1bef72c
These were passing a NULL buffer pointer unconditionally, which happens
to behave in a mostly benign way (except for the chance of an excess
memory region unref and a bounce buffer leak). Per the function comment,
this was never meant to be accepted though, and triggers an assertion
with the "softmmu: Support concurrent bounce buffers" change.
Given that the code in question never sets up any mappings, just remove
the unnecessary dma_memory_unmap calls along with the DBDMA_io struct
fields that are now entirely unused.
Signed-off-by: Mattias Nissler <mnissler@rivosinc.com>
Message-Id: <20240916175708.1829059-1-mnissler@rivosinc.com>
Fixes: be1e343995 ("macio: switch over to new byte-aligned DMA helpers")
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
---
hw/ide/macio.c | 6 ------
include/hw/ppc/mac_dbdma.h | 4 ----
2 files changed, 10 deletions(-)
diff --git a/hw/ide/macio.c b/hw/ide/macio.c
index dca1cc9efc..3d895c07f4 100644
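--- a/hw/ide/macio.c
+++ b/hw/ide/macio.c
@@ -119,9 +119,6 @@ static void pmac_ide_atapi_transfer_cb(void *opaque, int ret)
 return;
 
 done:
- dma_memory_unmap(&address_space_memory, io->dma_mem, io->dma_len,
- io->dir, io->dma_len);
-
 if (ret < 0) {
 block_acct_failed(blk_get_stats(s->blk), &s->acct);
 } else {
@@ -202,9 +199,6 @@ static void pmac_ide_transfer_cb(void *opaque, int ret)
 return;
 
 done:
- dma_memory_unmap(&address_space_memory, io->dma_mem, io->dma_len,
- io->dir, io->dma_len);
-
 if (s->dma_cmd == IDE_DMA_READ || s->dma_cmd == IDE_DMA_WRITE) {
 if (ret < 0) {
 block_acct_failed(blk_get_stats(s->blk), &s->acct);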
diff --git a/include/hw/ppc/mac_dbdma.h b/include/hw/ppc/mac_dbdma.h
index 4a3f644516..c774f6bf84 100644
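--- a/include/hw/ppc/mac_dbdma.h
+++ b/include/hw/ppc/mac_dbdma.h
@@ -44,10 +44,6 @@ struct DBDMA_io {
 DBDMA_end dma_end;
 /* DMA is in progress, don't start another one */
 bool processing;
- /* DMA request */
- void *dma_mem;
- dma_addr_t dma_len;
- DMADirection dir;
 };
 
 /*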
--
2.45.1.windows.1