| Message ID | 6dcb63036f3b35c833de752d1472d08bf4a9c289.1719996804.git.jeuk20.kim@samsung.com |
|---|---|
| State | New |
| Headers | show |
| Series | hw/ufs: Fix mcq register range determination logic | expand |
On 24-07-03 17:54:10, Jeuk Kim wrote: > The function ufs_is_mcq_reg() only evaluated the range of the > mcq_op_reg offset, which is defined as a constant. > Therefore, it was possible for ufs_is_mcq_reg() to return true > despite ufs device is configured to not support the mcq. > This could cause ufs_mmio_read()/ufs_mmio_write() to overflow the > buffer. So fix it. > > Fixes: 5c079578d2e4 ("hw/ufs: Add support MCQ of UFSHCI 4.0") > Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com> Reviewed-by: Minwoo Im <minwoo.im@samsung.com>
diff --git a/hw/ufs/ufs.c b/hw/ufs/ufs.c index 683fff5840..cf0edd281c 100644 --- a/hw/ufs/ufs.c +++ b/hw/ufs/ufs.c @@ -57,7 +57,13 @@ static inline uint64_t ufs_reg_size(UfsHc *u) static inline bool ufs_is_mcq_reg(UfsHc *u, uint64_t addr, unsigned size) { - uint64_t mcq_reg_addr = ufs_mcq_reg_addr(u, 0); + uint64_t mcq_reg_addr; + + if (!u->params.mcq) { + return false; + } + + mcq_reg_addr = ufs_mcq_reg_addr(u, 0); return (addr >= mcq_reg_addr && addr + size <= mcq_reg_addr + sizeof(u->mcq_reg)); }
The function ufs_is_mcq_reg() only evaluated the range of the mcq_op_reg offset, which is defined as a constant. Therefore, it was possible for ufs_is_mcq_reg() to return true despite ufs device is configured to not support the mcq. This could cause ufs_mmio_read()/ufs_mmio_write() to overflow the buffer. So fix it. Fixes: 5c079578d2e4 ("hw/ufs: Add support MCQ of UFSHCI 4.0") Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com> --- hw/ufs/ufs.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)