summary refs log tree commit diff stats
diff options
context:
space:
mode:
authorStefan Hajnoczi <stefanha@redhat.com>2025-03-24 13:26:23 -0400
committerStefan Hajnoczi <stefanha@redhat.com>2025-03-24 13:26:23 -0400
commit170825d14d88a1ce7fae98d5a928480f2f329b22 (patch)
treed03116d1cf833d94274b092ee6e0d15fb73cd6a5
parent71119ed3651622e1c531d1294839e9f3341adaf5 (diff)
parent78877b2e06464f49f777e086845e094ea7bc82ef (diff)
downloadfocaccia-qemu-170825d14d88a1ce7fae98d5a928480f2f329b22.tar.gz
focaccia-qemu-170825d14d88a1ce7fae98d5a928480f2f329b22.zip
Merge tag 'pull-aspeed-20250323' of https://github.com/legoater/qemu into staging
aspeed queue:

* Fix AST2700 SoC model

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEoPZlSPBIlev+awtgUaNDx8/77KEFAmfgSG0ACgkQUaNDx8/7
# 7KFIaQ//TDinoK375i/tsRxpHPVHU40mQbn2pCx8g+mDoMZubfExSWncxcOpgzbM
# KM+NSOK0PBnCUHt0aWVb/USyMM7hftJHRkC6IY43HFnRIJlKxPeaS/IC73fPMMKu
# sDuBYz1ALseLFM1vArCiAijA8aCQOAiOBq/GSgscuHcgmTTMJ+c0LbwEaV5/aJwO
# BSIn6bRMLByl6w31NCetu7XwybCI9xCdgcGTuv7gNXtjk8poy540gB1CK02smDjc
# 0uRY9QXjh2epDWXz7UqMlJsEkEUc9BZP/95a70OKFsgDKz1K6kuCxgA3QbKLRgY1
# CDlinhERQuyFta6ulsoQ6E6T6nzc9MzTRjLztSdmMWkCd/qm1j4bWVuGnWD++9WT
# 1Q2IX4D5kurKNizux2+HaV02s3RafpeSjGOYMjaTpr74yqPpwa7gM2WnJhxZF1Md
# MF+ee30be5dJaVcZ0doYd+m3c6M0W5S1H5tR99YTA3auwikY0zgEKHrgXoDnv+sb
# 803AQroIBGZxbnxSH1OVJD4MB7Xos5CBxi0FYvpCy8E7Piaz2EGAe7QQUyHhPZjs
# Eg5rKCXODToYIpTHg+JYakHEt3ooewX3/pSVa//PJzde0eR25VNc6ybl4Xklqxib
# SjQ7HFqPkWrbVNK7o6j1LHLVa+sxtIT8FQtHKh5XjD7wnQwYV5U=
# =AwrM
# -----END PGP SIGNATURE-----
# gpg: Signature made Sun 23 Mar 2025 13:44:13 EDT
# gpg:                using RSA key A0F66548F04895EBFE6B0B6051A343C7CFFBECA1
# gpg: Good signature from "Cédric Le Goater <clg@redhat.com>" [full]
# gpg:                 aka "Cédric Le Goater <clg@kaod.org>" [full]
# Primary key fingerprint: A0F6 6548 F048 95EB FE6B  0B60 51A3 43C7 CFFB ECA1

* tag 'pull-aspeed-20250323' of https://github.com/legoater/qemu:
  hw/misc/aspeed_hace: Fix buffer overflow in has_padding function
  hw/intc/aspeed: Fix IRQ handler mask check
  aspeed: Fix maximum number of spi controller

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat
-rw-r--r--hw/intc/aspeed_intc.c2
-rw-r--r--hw/misc/aspeed_hace.c5
-rw-r--r--include/hw/arm/aspeed_soc.h2
3 files changed, 7 insertions, 2 deletions
diff --git a/hw/intc/aspeed_intc.c b/hw/intc/aspeed_intc.c
index 3fd417084f..f17bf43925 100644
--- a/hw/intc/aspeed_intc.c
+++ b/hw/intc/aspeed_intc.c
@@ -111,7 +111,7 @@ static void aspeed_intc_set_irq_handler(AspeedINTCState *s,
     outpin_idx = intc_irq->outpin_idx;
     inpin_idx = intc_irq->inpin_idx;
 
-    if (s->mask[inpin_idx] || s->regs[status_reg]) {
+    if ((s->mask[inpin_idx] & select) || (s->regs[status_reg] & select)) {
         /*
          * a. mask is not 0 means in ISR mode
          * sources interrupt routine are executing.
diff --git a/hw/misc/aspeed_hace.c b/hw/misc/aspeed_hace.c
index 32a5dbded3..d75da33353 100644
--- a/hw/misc/aspeed_hace.c
+++ b/hw/misc/aspeed_hace.c
@@ -128,6 +128,11 @@ static bool has_padding(AspeedHACEState *s, struct iovec *iov,
     if (*total_msg_len <= s->total_req_len) {
         uint32_t padding_size = s->total_req_len - *total_msg_len;
         uint8_t *padding = iov->iov_base;
+
+        if (padding_size > req_len) {
+            return false;
+        }
+
         *pad_offset = req_len - padding_size;
         if (padding[*pad_offset] == 0x80) {
             return true;
diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
index f899356ed9..f069d17d16 100644
--- a/include/hw/arm/aspeed_soc.h
+++ b/include/hw/arm/aspeed_soc.h
@@ -42,7 +42,7 @@
 #include "hw/char/serial-mm.h"
 #include "hw/intc/arm_gicv3.h"
 
-#define ASPEED_SPIS_NUM  2
+#define ASPEED_SPIS_NUM  3
 #define ASPEED_EHCIS_NUM 2
 #define ASPEED_WDTS_NUM  8
 #define ASPEED_CPUS_NUM  4