Hi Phil,
Thanks for inviting me. I've applied your patch. It seems fine
because my sb16 fuzzer is running for another 24 hours and
it has no crash yet. I can also double-check the specification.
Best,
Qiang
On Mon, Jun 14, 2021 at 7:13 PM Philippe Mathieu-Daudé wrote:
>
> ping?
>
> On 6/1/21
hysmem.c:2799:14
> #18 address_space_write softmmu/physmem.c:2891:18
> #19 cpu_outw softmmu/ioport.c:70:5
>
> [*] http://www.baudline.com/solutions/full_duplex/sb16_pci/index.html
>
> Fixes: 85571bc7415 ("audio merge (malc)")
> Buglink: https://bugs.launchpad.net/b
Hi Phil,
> You didn't Cc'ed the maintainers of the SCSI subsystem (see
> https://wiki.qemu.org/Contribute/SubmitAPatch#CC_the_relevant_maintainer
> ) so I'm doing it for you:
Thank you!
> It seems you didn't send your patch with the proper tool, see
>
41h/42h.
Fixes: 85571bc7415 ("audio merge (malc)")
Signed-off-by: Qiang Liu
---
hw/audio/sb16.c | 31 +++
tests/qtest/fuzz-sb16-test.c | 17 +
2 files changed, 36 insertions(+), 12 deletions(-)
diff --git a/hw/audio/sb16.c b/hw/au
ink: https://bugs.launchpad.net/qemu/+bug/1913923
Signed-off-by: Qiang Liu
---
hw/net/vmxnet3.c | 7 ---
1 file changed, 7 deletions(-)
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index eff299f629..a388918479 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -1786,13 +1786,6 @@ vmxnet3_io_
Hi
> This looks like your mailer mangled the patch.
> Can you resent using 'git send-email`?
Yes, I can. I finally figured out how to configure my Gmail. I should
send a new email,
and this thread is supposed to be closed, right?
Best
Qiang
tmmu/memory.c:0:13
> > #16 flatview_write_continue softmmu/physmem.c:2759:23
> > #17 flatview_write softmmu/physmem.c:2799:14
> > #18 address_space_write softmmu/physmem.c:2891:18
> > #19 cpu_outw softmmu/ioport.c:70:5
> >
> > [*] http://www.baudline.com/solutio
On Tue, Jun 22, 2021 at 5:16 PM Philippe Mathieu-Daudé wrote:
>
> On 6/22/21 10:54 AM, Qiang Liu wrote:
> > Hi folks,
> >
> > With this patch, having tested more, I find another way to trigger the
> > assertion.
> > I found it just now such that I di
Hi,
On Wed, Jun 23, 2021 at 11:23 AM Jason Wang wrote:
>
>
> On 2021/6/23 10:26 AM, Qiang Liu wrote:
> > From: cyruscyliu
> >
> > A malicious guest user can write VMXNET3_REG_ICR to crash QEMU. This
> > patch removes the g_assert_not_reached() there and makes the access
On Mon, Jun 14, 2021 at 11:06 PM Philippe Mathieu-Daudé wrote:
>
> On 6/14/21 2:11 PM, Qiang Liu wrote:
> > Hi Phil,
> >
> > Thanks for inviting me. I've applied your patch. It seems fine
> > because my sb16 fuzzer is running for another 24 hours and
>
Hi Paul,
On Mon, Jul 5, 2021 at 6:27 AM Paul Zimmerman wrote:
>
> On Sat, Jun 26, 2021 at 10:21 PM Qiang Liu wrote:
> >
> > Hi folks,
> >
> > I found this bug by my dwc2 fuzzer.
> > It seems that
> > * https://bugs.launchpad.net/qemu/+bug/1907042
. To avoid
potential assertion failure in usb_ep_get(), we could enforce epnum to 0
and warn users.
Fixes: 153ef1662c3 ("dwc-hsotg (dwc2) USB host controller emulation")
Signed-off-by: Qiang Liu
---
hw/usb/hcd-dwc2.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/hw/usb/hcd-dwc2.c b/
it be better to consider and fix them together?
Best,
Qiang
On Sun, Jun 27, 2021 at 11:28 AM Qiang Liu wrote:
>
> When eptype is USB_ENDPOINT_XFER_CONTROL and pid is
> TSIZ_SC_MC_PID_SETUP, usb_ep_get() should return the control endpoint.
> In hw/usb/core.c, the assumed epnum of
this
MMIO region is 0x3AF, this patch also removes the assertion in
xlnx_dp_write.
Fixes: 58ac482a66de ("introduce xlnx-dp")
Signed-off-by: Qiang Liu
---
hw/display/xlnx_dp.c | 7 ---
include/hw/display/xlnx_dp.h | 2 +-
2 files changed, 5 insertions(+), 4 deletions(-)
diff
On Tue, Jul 13, 2021 at 6:24 PM Philippe Mathieu-Daudé wrote:
>
> On 7/13/21 12:20 PM, Philippe Mathieu-Daudé wrote:
> > On 7/13/21 5:14 AM, Qiang Liu wrote:
> >> xlnx_dp_read allows an out-of-bounds read at its default branch because
> >> of an improper index.
>
Thank you for all the insightful comments about the separated patches.
This would be my first time formatting a series of patches. Does it
look like below?
[PATCH v3 00/2] title
[PATCH v3 01/2] fix
[PATCH v3 02/2] test
Best,
Qiang
On Mon, Aug 9, 2021 at 11:24 AM Peter Maydell wrote:
>
d breaking
migration.
Fixes: 58ac482a66de ("introduce xlnx-dp")
Signed-off-by: Qiang Liu
---
v2:
- not change DP_CORE_REG_ARRAY_SIZE
- add a qtest reproducer
- update the code style
I have a question about the QTest reproducer. Before patching xlnx-dp,
(0x3ac >> 2) will exceed the r
On Wed, Aug 4, 2021 at 3:43 PM Thomas Huth wrote:
>
> On 04/08/2021 08.51, Qiang Liu wrote:
> > xlnx_dp_read allows an out-of-bounds read at its default branch because
> > of an improper index.
> >
> > According to
> > https://www.xilinx.com/html_docs/reg
through HcControl. Therefore, I change usb_device_reset() to
usb_port_reset() where usb_detach() and usb_device_reset() are invoked
consequently.
Fixes: d28f4e2d8631 ("usb: kill USB_MSG_RESET")
Reported-by: Qiang Liu
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1180
Signed-off-by:
I've checked out the patches and re-run my PoC. I see no crash anymore.
I also fuzzed the latest code for a while (with the patches) and I saw
no related crashes.
Tested-by: Qiang Liu
On Tue, Aug 30, 2022 at 2:38 PM Gerd Hoffmann wrote:
>
> Add handler for fatal errors. Moves
he (x, y) coordinates
> > depending on the direction in the SRCCOPY ROP3 operation, but
> > forgot to address the same issue for the PATCOPY, BLACKNESS and
> > WHITENESS operations, which also call pixman_fill().
> >
> > Fix that now by using the adjusted coordinates i
The abort() in xhci_find_stream() can be triggered via enabling the secondary
stream arrays by setting linear stream array (LSA) bit (in endpoint context) to
0. We may show warnings and drop this operation.
Fixes: 024426acc0a2 ("usb-xhci: usb3 streams")
Reported-by: Qiang Liu
Resol
0, which is similar to the drop operation for
ohci_service_ed_list() when head is 0. Probably, a similar issue is in
ohci_service_td(). I drop ohci_service_td() if ed->head & OHCI_DPTR_MASK is 0.
Fixes: 7bfe577702 ("OHCI USB isochronous transfers support (Arnon Gilboa)")
Reported-
Hi,
I will take over this and fix it
Best,
Qiang
On Tue, Sep 27, 2022 at 9:11 AM Stefan Hajnoczi wrote:
> On Mon, 26 Sept 2022 at 06:29, Gerd Hoffmann wrote:
> >
> > From: Qiang Liu
> >
> > I found an assertion failure in usb_cancel_packet() and posted
In xlnx_dp_aux_set_command, when the command leads to the default
branch, xlnx-dp will abort and then crash.
This patch removes this abort and drops this operation.
Fixes: 58ac482 ("introduce xlnx-dp")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/411
Reported-by: Qiang L
could leverage this to crash QEMU.
Fixes: e5c9a13e2670 ("PCI AC97 emulation by malc.")
Reported-by: Volker Rümelin
Reported-by: Qiang Liu
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1393
Signed-off-by: Qiang Liu
---
hw/audio/ac97.c | 11 ---
1 file changed, 8
e this to crash QEMU.
> >
> > Fixes: e5c9a13e2670 ("PCI AC97 emulation by malc.")
> > Reported-by: Volker Rümelin
> > Reported-by: Qiang Liu
> > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1393
> > Signed-off-by: Qiang Liu
> > ---
&g
Dear Fred,
On Tue, Jan 10, 2023 at 9:57 PM Konrad, Frederic
wrote:
> Hi,
>
> > -Original Message-
> > From: qemu-devel-bounces+fkonrad=amd@nongnu.org
> On Behalf Of
> > Qiang Liu
> > Sent: 09 January 2023 07:00
> > To: qemu-devel@nongnu.o
This patch replaces hw_error with a guest error log for [read|write]b
accesses when mode_16bit is enabled. This avoids aborting qemu.
Fixes: 1248f8d4cbc3 ("hw/lan9118: Add basic 16-bit mode support.")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1433
Reported-by: Qiang Liu
Fixes: 58ac482a66de ("introduce xlnx-dp")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1418
Reported-by: Qiang Liu
Signed-off-by: Qiang Liu
---
hw/display/xlnx_dp.c | 4
1 file changed, 4 insertions(+)
diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
index
(). I think it may be OK to drop the abort in
xlnx_dp_change_graphic_fmt() because the error information will be
printed.
Fixes: 58ac482a66de ("introduce xlnx-dp")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1415
Reported-by: Qiang Liu
Signed-off-by: Qiang Liu
---
Check s->rx_fifo before pushing data into it.
Fixes: 58ac482a66de ("introduce xlnx-dp")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1419
Reported-by: Qiang Liu
Signed-off-by: Qiang Liu
---
hw/display/xlnx_dp.c | 4
1 file changed, 4 insertions(+)
diff --git
On Wed, Jan 11, 2023 at 4:44 PM Philippe Mathieu-Daudé
wrote:
> Hi Qiang,
>
> On 11/1/23 08:05, Qiang Liu wrote:
> > This patch replaces hw_error with a guest error log for [read|write]b
> > accesses when mode_16bit is enabled. This avoids aborting qemu.
> >
> > Fixe
Check fifos before popping data from and pushing data into them.
Fixes: 98e5d7a2b726 ("hw/net/can: Introduce Xilinx ZynqMP CAN controller")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1425
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1427
Reported-by: Qiang Liu
Hi all,
I'm sure this patch will prevent the assertion failure due to the
inconsistent ep and pid (USB_TOKEN_SETUP) (
https://lists.gnu.org/archive/html/qemu-devel/2021-06/msg07179.html).
For UHCI (https://gitlab.com/qemu-project/qemu/-/issues/119) and OHCI (
/-/issues/303).
Fixes: 25d5de7d81a5 ("usb: link packets to endpoints not devices")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/119
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/303
Cc: Paul Zimmerman
Signed-off-by: Qiang Liu
---
hw/usb/core.c | 2 +-
1 file
This patch checks if the s->tx_fifo is full.
Fixes: 58ac482a66de ("introduce xlnx-dp")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1424
Reported-by: Qiang Liu
Signed-off-by: Qiang Liu
---
hw/display/xlnx_dp.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-
conditionally log attempted writes to non-existing or
read-only registers.
Reported-by: Qiang Liu
Link: https://gitlab.com/qemu-project/qemu/-/issues/1408
Fixes: 0701a5efa015 ("hw/usb: Add basic i.MX USB Phy support")
Signed-off-by: Guenter Roeck
---
hw/usb/imx-usb-phy.c | 19 +
break;
case R_BDIV:/* Baud rate divider */
+value &= 0xff;
if (value >= 0x04) {
-s->r[offset] = value & 0xFF;
+s->r[offset] = value;
}
break;
default:
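Review bot: moving the mask to `+value &= 0xff;` before the `if (value >= 0x04)` check changes which writes reach the store: a write whose low byte is below 4 but has higher bits set (for example 0x100) previously passed the check and stored 0x00 via `s->r[offset] = value & 0xFF;`, and is now rejected. That is arguably the intended behaviour, since the check exists to reject dividers below 4, but it is a guest-visible change and the commit message should state it explicitly rather than presenting the hunk as a pure cleanup.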
Tested on my side.
Tested-by: Qiang Liu
Hi,
> This commit breaks boot-serial-test on ppc64-softmmu.
>>
>> $ ./configure --enable-tcg-interpreter
>> '--target-list=aarch64-softmmu alpha-softmmu arm-softmmu hppa-softmmu
>> m68k-softmmu microblaze-softmmu ppc64-softmmu s390x-softmmu
>> x86_64-softmmu'
>> $ make && cd build &&